Just Published – ALA Privacy Field Guides

Title covers of the seven Library Privacy Field Guides.

Readers of the Tip of The Hat might be familiar with the ALA Privacy Guidelines and Checklists or even use them in their library privacy work. Created in 2015, the Guidelines aim to assist libraries and library vendors in providing patron privacy guidance around library technology and services. The Checklists go a step further by turning this guidance into actionable checklists for libraries to incorporate into their work. The Guidelines and Checklists have provided valuable advice and direction for many a library and library vendor alike throughout the years.

As the privacy needs of libraries change, so have the Guidelines and Checklists. Nevertheless, the growing complexity of privacy work means a new set of challenges for libraries to face. Alongside this increasing set of challenges is the need for a group of resources that are easy to understand and provide the tools necessary for library workers to advocate for privacy practices on all levels, from the public to administration to vendors. 

The Privacy Field Guides, an IMLS-sponsored project in collaboration with ALA, aim to meet this need. These just-published guides offer practical guidance around major library privacy topics:

  • Data Lifecycles (If you’re familiar with our work at LDH, you might not be surprised that we helped out with the creation of this guide!)
  • Digital Security Basics
  • How To Talk About Privacy
  • Non-Tech Privacy
  • Privacy Audits
  • Privacy Policies
  • Vendors and Privacy

What sets these guides apart from other library privacy resources is that they serve as a starting point for library workers who are unsure where and how to start doing privacy work at their libraries. Each guide contains hands-on exercises where library workers can immediately impact how their library practices privacy. Does your library lack a privacy policy that patrons can easily read and understand? The Privacy Policies guide walks you through creating a draft privacy policy that is informative and readable for your patrons. The guides also provide talking points for library workers communicating about library privacy. How To Talk About Privacy focuses on building those talking points for a variety of audiences – be it patrons, administration, and everyone in between – but you will also find talking points in the other guides focused on specific topics, such as privacy in the vendor selection and contract negotiation processes or protecting patron privacy in physical library spaces.

These guides are a valuable addition to your library’s privacy toolkit and are a great way to start privacy discussions in your library. Take some time to go through the digital versions of the Field Guides and let us know what you think!

The Lasting Impact of The Patriot Act on Libraries

A man wearing sunglasses holds a white sign as he walks through a street protest. The sign has two human eyes looking up and to the right. The sign message - 'The "Patriot" Act is watching you'
Image source – https://flickr.com/photos/crazbabe21/2303197115/ (CC BY 2.0)

This weekend marked the 20th anniversary of 9/11 in the US. Life changed in the US after the attacks. One of the many aspects of our lives that changed was the sudden erosion of privacy for everyone living in the States. One of the earliest visible examples of this rapid erosion of privacy was the Patriot Act. Let’s take a moment and revisit this turning point in library privacy history and what has happened since.

A Quick Refresher

The Patriot Act was signed in October 2001 after the attacks of September 11th. The law introduced or vastly expanded government surveillance programs and rights. US libraries are most likely familiar with Section 215. While in the past the government was limited in what information they could obtain through secret FISA orders, Section 215’s “tangible things” expanded the use of these secret orders to “books, records, papers, documents, and other items.” Given the examples included in the Section’s text, it wasn’t too much of a stretch to assume that “tangible things” included library records.

The good news – for now – is that Section 215 is not here to mark the 20th anniversary of the passage of the Patriot Act. The Section was sunsetted in 2020 after years of renewal and a second life through the USA Freedom Act. The Section did not die quietly, though – while support for renewal spanned across both parties in the Senate and the House, different versions of the renewal bill stalled the renewal process. The possibility of a renewal of Section 215 or a similar version of the Section is still present. However, it is unclear as to when talks of renewal will restart.

