Training is Only One Part of the Library Privacy Equation

Wouldn’t it be nice if you never had to take another work-mandated training ever again? No more having to block an entire day off to head over to sit in a stuffy windowless room trying to focus on the training slides while all the lights are still on, making the projection barely readable, and you can barely make out what the trainer is saying? Even when you take the pandemic into account, do you really want to sit through a day-long Zoom training session?

If you said no to either question, you’re in good company. Training is either a critical component or a bureaucratic hurdle in the workplace, depending on who you ask. Training quality widely differs from workplace to workplace. Some training sessions are well designed and practical, while others fail. Nevertheless, training serves several critical functions in any organization, including library privacy training:

  • Orienting workers to library privacy policies and procedures
  • Providing opportunities for practicing specific procedures or skills in a controlled environment through the use of scenarios and other exercises
  • Ensuring a baseline knowledge of library privacy codes, ethics, and standards
  • Developing new or updating existing knowledge or skills around protecting patron privacy

Privacy protections are only as strong as those who have the least amount of knowledge about those protections. Lack of training or undertraining library workers creates additional risks to patron privacy through not following or understanding policy or procedure. Regular up-to-date training of library workers reduces that risk to patrons and library alike.

With that said, training can only do so much in protecting patron privacy. Training is only one part of a comprehensive approach to library privacy. On its own, privacy training – no matter how well-designed – cannot reduce or eliminate all privacy risks. Training alone is ineffective when a tool, policy, or procedure is inherently privacy-invasive. Training will not solve the flawed policy, procedure, or tool – as long as the invasiveness is left unaddressed, you’ll continue to see the same results from said bad design. If there is a process that repeatedly leaks or provides unauthorized access to patron data, for example, and there is no dedicated effort on the part of the library in changing this process, training will not fundamentally address the risk to the fullest extent possible.

You might be thinking that training could bring a library’s attention to the risks of such a process, but this is where we have to confront the uncomfortable truth around privacy training. Library privacy training is only as effective as the lowest number of resources or staff dedicated to protecting patron privacy in library operations. If the library only spends dedicated resources and staff time in creating and conducting privacy training, library workers are left trying to implement what they learned in training without the support needed to have a chance to succeed in reducing privacy risks in their daily work. For example, a library privacy training that teaches library workers to write a privacy policy might produce a policy that the library can then adopt. But what happens afterward? There needs to be support in ensuring that library procedures line up with the privacy policy. The privacy policy also needs to be communicated to patrons – how can a library do that effectively so that patrons can easily access and understand the policy without being given the required time and resources to do the necessary work? Where is the time to review vendor contracts and privacy policies to identify misalignment with the library privacy policy, and how will library workers address these risks with the vendors if they cannot get the time dedicated to this work?

Without the organization’s support, the effectiveness of library privacy training is limited at best. Over-relying on privacy training to protect patron privacy is like waiting to address privacy risks at the end of a project – attempts to mitigate risk will be hampered by a lack of resources and time. It will most likely not solve fundamental issues inherent in the end product’s design. Like Privacy by Design in project management, a privacy program prioritizing privacy in all levels of library operations and services can systematically address these fundamental privacy issues. Unlike training, privacy programs focus on the long term – what resources are needed to embed privacy into every level of library work? How can we build a sustainable relationship with our patrons to address their privacy concerns? How can patrons have more agency in helping with determining how the library does privacy?

Library privacy requires every part of library operations to prioritize privacy. Strong privacy policies, privacy-preserving technologies, vendor contract negotiations and privacy assessments, privacy audits, data inventories – these are only some of the things that libraries need to do to protect patron privacy better. Training is part of that library privacy equation, but without dedicating resources and time to a sustainable library privacy program, training alone cannot protect patron privacy.

So, What’s Going On With Data Privacy Regulation Nowadays?

An adult white woman wearing a black dotted white shirt and jeans stands facing a white wall with black text. The text lists and describes the five data privacy principles by Mozilla: sensible settings, no surprises, defense in depth, user control, and limited data.
Image source: https://www.flickr.com/photos/vintagedept/15704560667/ (CC BY 2.0)

Welcome to the first post of the year! We hope you all had a restful holiday break. Now that most of us are back from our holiday break, it’s time to figure out what exactly is going on and what to expect in the new year.

