Do These Three Things Today to Protect Your Patrons’ Privacy

Keeping track of the latest threats to patron data privacy and safety is easily a full-time job in quiet, uneventful times. Last week was neither quiet nor uneventful. From the possibility of increased cyber warfare in the coming weeks to the progression of anti-LGBTQIA+ and anti-CRT regulations in several US states, many library workers are rightfully feeling overwhelmed with the possible implications of these events on the patron’s right to privacy in the library. And all of this is happening while we are still in the middle of a pandemic!

This week we are going to help you, the reader, to take a moment to stop, breath, and orient yourself in light of the recent increase in threats to patron privacy. We have three things that you can do today that can get you started in protecting patron data privacy and security in light of recent events:

Reacquaint yourself and others on how to avoid phishing attemptsLibraries are no strangers in being the target of phishing attacks; however, with the possibility of increased cyber warfare, the phishing attempts will only increase. As we saw with Silent Librarian, phishers are not afraid to use the library as a point of entry into the more extensive organizational network to access sensitive personal information. The Phishing section of the Digital Basics Privacy Field Guide is an excellent way to spread awareness at your library if you are looking for a simple explainer to share with others.

(Bonus – turn on multi-factor authentication wherever possible! You can also include the Multi-Factor Authentication section from the Digital Basics Guide while talking to others in the library about MFA.)

Check if your library is holding onto circulation, reference chat, and search histories – By default, your ILS should not be collecting borrowing history, but the applications you use for reference services might have similar information. The same goes for your library’s catalog or discovery layer and logs that might be capturing searches from patrons in a system log. This data can be used to harm patrons, particularly patrons who experience greater harms when their privacy is violated, such as LGBTQIA+ students and minors. Check the system and application settings to ensure that your systems are not collecting circulation and search histories by default. Review the reference chat logs to ensure that personal patron data is not being tracked or retained in the metadata and the chat content.

(Bonus – If you find patron data that is not supposed to be there after checking and changing settings, make sure to delete it securely!)

Check your backups – You should be checking your backups regularly, but today is a good day to do an extra round of checks on your data backups:

  • Can you restore the system with the latest backup in case of a ransomware or malware attack? If you haven’t already tested your backups, you might run into unexpected issues in your attempt to restore your system after an attack. Schedule a backup test sooner than later if you haven’t restored from a data backup before to catch these issues while the system is still up and functional.
  • Where are your backups located? Having an offline copy can mitigate the risk of loss or destruction of all copies from an attack. You also want to ensure that the backup is securely stored separately from the system or application.
  • What data is being stored in the backups? Backups are subject to the same risk as other data regarding unauthorized access or government requests. This is especially important when these backups have personal data, such as a patron’s use of library resources and services. Adjust what data is being backed up daily to limit capture of such patron data and limit the number and frequency of full database backups.
  • How long are you storing backups? Backups can be used to reconstruct a patron’s use of library resources and services over time. We have to balance the utility of backups and data security and privacy; however, the longer you keep a backup, the less valuable it will be in restoring a system and the more the risk of that data being breached or leaked. The length of time you should retain a backup copy will depend on several factors, including if the backups are incremental or full and what type of data is stored in the backup. Nevertheless, if you are unsure where to start, review any backups older than 60 days for possible deletion.

(Bonus – if you’re not backing up your data, now would be a perfect time to start!)

Focusing on these three actions today will provide your library with an action plan to address the increased risks to patron data privacy and security in the coming weeks and months (and even years). Even though we focused on things you can do right now, don’t forget to include in your action plan how you will work with third parties (such as vendors) in addressing the collection, retention, and sharing of patron data! And as always, we will keep you up to date on the latest news and events impacting patron data privacy and security, so make sure you subscribe to our weekly newsletter to get the latest news delivered to your inbox.

Just Published – ALA Privacy Field Guides

Title covers of the seven Library Privacy Field Guides.

Readers of the Tip of The Hat might be familiar with the ALA Privacy Guidelines and Checklists or even use them in their library privacy work. Created in 2015, the Guidelines aim to assist libraries and library vendors in providing patron privacy guidance around library technology and services. The Checklists give more guidance in turning this guidance into actionable checklists for libraries to incorporate into their work. The Guidelines and Checklists have provided valuable advice and direction for many a library and library vendor alike throughout the years.

