Turning Acknowledgment into Action

Several people putting up a net banner with an orange outline of Chief Seattle's face and text underneath the face - "Chief Seattle is Watching"
Image source: https://www.flickr.com/photos/backbone_campaign/21483972929/ (CC BY 2.0)

We’re going to start the post with a quick exercise. Where do you live and work? Easy enough, right? Some of you probably can name a street, neighborhood, town, city, or state off the top of your head.

Let’s take the first question and change a couple of words – whose land do you live and work on?

Some of you might already know whose land that you live and work on. For those who do not, you can visit https://native-land.ca/ to find more information about the indigenous lands you currently occupy.

As we wrap up  Native American Heritage Month this week, we are taking some time to give some context around the land acknowledgment included in our recent talks. You can use the resources at the end of the post for your acknowledgments that go beyond a statement of whose land you’re on.

Acknowledgment as The First Step

LDH lives and works on the unceded, traditional land of the Duwamish People, the first people of Seattle.

The above-italicized sentence is the start of the land acknowledgment in recent LDH talks. Many of us have encountered similar statements in various events and presentations. Land (or territory) acknowledgments sometimes stop here, naming the peoples whose land we’re on. However, this approach lacks the full acknowledgment of how the land became occupied. It also doesn’t acknowledge the present-day impact this occupation has on the people.

The Duwamish Tribe was the first signatories on the Treaty of Point Elliott in 1855. The Tribe has been denied the rights established in the treaty for over 165 years. The United States Federal Government currently does not recognize the Duwamish Tribe, denying the Tribe the rights and protections of federal recognition.

Naming the treaty is important in giving the historical context around the occupation of the land, but equally important is the explicit statement that the treaty has still to be honored by the federal government. The Duwamish Tribe is not federally recognized, which is important to acknowledge because of its historical impact on the Tribe and its current impact on the Tribe’s rights to funding for and access to housing, social services, and education, among other resources and services.

The Duwamish People are still here, continuing to honor and bring to light their ancient heritage.

Indigenous people are still here. It’s easy to leave the land acknowledgment to acknowledge the past and not venture into the present. But an acknowledgment of the present has to go beyond education and head into action.

Calls to Action

A portion of the speaker’s fee from the conference will be donated to Real Rent Duwamish. Real Rent serves as a way for people occupying this land to provide financial compensation to the Tribe for use of their land and resources – https://www.realrentduwamish.org/

The Tribe has started a petition to send to our state congresspeople to create and support a bill in Congress that would grant the Tribe federal recognition. The link to the petition is on the slide – https://www.standwiththeduwamish.org/

You are welcome to join me in donating to Real Rent or signing the petition.

The second half of the acknowledgment are two specific calls to action. Each action provides the opportunity for event attendees to support or advocate for the Duwamish People whose land LDH occupies. Real Rent Duwamish provides financial support and resources for the Tribe through a voluntary land tax. The petition aims to gather support for a bill granting the Tribe federal recognition, giving the Tribe access to services and resources available to other treaty tribes. If attendees cannot financially donate to Real Rent, they can provide non-financial support through the petition.

LDH’s acknowledgment focuses on calls to action around solidarity with the Duwamish People. Other land acknowledgments make the additional call for event attendees to research whose lands they occupy through https://native-land.ca/. Clicking on a specific territory will provide a page with resources where attendees can learn more about the Indigenous people whose land they’re on. For example, the Duwamish Tribe page on the site also links to ways to support the Tribe. Other calls to action found in land acknowledgments include supporting water protectors, such as supporting water protectors in stopping Line 3.

Resources

The list below is some resources you can use to inform not only yourself and others about the land you occupy but also what you and others can do to be in solidarity with Indigenous people in your acknowledgments and beyond.

Libraries (and Archives) as Information Fiduciaries? Part Three

A collection of football tickets and postcard invitations in a clear archival sleeve.
Image source: https://flickr.com/photos/27892629@N04/15959524202/ (CC BY 2.0)

Welcome back to the third installment of the information fiduciaries and libraries series! It’s been a while since we explored the concept of libraries acting as a trusted party managing patron personal data. Thanks to Tessa Walsh’s recent demo of Bulk Reviewer, we got the nudge we needed to tackle part three of the series. You can catch up on Parts One and Two if you need a refresher on the subject.

Managing Personal Data in a Collection

We left off the series with the question about what happens to a library’s information fiduciary role when the personal data is entrusted with is part of the collection. The relationship between the personal data in the collection, the person, and the library or archive is not as straightforward as the relationship between the library and the patron generating data from their use of the library. Personal papers and collections donated to archives contain different types of personal data, from financial and medical to personal secrets. What happens in the case where a third party donates these papers containing highly personal information about another person to a library or archive? In the case of a person donating their documents, what happens when they have personal data of another person who may not have consented to have this data included in this donation? Moving from the archive to the institutional repository, what happens when a researcher submits research data that contain identifiable personal data as part of a data set, be it a spreadsheet that includes Social Security Numbers or oral histories containing highly personal information to a living person?

