Just Published – Managing Data for Patron Privacy

The book cover of Managing Data for Patron Privacy set against a blue background, flanked by a padlock, file folder, and open laptop.

Hello everyone! It’s been a while since our last post in April, and a lot has happened. A Supreme Court ruling that will change how courts interpret an individual’s right to privacy, a bipartisan federal data privacy bill gaining momentum, ICE dipping into LexisNexis data much more than initially thought – and all of that is just within the past month. A lot is going on in the privacy world right now! While we won’t be back on our regular post schedule for a little longer, we will have time to bring you analysis and updates as they come along.

Speaking of updates, we have a big one to announce – the publication of our first book! Managing Data for Patron Privacy: Comprehensive Strategies for Libraries breaks down what library workers need to do to protect the privacy of their patron’s data. In this book, Kristin Briney, Biology & Biological Engineering Librarian at the California Institute of Technology, and LDH founder Becky Yoose cover key topics as:

  • succinct summaries of major U.S. laws and other regulations and standards governing patron data management;
  • information security practices to protect patrons and libraries from common threats;
  • how to navigate barriers in organizational culture when implementing data privacy measures;
  • sources for publicly available, customizable privacy training material for library workers;
  • the data life cycle from planning and collecting to disposal;
  • how to conduct a data inventory;
  • understanding the associated privacy risks of different types of library data;
  • why the current popular model of library assessment can become a huge privacy invasion;
  • addressing key topics while keeping your privacy policy clear and understandable to patrons; and
  • data privacy and security provisions to look for in vendor contracts.

Managing Data for Patron Privacy is a great place to start for library workers and libraries looking to cultivate a sustainable, holistic approach to their data privacy practices. Come for the case studies and practical advice; stay for the cats, glitter, and pasty recipe. 😉 We hope you enjoy the book, and please let us know if you have any questions or comments as you dive into our new book!

To Build or to Target?

It’s been a busy couple of weeks in the privacy world. First, Colorado is poised to be the newest state to join the patchwork of US state data privacy law. Next, Overdrive acquires Kanopy. And then there’s what happened when a patron submits an FOIA request for their data. Privacy forgot that it’s supposed to be summer vacation! Today we’re setting aside those updates and talking about a topic that has been one of the most requested topics for the blog.

You or your colleagues might be scanning through the last couple months of American Libraries in preparation for ALA Annual later this month, only to come across the “Target Acquired” article in the May 2021 issue (page 52-53), profiling three libraries in their use of marketing and data analytic products. The profiles seem harmless enough, from email newsletter management to collection analysis. They want to understand their patrons to serve their communities better. These profiles give three different ways these products can help other libraries do the same.

Did you notice, though, that none of the profiles talked about patron privacy?

There’s a reason for that. Marketing and data analytics products such as customer relationship management systems (CRMS) rely on personal data – the more, the better. The more data you feed into the system, the more accurate the user profile is to create a personalized experience or more effective marketing campaigns. CRMS are increasingly integrated into the ILS – OCLC Wise is an example of such an integration, and other ILS companies plan to release their own versions or create better integrations with existing products on the market. The libraries using Engage and Wise are excited about the possibilities of better understanding their patrons through the data generated by patron use of the library. However, we wonder if these libraries considered the consequences of turning patrons into data points to be managed in a vendor system.

It should be no surprise to our readers that LDH’s approach to marketing and data analytics in libraries does not place data above all else. Data ultimately does not replace the relationship-building work that libraries must do through meeting with community members. However, advertisement pieces such as the one in American Libraries aim to normalize user profiles in CRMS and other analytics products in libraries. As the article states at the beginning, data plays a large part in library outreach. With the pressure to prove their value to the community, library administration and management will reach for data to secure their library’s future in the community. The cost of over-relying on data to prove a library’s value, however, is usually left unexamined in these situations.

With that said, let’s do a little exercise. We have the chance to write a sequel to the advertisement piece. Instead of questions about the products, our questions will turn the tables and focus on the libraries themselves:

What are the privacy risks and potential harms to different patron groups from using the product?

Increased patron surveillance via data collection and user profiling can lead to disproportionate privacy risks for several patron groups. In addition, the business models of several vendors create additional harm by targetting specific minoritized groups, such as reselling data to data brokers or providing data to government agencies such as ICE.

What business need(s) does the product meet? What other products can meet the same need that doesn’t create a user profile or require increased patron surveillance?

