
Tip of the Hat

26 September 2020

COVID-19 Updates And More Privacy Considerations

Welcome to this week’s Tip of the Hat, everyone.

It's been a week for many of us as COVID-19 rapidly changed both work and personal lives. During the last newsletter, public events were still going on, schools and libraries were still open, and we were not in a pandemic. This newsletter is being composed in a completely different world in Seattle – closed schools and libraries, canceled events, and the realization that COVID-19 is much more widespread than previously thought.

This week, many libraries are closed to the public, while other libraries that are still open are being pressured to close to protect the health of their staff. This means staff might be working from home for the first time, or are trying to move in-person library instruction online. The Library Freedom Project provides a good list of privacy considerations for online instruction. Academic and school libraries should also be aware of the updated guide on FERPA and COVID-19 and how student privacy is impacted by the COVID-19 pandemic. In the general world, healthcare professionals, as well as employers, are struggling to find a balance between personal privacy and disclosure in the context of HIPAA regulations.

The rapid developments of last week also presented a challenge: how do you protect privacy while at the same time keeping up with changes at work? Many work-from-home arrangements were hastily put together with less than 24 hours’ notice, leaving IT departments scrambling to figure out whether VPN or other remote access to staff systems can handle the increased user traffic. In that scramble, IT staff might not realize that the remote access method has a vulnerability, such as an unknown open port, or that it provides access to internal applications without special logins or IP restrictions. IT staff should ensure that only staff can access work systems and network drives, including requiring VPN use to access these places as well as additional authentication and user access rules. In short, IT staff have their work cut out for them in the next few weeks. Nonetheless, many guides have been published in the last week, like this one from the NC Department of Information Technology, on what people working from home can do to protect their digital privacy and security.

On the public services side, online communications between staff might take a variety of forms, from an increased number of emails to online web conferencing. If the organization doesn't offer an online group collaboration platform, like Microsoft Teams, staff might turn to free third-party applications, such as Slack, Discord, or your tried and true suite of Google products. Patron privacy might be compromised if patron data is shared on unsecured applications, or in places that are subject to a public records disclosure request. Therefore, it's a good time to remind everyone to keep patron privacy in mind while working from home, including limiting the storage and communication of patron data to secure communication channels controlled by the organization.

It's impossible to keep track of every COVID-19 development, and libraries have struggled to respond to these changes. With more libraries closing and trying to keep staff busy, we cannot forget that the choices we make during the COVID-19 pandemic will have long-lasting consequences on data privacy for some time to come. It's hard to step back and take a breath to reassess where everything stands on patron privacy, but it's worth the effort to take a few moments to go through the library's response so far and ask how each response might put patron privacy at risk.

A note about LDH services during this time

As with other small businesses in the US, business at LDH has been impacted by COVID-19. While we are unable to offer in-person trainings at this time (social distancing!), we do offer a number of online services:
  • Customized online training on privacy topics including:
    • privacy in the patron data lifecycle
    • operationalizing privacy policies, procedures, and practices
    • vendor privacy management
    • privacy assessments
  • Reviews of existing privacy policies and procedures at your organization, identifying possible patron privacy risks, and exploring ways to mitigate those risks.
  • Informational legal regulation reviews/scans of current privacy regulations that could affect your organization or your vendors. In short, while I'm not a lawyer, I can help you talk to your lawyer about library privacy.
Please let me know if you have any questions, or would like to discuss other ways in which LDH can meet your privacy needs during this time.
Have a question or topic that you want us to write about? Email us at newsletter@ldhconsultingservices.com!