As you probably already guessed, these complications are only the start of the fiduciary responsibilities of libraries and archives surrounding these types of personal data. We’ve covered redacting PII from digital collections in the past, but redaction of personal data to protect the privacy of the people behind that data only addresses a small part of how libraries and archives can fulfill their information fiduciary role. Managing personal data in collections requires managing data in the best interests of the library/archive and the person donating the materials and the best interests of the people behind the personal data included in that donated material, which may not be the same person as the donor.

Thankfully, we don’t have to navigate this complex web of relationships to determine how to manage the collection with the best interest of the people behind the data. The Society of American Archivist’s Privacy & Confidentiality Section can help libraries and archives manage personal data in their collections. If you are looking for documentation around privacy in archives, check out the documentation portal. Have too many types of personal data to know where to start? The section’s bibliography can lead you to the right resources for each major type of personal information you have in your collection. Perhaps you want to know more about current issues and concerns around personal data in collections. The RESTRICTED blog has you covered, alongside webinars such as Tessa’s demo of Bulk Reviewer mentioned at the start of this post. We highly recommend checking out the mini-blog series from Heather Briston, following up on her webinar “It’s Not as Bad as You Think – Navigating Privacy and Confidentiality Issues in Archival Collections.”

Beyond the section, you also might find the following publications helpful in determining how your library or archive should fulfill their responsibilities to the people behind the data in your collections:

  • Botnick, Julie. “Archival Consent.” InterActions: UCLA Journal of Education and Information Studies 14, no. 2 (2018). https://doi.org/10.5070/D4142038539.
  • Mhaidli, Abraham, Libby Hemphill, Florian Schaub, Cundiff Jordan, and Andrea K. Thomer. “Privacy Impact Assessments for Digital Repositories.” International Journal of Digital Curation 15, no. 1 (December 30, 2020): 5. https://doi.org/10.2218/ijdc.v15i1.692.

This is only a small selection of what’s available, but the Privacy & Confidentiality Section’s resources are an excellent place to start to untangle the complex web of determining what is in the best interest of all parties involved in managing the personal data in your collections.

Before we end our post, there is one question that a few of our readers might have – can archivists guarantee the same level of confidentiality as lawyers or doctors can in protecting personal information in legal matters?

A Question of Archival Privilege

Some of our readers might remember discussions about archival privilege in the early 2010s stemming from the litigation surrounding the Belfast Project oral histories. Archival privilege is not legally recognized despite legal arguments for such a privilege or tying such a privilege to researcher privilege in court (such as in Wilkinson v. FBI and Burka v. HHS). These rulings mean that materials in a collection are subject to search via subpoenas and warrants, which leads to privacy harms to those whose personal data is included in those collections. Nevertheless, it’s still worthwhile to revisit the calls for such a privilege and discussions of what archival privilege would look like:

Even though Boston College successfully appealed the initial order to hand over all the records listed in the subpoena, we are still left with whether the archives profession should push for privileged relationships between donors or other individuals represented in the collections and the archives. We will leave discussion of if such a privilege should exist (and in what form) to our readers.

Just Published – Licensing Privacy Vendor Contract and Policy Rubric (Plus Bonus Webinar!)

Happy National Spicy Hermit Cookie Day! Today is your day if you need an excuse to make a batch of cookies to prepare for the baking rush in a few weeks. While the term “hermit” refers to the cookie’s ability to keep for months, we at LDH are not exactly sure if we can call a cookie a literal hermit. Nevertheless, we know what can make someone into a hermit – spending countless hours reading vendor contracts.

(We would like to apologize for that transition. Here is a picture of a tray of freshly baked cookies to make up for it.)

The lucky academic library people who deal with content platform vendor contracts know all too well the frustrations with these contracts, particularly around data privacy and security. Contracts are notorious for being obtuse and dense, but an added complication with content platform contracts is the limited and vague language around our patrons’ data – what data is collected, why the vendor is collecting it, how they’re collecting patron data and sharing it to other third parties, what data rights patrons have, and so on. The complications don’t stop there. Academic library workers not only have to negotiate data privacy with the vendor, but more often than not, they find themselves internally negotiating for privacy at an institutional level, advocating and educating institutional peers about patron privacy rights and needs. Protecting patron privacy shouldn’t be this hard, but this is the reality that many academic library workers face in the contract evaluation and negotiation processes.

