A Quick Chat About Patron Data Privacy During Company Acquisitions and Mergers

Another week, another acquisition. The latest news in the library vendor world came last Monday, with Clairvate purchasing ProQuest at the small sum of $5.63 billion. Academic libraries that subscribe to Web of Science and EndNote with Clairvate and Alma and Primo with ProQuest face the reality that now all of these products are owned by one company. We can’t forget that ProQuest has its fair share of mergers and acquisitions, though, as illustrated in Marshal Breeding’s ProQuest mergers and acquisitions chart.

This latest acquisition continues the trend of consolidation in the library vendor marketplace. With this consolidation of products and services comes the ability for companies to create more complete profiles of library patrons through increased data collection and tracking capabilities. In fact, during the company call regarding the acquisition on May 17th, company representatives commented that with the ProQuest acquisition, the company “can serve the entire research value chain, early stage and K12 setting, thru postgrad.” Put another way by another company representative, “We can touch every student in K through doctoral degrees everywhere. There is no product overlap.” Combine that quote with phrases from the press release such as “long-term predictive and prescriptive analytics opportunities from the enhanced combination of ProQuest’s data cloud with the billions of harmonized data points in the Clarivate Research Intelligence Cloud” (emphasis mine). You start to understand why this acquisition is a patron privacy concern.

This isn’t the first time a merger or acquisition brought up library privacy concerns. However, the size of this acquisition is cause for all libraries to stop and review their vendor management practices. The vendor relationship lifecycle can assist libraries in reviewing some of their vendor management practices. It’s difficult to determine if a vendor will still be around as an independent company in a few years when you’re shopping for a product or service. Nonetheless, it’s still worthwhile to do some research around the company. For example, you can find the latest vendor news in various library industry publications and sites such as Computers in Libraries and Library Technology Guides. Doing some research ahead of time (including asking around your professional network) can flag potentially problematic or unsustainable businesses to remove from consideration in the selection process.

The onboarding stage provides opportunities for libraries to mitigate privacy risks throughout the rest of the vendor lifecycle. Contracts usually do the heavy lifting when determining the fate of customer data after an acquisition, merger, or bankruptcy. We won’t get into the detailed legal aspects of mergers and acquisitions – we are not lawyers at LDH. Still, you can read a two-part blog series about pre- and post-closing liabilities around privacy and acquisitions/mergers if you want the nitty-gritty legal details. Nonetheless, vendor contracts should have something in the contract about what will happen to patron data in the case of a merger, acquisition, or bankruptcy. Though the concept of data ownership is fraught with equating data to a commodity, retaining ownership of patron data by the library addresses some of the risks, including patron data in the list of company assets during a sale or bankruptcy. Another contract negotiation point is reserving the right to withdraw the library’s data from the company after a sale or bankruptcy. This withdrawal needs to address how the data should be securely transferred and deleted from the vendor’s systems, treating this process as the separation process at the end of a business relationship. Yet another control strategy is requiring explicit and affirmative informed consent from patrons if the vendor wants to include the patrons’ data in the acquisition or merger. The more control the library has over the fate of the data after a company is bought or goes under, the better chances the library has to mitigate privacy risks.

Thanks to the trend toward monopolies in the library marketplace, libraries subscribing to ProQuest or Clairvate products and services have limited options outside of using the contract in controlling data flows and disclosures during a merger or acquisition. When discussed with your legal staff, the contract strategies mentioned earlier can mitigate data privacy risks when the vendor eventually becomes part of a giant conglomerate. Conglomerates (or monopolies) can go beyond the basic user profiles and analytics with more invasive behavioral tracking and analytic practices traditionally absent in libraries. Until there is a critical mass of libraries combining their political capital to push vendors to engage in privacy-preserving data management, individual libraries will need to continue navigating contract languages and “what if” scenarios on a vendor-by-vendor basis.

A Forced Exercise in Risk Management

A mustached adult white man leaning back in his office chair holding a beer. Text overlay "well that escalated quickly"
Image Source: https://knowyourmeme.com/photos/353279-that-escalated-quickly

When we asked readers last week about library discussions around campus or organization mandates requiring COVID-19 vaccinations, we expected that libraries would have time to plan to adjust to the mandate. Responses from last week indicated as such. The consensus was various employee groups meeting and discussing who must be vaccinated and how workplaces can confirm vaccination status.

Then Thursday came around, and the CDC escalated things a tiny bit with their new mask guidelines. And by “a tiny bit,” we mean “blowing away any incremental steps in loosening mask guidelines and went straight to a free-for-all mask honor system.”

Britney Spears grimacing while listening to a contestant on a popular singing competition show.
Yikes.

This sudden decision took many businesses and organizations – libraries included – by surprise. Most planned for a multi-month phased reduction in mask requirements, but here we are. After a year of struggling to get even the most reluctant patrons to mask up in the library, library workers now face several conundrums including dealing with patrons who refuse to follow library mask requirements based on the CDC announcement and libraries required by their parent organization to check for vaccination status for patrons going maskless in the library.