The Act’s Impact on Libraries

Libraries acted quickly after the passage of the Act. Right after the passage of the Patriot Act, those of us in the library profession might remember taking stacks of borrowing histories and other physical records containing patron data and sending them through the shredder. Other libraries adjusted privacy settings in their ILSes and other systems to not collect borrowing history by default. ALA promptly sent out guidance for libraries around updating privacy and law enforcement request policies and procedures. And it would be safe to assume that several people got into librarianship because of the profession’s efforts in protecting privacy and pushing back against the Patriot Act.

Even with the flurry of activity in the profession early on, questions about the use of Section 215 to obtain patron data persist today. Even though the Justice Department testified in 2011 that Section 215 was not used to obtain circulation records, the secrecy imposed on searches in Section 215 makes it difficult to determine precisely the extent of the Section’s library record collection activities.

While we cannot say for sure if Section 215 was used to obtain patron data, we know that other parts of the Act were used in an attempt to get patron data. Most notable was the use of National Security Letters (NSL) and gag orders by the government to obtain patron data. The Connecticut Four successfully challenged the gag order on an NSL served to the Connecticut library consortium Library Connection. While the Connecticut Four took their fight to court, other libraries proactively tried to work around the gag order by posting warrant canaries in the building to notify patrons if they had been served an NSL.

Lessons Learned or Business as Usual?

The Patriot Act reminded libraries of the threat governments pose to patron privacy. Libraries responded with considerable energy and focus to these threats, and these responses defined library privacy work in the 21st century library. Still, the lessons learned from the early days of the Act didn’t entirely transfer to other threats that pose as much of a threat to patron privacy as governments and law enforcement. While libraries could quickly dispose of risky patron data on paper after the Act’s passage, a substantial amount of today’s patron data lives on third-party databases and systems. The removal of control over patron data in third-party systems limits the ability to adjust to new privacy threats quickly. Technology has evolved to provide some possible protections, including encryption and other ways to restrict access to data. Legal regulations around privacy give both libraries and patrons some level of control over data privacy in third-party systems. Despite these progressions in technology and law, data privacy in the age of surveillance capitalism in the library brings new challenges that many libraries struggle to manage.

Some could argue that libraries sub-optimized data privacy protections in response to the Act’s threats, hyper-focusing on government and law enforcement at the expense of addressing other patron privacy risks. At the same time, the standards and practices developed to mitigate governmental threats to patron privacy can be (and to certain extents have been) adapted to minimize these other risks, particularly with third parties. One of the first lessons learned in the initial days of the Act came from the massive efforts of shredding and disposing of patron data in bulk in libraries throughout the country. Libraries realized at that moment that data collected is data at risk of being seized by the government. Data can’t be seized if it doesn’t exist in the first place. As libraries continue to minimize risks around law enforcement requests, we must remember to extend those privacy protections to the third parties that make up critical library operations and services.

Privacy at ALA Midwinter – 2021 Recap

Logo for the 2021 ALA Midwinter Meeting and Exhibits.

Patron privacy had several moments in the spotlight at last week’s ALA Midwinter Conference. If you missed the conference or the news updates, no worries! Here are the highlights to help you catch up.

A big moment for privacy resolutions

ALA Council passed two major privacy resolutions during ALA Midwinter, moving the organization and the profession to make a more deliberate stance against surveilling library patrons through facial recognition software and behavioral data tracking. You can read the full text of the original resolutions at the end of the Intellectual Freedom Committee Midwinter Report, but here are the actions called for in each resolution:

Resolution in Opposition to Facial Recognition Software in Libraries

  1. opposes the use of facial recognition software in libraries of all types on the grounds that its implementation breaches users’ and library workers’ privacy and user confidentiality, thereby having a chilling effect on the use of library resources;
  2. recommends that libraries, partners, and affiliate organizations engage in activities to educate staff, users, trustees, administrators, community organizations, and legislators about facial recognition technologies, their potential for bias and error, and the accompanying threat to individual privacy;
  3. strongly urges libraries, partners, and affiliate organizations that use facial recognition software to immediately cease doing so based on its demonstrated potential for bias and harm and the lack of research demonstrating any safe and effective use;
  4. encourages legislators to adopt legislation that will place a moratorium on facial recognition software in libraries; and
  5. directs the ALA Executive Director to transmit this resolution to Congress. [This clause was removed by amendment before the final vote in Council]