2022 is shaping up to be another busy year for privacy professionals. A lot of that work will be around tracking data privacy regulations worldwide, from China’s new data protection regulation (PIPL) to India’s proposed changes to their Personal Data Protection bill. News from the EU is steady with GDPR violations and fines and will continue throughout the year. The EU is also poised to introduce more data regulations, including regulations around AI and cybersecurity.

While other countries are implementing and revising data privacy regulations, the US remains in a perpetual cycle of failed data privacy and security bills. A glance at the US State Privacy Legislation Tracker shows that despite 23 states introducing data privacy bills last year, Virginia and Colorado were the only states to sign a bill into law in 2021. Like LDH’s home state of Washington, some states failed to pass multiple data privacy bills, including bills that were re-introduced after earlier attempts to pass the same bill in previous years.

On a federal level, several data privacy and security bills – such as the Data Care Act of 2021, the Mind Your Own Business Act of 2021, and the Children and Teens’ Online Privacy Protection Act – remain active; however, there is no strong indication about the fate of these bills in the current session of Congress. Comprehensive data privacy and security legislation, such as the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act and the Consumer Data Privacy and Security Act of 2021, remain in committee. Again, there’s no firm indication if either of these comprehensive bills will become law in 2022.

Where does all of this leave US libraries and library vendors? Internationally, data privacy regulation updates will mean more changes for vendors who fall within the scope of said regulations. The upcoming data initiatives in the EU, for example, can impact the data privacy practices of library vendors and other organizations that fall under the scope of GDPR. In addition, as was the case with GDPR, international data privacy regulations can influence the overall shape of the data privacy legislation in the US. Nevertheless, the US continues to march to the beat of their own drum, still relying on a sectorial approach to data privacy regulation, with states trying to figure out comprehensive data privacy regulation on their terms.

Most of the existing comprehensive data privacy regulations, like CCPA and VCDPA, target for-profit and/or organizations that meet specific revenue or data sharing/selling thresholds, leaving most libraries outside of the scope of these laws. Just because libraries are not currently required to comply with these laws does not mean that they are not impacted by this patchwork approach to data privacy in the US. While GDPR impacted some libraries via their parent institutions (such as higher education institutions with campuses or partnerships in the EU), most libraries have probably noticed changes with library vendor services throughout the year as vendors work toward CCPA compliance. Some of these changes include allowing patrons to request a copy of the personal data the vendor has in their systems. If other states pass data privacy bills, libraries should expect additional change concerning how the vendor handles data privacy, regardless of where the library is located in the US.

In short, the data privacy regulation landscape for 2022 looks a bit like 2021 – a lot of legislative activity, but we’re not sure if that activity will lead to actual regulation. As always, LDH will keep you up to date on data privacy regulations that will impact libraries and library vendors. In the meantime, libraries should continue to work with vendors in not only ensuring compliance to specific data privacy regulations but going beyond a compliance-only approach to better protect patron privacy at the library.

Holiday Break Privacy Reads

The Executive Assistant wishes everyone a happy Festivus season! It’s time to gather around the Festivus pole for the Airing of Grievances, in which we suspect there are many grievances to be aired given how 2021 played out. Nevertheless, a new year brings new opportunities and fewer grievances – unless you’re the Executive Assistant. There is the perpetual grievance of not having enough tuna in the office.

A black and white picture of a one-eyed black cat sitting on a carpeted floor, with a fur-covered cat toy ball by her tail. The cat is adorned with neon reindeer antlers and ears.
“Grievances? I have many…”

We will be back after the New Year. We have you covered if you need some privacy reads and videos to tide you over the holiday break. 2021 has been a hectic year in the privacy world, and while we covered a lot in the blog this year, there’s a lot more that we didn’t get to in our posts. Here are some of the reads that you might have missed this past year:

Have a safe and quiet rest of 2021, and we’ll see you next year!

There’s a Post About That!

There’s a saying that makes the rounds at the LDH office – “same problems, different day.” While there is no shortage of unique and exciting privacy challenges out there, eventually there will be a version of a previous privacy issue we dealt with in the past that pops up in our daily work. The same goes for the general privacy discourse in the library world. It’s been a busy couple of weeks in the library discourse where we see versions of the same topics and issues discussed in the past. It can feel like we’re stuck in a time loop, reliving the same conversations.