Libraries that can still require masks for everyone regardless of vaccination status can bypass the privacy issues around checking patron vaccination status. The libraries relying on local or state mask mandates to enforce their own can’t rely on them, though, given how quickly some state and local governments are dropping their mask mandates. While the CDC said that only fully vaccinated people can be maskless in most public spaces, the lifting of state and local mask mandates when many places haven’t reached the 50% vaccination mark (such as Washington State at the time of the announcement) turns this privacy issue into a privacy and health issue for both patrons and library workers. What we have is the privacy risks discussed last week now compounded by health risks presented with the new guidelines.

Managing risk is rarely a clear-cut process. Reducing one risk could inadvertently create or increase the chances for another risk. Keeping a detailed access log of who logs into a particular electronic resource through a proxy server can aid in investigations and quicker resolutions to issues around systematic unauthorized content harvesting, but this mitigation comes at the cost of privacy through increased collection and retention of detailed patron data, increasing the risk of improper reuse of this data through the library or third parties (such as creating user profiles for targeted marketing or reselling this data to fourth parties) or through a data breach or leak. Risk management is a process of checks and balances where one needs to consider the consequences of choosing risk management strategies and avoiding a “min-max” outcome with unaddressed risk.

Libraries who want or are now required by their organization to enforce CDC guidelines in their libraries now face the issue of suddenly needing to manage the risks around checking the vaccination status of maskless patrons. The US has not widely adopted a vaccine passport system (which has privacy issues), and fake vaccination cards abound. We listed the issues around contact tracing in libraries in a previous post, and all of those privacy concerns apply to libraries required to check vaccination status. The equitable service issues also apply, but it is compounded with health risks. Library workers who are still waiting to be vaccinated or cannot get vaccinated for medical reasons are stuck in limbo alongside patrons in the same situations.

These risks around privacy, service, and health would have been easier to manage through a gradual phasing out of mask mandates. Unfortunately, we are in the timeline where that isn’t happening. Requiring masks mitigates the privacy and health risks until the local population reaches a vaccination threshold where the health risks are at acceptable levels for both patrons and library workers. Libraries mitigated equitable service risks created by mask requirements by offering free masks to patrons or making alternative service arrangements for patrons who medically cannot wear a facial covering. This sudden turnabout from the CDC makes this strategy more fraught with risk. It creates a new type of service issue in the form of maskless patrons claiming vaccination status, which then creates new privacy and health issues alongside additional service issues for those who do not want to or cannot prove their vaccination status.

Some libraries that can no longer mandate masks for all might go with an honor system and allow patrons to go maskless without proving their vaccination status. That avoids the privacy and ethical risks involved in checking vaccination status but, depending on local population vaccination levels, the policy could increase the health risks to both unvaccinated patrons and library workers. It’s also an equitable service risk for patrons wanting to use the physical library but at the same time are not fully vaccinated due to medical reasons or are still waiting to start/complete their vaccination schedule.

This is all to say that there’s no good way to address the chaos created by the CDC last Thursday. We’re 14 months into the pandemic, and the pandemic fatigue settling in at the start of the year has grown at a rapid pace. Libraries – like other service and retail industries – are stuck in the middle of this, struggling with a public who are tired, confused, and ready to be done with all of this back and forth with guidelines and restrictions. Any decisions around COVID-19 policies at the library, including masks and vaccination checks, need to balance the privacy, equity, and health risks while acknowledging how that decision will impact library workers’ morale and safety.

Ask The Readers – Academic Libraries and Campus Vaccine Requirements

A black plushie llama wearing a "I got my COVID-19 vaccine!" sticker.
#PrivacyLlama got their shot!

We’re taking it a bit easy this week for a good reason – the designated blog writer just received her second COVID shot. The Executive Assistant isn’t quite ready for the blog writer position just yet, so her writing debut on the blog will have to wait a bit longer.

We have a question for our readers that we would appreciate any help with answering! Many organizations are starting to reopen for in-person services and operations as the US vaccine rollout continues. Several colleges and universities plan to reopen for in-person classes for the fall semester, but on one condition – students, faculty, and staff must be vaccinated for COVID-19. This trend of requiring vaccines to access physical spaces goes beyond academic institutions. Offices, schools, travel companies (and choice destinations), dining, and live event venues are either planning to or currently requiring proof of vaccination as part of their in-person reopening plans. The legality of some of these requirements varies by state, but it’s safe to assume that there will be an area in your life that will have some form of vaccine requirement.

Academic libraries on campuses requiring vaccination are in a unique position. While some campus libraries are restricted to those enrolled or employed at the university, many other campus libraries are open to the public. Details about vaccine requirements for campus visitors are scant, though details might emerge as we get closer to the fall semester. It’s most likely that visitors will be exempt from the requirements, but we want to find out if that is the case from our academic library readers of the blog. We’ve written about the privacy implications of libraries tracking patrons through contract tracing and medical screenings, and it could be that the vaccine requirements might add another data collection point that has privacy implications for a particular patron group.