Resolution on the Misuse of Behavioral Data Surveillance in Libraries

  1. stands firmly against behavioral data surveillance of library use and users;
  2. urges libraries and vendors to never exchange user data for financial discounts, payments, or incentives;
  3. calls on libraries and vendors to apply the strictest privacy settings by default, without any manual input from the end-user;
  4. urges libraries, vendors, and institutions to not implement behavioral data surveillance or use that data to deny services;
  5. calls on libraries to employ contract language that does not allow for vendors to implement behavioral data surveillance or use that data to deny access to services;
  6. calls on libraries to oversee vendor compliance with contractual obligations;
  7. calls on library workers to advocate for and educate themselves about library users’ privacy and confidentiality rights; and
  8. strongly urges libraries to act as information fiduciaries, assuring that in every circumstance the library user’s information is protected from misuse and unauthorized disclosure, and ensuring that the library itself does not misuse or exploit the library user’s information.

[Disclosure – LDH participated in the Behavioral Data Surveillance Resolution working group]

Each resolution is a strong indictment against surveillance technology and practices, but the resolutions will have limited impact if no further action is taken by the organization or its members. While ALA and its vast array of committees start updating and creating policies, standards, and guidelines to assist libraries in enacting these resolutions, individual libraries can use these resolutions to guide decision-making processes around these technologies on the local level. Library workers can use these resolutions to start conversations about how their libraries should protect patrons against these specific surveillance technologies and practices.

Dystopian future, or dystopian present?

The Top Tech Trends session explored the dystopian aspects of technologies including deepfakes, surveillance practices normalized during the COVID-19 pandemic, and the connection between prison libraries and biometric technologies. The recorded session is available to Midwinter registrants, but if you do not have access to the on-demand video of the session, the American Libraries article on the session summarizes each aspect and the impact it can have on patron privacy and the ability for libraries to serve patrons. Take a moment to read the summary or watch the session and ask yourself – Is your library on its way toward a dystopian tech future, or has it already arrived? What can you do to protect patrons against this privacy dystopia at the library?

New ALA Guidelines and Zoom Update

Welcome to this week’s Tip of the Hat!

In case you missed it – last week ALA announced a trio of new guidelines for libraries concerned with patron privacy during the reopening process as well as libraries who use security cameras at their branches:

Guidelines for Reopening Libraries During the COVID-19 Pandemic – Theresa Chmara, J.D. guides libraries with planning reopening procedures and policies, including requirements around wearing masks, health screenings of both patrons and staff, and contact tracing. While these guidelines are not legal advice, these guidelines should inform your discussions with your local legal advisors.

Guidelines on Contact Tracing, Health Checks, and Library Users’ Privacy – This statement from IFC reaffirms the importance of patron privacy in the reopening process, including giving newly published guidelines around contact tracing at the library. The statement also directs libraries to the Protecting Privacy in a Pandemic Resource Guide, which brings together several privacy resources for libraries to incorporate into their reopening processes, as well as the expansion of existing patron services to online.

Video Surveillance in the Library Guidelines – Libraries who use security cameras should review their existing policies around camera placement, recording storage and retention, and law enforcement requests for recordings considering the new guidelines. There are also sections around patrons filming library staff and other patrons which public libraries should review regarding staff and patron privacy and safety.

Take some time to review the above guidelines and discuss how these guidelines might affect your library’s reopening or use of security cameras in the building!

Zoom Update

Zoom reported that they will not provide end-to-end encryption for free-tier users so Zoom can comply with law enforcement. Now that you know how Zoom will respond to law enforcement requests, does their stance line up with your library’s law enforcement request policy, as well as your patron privacy policy? If not, how will your library adjust your use of Zoom for patron services? One option is to not use Zoom, but as we covered in previous newsletters, Zoom is arguably one of the more user-friendly video conferencing applications on the market. Nonetheless, there are alternatives out there that do a better job protecting privacy, including Jitsi. If you must use Zoom for patron services, check out the Zoom Security Recommendations, Settings List, and Resources document from LDH’s Remote Work presentation in April to help you secure your Zoom calls.