Bill Murray from the movie Groundhog Day reporting on the holiday celebrations in a small town - "Well, it's Groundhog Day... again."
We know we’re a couple months away from Groundhog Day, but still…
GIF source – https://giphy.com/gifs/pr-13USAwkGCTd6xy

Luckily, this gives LDH the opportunity to highlight relevant posts from the Tip of The Hat! Whether you missed the posts the first time around or are looking to revisit some of our older content, the newsletter-turned-blog has covered a lot of ground in the library privacy world. Let’s take some time to review some of those posts as the library world revisits several privacy conversations this week.

Mergers and Acquisitions and Consolidation oh my!

It’s official – Clarivate’s acquisition of ProQuest is finally complete, furthering the consolidation of the library vendor marketplace. The acquisition isn’t the first one that led many in the library community to worry about the consequences of having only a handful of companies controlling the marketplace and what effects this consolidation would have on data privacy. In addition, there’s the practical concern of what exactly happens to patron data when a business is acquired or goes bankrupt. Here are some previous posts that touch on the relationship between vendors and library data privacy:

The Library Privacy Trope That Never Dies

Libraries full of dusty books. Librarians reading all day on the job. Librarians shushing patrons. No matter where you go, there’s always a version of one of these tropes whenever libraries come up in the conversation. Most of the time, you find these tropes being brought up by people who don’t work at libraries, from news reporters with cringeworthy article openers (“Libraries are no longer for books!”) to everyday conversation (“library quiet”). However, sometimes libraries themselves indulge in using library tropes for their own purposes. This week was no different, with a social media account for a public library system in the US creating a meme about how the library doesn’t track patron use of library materials.

Longtime readers of the blog might recall our library privacy trope post from last year detailing the dangers of the trope to libraries and patrons. While the profession has a strong ethical mandate to protect patron privacy, including patron data, the reality is that libraries are subject to the same data privacy constraints and issues that show up in any other industry. For example, libraries and their vendors keep track of which patrons use specific resources and services. A library failing to let patrons know how the library or vendor collects, processes, and shares patron data or misrepresents library data privacy practices in communications to patrons is at risk of an ethics breach, losing the trust of their patrons.

While it might be fun to poke fun at the data privacy practices of commercial companies, libraries are best served to remember that they are not above engaging in the same privacy-invasive practices as their commercial counterparts. Case in point – the growth of customer relationship management systems in libraries and how the use of a CRM led a library to be investigated by a civil grand jury. Another case in point – many libraries still use Google Analytics to track patron use of the library website. In any case, meme responsibly.

When Privacy and Security Become a Barrier unto Themselves

A recent Twitter thread touched on many patrons’ struggles with multifactor authentication and how library workers encounter this struggle daily. Take some time to read the thread and the replies. It is a good reminder that not all privacy and security controls work for everyone. In some cases, these controls create barriers to using the library. If the library or vendor requires all patrons to use multifactor authentication for library resources or services, these controls can disproportionately affect patrons who, for example, do not have reliable access to a mobile phone or have limited phone service.

Privacy and equity are not mutually exclusive. Sometimes the choices libraries make can put some patrons in a bind, particularly when libraries move core services to newer platforms that collect more data about patron use of the service than before. Our post about ethical design in library privacy practices is a good starting point to consider how to center patrons in how your library approaches patron services and programs.

[Related – sometimes your data privacy and security policies for staff are a liability in themselves! We touched on this liability last October when discussing administrator privileges on work computers. As you think about what data privacy and security measures to put in place at your library, take some time to think about the costs and benefits of each measure. Sometimes it’s better – both for the bottom line and for data privacy and security – to accept certain risks.]

Libraries (and Archives) as Information Fiduciaries? Part Three

A collection of football tickets and postcard invitations in a clear archival sleeve.
Image source: https://flickr.com/photos/27892629@N04/15959524202/ (CC BY 2.0)

Welcome back to the third installment of the information fiduciaries and libraries series! It’s been a while since we explored the concept of libraries acting as a trusted party managing patron personal data. Thanks to Tessa Walsh’s recent demo of Bulk Reviewer, we got the nudge we needed to tackle part three of the series. You can catch up on Parts One and Two if you need a refresher on the subject.

Managing Personal Data in a Collection

We left off the series with the question about what happens to a library’s information fiduciary role when the personal data it is entrusted with is part of the collection. The relationship between the personal data in the collection, the person, and the library or archive is not as straightforward as the relationship between the library and the patron generating data from their use of the library. Personal papers and collections donated to archives contain different types of personal data, from financial and medical to personal secrets. What happens in the case where a third party donates these papers containing highly personal information about another person to a library or archive? In the case of a person donating their documents, what happens when they have personal data of another person who may not have consented to have this data included in this donation? Moving from the archive to the institutional repository, what happens when a researcher submits research data that contain identifiable personal data as part of a data set, be it a spreadsheet that includes Social Security Numbers or oral histories containing highly personal information about a living person?