Sometimes libraries buy one system that doesn’t match the actual business need for the library. For example, several collection management systems on the market do not require individual-level data to provide analysis as to how to spend collection budgets or meet patron demand. In addition, libraries do not need market segmentation products to perform collection usage analysis.

How does the library reconcile the use of the product with Article III of the ALA Code of Ethics, Article VII of the ALA Library Bill of Rights (and the accompanying Privacy Interpretation document), and other applicable library standards and best practices around patron privacy?

This one is self-explanatory. FYI – “Other libraries are doing the same thing” is not an answer.

What are social, economic, and cultural biases encoded into the product? What biases and assumptions are in the data collection and analysis processes?

Library services and systems are not free from bias, including vendor systems. One bias that some libraries miss is that the data in these systems do not reflect the community but only those who use the library. Even the list of inactive users in the system does not fully reflect the community. Moreover, data alone doesn’t tell you why someone in your community doesn’t have a relationship with the library. Data doesn’t tell you, for example, that some patrons view the library as a governmental agency that will pass along data to other agencies. Data also won’t fix broken relationships, such as libraries violating patron trust or expectations.

What is the library doing to inform patrons about the use of the product? Do patrons fully understand and consent to the library using their data in the product, including pulling data from data brokers and creating profiles of their library use?

More likely than not, your library does not give patrons proper or sufficient notice, nor give patrons the chance to explicitly consent for their data to be collected and used in these products. Refer to the Santa Cruz Civil Grand Jury report on what happens when the public calls out a library using a product in the advertisement article without full patron notification or consent.

Keep these questions in mind the next time you read about marketing and data analytics products in professional magazines such as American Libraries. These advertisement articles are designed to fly under the radar for readers who might not be thinking about the privacy implications of highlighted products and practices. Building relationships with the community require a considerable amount of time and care from the library. Data might seem to be a shortcut in speeding up the process. Nonetheless, choosing to view patrons as targets and metrics can ultimately undermine the foundation of any sustainable relationship.

Reader Survey Open Until June 15th

Thank you to everyone who has filled out the reader survey. If you haven’t filled out the survey yet, we want to hear from you! Take five minutes to help shape the future of the blog by filling out our short survey.

Libraries, Privacy, and… Tropes?

Welcome to this week’s Tip of the Hat!

A popular way to procrastinate at LDH is to dig through the pile of articles and other literature about all facets of privacy: regulations, ethics, practices, current events… the current events pile is at overcapacity at the moment. In these piles of articles, we come across one particular trope that we’d like to address – libraries as exemplars of privacy ethics and practices.

This trope is similar to others in other mainstream stories that use libraries as exemplars for other things, such as community engagement, democracy, and learning centers. The “library as privacy exemplar” trope coexists with these other tropes, sometimes in the same story. Other times the trope is front and center of an article. An example of this is an IAPP article about general privacy practices at the library. At best, this article demonstrates the attitude and tone of how many writers think about the library as an enlightened entity with their focus on privacy. Near the end of the article comes another trait that these articles tend to share, which is modeling privacy practices off of the library profession: “While library culture tilts heavily in favor of protecting the ‘citizen from state’ intrusion, that same culture can be mobilized to advocate for ‘customer’ privacy as well in relation to third-party service providers.”

All of this leads us to a hidden danger in the “library as privacy exemplar” trope, which is unquestioned trust in libraries in all matters of privacy and data ethics. Some of that trust has been earned – there are several library privacy initiatives, such as the Library Freedom Institute, that are very active in the greater community in their advocacy and education around data privacy. In addition, LDH’s conversations with technology workers in other fields have made it clear that professionals in other industries wished that they had strong professional ethics and standards like the library profession.

Nonetheless, others from outside the library profession take this trust too far. For example, in Emma Trotter’s “Patron Data Privacy Protection at Public Libraries: The Ethical Model Big Data Lacks”, Trotter proposes that libraries should become personal data stores (PDS) where people can gather their data in one secure place and then manage the processing of their data by third parties. Trotter is very confident that libraries can become the ethical role model for Big Data with this marriage between PDS and library privacy ethics. Overall, Trotter believes that the ethical issues around Big Data would be negated once libraries become front and center in the overall management of Big Data.

