Upcoming Library Privacy Trainings

A grey and white tabby cat laying down on top of a binder of handwritten notes sitting on a table.
The cat wishes to discuss your professional development plans for 2021. Image source – https://www.flickr.com/photos/donabelandewen/3543134442/ (CC BY 2.0)

It’s already the second month of 2021 – have you had some time to figure out your 2021 professional development goals? Here are a couple of privacy training opportunities for you or to pass along to your colleagues! 

Library Data Privacy Fundamentals (February 16 – March 15, 2021) – This month-long course (taught by Becky Yoose of LDH) will go through the foundations of library data privacy for library workers who are new to the library world or wish to strengthen their core understanding of library data privacy. We’ll cover the basics of the data lifecycle, privacy policies and procedures, and vendor privacy management. The course will also explore the “what” and “how” in communicating privacy to both patrons and library colleagues, including administrators.

Library Freedom Project Crash Courses – The Library Freedom Project will be offering a pair of free two-month courses during the summer and fall of 2021. Their first Crash Course, Systems & Policies (May -June 2021), will dive into privacy and data governance policies, privacy audits, vendor privacy management, and working with IT. The second Crash Course, Programs & Training (September-October 2021) will cover how to teach privacy to patrons and library staff alike, including creating privacy programs. These courses are free, but there is an application process. Applications for both courses will open in March 2021.

PLP Data Privacy and Cybersecurity Training for LibrariesHello to all the Pacific Library Partnership (PLP) member libraries reading right now! You might have attended one of the trainings last year as part of the Data Privacy Best Practices for Libraries project. If you want to learn more about how to train your library in data privacy and security, you’re in luck – thanks to continued funding through LSTA, we are happy to announce our second year of the project and our Train-the-Trainer series!This year we are offering two month-long training series on Data Privacy (offered in March and April 2021) taught by Becky Yoose of LDH and Cybersecurity (offered in April 2021) taught by Blake Carver of Lyrasis.

Don’t fret if the course dates don’t work for you – we will keep you posted throughout the year of additional library privacy-related professional development. Stay tuned!

Privacy at ALA Midwinter – 2021 Recap

Logo for the 2021 ALA Midwinter Meeting and Exhibits.

Patron privacy had several moments in the spotlight at last week’s ALA Midwinter Conference. If you missed the conference or the news updates, no worries! Here are the highlights to help you catch up.

A big moment for privacy resolutions

ALA Council passed two major privacy resolutions during ALA Midwinter, moving the organization and the profession to make a more deliberate stance against surveilling library patrons through facial recognition software and behavioral data tracking. You can read the full text of the original resolutions at the end of the Intellectual Freedom Committee Midwinter Report, but here are the actions called for in each resolution:

Resolution in Opposition to Facial Recognition Software in Libraries

  1. opposes the use of facial recognition software in libraries of all types on the grounds that its implementation breaches users’ and library workers’ privacy and user confidentiality, thereby having a chilling effect on the use of library resources;
  2. recommends that libraries, partners, and affiliate organizations engage in activities to educate staff, users, trustees, administrators, community organizations, and legislators about facial recognition technologies, their potential for bias and error, and the accompanying threat to individual privacy;
  3. strongly urges libraries, partners, and affiliate organizations that use facial recognition software to immediately cease doing so based on its demonstrated potential for bias and harm and the lack of research demonstrating any safe and effective use;
  4. encourages legislators to adopt legislation that will place a moratorium on facial recognition software in libraries; and
  5. directs the ALA Executive Director to transmit this resolution to Congress. [This clause was removed by amendment before the final vote in Council]

Resolution on the Misuse of Behavioral Data Surveillance in Libraries

  1. stands firmly against behavioral data surveillance of library use and users;
  2. urges libraries and vendors to never exchange user data for financial discounts, payments, or incentives;
  3. calls on libraries and vendors to apply the strictest privacy settings by default, without any manual input from the end-user;
  4. urges libraries, vendors, and institutions to not implement behavioral data surveillance or use that data to deny services;
  5. calls on libraries to employ contract language that does not allow for vendors to implement behavioral data surveillance or use that data to deny access to services;
  6. calls on libraries to oversee vendor compliance with contractual obligations;
  7. calls on library workers to advocate for and educate themselves about library users’ privacy and confidentiality rights; and
  8. strongly urges libraries to act as information fiduciaries, assuring that in every circumstance the library user’s information is protected from misuse and unauthorized disclosure, and ensuring that the library itself does not misuse or exploit the library user’s information.