As you probably already guessed, these complications are only the start of the fiduciary responsibilities of libraries and archives surrounding these types of personal data. We’ve covered redacting PII from digital collections in the past, but redaction of personal data to protect the privacy of the people behind that data only addresses a small part of how libraries and archives can fulfill their information fiduciary role. Managing personal data in collections requires managing data in the best interests of the library/archive and the person donating the materials and the best interests of the people behind the personal data included in that donated material, which may not be the same person as the donor.

Thankfully, we don’t have to navigate this complex web of relationships to determine how to manage the collection with the best interest of the people behind the data. The Society of American Archivists’ Privacy & Confidentiality Section can help libraries and archives manage personal data in their collections. If you are looking for documentation around privacy in archives, check out the documentation portal. Have too many types of personal data to know where to start? The section’s bibliography can lead you to the right resources for each major type of personal information you have in your collection. Perhaps you want to know more about current issues and concerns around personal data in collections. The RESTRICTED blog has you covered, alongside webinars such as Tessa’s demo of Bulk Reviewer mentioned at the start of this post. We highly recommend checking out the mini-blog series from Heather Briston, following up on her webinar “It’s Not as Bad as You Think – Navigating Privacy and Confidentiality Issues in Archival Collections.”

Beyond the section, you also might find the following publications helpful in determining how your library or archive should fulfill their responsibilities to the people behind the data in your collections:

  • Botnick, Julie. “Archival Consent.” InterActions: UCLA Journal of Education and Information Studies 14, no. 2 (2018). https://doi.org/10.5070/D4142038539.
  • Mhaidli, Abraham, Libby Hemphill, Florian Schaub, Cundiff Jordan, and Andrea K. Thomer. “Privacy Impact Assessments for Digital Repositories.” International Journal of Digital Curation 15, no. 1 (December 30, 2020): 5. https://doi.org/10.2218/ijdc.v15i1.692.

This is only a small selection of what’s available, but the Privacy & Confidentiality Section’s resources are an excellent place to start to untangle the complex web of determining what is in the best interest of all parties involved in managing the personal data in your collections.

Before we end our post, there is one question that a few of our readers might have – can archivists guarantee the same level of confidentiality as lawyers or doctors can in protecting personal information in legal matters?

A Question of Archival Privilege

Some of our readers might remember discussions about archival privilege in the early 2010s stemming from the litigation surrounding the Belfast Project oral histories. Archival privilege is not legally recognized despite legal arguments for such a privilege or tying such a privilege to researcher privilege in court (such as in Wilkinson v. FBI and Burka v. HHS). These rulings mean that materials in a collection are subject to search via subpoenas and warrants, which leads to privacy harms to those whose personal data is included in those collections. Nevertheless, it’s still worthwhile to revisit the calls for such a privilege and discussions of what archival privilege would look like:

Even though Boston College successfully appealed the initial order to hand over all the records listed in the subpoena, we are still left with the question of whether the archives profession should push for privileged relationships between donors or other individuals represented in the collections and the archives. We will leave the discussion of whether such a privilege should exist (and in what form) to our readers.

Just Published – Licensing Privacy Vendor Contract and Policy Rubric (Plus Bonus Webinar!)

Happy National Spicy Hermit Cookie Day! Today is your day if you need an excuse to make a batch of cookies to prepare for the baking rush in a few weeks. While the term “hermit” refers to the cookie’s ability to keep for months, we at LDH are not exactly sure if we can call a cookie a literal hermit. Nevertheless, we know what can make someone into a hermit – spending countless hours reading vendor contracts.

(We would like to apologize for that transition. Here is a picture of a tray of freshly baked cookies to make up for it.)

The lucky academic library people who deal with content platform vendor contracts know all too well the frustrations with these contracts, particularly around data privacy and security. Contracts are notorious for being obtuse and dense, but an added complication with content platform contracts is the limited and vague language around our patrons’ data – what data is collected, why the vendor is collecting it, how they’re collecting patron data and sharing it with other third parties, what data rights patrons have, and so on. The complications don’t stop there. Academic library workers not only have to negotiate data privacy with the vendor, but more often than not, they find themselves internally negotiating for privacy at an institutional level, advocating and educating institutional peers about patron privacy rights and needs. Protecting patron privacy shouldn’t be this hard, but this is the reality that many academic library workers face in the contract evaluation and negotiation processes.

