As an academic librarian, what do you need to know about your library’s privacy and confidentiality policy?

Today’s move by the U.S. House of Representatives to deny extending certain provisions of the US Patriot Act (one of which pertains to libraries) and the call for protests leading up to it remind us that privacy is still an important issue for libraries. This caused me to think about my own library’s privacy policies and what we would do if approached by federal officials requesting information.

I’ve spent the last few days looking over the privacy statements of university libraries and reviewing the American Library Association’s stand on privacy. The following are what I consider to be the essential questions that academic librarians should be asking in order to understand where their library stands concerning the privacy and confidentiality of personally identifiable information gathered through everyday library use.

A Definition?

What do I mean by privacy? Is it a right? A condition? Defining privacy is difficult because no matter how you slice it, most claims tend to assume privacy to be an essential value. Perhaps it is, but it is tricky to argue that point.

Let us assume for the sake of argument that privacy is indeed an essential value; what does it apply to? I think we can divide privacy into three categories: informational privacy, behavioral privacy, and locational privacy. The first includes information that a person or a society generally assumes to be private. This can include health information, financial data, and personal opinions. The second type of privacy is often equated (one could say, incorrectly) with the right to personal choice and includes the right to abortion, sexual rights, or the right to view pornographic material. The third refers to activities that, because they function within a private space, are themselves considered to be private and include those activities violated by invasions into one’s home or office space.

As academic librarians, we are primarily concerned with the first of these: informational privacy (though many of us are advocates for certain behavioral privacy rights as well).

What You Need To Know

What personally identifiable information does your library collect? In order to set up a borrower’s account, the library usually needs certain pieces of personally identifiable information (PII) from a student,* including his/her name, email address, local address, student ID, and degree level. Where does this information come from? Is it provided by the student or the records department? Does the student need to give consent for the library to use this information or is there a university policy that grants consent?

In the course of daily operations, the library may collect all types of information, including what a user checks out or requests via Inter-library loan, what library websites they navigate to and from, or what items they are searching for in the online catalog. This information is extremely useful to librarians and can be used for collection development, improving online services, and budgeting. But how much of this information is retained, for how long, and how much of it is personally identifiable? These are questions that librarians should have answers to or clearly state in their privacy statements. Many libraries collect a minimum amount of user information, much of it not personally identifiable, and regularly scrub that information from their servers.

What other privacy or confidentiality policies also apply? Whether you are developing a policy for a library or trying to better understand your own, you need to understand other policies that may already be in place. At a federal level, all libraries are affected by the U.S.A. Patriot Act. Universities receiving federal aid are additionally affected by the Federal Educational Rights and Privacy Act of 1974, which regulates what student information is considered private and who is permitted to access that information. Some states, like Illinois and North Carolina, have laws specifically referencing the confidentiality of library records. Librarians should also consider any university statements on student privacy and the privacy policies of the American Library Association.

What data are vendors collecting? Vendors are the wildcard in any privacy policy. While you have some wiggle room when negotiating contracts, ultimately librarians cannot control how vendors and other third-party information providers use the data they acquire. This is especially true in cases where vendors have set up Web 2.0 functions that allow users to set up personal profiles and share info (e.g. CQ Press, Wilson Web, Ebsco, Elsevier, CSA, to name a few).

In a 2010 College & Research Libraries article, Trina Magi of the University of Vermont concluded that

the privacy policies of major vendors of online library resources fail to express a commitment to many of the standards articulated by the librarian profession and information technology industry for the handling and protection of user information. […] They are unspecific in disclosing how they protect that information from unauthorized access or disclosure, and they offer no clear recourse for users who feel the terms of the policy have been violated.

This conclusion is based on content analysis of vendor privacy statements and was not reached by examining actual practice. Nonetheless, I think we are wise to be wary of any company that does not publicize its stance on the confidentiality of user data, especially given the rising value of personal information in a market partially based on behavioral targeting practices. We should advise our students that the library has little or no control over what data they share online once they move to a third-party site.

What if someone requests personally identifiable information? Nine times out of ten, the answer to this question is “Don’t give it to them!” but there are some exceptions. Through a subpoena or court order, records can be accessed by state and federal officials. Currently under the provisions of the U.S. Patriot Act (unless they are allowed to expire), federal officials can demand access to library user data. There is nothing that restricts libraries from scrubbing the PII beforehand, unless there are state laws in place demanding the retention of “public records,” which can include any email sent to and from librarians (state employees) or via the campus network, server logs, and data submitted via online forms.

In short, it can get sticky. That’s why it’s important for librarians to know who is the appropriate authority (usually the University Librarian) to make the decision whether or not the data should be handed over in legitimate circumstances. But additionally, librarians and student workers alike should have a strong knowledge of local policies, practices and privacy expectations.

Recommendations For Developing a Privacy Statement

To quickly sum things up, here are my recommendations for academic libraries that have yet to develop a privacy statement or are thinking of revising their current one.

  1. Publicize your statement on privacy and confidentiality.
  2. Detail the information that you collect, how you collect it, what you plan to use it for, and how users can opt out (if that is an option).
  3. Provide information on local, state, and federal privacy standards.
  4. State your intended response to inquiries from individuals or agencies seeking user information.
  5. Warn users about third-party vendors.
  6. Give users contact info for expressing their concerns.

Examples of Academic Library Privacy Statements

References

Magi, T. (2010). A content analysis of library vendor privacy policies: Do they meet our standards? College & Research Libraries, 71(3), 254–72.

*To make things simple, I’ll just use the term student, but I’m actually referring to anyone who uses an academic library: students, staff, faculty, visiting scholars, international students, and non-enrolled, non-staff patrons.