Negotiating Contracts with Vendors for Privacy
by Eric Stroshane
Library Development Manager
North Dakota State Library
Crossposted from ChoosePrivacyWeek.org
In the wake of the 2013 Snowden revelations and the March 2017 Congressional resolution repealing the FCC's broadband privacy rules, online privacy initiatives have gained significant traction along with widespread attention and accolades. Efforts like Reset the Net and the non-profit Let's Encrypt have ushered in an era of far greater and more evenly distributed online privacy and security, and an endless stream of news stories has raised public awareness. Most sites we frequent now use HTTPS by default, signalled by the familiar padlock in the address bar. When properly implemented, this provides two things: a certificate authority's assurance that the server you reached controls the domain name in the address field, and encryption of everything exchanged between your browser and that server, so that nobody in between (your ISP, the coffee-shop Wi-Fi, anyone watching the network) can read or alter it. In other words, it safeguards your banking credentials, search queries, account information, and medical queries while they are in transit. This is true of the big-name sites you and your patrons routinely visit to conduct research, such as Wikipedia, Google, MedlinePlus, and PubMed, as well as news sites like nytimes.com and washingtonpost.com. Note the limit of that guarantee: HTTPS protects data on the wire, not data at rest on the site's own servers, and it says nothing about what the site operator collects or passes along to third parties. The ideal is for that kind of sharing to be the end-user's choice.
Keeping personal information confidential is something we in the library field understand the importance of. It is a cornerstone of intellectual freedom, it is enshrined in our Code of Ethics, and it is codified in state laws throughout the U.S., laws that we and our predecessors helped shape. It is a right we have fought for in the Supreme Court. Knowing this, it may be surprising to notice how many of our own websites, online catalogs, databases, and content vendor sites still lack the basic privacy safeguards that have become commonplace everywhere else. We have no one to blame for this but ourselves, and it is high time we started doing better. The simplest way forward is to work with our vendors on implementing four key safeguards:
- HTTPS by default across all library-provided or licensed content, so that patron searches and logins are never sent in the clear.
- Reasonable limits on gathering personal information, and restrictions on sharing it with third parties.
- Secure, encrypted storage of any patron account and transaction details that are retained.
- A readily available privacy policy detailing these measures and any interactions with third parties.
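"HTTPS by default" is the one safeguard on that list a library can verify for itself rather than take on a vendor's word. The script below is an added example, not code from the original post or from any vendor: it looks at the responses a vendor site gives to a plain http:// request and to an https:// request and reports three things a library would write into an RFP: whether http:// redirects to https://, whether the https:// response sets a Strict-Transport-Security header so browsers stop trying http:// first, and whether session cookies carry the Secure flag so they are never sent unencrypted. The host `catalog.example.org`, the six-month minimum HSTS lifetime, and the sample responses are all constructed for illustration.

```python
"""Check a vendor site's "HTTPS by default" posture from its HTTP responses.

Added example; not code from the original post or from any vendor. The
sample responses at the bottom are constructed, not captured from a real site.
"""
import http.client
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

# Minimum HSTS lifetime accepted here (six months, in seconds). This is an
# assumed policy threshold, not a figure from the post.
MIN_HSTS_MAX_AGE = 15_552_000


@dataclass
class Response:
    status: int
    headers: list[tuple[str, str]]  # (name, value); names matched case-insensitively

    def get(self, name: str) -> list[str]:
        return [v for n, v in self.headers if n.lower() == name.lower()]


def hsts_max_age(value: str):
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def assess(http_resp: Response, https_resp: Response) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # 1. A plain http:// request must be redirected to https://, never served.
    if http_resp.status in (301, 302, 307, 308):
        location = http_resp.get("location")
        target = urlsplit(location[0]) if location else None
        if target is None or target.scheme.lower() != "https":
            findings.append("http:// redirect does not point at an https:// URL")
    else:
        findings.append(f"http:// request was served (status {http_resp.status}) instead of redirected")

    # 2. The https:// response should carry HSTS with a meaningful max-age;
    #    without it the browser keeps making an unencrypted first request.
    hsts = https_resp.get("strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security header on https:// response")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {age} is below {MIN_HSTS_MAX_AGE}")

    # 3. Cookies set over https:// (sessions, patron IDs) must be flagged Secure,
    #    or the browser will also attach them to a plain http:// request.
    for cookie in https_resp.get("set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=', 1)[0]!r} set without the Secure flag")
    return findings


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch one URL without following redirects (for live use; not run below)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", parts.path or "/")
    resp = conn.getresponse()
    return Response(resp.status, resp.getheaders())


# Constructed sample responses for a hypothetical catalog host.
GOOD_HTTP = Response(301, [("Location", "https://catalog.example.org/")])
GOOD_HTTPS = Response(200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
])
WEAK_HTTP = Response(200, [("Content-Type", "text/html")])
WEAK_HTTPS = Response(200, [("Set-Cookie", "session=abc123; Path=/")])

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("weak", (WEAK_HTTP, WEAK_HTTPS))):
        print(label, assess(*pair) or ["ok"])
```

Against a live vendor site, `assess(fetch("http://host/"), fetch("https://host/"))` gives the same three findings; run it on the catalog, the discovery layer, and each licensed database before a renewal conversation, so the vendor hears a specific gap rather than a general wish.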
I appreciate that many of us did not come to the field with computer science backgrounds, and we do not necessarily have the language or technical expertise to convey clearly to our vendors what is necessary. This is where ALA's Library Privacy Guidelines and Checklists come in: they contain the language and guidance we need to work with our vendors. I would specifically recommend the ones on E-book Lending and Digital Content Vendors; Library Websites, OPACs, and Discovery Services; and Library Management Systems/Integrated Library Systems.
Just about the only thing the Guidelines do not spell out is when we should talk to our vendors. I personally recommend doing so whenever the opportunity presents itself: the more often vendors hear this, and the more librarians they hear it from, the more diligently they will pursue it. Here are some good places to start:
- Before you’re under contract, as this is when you have the most leverage.
- Put wording from the guidelines and checklists in your RFPs.
- Convey the importance of these privacy safeguards during product demonstrations.
- When contracts come up for renewal, express your concerns. Let them know this is a priority for you and budgets are getting tighter.
- Talk to your sales reps when they make their regular calls—they visit with the development team and are always looking for feedback to share that may gain them a competitive edge.
- If you have a chance to take part in a focus group, do so and voice the need for these measures.
- Visit with your vendors when they exhibit at conferences you attend. Talk to them about the importance of patron privacy safeguards.
Ultimately, we’re in this with them and they wish to have a product that we both want to procure and which will continue to serve us and our users over time. None of us can get to that point by standing still.