While libraries do have a strong ethical basis around advocacy and adoption of privacy practices, libraries also have their fair share of privacy issues and gaps. Libraries are not immune to the same threats and vulnerabilities as other professions and industries, such as data leaks and breaches, ransomware attacks, phishing, and even underfunding or undertraining staff in ways to protect patron privacy. Librarianship also deals with ethical issues around their collection and processing of patron data, particularly for marketing and user profiling, as well as working with vendors who also collect and process patron data without giving the patron control over what is collected and processed. One doesn’t need to search too far to find an example of such – one being the Santa Cruz Public Library’s Civil Grand Jury Report about the numerous ethics breaches surrounding their use of patron data without full patron notice and consent, among other violations of patron privacy.

Yes, other industries can learn from libraries about how to approach privacy in their daily work, including ethics and advocacy, but libraries also have to be honest about the profession’s struggles around data privacy, both on a practical and ethical level. Part of that is being public with these struggles in the public discourse, be it with patrons or with people from other industries who are looking for a model to base their professional privacy ethics and practices on. Another part is re-evaluating how we, as a library profession, market ourselves as privacy experts and safe-keepers of data to our patrons. Again, libraries set themselves apart from other industries regarding privacy ethics and advocacy, but they cannot set themselves apart from the reality that is working with data in the real world that has real needs that fall into ethical gray areas and real data security and privacy risks.

CRMS 101

Welcome to this week’s Tip of the Hat! Today we have a brief overview of an acronym that is becoming a popular tool in libraries – the customer relationship management system [CRMS] – and how this new player in the library field affects patron privacy. While some folks know about CRMS, there might be others that are not exactly sure what they are, and what they have to do with libraries. Below is a “101”- type guide to help folks get up to speed on the ongoing conversation.


What is a CRMS?

A customer relationship management system [CRMS] manages an organization’s interactions with customers with the goal to grow and maintain customer relationships with the organization. CRMS products have been used in other fields outside of librarianship for decades, mostly in commercial businesses, but the increased importance in data analysis and improving customer experiences has led for wider adoption of CRMS products in other fields, including libraries.

What is a CRMS used for?

Many organizations use CRMS products to track various communications with customers (email, social media, phone, etc.) as well as data about a customer’s interests, demographics, and other data that can be used for data analysis. This analysis is then used to improve and customize the user experience (targeted marketing, personal recommendations, and invitations, etc.) as well as making business decisions surrounding products, services, and organization-customer relations. This analysis can also be used to create user profiles or for market segmentation research.

What are some examples of CRMS?

There are many proprietary and open source options, though Salesforce is one of the most recognized CRM companies in the overall field. In the library world, several library vendors sell standalone CRMS products, such as OrangeBoy’s Savannah. Other library vendors have started offering products that integrate the CRMS into the Integrated Library System [ILS]. OCLC’s WISE is one such example of this integration, while other library vendors plan to release their versions in the near future.

What data is collected in a CRMS?

A CRMS is capable of collecting a large quantity of very detailed data about a customer. Types of patron data that can be collected with a library CRMS includes (but not limited to):

  • Demographic information
  • Circulation information like total checkouts, types of materials checked out, and physical location of checkouts
  • Public computer reservation information
  • Electronic resource usage
  • Program attendance

In addition to library supplied data, other data sets from external sources can be imported into the CRMS ranging from US Census data to open data sets from cities and other organizations that could include other demographic information by geographical area (such as zip code) or by other indicators.

How is patron privacy impacted by CRMS?

The amount of information that can be collected by a CRMS is akin to the type of information collected by commercial companies who sell services and products. By creating a user profile, the company can use that information to personalize that customer’s experience and interactions with the company, with the ultimate goal of creating and maintaining return customers. Traditionally libraries do collect and store some of the same information that CRMS products collect; however, it is usually not stored in one central database. Creating a profile of a patron’s use of the library leaves both the library and the patron at high risk for harm on both a personal and organizational level. This user profile is subject to unauthorized access by library staff, data breaches and leaks, or intentional misuse by staff or by the vendor that is hosting the system. This user profile can also be subject to a judicial subpoena, which puts patrons who are part of vulnerable populations at higher risk for personal harm if the information is collected and stored in the CRMS.

Further reading on the conflict between the CRMS, data collection, and library privacy:

What can we do to mitigate privacy risks if we use a CRMS?