The Licensing Privacy Project is here to help. The Mellon Foundation-funded project just published the Vendor Contract and Policy Rubric to streamline the evaluation and negotiation processes for content vendor contracts and policies. Academic library workers can use the rubric to evaluate contracts for potential data privacy and security issues in eight key privacy domains, including data collection and user surveillance. The rubric brings together several well-known library privacy standards and practices to streamline the evaluation process, noting which vendor privacy practices could meet those standards and which to flag for further evaluation and negotiation. The supplementary glossary and example contract language resources provide definitions for common privacy terms and what type of contract language to look out for in specific privacy domains. The interactive features of the rubric allow for sharing evaluation notes, identified privacy risks, and ways to mitigate those risks within the library and institutional staff who are part of the negotiation process.

If you want to learn more about the rubric and how you can use it at your academic library, make sure to sign up for the webinar this Wednesday (11/17) at 1 pm Central Standard Time. Not only will you learn more about the rubric, but you will also get a chance to talk to other colleagues in brainstorming all the possible ways this rubric can help you advocate for patron privacy during the contract negotiation process. If you can’t make it, don’t worry – the webinar will be recorded. We hope to see you there!

Don’t Forget About Privacy While Turning Back The Clock

Last weekend was when we finally got our one hour back (for those of us still observing Daylight Savings Time [DST] in the US). Instead of sleeping in, though, we are barraged with public service announcements and reminders to spend that hour taking care of things that otherwise get ignored. That fire alarm battery isn’t going to change itself! Like #DataSpringCleaning, the end of DST is a great opportunity to take care of privacy-related things that we’ve been putting off since spring.

What are some things you can do with the reclaimed hour from DST?

  • Choose and sign up for a password manager – If you’re still on the fence about choosing a password manager, check out our post about the basics of selecting a manager. Once you get past the inertia of selecting a password manager, switching to a password manager becomes a smoother process. Instead of switching all your accounts to the password manager at once, you can enter the account information into the manager when you sign into that specific account. Using the password manager’s password generator, you can also use that time to change the password to a stronger password. And while you’re logged in…
  • Set up multifactor authentication (MFA) – You should really turn on MFA if you haven’t already done so for your accounts. Use a security key (like a YubiKey) or an authenticator app for MFA if possible; nevertheless, the less secure versions of MFA – SMS and email – are better than no MFA. Read about MFA on the blog if you’re curious to learn more about MFA.
  • Review privacy and security settings for social media accounts – Social media sites are constantly adding and changing features. It’s good to get into the habit of checking your social media account settings to make sure that your privacy and security settings are where you want them to be. Another thing you might want to check is how much of your data is being shared with advertisers. Sites like Facebook and Twitter have account setting sections dedicated to how they use your data to generate targeted ads.

Your library also has a reclaimed hour from DST. What can you do at work with that reclaimed hour?

  • Review the privacy policy – It never hurts to review the privacy policy. Ideally, the privacy policy should be updated regularly, but sometimes even having a review schedule in place doesn’t necessarily guarantee that the review actually gets done. If the policy missed its regularly scheduled review, it might be worthwhile to push for the overdue review of the policy to ensure the policy’s alignment with current professional standards, codes, and legal regulations.
  • Check your department or team procedures against the privacy policy – Your department work procedures change regularly for various reasons, such as changes in technology or personnel. These changes might take these procedures out of alignment with the current privacy policy. Relatedly, an update to the privacy policy might need to be reflected in changes to the procedure. Review the two sets of documents – if they’re not in alignment, it’s time to set up a more formal document review with the rest of the department. Now is also an excellent time to set up a schedule for reviewing procedures against the privacy policy (as well as privacy-adjacent policies) on a regular basis if such a schedule doesn’t already exist.
  • Shred paper! – Take time to look around your workspace for all the pieces of paper that have sensitive or patron data. Do you need that piece of paper anymore? If not, off to the office shredder it goes. Grab a coffee or a treat on your way back from the shredder while you’re at it – you earned it ☕🍫

We won’t judge you if you ultimately decide to spend your reclaimed hour sleeping in (or changing that fire alarm battery). Nevertheless, making a habit of regularly checking in with your privacy practices can save you both time and trouble down the road.