As the privacy needs of libraries change, so have the Guidelines and Checklists. Nevertheless, the growing complexity of privacy work means a new set of challenges for libraries to face. Alongside this increasing set of challenges is the need for a group of resources that are easy to understand and provide the tools necessary for library workers to advocate for privacy practices on all levels, from the public to administration to vendors. 

The Privacy Field Guides, an IMLS sponsored project in collaboration with ALA, aims to meet this need. These just-published guides offer practical guidance around major library privacy topics:

  • Data Lifecycles (If you’re familiar with our work at LDH, you might not be surprised that we helped out with the creation of this guide!)
  • Digital Security Basics
  • How To Talk About Privacy
  • Non-Tech Privacy
  • Privacy Audits
  • Privacy Policies
  • Vendors and Privacy

What sets these guides apart from other library privacy resources is that they serve as a starting point for library workers who are unsure where and how to start doing privacy work at their libraries. Each guide contains hands-on exercises where library workers can immediately impact how their library practices privacy. Does your library lack a privacy policy that patrons can easily read and understand? The Privacy Policy walks you through creating a draft privacy policy that is informative and readable for your patrons. The guides also provide talking points for library workers communicating about library privacy. How To Talk About Privacy focuses on building those talking points for a variety of audiences – be it patrons, administration, and everyone in between – but you will also find talking points in the other guides focused on specific topics, such as privacy in the vendor selection and contract negotiation processes or protecting patron privacy in physical library spaces.

These guides are a valuable addition to your library’s privacy toolkit and are a great way to start privacy discussions in your library. Take some time to go through the digital versions of the Field Guides and let us know what you think!

Before You Share a Patron’s Story, Part 2

A square white neon conversational bubble against a black wall.
Photo by Jason Leung on Unsplash

Welcome back to our series about responsibly sharing patron stories! Last week we talked about the importance of consent for libraries publishing stories about individual patrons. This week we get into the mechanics of consent and some of the complications around seeking consent to share particular stories.

A couple of housekeeping points before we get started:

  • This week’s post is pretty long! We decided to keep the post as-is instead of breaking it up into two more posts because we felt it essential to present the mechanics and complications of consent together in the same post.
  • We primarily focus on libraries sharing patron stories around events and services for marketing and outreach purposes. Consent also plays a critical role in library assessment and research. Though we will not cover specific issues around privacy and consent in this post’s assessment and research processes, we’ll touch on an overlap point between these two topics.

Asking for (Explicit) Consent

There are two types of consent. The first is implied consent. We encounter this through statements in public notices: “by using this service, you give us permission to use your posts, comments, and other content and likeness for…”. Many physical events still rely on implied consent through conspicuous signage depending on the intended use of the photographs and video and what is captured by the photograph or video (e.g., one patron vs. a group of patrons). Implied consent is passive, which means patrons have to seek out these notices and understand what they are consenting to by attending the program or using a service. Patrons might not even know that these notices exist, or they might not fully understand what might be shared by the library, leading to possible data and ethics breaches, among other consequences. Even when patrons share their own stories on library social media pages, some might not expect libraries to republish their stories in different mediums, such as an annual report or a fundraising campaign.

Instead, libraries should seek explicit consent, which requires affirmative action from the patron. When a library wishes to publicly share a story, quote, or other information about an individual patron’s library use, include at least the following in the ask to the patron:

  • Who you are
  • What information you wish to share and why
  • Where and who you want to share the information
  • How to contact you if the patron has any questions or concerns about sharing or privacy

The consent request should be informative and easy to understand. For example, a library can ask for consent to share patron feedback gathered through a program survey or evaluation form by creating a question asking the patron if the library has permission to quote the patron’s feedback in a library report or other publication. The library should also ask if the patron would like to have their name published alongside the feedback in case the patron would rather have their comment published without their name attached to it. In another example, the following is a sample message to a patron asking to share a patron’s post on the library’s social media page:

“Hello! I’m the outreach coordinator for the library. Thank you for sharing your story about our new service. Would it be okay to share your post in our weekly library newsletter to our patrons to show how other patrons benefited from our new service? Would you also be okay with being named along with the post in the newsletter? You can respond back to this message to us know if you would be okay with us sharing the post, and if you have other questions or concerns.”

