We made it! We’re coming to you from our new server home. We’re still settling in, so please let us know if you come across something that isn’t quite working on the website. If you are one of our email subscribers and find this post in your spam box, you can add firstname.lastname@example.org to your contacts list to help prevent future emails from being banished to the spam folder.
Now that the dust has settled, we regret to inform you that summer is almost over. Schools are back in session, summer reading programs are wrapping up for the season, and a new batch of LIS students are starting their first semester of library school. We also regret to inform you that the pandemic is still hanging in there, adding its own layer of stress and uncertainty on top of everything else.
Uncertainty is hard to plan for, even in non-pandemic times. Libraries with plans for phasing back in-building services find themselves changing those plans daily to keep up with changes in health ordinances, legal regulations, and parent organizational mandates. We find ourselves back in the first few months of the pandemic, scrambling to figure out what to do. Then again, we haven’t stopped scrambling throughout the pandemic to find ways to provide patrons services that won’t put both patrons and library workers at risk.
Risk assessment and management are exercises in dealing with uncertainty. We like to have neat solutions to neat problems; risk management tells us that problems are much messier and are less likely to be solved with neat solutions. Take, for example, four common responses used in determining how to manage risk:
- Accept – Choosing to accept the risk, usually done in cases where the cost of the realized risk is less than the cost of addressing the risk
- Transfer – Shifting the risk to another party (another person, group, or tool) who is better situated to manage the risk
- Mitigate – Adding checks or controls to limit risk in a particular situation
- Eliminate – Changing something to remove or avoid the risk
Some of you might be surprised that the last response, eliminate, is not the primary goal in risk management. This is partly due to the level of control we have in the situation that presents the risk. We cannot eliminate some risks due to, well, pandemic, while others are unavoidable due to the nature of our work – where we work, operational needs, external needs/pressures, and so on. In those instances where we cannot entirely eliminate the risk, we can still have some control over our response to the risk, particularly with mitigating or transferring the risk.
While we cannot eliminate all risks in our libraries around the pandemic’s uncertainty, we can still work toward identifying and managing risks that we have more control over, including those risks around patron privacy. Here are a few resources to get you started on managing patron data privacy risks:
- A Practical Guide to Performing a Library User Data Risk Assessment in Library-Built Systems
- The Privacy Impact Assessment (PIA) template files from the Data Privacy Best Practices for Libraries project
- The Library Privacy and Vendor Management Training Series from the Data Privacy Best Practices for Libraries project
- Our “risk” tag on the blog
By focusing on risks that we are better situated to address through transference, mitigation, and elimination, we can avoid the inertia that comes with being overwhelmed by risks we have less control over. It might seem like arranging the deckchairs on the Titanic, but living with so much uncertainty in such a short time can short-circuit our ability to identify and manage risk, particularly when we are not trained to manage risk during long periods of heightened uncertainty. If you find yourself at that point, you can take advantage of the start of the fall season to reset the privacy risk management button: make a list of privacy risks outside your control and a list of risks that you or your library are better able to manage. You might not be able to identify all the risks in one sitting, and that’s okay. If you are struggling to identify risks that you or your library can manage, revisit the earlier resources to help you through the process.
Managing risk requires accommodating uncertainty and variations of the same risk. Risk likelihoods and severity can change without notice. Risks also have different severity, harms, and likelihoods for different people – what might be a low harm risk for one person might be a risk that has more significant harms for another. Risk management strategies help wrangle this uncertainty by providing some structure in responding to the uncertain nature of risk. While we can’t eliminate uncertainty, we can be better prepared to manage uncertainty in parts of our lives, such as our work that affects patron privacy.