If your library chooses to use a CRMS:

  • Limit the type and amount of patron data collected by the system. For data that is collected and stored in the CRMS, consider de-identification methods, such as aggregation, obfuscation, and truncation
  • Perform risk assessments to gauge the level of potential harm connected by collecting and storing certain types of patron information as well as matching up patron information with imported data sets from external sources
  • Negotiate at the contract signing or renewal stage with the vendor regarding privacy and security policies and standards around the collection, storage, access, and deletion/retention of patron data, as well as who is responsible for what in case there is a data breach
  • Perform regular privacy and security audits for both the library and the vendor

We hope that you find this guide useful! Please feel free to forward or pass along the guide in your organizations if you are having conversations about CRMS adoption or implementation. LDH can also help you through the decision, negotiation, or implementation processes – contact us to learn more!

Data Analytics @ Your Library: An Executive Summary of the Santa Cruz Report

Welcome to this week’s Tip of the Hat!

Last week was a busy week in the world of library privacy, and not just because there were a variety of privacy-related presentations and events at ALA Annual. While folks were wrapping up and traveling back from DC, a Santa Cruz county civil grand jury published a report that will shape the library and vendor data analytics landscapes. Running short on time due to ALA travel last week and this week’s holiday schedule? Here’s an executive summary so you can get a head start on thinking about how to approach the report at your own organizations.


What was the report about?

The report, “Patron Privacy at Santa Cruz Public Libraries: Trust and Transparency in the Age of Data Analytics,” is the result of an investigation by the Civil Grand Jury about the Santa Cruz Public Library’s (SCPL) use of a commercial analytics program, Gale’s Analytics on Demand (AoD), to analyze patron data.

Who wrote the report?

The report was written by the Civil Grand Jury. The county of Santa Cruz has a Civil Grand Jury comprised of 19 private citizens. One of their roles in the county is to examine and investigate government operations and to recommend actions to improve said operations. The Consolidated Final Report for 2018-2019 lists other investigations undertaken by the Jury, including detention facilities and public defense contracts.

What did the report find?

The report found that the Santa Cruz Public Library did not adequately inform patrons about the use of AoD at SCPL or do a thorough privacy risk analysis on using AoD at SCPL. The major themes in the Grand Jury’s findings are:

  • Mismatch between use of AoD and SCPL confidentiality and privacy policy
  • Lack of communications between SCPL and library patrons regarding use of data analytics, including giving the patrons the option to give consent to the library to use their data for data analytic use
  • Failure on SCPL’s part to thoroughly investigate the risks, effectiveness, and best practices in using data analytics in processing patron data
  • Lack of contract language with the vendor that protects the interest of both SCPL and library patrons

What are the recommendations?

The Grand Jury recommendations to SCPL include:

  • Updating the SCPL confidentiality and privacy policy to reflect the use of data analytic tools to process patron data
  • Create a system that allows patrons to consent to having their data used for data analytics
  • Follow professional and industry best practices around patron privacy
  • Create a data privacy officer role whose responsibility will be implementing and enforcing the privacy policy
  • Review and amend vendor contracts to protect the interests of both the library and library patrons

What’s next?

ALA will most likely release a response to the report in the near future; however, the next major updates will most likely come at the time where the library will submit their responses to the Grand Jury’s finding and recommendations later in the year.

We use analytics software – based on this report, what do we do?

The recommendations provide a good outline to where to begin. If you need a place to start, here are four key actions to focus on:

  • Review privacy policies – does your policy clearly tell patrons that you use analytics to process patron data?
  • Review current patron communications – how are you communicating with patrons about how the library uses their data? Can your patrons give consent to having their data processed by analytics software? Is there a way they can opt-out?
  • Review your privacy practices – Go through the ALA Library Privacy Checklists and make a plan of action for any areas in the Priority 1 Actions sections of the lists that your organization has not implemented
  • Review vendor contracts – pay close attention to areas in which contracts can be amended to shore up patron privacy protections including reflecting local and state regulations surrounding patron data and responsibilities of the vendor in the event of a data breach.

Feel free to forward this summary to folks in your organization! We highly recommend giving the full report a read, but we recognize that time is sparse during the summer season, so we hope that the above summary can help you start conversations at your organization. LDH will keep you updated as the official responses from SCPL, ALA, and others are published in the coming months.

As a reminder, LDH Consulting Services can assist your organization in reviewing privacy policies and practices in addition to risk assessments, staff training, and data inventories. If you have any questions, or would like to discuss how LDH can help your organization’s privacy practices, give us a ping!