Data privacy and online security from the library's perspective
Transcript
The Library Context
Today, as in the past, the patron’s right to privacy is critical to the mission of the institution.
To recap, personal Information is information that, alone or when used in combination with other information, can be used to identify, locate or contact an individual.
Data Privacy is the extent to which one’s personal data is observed, shared, revealed, exploited, and/or misused in digital spaces and systems, such as the Internet and the ability to exercise control over that personal data.
Confidentiality is the obligation of an individual, organization or business to protect personal information and not misuse or wrongfully disclose that information.
As public institutions providing free access to circulating resources, libraries have long been stewards of patron data. In the early 20th century, that data was as simple as a paper record of a borrowed book.
The 4th amendment to the US constitution provides all citizens with rights to protect their privacy. Yet there is no single national law regulating how personal data is collected and used. Instead, state and federal laws vary, and can overlap or contradict each other. Guidelines developed by governments, non-profits, and industry groups may lay out best practices, but are not enforceable law. For more information, see links in the resources section at the end of this module.
In 1981, the New York State legislature passed a law that specifically protects user information and data held by libraries. Forty-eight other states in the U.S. have also passed laws that specifically protect the personal information and data collected, stored, and used in libraries. For more information, see links in the resources section.
More than ever, patrons may feel their privacy is at risk.
Libraries and library staff, too, are challenged with guarding patron privacy while navigating a complex, new data environment. Libraries rely on third party vendors to provide a variety of services. The legal issues around patron data privacy are complicated by the fact that libraries regularly rely on a variety of third party vendors for various services, including cataloging systems, research databases, & internet access. If and when patrons use third party services, the library may share the patron’s information with the third parties, but only as necessary for the third party to provide services to the library.
Libraries should ask questions like: is the data stored securely? Is it kept only for only so long as it is needed? To whom does the vendor give access to the data? Is the data properly destroyed by the vendor after it is no longer needed? Can the vendor transmit or sell the data to someone else, without the library’s permission? It’s likely that these questions were considered by your administration. Open a dialogue if you’d like to know more about the considerations that went into the contracts your library has signed.
For their part, third party vendors should be transparent about their data handling processes and have secure storage methods.
Third party vendors should also abide by laws relating to information about minors: for example, the Children’s Online Privacy Protection Act.
Library staff should help patrons understand the data security realities and risks related to third party vendors as outlined in the library’s privacy policy. When a patron links, say, from a library-owned site to a vendor site, their activity may be tracked, and data about them may be collected.
Patrons should be aware of the differences between library services and vendor services, and know vendor privacy policies so they can choose if and what to share.