However, if you wish to share the same story in the annual report, you will need to check back with the patron since the patron only gave explicit consent for publication in the newsletter. Reusing the story for the annual report without explicit consent can violate the patron’s expectations.

Gaining explicit consent can be more involved with events and programs, particularly when the event is being photographed and/or recorded for publication. Web-based programs and events might have consent features built into the application used to host the program, such as Zoom’s consent popup to users when a session is recorded. Physical events and programs can include consent forms before or at the event for presenters and attendees, particularly for individuals prominently featured in photographs or recordings of the event.

Consent Considerations Regarding Publishing Patron Stories

Some of you might notice one critical component missing in the earlier sample ask – the ability for the patron to withdraw their consent at any time. While libraries should honor the withdrawal of previously given consent when a patron requests that a library social media post mentioning them by name be taken down, the library must weigh potential consequences of making a patron’s use of the library public through sharing their story. The persistent nature of published information – physical or online – requires careful thinking and approach regarding sharing patron stories.

One consideration before asking for consent is the nature of the service or topic featured in the story or quote. Publicly associating an individual patron with a late evening study event at a college library does not carry the same potential harms and consequences as associating a particular patron who receives tutoring through a program at the same library. The latter could result in embarrassment and negatively impact relationships based on others’ perceived or actual judgment of the patron’s need for additional educational assistance while attending college. Some patrons in the latter group might be okay with the library sharing their comments about the tutoring program, and that’s okay! It is still the responsibility of the library to gain informed explicit consent before publication. The library should exercise caution with when and how they approach patrons in asking for their consent in publishing their stories depending on the sensitivity of the topic or service, particularly around any story that can reveal patron information about their identity or status, such as race/ethnicity, disability, or class status.

There are times when explicit consent cannot be not freely given. Sometimes this is because there are legal constraints as to the age where one can give consent (in the case of minors). Other times the power dynamic between people might compel or pressure someone to consent to something they wouldn’t have otherwise. Patron groups such as students, minoritized populations, and incarcerated people might feel compelled to consent based on the power dynamic between the individual and the library. Unlike research and assessment, where the Institutional Review Board (IRB) or ethics committee would address issues around consent with vulnerable participants, there might not be a formal process in place for marketing or outreach to locate and handle potential situations where patron consent is coerced, be it intentional or not.

For example, the public library is the only place to offer ESL classes in a rural town. The library reserves the right to use individual patron photos and stories from those classes for library publications. For a patron who is an undocumented immigrant, the publication of their personal data and likeness can put themselves and others in harm’s way. Because the library is the only place where they have access to ESL classes, the patron might feel compelled to consent to the library publishing their identifying photo or story in order to access a much-needed service.

In the example, the patron is likely to experience privacy harms – perceived or actual – through the library, not fully realizing the power dynamics that come into play when consenting to publish individual patron stories. Recognizing when patrons may not freely give consent can mitigate privacy harms. This recognition can also prompt a conversation about the intended purpose of publishing individual patron stories and the actual impact publication might have on the patron. When posting a feel-good patron story, good intentions do not cancel out the negative impact of exploiting specific patron stories (e.g., inspiration porn or performative allyship) for the library’s reputational or financial gain.

The Role of Consent in Sharing Patron Stories

Consent is vital in protecting patron privacy. Consent is also not an automatic “get out of jail free” card for the library when privacy harms are realized after publishing a patron story. Libraries need to recognize the importance of consent – as well as its limitations – in determining which patron stories to share with others. Consent gives patrons control over the “what and how” regarding the library sharing their story, but only if the consent is informed, explicit, and freely given. Taking the time and care around determining how to ask for consent can limit some of the potential pitfalls and limitations discussed earlier, such as recognizing when consent might not protect patrons from privacy harms or when consent might be coerced.