It’s Dangerous to Go Alone

A cross stitch of a pixelated which old man with a white beard flanked by two pixelated fires. A pixelated sword lies in front of the old man. Text in white above the scene "It's dangerous to go alone. Take This."
Image source: https://www.flickr.com/photos/12508267@N00/31229743046/ (CC BY 2.0)

Juan saw his recent promotion to Director of Access Services at Nebo University Libraries as an opportunity to change his library’s approach to patron privacy. However, Juan knew that becoming a manager of one of the largest departments in the libraries would not altogether remove the roadblocks he kept running into when he advocated for more robust privacy policies and practices as a staff member. Juan now had to figure out how to use his new position to advocate for the privacy changes he had been pushing for a long time…

Juan was one of the four fictional library workers introduced to participants in a recent library privacy workshop. Unlike the other three library workers, Juan was in a unique position. Instead of addressing privacy concerns with other academic departments or campus members, Juan focused on the library itself. When he was still staff, Juan had some limited success in getting better privacy protections at the library. Like many others, Juan ran into organizational roadblocks when changing privacy practices on a larger scale. Newly promoted and with new administrative political capital in the library, Juan thinks he’s in a better position to push for privacy changes throughout the entire library system.

However, Juan is not considering one essential thing – it takes much more than one person in a library to create a sustainable culture of privacy. Many of us have been in the same situation as Juan in going out on our own and pushing for privacy changes in our libraries. We do this on top of everything else that we are responsible for in our daily duties. Sometimes we rationalize this additional workload by bending and stretching existing job responsibilities without formally accommodating the new responsibilities. Other times, we deem privacy work so important that we are willing to sacrifice a portion of our well-being to ensure our patrons are protected (hello Vocational Awe). This might gain us a couple of small wins in the short term: a change in a departmental procedure or reducing the amount of data collected by a patron-facing application or system. However, the long-term reality is that these changes are not set up to be maintained because there is no sustainable system in place. Unless, of course, we as individuals decide to take on that maintenance – but even then, one person can only take on so much on top of their existing workload before everything starts to fall apart.

Creating sustainable privacy practices and programs in organizations requires at minimum two things: dedicated resources and dedicated people. Most libraries do not have these things, relying on existing staff and resources to make privacy happen. While libraries have historically been able to operate with this organizational kludge, changes to library operations and services in the last few decades have made this kludge not only ineffective but dangerous to both patrons and the library as an organization with regard to privacy risk and potential harms if those risks are realized. It is nearly impossible for patrons not to generate data in their library use, be it physical or online. Because so much of this generated data is collected by the library and third parties, even the routine act of trying to document the lifecycle of this data can be a monumental task if there is no dedicated structure in place for this work to be done sustainably.

Like many of us, Juan wants to protect patron privacy. Nevertheless, if he tries to go it alone and does not build the infrastructure to sustain privacy practices, his efforts will be short-lived at best. Privacy policies and procedures are part of that infrastructure, but they’re a part of the infrastructure that is dependent on the dedicated staff time and resources that are critical for sustainable practices. What are some of Juan’s options?

  • Create a centralized library data governance committee – Juan can’t do this work alone, particularly when his primary job responsibilities don’t include overseeing the library’s privacy practices. Creating a data governance committee would bring in both administration and staff from different areas of the library that work or use patron data to oversee data management, including data privacy and security. This committee would not only create and review privacy policies and procedures but would also serve as an accountability mechanism for when things go wrong or to ensure things get done. No one library worker would be solely responsible for the library’s privacy practices in this option, though Juan would need to ensure that participation in the committee does not become an undue burden for staff.
  • Advocate for a dedicated budget line for data privacy and security – There might already be data privacy and security resources available at the university, but those resources might not cover library-specific needs such as professional development for privacy training, consulting, or auditing. Some departments in the library might already have a dedicated budget line for privacy and security, such as Library Systems. Juan might want to talk to the department managers to determine if there might be a chance to collaborate in increasing funds to help fund data privacy and security activities in the library.
  • Advocate for a dedicated privacy staff position in the library – Even with a library data governance committee, ultimately, someone has to wrangle privacy at the library. Juan’s role might include some oversight of some privacy practices in Access Services; unless his job description changes, he cannot be the privacy point person for the entire library. Having a dedicated point person for privacy at the library would ensure that the data governance committee is kept on track in terms of being the data steward for the group. More importantly, it would also ensure that at least one person in the library has dedicated time and resources to track, manage, and address new and evolving data privacy risks and harms patrons face while using the library. While a full-time dedicated position to privacy is ideal, the budget might not support a new position at the time of the request. In that case, Juan might argue that he could be the privacy point person under the condition that he can shift his current responsibilities to other managers in Access Services. Nevertheless, Juan’s suggestion should only be a short-term workaround while the library works to find funding for a full-time privacy position.

All three options require some form of collaboration and negotiation with the administration and staff. Juan cannot realistically create these structures alone if he wants these structures to survive. It comes back to creating and maintaining relationships in the organization. Without these relationships, Juan is left on his own to push for privacy, which inevitably leads to burnout. No matter how passionate we are about patron privacy, like Juan, we must realize that we must not do our privacy work alone if we want our efforts to succeed.