All Things Privacy At #alamw20

Welcome to this week’s Tip of the Hat! Are you prepared for ALA Midwinter in Philadelphia this week? If not, you’re not alone. LDH is ready to help you get the most out of #alamw20!

Before You Go

Here are some reminders as to how to protect your privacy while traveling and conferencing:

VPN? Check. AC wall charger or power bank for the phone? Check. Mental reminder to take off the conference badge outside of conference spaces? Check!

In the Exhibit Hall

Booth #1823 – Stop by and get a sneak peek of the upcoming Privacy Field Guides! These guides cover a variety of topics, including privacy audits and the data lifecycle.
Booth #864 – The Library Freedom Project will be answering any questions about the Institute (applications due February 10th) as well as handing out resources about protecting privacy at your library and community.

In the Schedule

Sunday, January 26th seems to be the day for privacy at Midwinter:

Intellectual Freedom Committee (IFC) Privacy Subcommittee Meeting; 8:30 AM – 10:00 AM; Room 111-A
Learn more about the current projects going on in the Privacy Subcommittee! You don’t have to be a member to attend the meeting.

Data and Diversity: Navigating the Ethics of Demographic Data in Inclusive Community Collections; 1:00 PM – 2:00 PM; Room 203-AB
Abstract: Librarians building local collections want to represent the diversity of their communities. When we use information about people’s identities to assess a collection’s inclusivity, how do we protect people’s privacy and respect their autonomy? We’ll discuss how we addressed these questions for local digital music collections at public libraries in Seattle and beyond.

We’ll share best practices we created, how we developed those practices, and how we continue to adapt them. We present our work with community data as a template for engaging with the complex and evolving issues facing librarians in an era of rapid technological and societal change.

LITA Top Tech Trends; 1:00 PM – 2:00 PM; Room 122-A
LITA’s Top Tech Trends is always a popular event, and privacy and security will most likely make their way into the panel discussion.

Data Abuse: Is There a Sustainable Solution to Help Notify Users of Egregious Data Abuses?; 4:00 PM – 5:00 PM; Room 204-C
Abstract: How can patrons easily understand the extent of data collection that results from their use of electronic resources? Often, the resource provider just wants to confirm a patron’s institutional affiliation, but some vendors require that users create an account, subscribe to a newsletter, or provide demographic information. At Cornell University Library, staff are exploring options for helping patrons easily understand data collection from electronic resources – a system that can be supported, shared, and used by all. In this discussion, we will explore our ideas so far, and seek input on how to make such a service sustainable.

LDH will not be at Midwinter this year, but we plan to be at Annual in Chicago. We hope to catch you then! In the meantime, safe travels to Philly, and enjoy all the privacy offerings Midwinter has to offer.

Ransomware, CS and Privacy, and #FollowMonday

Welcome to this week’s Tip of the Hat! Summer is in full swing this August, and the Executive Assistant is contemplating where would be the coolest place in the office to park herself to work. While she roams the office and while I make sure she doesn’t make a small blanket fort connected to the office refrigerator, here are a couple of quick links and updates in the privacy and library worlds to start your week.

A refrigerator with its door open, and a green tent set up in front of the open door.

Ransomware strikes another library system

Last month, the Butler County Federated Library System in Pennsylvania became the latest library system to succumb to ransomware. As a result, the system has gone back to using paper to track circulation information. Like other ransomware attacks, the system might have to rebuild their online infrastructure if they are unable to retrieve the ransomed data.

If your library hasn’t been hit with ransomware yet, the best defense against ransomware is to prevent it from taking over your system. Awareness programs and information security training can help with educating staff about the ways that ransomware and other viruses and malware can infiltrate the library system, and regular reminders and updates can also help keep staff current on trends and new infosec practices.