[Disclosure – LDH participated in the Behavioral Data Surveillance Resolution working group]

Each resolution is a strong indictment against surveillance technology and practices, but the resolutions will have limited impact if no further action is taken by the organization or its members. While ALA and its vast array of committees start updating and creating policies, standards, and guidelines to assist libraries in enacting these resolutions, individual libraries can use these resolutions to guide decision-making processes around these technologies on the local level. Library workers can use these resolutions to start conversations about how their libraries should protect patrons against these specific surveillance technologies and practices.

Dystopian future, or dystopian present?

The Top Tech Trends session explored the dystopian aspects of technologies including deepfakes, surveillance practices normalized during the COVID-19 pandemic, and the connection between prison libraries and biometric technologies. The recorded session is available to Midwinter registrants, but if you do not have access to the on-demand video of the session, the American Libraries article on the session summarizes each aspect and the impact it can have on patron privacy and the ability for libraries to serve patrons. Take a moment to read the summary or watch the session and ask yourself – Is your library on its way toward a dystopian tech future, or has it already arrived? What can you do to protect patrons against this privacy dystopia at the library?

Holiday Privacy Reads and Videos

A one eyed black cat with cartoon antlers sitting and looking up.

The Executive Assistant wishes all of our subscribers and readers a happy holiday season!

We will be back at the start of the new year; in the meantime, here are some videos and long reads to keep you company as we go on our holiday break:

Have a safe and healthy rest of 2020!

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction into data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy.  At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

News and Resource Roundup – Michigan Privacy Law Update, Privacy Literacy Toolkit, and Testing Your Infosec+Digital Literacy Knowledge

Welcome to this week’s Tip of the Hat! This week we bring you an important state legislative update, a resource guide, and three quizzes to start your week.

Michigan library patron data law amendment update

Last December LDH reported on SB 0611, an amendment that would considerably weaken Michigan’s library data privacy laws. The bill allows for libraries to release patron data to law enforcement without a court order:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

After almost a year of inactivity, the bill is now progressing through the state legislature. If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

Privacy literacy clearinghouse

If you are searching for resources or examples of privacy literacy instruction after reading our last post, you’re in luck! Digital Shred is a collection of teaching resources and case studies for anyone wanting to incorporate privacy literacy into their instruction work, from information literacy sessions to dedicated privacy workshops. Created and curated by Sarah Hartman-Caverly and Alexandria Chisholm, the authors of the article featured in the last TotH post, Digital Shred also provides another way to keep current on ongoing privacy and surveillance news and issues. Explore the site, and don’t forget to check out the teaching resources and materials for the privacy workshop series created by the authors!

Quiz time

The school year is in full swing, and students are now facing their first round of quizzes and tests. We want to share the pain joy of test-taking by highlighting three quizzes to test your information security – as well as literacy! – knowledge and skills:

  • Spot the Phish – This quiz tests how well you can spot a phishing email in the Gmail email service. While the focus is only on one email platform, the lessons here can apply to any email service!
  • Spot the Deepfake – Deepfakes are images or videos that have been altered to create a realistic image or recording of someone’s likeness doing or saying things that, in reality, did not happen. AI, machine learning, and other developments in technology have made it so that some deepfakes are almost indistinguishable from unaltered media. This quiz will test your observational skills along with your critical thinking by asking you which videos are deepfakes and which ones are the real thing.
  • Spot the Troll – our last quiz focuses on identifying which social media accounts are real, and which ones are fake. It’s not as easy as you’d think…

Ch-ch-ch-ch-changes…

Welcome to this week’s Tip of the Hat!

We’ve been busy the last couple of weeks with website and newsletter changes, and now with the dust mostly settled from these changes, we’d like to give you an update about these changes.

Newsletter changes

LDH has been sending newsletters to your inbox for almost a year and a half. While it’s a convenient way to receive the latest privacy updates, searching and linking to these posts were less than convenient. To make access to our privacy updates easier for our subscribers and to the general public, we are proud to launch our Tip of the Hat blog!

What does this mean for newsletter subscribers? You will still receive the latest posts in your inbox. The greatest change is the ease of searching and accessing older posts. The majority of the newsletter archive have now been migrated to the blog, where you can search the archive in multiple ways: free text search, tags, and categories. Each post also has a shorter, permanent URL for easier sharing with your colleagues. We hope that this new blog will give you easier access to all the privacy news you can use!