The Licensing Privacy Project is here to help. The Mellon Foundation-funded project just published the Vendor Contract and Policy Rubric to streamline the evaluation and negotiation processes for content vendor contracts and policies. Academic library workers can use the rubric to evaluate contracts for potential data privacy and security issues in eight key privacy domains, including data collection and user surveillance. The rubric brings together several well-known library privacy standards and practices to streamline the evaluation process, noting which vendor privacy practices could meet those standards and which to flag for further evaluation and negotiation. The supplementary glossary and example contract language resources provide definitions for common privacy terms and what type of contract language to look out for in specific privacy domains. The interactive features of the rubric allow for sharing evaluation notes, identified privacy risks, and ways to mitigate those risks within the library and institutional staff who are part of the negotiation process.

If you want to learn more about the rubric and how you can use it at your academic library, make sure to sign up for the webinar this Wednesday (11/17) at 1 pm Central Standard Time. Not only will you learn more about the rubric, but you will also get a chance to talk to other colleagues in brainstorming all the possible ways this rubric can help you advocate for patron privacy during the contract negotiation process. If you can’t make it, don’t worry – the webinar will be recorded. We hope to see you there!

Don’t Forget About Privacy While Turning Back The Clock

Last weekend was when we finally got our one hour back (for those of us still observing Daylight Saving Time [DST] in the US). Instead of sleeping in, though, we are barraged with public service announcements and reminders to spend that hour taking care of things that otherwise get ignored. That fire alarm battery isn’t going to change itself! Like #DataSpringCleaning, the end of DST is a great opportunity to take care of privacy-related things that we’ve been putting off since spring.

What are some things you can do with the reclaimed hour from DST?

  • Choose and sign up for a password manager – If you’re still on the fence about choosing a password manager, check out our post about the basics of selecting a manager. Once you get past the inertia of selecting a password manager, switching to a password manager becomes a smoother process. Instead of switching all your accounts to the password manager at once, you can enter the account information into the manager when you sign into that specific account. Using the password manager’s password generator, you can also use that time to change the password to a stronger password. And while you’re logged in…
  • Set up multifactor authentication (MFA) – You should really turn on MFA if you haven’t already done so for your accounts. Use a security key (like a YubiKey) or an authenticator app for MFA if possible; nevertheless, the less secure versions of MFA – SMS and email – are better than no MFA. Read about MFA on the blog if you’re curious to learn more about MFA.
  • Review privacy and security settings for social media accounts – Social media sites are constantly adding and changing features. It’s good to get into the habit of checking your social media account settings to make sure that your privacy and security settings are where you want them to be. Another thing you might want to check is how much of your data is being shared with advertisers. Sites like Facebook and Twitter have account setting sections dedicated to how they use your data to generate targeted ads.

Your library also has a reclaimed hour from DST. What can you do at work with that reclaimed hour?

  • Review the privacy policy – It never hurts to review the privacy policy. Ideally, the privacy policy should be updated regularly, but sometimes even having a review schedule in place doesn’t necessarily guarantee that the review actually gets done. If the policy missed its regularly scheduled review, it might be worthwhile to push for the overdue review of the policy to ensure the policy’s alignment with current professional standards, codes, and legal regulations.
  • Check your department or team procedures against the privacy policy – Your department work procedures change regularly for various reasons, such as changes in technology or personnel. These changes might take these procedures out of alignment with the current privacy policy. Relatedly, an update to the privacy policy might need to be reflected in changes to the procedure. Review the two sets of documents – if they’re not in alignment, it’s time to set up a more formal document review with the rest of the department. Now is also an excellent time to set up a schedule for reviewing procedures against the privacy policy (as well as privacy-adjacent policies) on a regular basis if such a schedule doesn’t already exist.
  • Shred paper! – Take time to look around your workspace for all the pieces of paper that have sensitive or patron data. Do you need that piece of paper anymore? If not, off to the office shredder it goes. Grab a coffee or a treat on your way back from the shredder while you’re at it – you earned it ☕🍫

We won’t judge you if you ultimately decide to spend your reclaimed hour sleeping in (or changing that fire alarm battery). Nevertheless, making a habit of regularly checking in with your privacy practices can save you both time and trouble down the road.