Training can only go so far, though, and having a plan in place will not only help mitigate panic when ransomware takes over a system, but also mitigate any overlooked vulnerabilities concerning patron data privacy. For example, while libraries have used paper for decades to track circulation information, automation in the last few decades has taken over this process. Making sure that staff are trained and have current procedures in handling sensitive patron data in paper format – including storage and disposal – can help protect against inadvertent privacy breaches.

H/T to Jessamyn West for the link!

Is it time for Computer Science curriculums to prioritize privacy?

In an op-ed in Forbes, Kalev Leetaru argues that CS curriculum should follow the way of library and information science and emphasize privacy in their programs. Near the end of the article, Leetaru illustrates the struggle between privacy and analytics:

Privacy naturally conflicts with capability when it comes to data analytics. The more data and the higher resolution it is, the more insight algorithms can yield. Thus, the more companies prioritize privacy and actively delete everything they can and minimize the resolution on what they do have to collect, the less capability their analytics have to offer.

This represents a philosophical tradeoff. On the one hand, computer science students are taught to collect every datapoint they can at the highest resolution they can and to hoard it indefinitely. This extends all the way to things like diagnostic logging that often becomes an everything-or-nothing concept that has led even major companies to have serious security breaches. On the other hand, disciplines like library and information science emphasize privacy over capability, getting rid of data the moment it is safe to do so.

What do you think? Would emphasizing privacy in CS programs change current data privacy practices (or lack thereof) in technology companies?

#FollowMonday – @privacyala

Keeping up with all the latest developments in the privacy field is a challenge. There is so much happening that it can be a full-time job to keep up with all the developments. ALA’s Choose Privacy Every Day Twitter account can help you sift through all the content in a nicely packaged weekly post of the major developments and updates in the privacy world, be it in libraries or out there in the world. You can find out about new legislation, tools to help protect your patrons’ privacy, and yes, there is a section to keep up with the latest data breaches.

All Things Privacy – ALA Annual 2019 Edition

Welcome to this week’s Tip of the Hat! This week is the American Library Association Annual Conference in DC, and LDH is packed up and ready to talk all things privacy to thousands of library folks from across the country. The Executive Assistant will keep things in order while we exhibit, but she is not letting the other half of LDH go it alone at #alaac19. Who is this new addition to LDH? Come by our booth (#844) at Annual to find out more!

If you are one of the lucky folks who is attending #alaac19, LDH would like to help you have a great conference while keeping some of your privacy intact in the process. Here are some ways to enjoy your conference and protect your privacy at the same time:

At the airport – if you are flying to DC, your airline might be using facial recognition during the boarding process. In most cases, you can opt out. TechCrunch wrote about the process, and you can learn more about opting out there.

Connecting to public, hotel, and conference wifi – Use a VPN anytime you are connecting to a public wifi network or other network that is not your home or your work network. Your place of work might already have a VPN available for use when you are working outside the office; however, keep in mind that work can also see any non-work traffic you might engage in while connected. If you don’t have a work VPN or want to have a VPN separate from work, there are several options you can choose from. LDH uses Private Internet Access, which offers good VPN service at a reasonable cost, and works across multiple platforms (Windows, iOS, Android). The one thing to remember, though, is to never use a free VPN service. If the product is “free”, the actual cost to use the product is your own personal data.

On the Exhibit Floor – You might notice the QR code or barcode under your name on your badge. Exhibitors sometimes ask you if they can scan your badge, particularly if you want nice swag! What exactly is in that QR code? When I scanned my badge from Midwinter using an Android barcode scanner app, this is the output: “csi313|1237819|Becky|Yoose|”. My name is there, but also note the two strings of numbers before it. While indecipherable to attendees, those strings could eventually lead to the vendor getting your contact information. If you wouldn’t give your physical business card to a vendor, you might want to decline the offer to have your badge scanned by the same vendor. Better yet, ask the vendor what they do with the information that they get off of your scanned badge.