Website changes

In addition to the blog, LDH has updated our website, including:

  • Services – updated list of services LDH provides for clients and examples of previous client work
  • About – updated list of library privacy work in the field, as well as adding a personnel entry for our Assistant to the Executive Assistant

We’re always looking for ways to improve the website, including content offerings. What would you like to find on the LDH website? Let us know by sending an email to newsletter@ldhconsultingservices.com and we’ll take it from there.

New ALA Guidelines and Zoom Update

Welcome to this week’s Tip of the Hat!

In case you missed it – last week ALA announced a trio of new guidelines for libraries concerned with patron privacy during the reopening process as well as libraries who use security cameras at their branches:

Guidelines for Reopening Libraries During the COVID-19 Pandemic – Theresa Chmara, J.D. guides libraries with planning reopening procedures and policies, including requirements around wearing masks, health screenings of both patrons and staff, and contact tracing. While these guidelines are not legal advice, these guidelines should inform your discussions with your local legal advisors.

Guidelines on Contact Tracing, Health Checks, and Library Users’ Privacy – This statement from IFC reaffirms the importance of patron privacy in the reopening process, including giving newly published guidelines around contact tracing at the library. The statement also directs libraries to the Protecting Privacy in a Pandemic Resource Guide, which brings together several privacy resources for libraries to incorporate into their reopening processes, as well as the expansion of existing patron services to online.

Video Surveillance in the Library Guidelines – Libraries who use security cameras should review their existing policies around camera placement, recording storage and retention, and law enforcement requests for recordings considering the new guidelines. There are also sections around patrons filming library staff and other patrons which public libraries should review regarding staff and patron privacy and safety.

Take some time to review the above guidelines and discuss how these guidelines might affect your library’s reopening or use of security cameras in the building!

Zoom Update

Zoom reported that they will not provide end-to-end encryption for free-tier users so Zoom can comply with law enforcement. Now that you know how Zoom will respond to law enforcement requests, does their stance line up with your library’s law enforcement request policy, as well as your patron privacy policy? If not, how will your library adjust your use of Zoom for patron services? One option is to not use Zoom, but as we covered in previous newsletters, Zoom is arguably one of the user-friendly video conferencing software in the market. Nonetheless, there are alternatives out there that do a better job protecting privacy, including Jitsi. If you must use Zoom for patron services, check out the Zoom Security Recommendations, Settings List, and Resources document from LDH’s Remote Work presentation in April to help you secure your Zoom calls.

Choose Privacy Week Recap

Welcome to this week’s Tip of the Hat!

This weekend was hot in Seattle, with temperatures near 90 F. While the Executive Assistant took this time to bask in this heat, we at LDH tried to find a cool spot in the home office to work, away from the Executive Assistant’s gaze.

Last week was a busy week on the Choose Privacy Every Day site for Choose Privacy Week! Here’s what you might have missed:

  • Virtual Programming and Patron Privacy – Jaime Eastman along with the ALSC Children and Technology committee give much-needed guidance for library workers who are moving children-oriented programs and services online due to the pandemic. The post goes into the Children’s Online Privacy Protection Act (COPPA), and what library workers need to do to protect the privacy of children while keeping in compliance with COPPA. Bookmark the ALSC Virtual Storytime Services Resource Guide for additional guidance (coming soon!).
  • Protecting Privacy In A Pandemic: A Resource Guide – On Friday, May 8th, OIF hosted a Privacy Town Hall about patron privacy. While we wait for the recording of the Town Hall event, the blog post lists the main topics and resources covered by the panelists in the Town Hall.
  • When libraries become medical screeners: User health data and library privacy – Some libraries are now giving medical screenings to patrons who want to enter the library building. What privacy risks are there in collecting health data of your patrons? Read the article by LDH to find out why library workers might not be the best choice in handling health data.

Finally, if you have that one library privacy topic that you’ve been meaning to write about or if you want to share your privacy thoughts to a wide audience, Choose Privacy Every Day is looking for blog authors! There are some requirements for being an author for the blog, but this is a great opportunity to get your ideas and thoughts out into the library world.

That’s a wrap! Or, at least, the computer core temperature says it’s time to put the computer in the freezer. If you’re on the West Coast, stay cool, and for those of you who got snow on the East Coast, stay warm!

Week Roundup – In The News and What Would You Do?

Welcome to this week’s Tip of the Hat! Last week was a busy week. Here’s a recap of what you might have missed.

LDH in the News

What Would You Do?