It’s Dangerous to Go Alone

A cross stitch of a pixelated white old man with a white beard flanked by two pixelated fires. A pixelated sword lies in front of the old man. Text in white above the scene: "It's dangerous to go alone. Take This."
Image source: https://www.flickr.com/photos/12508267@N00/31229743046/ (CC BY 2.0)

Juan saw his recent promotion to Director of Access Services at Nebo University Libraries as an opportunity to change his library’s approach to patron privacy. However, Juan knew that becoming a manager of one of the largest departments in the libraries would not altogether remove the roadblocks he kept running into when he advocated for more robust privacy policies and practices as a staff member. Juan now had to figure out how to use his new position to advocate for the privacy changes he had been pushing for a long time…

Juan was one of the four fictional library workers introduced to participants in a recent library privacy workshop. Unlike the other three library workers, Juan was in a unique position. Instead of addressing privacy concerns with other academic departments or campus members, Juan focused on the library itself. When he was still staff, Juan had some limited success in getting better privacy protections at the library. Like many others, Juan ran into organizational roadblocks when changing privacy practices on a larger scale. Newly promoted and with new administrative political capital in the library, Juan thinks he’s in a better position to push for privacy changes throughout the entire library system.

However, Juan is not considering one essential thing – it takes much more than one person in a library to create a sustainable culture of privacy. Many of us have been in the same situation as Juan in going out on our own and pushing for privacy changes in our libraries. We do this on top of everything else that we are responsible for in our daily duties. Sometimes we rationalize this additional workload by bending and stretching existing job responsibilities without formally accommodating the new responsibilities. Other times, we deem privacy work so important that we are willing to sacrifice a portion of our well-being to ensure our patrons are protected (hello Vocational Awe). This might gain us a couple of small wins in the short term: a change in a departmental procedure or reducing the amount of data collected by a patron-facing application or system. However, the long-term reality is that these changes are not set up to be maintained because there is no sustainable system in place. Unless, of course, we as individuals decide to take on that maintenance – but even then, one person can only take on so much on top of their existing workload before everything starts to fall apart.

Creating sustainable privacy practices and programs in organizations requires at minimum two things: dedicated resources and dedicated people. Most libraries do not have these things, relying on existing staff and resources to make privacy happen. While libraries have historically been able to operate with this organizational kludge, changes to library operations and services in the last few decades have made this kludge not only ineffective but dangerous to both patrons and the library as an organization with regard to privacy risk and potential harms if those risks are realized. It is nearly impossible for patrons not to generate data in their library use, be it physical or online. Because so much of this generated data is collected by the library and third parties, even the routine act of trying to document the lifecycle of this data can be a monumental task if there is no dedicated structure in place for this work to be done sustainably.

Like many of us, Juan wants to protect patron privacy. Nevertheless, if he tries to go it alone and does not build the infrastructure to sustain privacy practices, his efforts will be short-lived at best. Privacy policies and procedures are part of that infrastructure, but they’re a part of the infrastructure that is dependent on the dedicated staff time and resources that are critical for sustainable practices. What are some of Juan’s options?

  • Create a centralized library data governance committee – Juan can’t do this work alone, particularly when his primary job responsibilities don’t include overseeing the library’s privacy practices. Creating a data governance committee would bring in both administration and staff from different areas of the library that work with or use patron data to oversee data management, including data privacy and security. This committee would not only create and review privacy policies and procedures but would also serve as an accountability mechanism for when things go wrong or to ensure things get done. No one library worker would be solely responsible for the library’s privacy practices in this option, though Juan would need to ensure that participation in the committee does not become an undue burden for staff.
  • Advocate for a dedicated budget line for data privacy and security – There might already be data privacy and security resources available at the university, but those resources might not cover library-specific needs such as professional development for privacy training, consulting, or auditing. Some departments in the library might already have a dedicated budget line for privacy and security, such as Library Systems. Juan might want to talk to the department managers to determine whether they could collaborate on increasing the funds available for data privacy and security activities in the library.
  • Advocate for a dedicated privacy staff position in the library – Even with a library data governance committee, ultimately, someone has to wrangle privacy at the library. Juan’s role might include some oversight of some privacy practices in Access Services; unless his job description changes, he cannot be the privacy point person for the entire library. Having a dedicated point person for privacy at the library would ensure that the data governance committee is kept on track in terms of being the data steward for the group. More importantly, it would also ensure that at least one person in the library has dedicated time and resources to track, manage, and address new and evolving data privacy risks and harms patrons face while using the library. While a full-time dedicated position to privacy is ideal, the budget might not support a new position at the time of the request. In that case, Juan might argue that he could be the privacy point person under the condition that he can shift his current responsibilities to other managers in Access Services. Nevertheless, Juan’s suggestion should only be a short-term workaround while the library works to find funding for a full-time privacy position.

