Training is Only One Part of the Library Privacy Equation

Wouldn’t it be nice if you never had to take another work-mandated training ever again? No more blocking off an entire day to sit in a stuffy, windowless room, squinting at slides that are barely readable because the lights were left on, and straining to hear what the trainer is saying. And even with the pandemic taken into account, do you really want to sit through a day-long Zoom training session instead?

If you said no to either question, you’re in good company. Depending on who you ask, training is either a critical component of the workplace or a bureaucratic hurdle. Training quality differs widely from workplace to workplace: some sessions are well designed and practical, while others fail. Nevertheless, training serves several critical functions in any organization, and library privacy training is no exception:

  • Orienting workers to library privacy policies and procedures
  • Providing opportunities for practicing specific procedures or skills in a controlled environment through the use of scenarios and other exercises
  • Ensuring a baseline knowledge of library privacy codes, ethics, and standards
  • Developing new or updating existing knowledge or skills around protecting patron privacy

Privacy protections are only as strong as the people who know the least about them. Untrained or undertrained library workers create additional risk to patron privacy when they do not understand or follow policy and procedure. Regular, up-to-date training of library workers reduces that risk for patrons and library alike.

With that said, training can only do so much to protect patron privacy. Training is only one part of a comprehensive approach to library privacy. On its own, privacy training, no matter how well designed, cannot reduce or eliminate all privacy risks. Training alone is ineffective when a tool, policy, or procedure is inherently privacy-invasive. Training will not fix the flawed policy, procedure, or tool; as long as the invasiveness is left unaddressed, the bad design will keep producing the same results. If a process repeatedly leaks patron data or grants unauthorized access to it, for example, and the library makes no dedicated effort to change that process, training cannot address the risk in any fundamental way.

You might be thinking that training could at least bring such a process to the library’s attention, but this is where we have to confront the uncomfortable truth about privacy training. Library privacy training is only as effective as the resources and staff time the library dedicates to protecting patron privacy in its operations. If the only dedicated resources and staff time go into creating and conducting privacy training, library workers are left trying to implement what they learned without the support they need to actually reduce privacy risks in their daily work. For example, a library privacy training that teaches library workers to write a privacy policy might produce a policy that the library then adopts. But what happens afterward? Someone has to ensure that library procedures line up with the privacy policy. The policy also has to be communicated to patrons in a form they can easily find and understand, and that takes time and resources the library has to provide. Where is the time to review vendor contracts and privacy policies for misalignment with the library privacy policy, and how will library workers raise those risks with vendors if no time is dedicated to this work?

Without the organization’s support, the effectiveness of library privacy training is limited at best. Over-relying on privacy training to protect patron privacy is like waiting until the end of a project to address privacy risks: attempts to mitigate risk are hampered by a lack of resources and time, and they will most likely not solve fundamental issues inherent in the end product’s design. Just as Privacy by Design builds privacy into a project from the start, a privacy program that prioritizes privacy at all levels of library operations and services can systematically address these fundamental privacy issues. Unlike training, privacy programs focus on the long term: what resources are needed to embed privacy into every level of library work? How can we build a sustainable relationship with our patrons to address their privacy concerns? How can patrons have more agency in determining how the library does privacy?

Library privacy requires every part of library operations to prioritize privacy. Strong privacy policies, privacy-preserving technologies, vendor contract negotiations and privacy assessments, privacy audits, data inventories: these are only some of the things libraries need to do to better protect patron privacy. Training is part of that library privacy equation, but without dedicated resources and time for a sustainable library privacy program, training alone cannot protect patron privacy.

So, What’s Going On With Data Privacy Regulation Nowadays?

An adult white woman wearing a black dotted white shirt and jeans stands facing a white wall with black text. The text lists and describes the five data privacy principles by Mozilla: sensible settings, no surprises, defense in depth, user control, and limited data.
Image source: https://www.flickr.com/photos/vintagedept/15704560667/ (CC BY 2.0)

Welcome to the first post of the year! We hope you all had a restful holiday break. Now that most of us are back, it’s time to figure out what exactly is going on and what to expect in the new year.

2022 is shaping up to be another busy year for privacy professionals. Much of that work will involve tracking data privacy regulations worldwide, from China’s new data protection law (PIPL) to India’s proposed changes to its Personal Data Protection bill. News from the EU about GDPR violations and fines is steady and will continue throughout the year. The EU is also poised to introduce more data regulations, including regulations on AI and cybersecurity.

While other countries are implementing and revising data privacy regulations, the US remains in a perpetual cycle of failed data privacy and security bills. A glance at the US State Privacy Legislation Tracker shows that although 23 states introduced data privacy bills last year, Virginia and Colorado were the only states to sign a bill into law in 2021. Some states, including LDH’s home state of Washington, failed to pass multiple data privacy bills, among them bills that had been re-introduced after failing in previous sessions.

At the federal level, several data privacy and security bills, such as the Data Care Act of 2021, the Mind Your Own Business Act of 2021, and the Children and Teens’ Online Privacy Protection Act, remain active; however, there is no strong indication of their fate in the current session of Congress. Comprehensive data privacy and security legislation, such as the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act and the Consumer Data Privacy and Security Act of 2021, remains in committee. Again, there is no firm indication that either of these comprehensive bills will become law in 2022.

Where does all of this leave US libraries and library vendors? Internationally, updates to data privacy regulation will mean more changes for vendors that fall within the scope of those regulations. The upcoming data initiatives in the EU, for example, can affect the data privacy practices of library vendors and other organizations that fall under GDPR. In addition, as was the case with GDPR, international data privacy regulations can influence the overall shape of data privacy legislation in the US. Nevertheless, the US continues to march to the beat of its own drum, still relying on a sectoral approach to data privacy regulation while states try to work out comprehensive data privacy regulation on their own terms.

Most of the existing comprehensive data privacy regulations, like CCPA and VCDPA, target for-profit organizations and/or organizations that meet specific revenue or data-sharing/selling thresholds, leaving most libraries outside the scope of these laws. Just because libraries are not currently required to comply with these laws does not mean they are unaffected by this patchwork approach to data privacy in the US. While GDPR affected some libraries through their parent institutions (such as higher education institutions with campuses or partnerships in the EU), most libraries have probably noticed changes in library vendor services throughout the year as vendors work toward CCPA compliance. Some of these changes include allowing patrons to request a copy of the personal data the vendor holds about them in its systems. If other states pass data privacy bills, libraries should expect further changes in how vendors handle data privacy, regardless of where in the US the library is located.

In short, the data privacy regulation landscape for 2022 looks a bit like 2021: a lot of legislative activity, with no certainty that the activity will lead to actual regulation. As always, LDH will keep you up to date on data privacy regulations that will affect libraries and library vendors. In the meantime, libraries should continue to work with vendors not only to ensure compliance with specific data privacy regulations but to go beyond a compliance-only approach and better protect patron privacy at the library.