One public library in New Jersey has been finding various ways to support their community while the library building is closed, but one strategy has started a debate on Library Twitter – using patron data to do welfare checks:

Recently, the Library decided to take more direct action to help the Roxbury community. Armed with its enormous patron database, library staffers are going through the list and, literally in descending order, calling the oldest and most vulnerable of Roxbury’s residents to inquire on their well-being, let them know someone cares and will listen, and when need be to connect them to vital resources to get them through this difficult time.

The article goes on to describe how this strategy led to an increase in requests for masks to be distributed by the library.

While this single instance seems to have had a positive outcome, the use of the data collected by the library to do wellness checks brings up the question of “we could, but should we?” concerning using patron data in this manner. Some of the issues and considerations brought up on Library Twitter include:

  • Scope creep – several library workers serve as de facto social workers in their communities. How can libraries in this position support their community while working with local community organizations and local government departments who are better suited for social work? How can this work be done while honoring patron privacy?
  • Data quality – the article stated that the library staff used the age listed in the patron database. How reliable is that data? ILS migrations and even the move to an automated library system can introduce data quality issues in the patron record, including age.
    • For example – one library that moved from a paper-based system to an ILS in the mid-1990s still found patrons whose birthdays were listed as the date of the migration years later.
  • Notice and consent – patrons have certain expectations when giving data to libraries. Some of these expectations come from what the library states in their privacy and confidentiality notices, as well as other communications to patrons from the library. It’s safe to say that libraries don’t list “wellness checks” in their patron privacy notices as one potential use of patron data. This gets into the issue of using data outside of the stated purposes when the data was exchanged between the patron and the library. Recent data privacy legal regulations and best practices address this by requiring businesses to inform about the new use and to get affirmative consent before using the data for said new use.

There are some other items brought up in the Twitter discussion, such as different expectations from patrons, the size of the community, and patron-staff relationships. Some patrons chimed in as well! Like many other real-world data privacy conundrums, this one is not as clear cut in terms of how to best approach addressing the issue at hand – making sure that patrons in under-supported or vulnerable community groups get the support that they need.

We want to hear from you – what would you do in this situation? Email us at newsletter@ldhconsultingservices.com and we’ll discuss the results in a future newsletter. We will not post names or institutions in the newsletter results, so email away and we’ll do the rest to protect your privacy as we discuss patron privacy. Let us know what you think!

Two Reasons to Celebrate Privacy This Week

Welcome to this week’s Tip of the Hat! This week marks two important dates. The first date is this Tuesday! Data Privacy Day is a worldwide event to raise awareness as well as promote data privacy practices. Some last-minute ideas to celebrate #DataPrivacyDay at your library can include:

  • Posts to your library’s blogs, news feed, or social media about how patrons can protect their privacy online and at the library. Not sure what to share with your patrons? The User Tools section on the Choose Privacy Everyday is a good place to start.
  • If you need a last-minute book/material display for your library, here is a list of materials from the Library Freedom Institute to help you seed your public display.
  • Cookies for your staff – with a catch, of course. If your library has a staff room or area, bring in some cookies to share and place some information about web trackers and cookies alongside the actual cookies.
  • Consider distributing How Did We Get Here?: A Zine About Privacy at the Library at your library, and have a brown bag lunch (or better yet, provide lunch) discussion about privacy practices at the library.
  • If you work with students, or if you have a student in your household (or if you’re a student yourself!), read up on students and privacy at https://studentprivacy.ed.gov/.

The second date marks the first anniversary of LDH Consulting Services! We launched at Midwinter 2019, aiming to provide libraries and library vendors guidance on all things library data privacy. It’s been a busy year getting the word out at our first ALA Annual, as well as word of mouth and this newsletter. This first year saw many training sessions, legislation reviews, and even a guest lecture or two! Thank you to everyone – our clients, supporters, newsletter subscribers – for helping LDH through the first year. We hope to serve the library and vendor community in protecting patron privacy for years to come.

Speaking of serving – LDH is still accepting projects and clients for Summer and Fall of 2020. We have a variety of training offerings for staff, including data lifecycle management, vendors and privacy, privacy impact assessments, and implementing privacy at your organization. LDH can also help you keep track of developing data privacy regulations in your state! With California’s new data privacy law in effect, many other states are looking to implement similar laws that can impact how libraries do business with vendors concerning patron privacy. If your organization needs that initial push in adopting best privacy practices or a review of existing privacy policies and practices, LDH is more than ready to help with that push.

The majority of our clients come to LDH through word of mouth, so we appreciate you all telling your colleagues about LDH and our services!