All three options require some form of collaboration and negotiation with the administration and staff. Juan cannot realistically create these structures alone if he wants these structures to survive. It comes back to creating and maintaining relationships in the organization. Without these relationships, Juan is left on his own to push for privacy, which inevitably leads to burnout. No matter how passionate we are about patron privacy, like Juan, we must realize that we must not do our privacy work alone if we want our efforts to succeed.

Just Published – Data Privacy and Cybersecurity Best Practices Train-the-Trainer Handbook

Cover of the "Data Privacy and Cybersecurity Best Practices Train-the-Trainers Handbook".

Happy October! Depending on who you ask at LDH, October is either:

  1. Cybersecurity Awareness Month
  2. An excuse for the Executive Assistant to be extra while we try to work
  3. The time to wear flannel and drink coffee (never mind, this is every month in Seattle)

Since the Executive Assistant lacks decent typing skills (as far as we know), we declare October as Cybersecurity Awareness Month at LDH. Like last year, this month will focus on privacy’s popular sibling, security. We also want to hear from you! If there is an information security topic you would like us to cover this month (or the next), email us at newsletter@ldhconsultingservices.com.

We start the month with a publication announcement! The Data Privacy and Cybersecurity Training for Libraries, an LSTA-funded collaborative project between the Pacific Library Partnership, LDH, and Lyrasis, just published two library data privacy and cybersecurity resources for library workers wanting to create privacy and security training for their libraries:

  • PLP Data Privacy and Cybersecurity Best Practices Train-the-Trainer Handbook – The handbook is a guide for library trainers wanting to develop data privacy and cybersecurity training for library staff. The handbook walks through the process of planning and developing a training program at the library and provides ideas for training topics and activities. This handbook is a companion to the Data Privacy Best Practices Toolkit for Libraries published last year.
  • PLP Data Privacy and Cybersecurity Best Practices Train-the-Trainer Workshops (under the 2021 tab) – If you’re looking for train-the-trainer workshop materials, we have you covered! You can now access the materials used in the two train-the-trainer workshops for data privacy and cybersecurity conducted earlier this year. Topics include:
    • Data privacy – data privacy fundamentals and awareness; training development basics; vendor relations; patron programming; building a library privacy program
    • Cybersecurity – cybersecurity basics; information security threats and vulnerabilities; how to protect the library against common threats such as ransomware and phishing; building cybersecurity training for libraries

Both publications include extensive resource lists for additional training materials and to keep current with the rapid changes in cybersecurity and data privacy in the library world and beyond. Feel free to share your training stories and materials with us – we would love to hear what you all come up with while using project resources! We hope that these publications, along with the rest of the project’s publications, will make privacy and cybersecurity training easier to create and to give at your library.

Is Library Scholarship a Privacy Information Hazard?

A white hazard sign with an image of a human stick figure being zapped by an electric blob. Image is sandwiched between red and black text - "Warning, this area is dangerous"
Image source: https://www.flickr.com/photos/andymag/9349743409/ (CC BY 2.0)

Library ethics, privacy, and technology collided again last week, this time with the publication of issue 52 of the Code4Lib Journal. In this issue, the editorial committee published an article describing an assessment process with serious data privacy and ethical issues and then explained their rationale for publishing the article in the issue editorial. The specifics of these data privacy and ethical issues will not be covered in-depth in this week’s newsletter – you can read about said issues in the comment section of the Code4Lib Journal article in question.

You might have noticed that we said “again” in the last paragraph. This isn’t the first time library technology publications and patron privacy collided. The Code4Lib Journal published a similarly problematic article last year, but the journal is one of many library scholarship venues that have published scholarly and practical literature that is ethically problematic with regard to patron privacy. Technology and assessment are the usual offenders, ranging from case studies of implementing privacy-invasive technologies to research extolling the benefits of surveilling students in the name of learning analytics without discussing the implications of violating student patron privacy. These publications are not set up as a point-counterpoint exploration of these technologies and assessment methods in terms of privacy and ethics. Instead, these publications are entered into the scholarly record as is, with an occasional contextual note or superficial sentence or two about privacy. Retraction is almost unheard of in library scholarship, and retraction is not very effective in addressing problematic research.