Outside the conference – take off your badge. This is for both security and privacy reasons. DC is full of tourists, but they do not need to know your name while you’re walking through the streets to your next meeting!

At the conference – there are several privacy-related events happening at #alaac19! The Office for Intellectual Freedom created a list of all privacy-related programs and meetings, including sessions on Privacy by Design and minors’ privacy rights. Between sessions, check out the Glass Room Experience in the exhibit hall at booth #3446! The booth will be featuring the community edition of the original Glass Room Experience. From the organizer of the booth – “This edition was developed as a result of high demand from visitors of larger Glass Rooms in London and New York, who also wanted to set up similar exhibitions in their cities. This smaller, portable version comes in a lightweight and adaptable format that can be set up in a variety of different spaces from libraries and schools to conferences and metro stations.”

Last but not least, stop by booth #844 and say hi to LDH! We will be sharing the booth with Equinox Open Library Initiative. If you want to learn more about how open source technology can help empower your library, the folks over at Equinox OLI would be more than happy to talk to you at the booth.

If you are heading to DC this week, safe travels and we hope to see you at booth #844!

Monday Mystery: Conference Information Sharing

Welcome to this week’s Tip of the Hat! It seems that spring has just arrived for many of us in the US; however, the calendar tells us that we are only weeks away from the ALA Annual Conference in Washington DC in June. Our Executive Assistant was going through the PDF registration form the other day and noticed the following question:

A text box with the following text: "Attendees may receive exciting advance information from exhibitors like invitations, contests and other hot news. COUNT ME IN!" Yes/No checkboxes are next to the last sentence.

The above question on the registration form asks if the person (or in this case, cat) wants to receive information from conference exhibitors. The Executive Assistant paused. What does checking the “Yes” box all entail? Since we’re in the data privacy business, this is a perfect Monday Mystery for us to investigate.

After a quick search of the conference website, we land on ALA’s Privacy Policy at http://www.ala.org/privacypolicy. If you haven’t spent time with a privacy policy, it can seem daunting or downright boring. Let’s walk through this policy to find out what happens when we check the “Yes” box.

The “Information Collection & Use” section lays out what information is collected and when. They define “personal data” as information that can be used to identify someone: name, email, address, etc. The section breaks down some common actions and situations when ALA collects data, including event registration. We already guessed that ALA was collecting our information for event registration purposes, but we need to dig deeper into the policy to answer our question.

We then find a section labeled “Information Sharing” in which we might find our answer! The section lists who ALA shares information with in detail, including the type of data and circumstances that the data is shared. “Services Providers” seems promising – that is until we get into the details. The data listed that is shared to service providers is mostly technical data – location data, log files, and cookies – and has nothing regarding giving information to receive updates from exhibitors. Back to square one.

Moving down the policy, we arrive at the “Your Rights and Choices Regarding Your Information” section, which lists the following right:

“Object to processing – You have the right to object to your Personal Data used in the following manners: (a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); (b) direct marketing (including profiling); and (c) processing for purposes of scientific/historical research and statistics;”

Okay, we have the right to ask ALA not to use our personal data for marketing purposes. That’s a very important right to have, though that doesn’t exactly solve the mystery of what happens when we click on the “Yes” box.

This, readers, is where we are going to cheat in this investigation. It’s time to put our exhibitor hat on!

Exhibitors at major conferences are usually offered some form of registrant/member list as a means to promote their business before the conference. ALA does the same with Annual, and exhibitors can rent attendee lists. From https://2019.alaannual.org/list-rental, exhibitors have the option to “[t]arget buyers by industry segment, demographic profile or geographic area.” So, not just names and emails are shared!