If you work at an academic library whose campus is requiring vaccinations, we’d like to hear from you. Is your campus library being asked to track campus visitors’ vaccination status under the new vaccine requirements? Public and school libraries, too – is your organization planning similar requirements? Email us at newsletter@ldhconsultingservices.com with your answers, concerns, or questions! We will keep your replies confidential. Depending on the feedback, we will write a follow-up post about what libraries that find themselves required to track patron vaccination status can do to minimize privacy risks.

In the meantime, best of luck with your vaccination journeys, and we’ll catch you next week!

Open Data of Another Kind

Entryway door with the words "OPEN" and "NOW" written in tape on the two steps leading up to the door, respectively.
Photo by Kadir Celep on Unsplash

We sometimes like to say that something happens because of “magic” – in reality, that “magic” is the result of the (invisible) labor of real and unmagical people. To some patrons, this “magic” takes the form of the many programs, resources, and services the library provides daily. It takes the work of people in both the public and back-office spaces of the library. What happens, then, if you take the “magic” created by people and replace it with the “magic” of technology?

Last month the Santa Monica Public Library announced their plans to reopen a branch closed to the public due to staff cuts last year. The branch opening wasn’t made possible by regaining staff positions but instead made possible through a state grant to expand physical services through a suite of self-service technology. This grant uses existing technologies that many libraries use, including self-checkout machines, security cameras, and a controlled entry card swipe/tap or keypad. Combining these technologies to create a self-service library without staff isn’t new, either – for example, several European libraries expanded physical library hours through self-service technologies. The technology behind Santa Monica Library’s branch reopening, Open+, has been piloted in other US libraries such as Gwinnett County Public Library to expand library hours and service sans on-site staff.

This open library model comes with tradeoffs that leave many library workers worried. Library workers and patrons alike raised valid concerns around open libraries replacing staff to save costs. Another tradeoff that some might miss is the increased collection, processing, and retention of data generated from patron use of the physical library. While the individual technologies are not new, the combination of existing technologies to create an open library expands the amount of surveillance and data collection to a level that exponentially exposes patrons to various privacy harms.

We might as well start with the elephant in the room. The use of security cameras in libraries has been contested throughout the years, with libraries trying to balance using cameras for physical library security and patron privacy. ALA created guidelines about security camera use for libraries but the use of cameras in library spaces brings the risk of violating patron privacy throughout each stage of the patron data lifecycle:

  • Collection – where are the cameras located? Are they recording footage of patrons using library resources, such as browsing shelves, computer usage, or other identifiable usages of materials in the library?
  • Storage, retention, and deletion – where is the recorded footage being stored? Is it locally stored in the library? If not, where is that storage? Is it with a vendor, organizational IT, or even local law enforcement? How long are recordings kept? How many copies, including backups, exist, and how long are they kept?
  • Access and disclosure – who has access to the footage? Library workers, the vendor, the parent organization? Can law enforcement access the footage without a court-issued order? What are the policies around disclosing footage?

Depending on the library’s location, some state and local regulations around library privacy can potentially include security camera footage as part of their definition of protected patron data. However, this protection cannot be guaranteed even if the regulations include such footage if the vendor recording and retaining footage is not legally obligated to protect this footage or if the footage is stored and retained by law enforcement.

The use of controlled entry technology brings another privacy risk to patrons in an open library setting. Academic, school, and other special libraries might be familiar with using card swipe or tap machines that control access to physical library spaces. These technologies are uncommon in public libraries, however.[1] These controlled access systems can create logs of patron data: who came into the library at what time. This patron log can potentially put patron privacy at risk through a data breach or misuse through secondary use (the reuse of data collected for another purpose) in the form of learning analytics and marketing campaigns.

Security cameras and controlled entry onto themselves create some privacy risks; nonetheless, these risks can be mitigated if particular care is put into the planning and implementation of each technology. Pairing these technologies with other monitoring technologies creates a profile of a patron’s library use through the combination of data sets. Who is doing the data collecting, storing, and retaining determines the level of risk to patron privacy. That is where libraries considering open library models need to spend considerable time assessing the privacy risks associated with who controls the surveillance technologies used to collect and store patron data. Currently, open library models consist of third-party technologies and services to coordinate all of these technologies. These third parties are not subject to state and local regulations around library data privacy (outside of California and Missouri). Trying to replace one “magic” (people) with another (technology services provided by a third party) doesn’t get rid of cost. Instead, it transfers and transforms it to the point where some library workers might not realize that the open library “magic” comes at the cost of patron privacy.

[1] The use of controlled entry technology in public libraries is also an equity issue concerning which groups of patrons can access the library outside of staffed hours. Who is excluded from the physical library in an open library model, and what are the implications of excluding them?