Library scholarship is not consistently aligned with the profession’s ethical standards to uphold patron privacy and confidentiality. Whether or not an article is judged on its potential impact on library privacy is currently up to the individual peer reviewer (or in the case of editor-reviewed journals such as Code4Lib, the editor). In addition, library scholarship is not set up to assess the potential privacy risks and harms of the publication in question to specific patron groups, particularly patrons from minoritized populations. Currently, there is no suitable mechanism to do such an assessment that can be included in the original publication so that it would be both meaningful and informative to the reader. We are left with publications in the library scholarship record that promote the uncritical adoption of high-risk practices that go against professional ethics and harm patrons. This becomes more perilous when these publications come across those in the field who do not have the knowledge or experience in assessing these publications with patron privacy and ethics in mind.

What we end up with, therefore, is a scholarly record full of information hazards. An information hazard is a particular piece of information that can potentially cause harm to the knower or create the potential to harm others. This differs from misinformation, where the information being spread is false; with an information hazard, the information is true. Nick Bostrom’s seminal work on information hazards breaks down the specific risks and harms of different types of hazards. Library scholarship has (at least) two information hazards in particular when it comes to library privacy and ethics:

Idea hazard – Ideas hold power. They also come with risks. Even if the dissemination of an idea is kept at a high level without specific details, it can become an idea hazard. The idea that a library can use a particular system or process to assess library use can risk patron privacy. There are ways to mitigate an idea risk of this nature, including evaluating the assessment idea through the Five Whys method or other methods to determine the root need for such an assessment.

Development hazard – A development hazard is when advancement in a field of knowledge leads to technological or organizational capabilities that create negative consequences. Like other fields of technology, library technology falls into this hazard category, particularly when combined with the evolution of library assessment practices and norms. Sharing code and processes (which is a data hazard) can lead to community or commercial development of more privacy-invasive library practices if no care is taken to mitigate patron privacy risks.

How, then, can library scholarship become less of a privacy information hazard? First and foremost, the responsibility falls on the publishers, editors, peer reviewers, and conference program organizers who control what is and is not added to the library scholarly record. This includes creating a code of ethics for submission authors to follow and guidelines for reviewers and editors to follow to assess the privacy and ethical implications of the submission. However, these codes and guidelines are not effective if they are not acted upon. As Dorothea Salo says, “Research on library patrons that contravenes library-specific ethics is unethical; it should not be published in the LIS literature, and when published there, should be retracted.” Regardless of the novelty or other technical merits of the submission, if the submission violates or goes against library ethics or privacy standards, the editors, reviewers, and publishers have the responsibility as shapers of the scholarly record to not publish the submission lest they add yet another information hazard to the record.

Library privacy and ethics must also be a part of every stage of the submission and publication process. This takes a page from Privacy by Design, taking a proactive approach to privacy instead of rushing to include privacy at the last minute, making any privacy effort ineffective at best. Ethical codes and guidelines are one way to embed privacy into a process; another is to include checkpoints in the process to bring in external subject matter experts to review submissions well in advance to identify or comment on specific privacy or ethical risks. If done early in the submission process, the information received can then be used to revise the submission to address these issues or to change the focus of the submission to one that is more appropriate to address the privacy and ethical implications of the topic at hand. The submission itself doesn’t have to be abandoned, but it must be constructed so that the privacy and ethical risks are front and center, describing why this method, idea, process, or code goes against library ethics and privacy. This option doesn’t eliminate the idea/data hazard, but shifting the focus to privacy and ethical repercussions can mitigate the risks that come with such hazards.

Whether intentional (as in the case of the latest Code4Lib Journal issue) or unintentional, library scholarship places patron privacy at risk through the unrestricted flow of information hazards. Many in the profession face pressure to create a constant stream of scholarship, but at what cost to our patrons’ privacy and professional ethics? A scholarly record full of privacy information hazards has and will continue to have long-lasting implications for the profession’s ability to protect patron privacy as well as how well we can serve everyone in the community (and not just those who have a higher tolerance for privacy risks or won’t be as negatively impacted by poor privacy practices). As the discussion about the Code4Lib Journal’s decision to publish the latest information hazard into the scholarly record continues, perhaps the community can use this time to push for more privacy and ethically-aligned submission and review processes in library scholarship.