On the exhibitor side, having that information would allow for targeted marketing – instead of blasting the entire attendee list, exhibitors can reach out to those most likely to be receptive to their service or product. On the attendee side, some want to have this type of targeted marketing to plan their time at the conference efficiently, or to do homework before hitting the exhibit hall. For other attendees, though, it means more emails that they’ll just delete or unsubscribe. And then there’s the question about what happens to that attendee data after the conference…

In the end, we still have a bit of a mystery on our hands. The only reason we got this far in our little Monday Mystery investigation is that LDH has been bombarded with emails trying to sell us attendee lists which tipped us off to start looking at the exhibitor section of the conference site. Your average conference attendee wouldn’t have that information and would be left scratching their heads due to the lack of information at the point of registration about what information is shared on these attendee lists. While we don’t have a clear answer to end today’s investigation, we hope that this gives our readers a little reminder to do some research the next time they are asked a similar question on a registration form.

Speaking of ALA Annual, LDH Consulting Services is excited to announce that we will be exhibiting in DC in booth 844! Many thanks to Equinox Open Library Initiative for making exhibiting at ALA Annual possible for LDH. Give us a ping if you will be at Annual and would like to talk more about what LDH can do for your organization.

There’s a Checklist For That!

Welcome to this week’s Tip of the Hat!

Last week was a busy week on both state and federal privacy regulation fronts, and it was a busy week for one-half of LDH too due to jury duty! The Executive Assistant was tasked to keep an eye on the state and federal updates; however, when asked for the report, the Executive Assistant was not forthcoming:

A black cat curled up on a yellow and green blanket.

While we catch up from a very busy week of updates, let’s talk about checklists.

Many of us use checklists each day, whether as a to-do list or to confirm that everything is in place before opening a library or launching a new online service. Checklists can help prioritize and direct focus on otherwise large, nebulous, all-encompassing things, making sure that the important bits are not overlooked.

When we talk about privacy, many folks become overwhelmed as to what they should be doing at work to protect patron privacy. Libraries, in particular, have many bases to cover when it comes to implementing privacy best practices, ranging from electronic resources and public computing to websites and applications. Where does one start?

In 2016, the ALA Intellectual Freedom Committee published the ALA Library Privacy Guidelines, aimed to help libraries and vendors in developing and implementing best practices surrounding digital privacy and security:

  • E-book Lending and Digital Content Vendors
  • Data Exchange Between Networked Devices and Services
  • Public Access Computers and Networks
  • Library Websites, OPACs, and Discovery Services
  • Library Management Systems
  • Students in K-12 Schools

There is a lot of good information in these guides; however, we run into the same overwhelming feeling when reading all the guides, not knowing where to start. Enter the checklists!

To give folks direction in working through the Library Privacy Guidelines, volunteers from the LITA Patron Privacy Interest Group and the Intellectual Freedom Committee’s Privacy Subcommittee created Library Privacy Checklists for each corresponding Guideline. Each checklist is broken down into three sections:

Priority 1 lists best practices that the majority of libraries and vendors should take with minimal additional resources. These practices are a baseline, the minimal amount that one needs to do to protect patron privacy.

Priority 2 are practices that will require a bit more planning and effort than those in the previous section. These practices can be done with some additional resources, be it in-house knowledge/skills or external vendors or contractors. Depending on the checklist, many libraries and vendors can implement at least one practice in this section, but some might not be able to go beyond this section.

Priority 3 are practices that require a higher level of technical skill and resources to implement. For those libraries and vendors that have the available resources, this section gives guidance as to where to focus those resources.

These checklists break the ALA Library Privacy Guidelines down into prioritized, actionable tasks for libraries and organizations to use when trying to align themselves with the Guidelines. The prioritization helps those organizations with limited resources to focus on core best privacy practices as well as giving more resourced organizations guidance as to where to go next in their privacy efforts. These checklists can also be used as a foundation for conversations about overall privacy practices at an organizational level, which could turn into a comprehensive privacy program review. There are many ways one can use these checklists at their organization!

The checklists were published in 2017; nevertheless, even though the technological landscape rapidly changes year to year, many of the practices in the checklists are still good practices to follow in 2019. Take some time today to visit or revisit the checklists, and think about how those checklists can help you address some of your organization’s privacy questions or issues.