Long Overdue: Revisiting Library Privacy Policies During Choose Privacy Week
By Nancy Kranich
Rutgers University School of Communication and Information
Although our integrated library system conformed to our privacy expectations, we grappled with other electronic issues, particularly third-party agreements and the proxy server that linked users to licensed databases. The more we delved into individual licenses, the more we became aware of their limitations. We discovered how reliant we are on vendors’ own privacy protection policies once our users pass through our proxy server. Although user authentication includes no PII passed on to third-party vendors, we discovered that our proxy server software does collect IP addresses that a vendor could request when one of our users exhibits questionable behavior. We also found our electronic reference chat system vulnerable to privacy breaches, as were our interlibrary loan and copy/scanning transactions. Paper record-keeping systems also raised privacy and security concerns, especially those maintained by special collections that are retained indefinitely, along with those used for off-site storage and intra-campus delivery services.
Protecting the Privacy of Minors and Students—Special Considerations
Updating Existing Privacy Policies
Once a library privacy task force completes its work, revisions and reviews are necessary as staff and processes change and best practices evolve. The ALA Intellectual Freedom Committee has recently approved several additional privacy guidelines for consideration. These include:
- Library Privacy Guidelines for E-book Lending and Digital Content Vendors
- Library Privacy Guidelines for Data Exchange Between Networked Devices and Services
- Library Privacy Guidelines for Public Access Computers and Networks
- Library Privacy Guidelines for Library Websites, OPACs, and Discovery Services
- Library Privacy Guidelines for Library Management Systems
- Library Privacy Guidelines for Students in K-12 Schools
These new guidelines offer a perfect opportunity for libraries to revisit their existing privacy and confidentiality policies and practices and update them to follow FIPPs, as well as incorporate the latest guidance that reflects ever-changing best practices. Finally, when a library reviews its privacy policies and practices, it should use the occasion not only as a “teachable moment” to update staff as well as users about revisions, but also as a way to help users understand how to protect themselves in the digital age.