Some patrons are more than happy for the library to share their stories with the world, while others expect the library not to betray their rights to confidentiality and privacy. Nevertheless, libraries should not automatically assume that a patron sharing their story with others gives the library implicit permission to share on behalf of the patron. A patron might be comfortable sharing their story with others they know but might not be as comfortable if the library shared it with strangers. Having a consent process creates a check to protect patron privacy and not take advantage of the relationship the patron has with the library. The process of gaining informed, explicit, and freely given consent should not only take into consideration how the library can responsibly share a patron’s story with minimal privacy risk to the patron but feed into a larger conversation around patron control over how the library uses their information in both daily operations and public communications.

Before You Share a Patron’s Story: Part 1

A view of a street with the words "share with care" written on the pavement in white.
Image source: https://www.flickr.com/photos/4nitsirk/27234818658/ (CC BY SA 2.0)

We sometimes encounter a heartwarming story that restores a little of our faith in humanity during our regularly scheduled doomscrolling. In the library world, we commonly come across stories of people remembering the excitement they felt with getting their first library card or a book they checked out at the library that changed their lives for the better. Libraries also tell many heartwarming stories of how library services impacted patrons’ lives, be it homework assistance, language classes, or technology workshops. Sharing personal stories of how the library impacted the lives of patrons can not only provide a much-needed respite from doomscrolling and persuade the public by demonstrating the value libraries bring to their organization or community.

When Sharing is Not Caring, Depending on Who’s Doing The Sharing

Nevertheless, sharing individual patron stories about their library use is not without its risks. Take, for example, the now-deleted post from a university library telling a story about a student checking out books from the library for their mom during Covid lockdown. It’s a nice story, but one commenter asked if the library asked the student for their consent to publish their individual story. We soon learn afterward that the library fabricated the story. The library later explained that the fabricated story was an aggregation of personal stories from patrons.

Barring the issues around publishing a hypothetical story without clear disclosure that the story was not real, the problem of publishing individual patron stories is sometimes overlooked. Libraries must understand that a library sharing a personal patron story is different than a patron sharing the same story by their own volition in terms of privacy. These differences center around patron privacy expectations and consent.

Consent, or Why You Need to Ask Before Sharing

We know some patrons are eager to share their library stories with the world, and many of them do on their personal social media posts, talking with others, or even writing a friendly letter to the editor. What is the difference between a patron posting their story versus a library posting the same story? While the patron posting their own story is willingly sharing their story to the public, the library sharing the same story might violate the patron’s privacy rights. Library workers are obligated by professional standards, library policies, and legal regulations to not disclose patron use of library resources and services.

For example, if a patron finds that the latest post about a new service or resource in the library news blog features mentions them by name and the patron didn’t give the library permission to publish their name attached to the resource or service, the library committed two types of breaches: a data breach (through the unauthorized disclosure of data about a patron’s use of the library) and an ethics breach (through a patron’s expectations that the library would not share their activities at the library). Other examples of possible data and ethics breaches through library news posts and updates include:

  • Publishing historical checkout cards with patron names on the card
  • Posting historical reference questions that contain personal data about patrons
  • Announcing unscheduled library visits of notable people on social media or otherwise publicly broadcasting an individual’s presence at the library
  • Publishing identifiable patron stories and quotes (collected from surveys, feedback forms, focus groups, or individual interviews) in reports and research articles

There is one instance where a library sharing a patron’s story might not result in either breach, and that is when the library obtains the explicit consent of the patron to share their story. We’ll use GDPR’s definition of consent for this post – consent must be “freely given, specific, informed and unambiguous.” Asking consent gives the patron control over disclosing their use of library services and resources. It also allows the patron to choose what type of information is disclosed and where it is disclosed. One patron might be okay with the library posting their name and a quote about their experience at a library program. In contrast, another patron might be fine with the library posting a quote but not having their name attached to the quote. Each patron has their level of privacy preferences, and asking for consent informs the library what each patron is comfortable with in publishing their story. It is the responsibility of the library to respect the privacy preferences of each patron through the act of asking for consent.

The process of gaining consent to share patron stories might be as simple as sending a short message to the patron, but consent is much more than a “yes or no” question. Next week’s post will cover what explicit consent could look like depending on the ask. We’ll also discuss the considerations around the consent process around sharing patron stories, including one major consideration that tends to be missed in conversations about consent… you’ll have to check back next week to find out what that is, so stay tuned!