Just Published! Library Data Risk Assessment Guide

Welcome to this week’s Tip of the Hat!

To build or to outsource?

Building an application or creating a process in a library takes time and resources. A major benefit of keeping it local, though, is that libraries have the greatest control over the data collected, stored, and processed by that application or system. Conversely, a major drawback of keeping it local is the sheer number of moving parts to keep track of in the building process. Some libraries have the technical know-how to build their own applications or have the resources to keep a process in house. Keeping track of privacy risks is another matter. Risk assessment and management must be addressed in any system or process that touches patron data, so how can libraries with limited privacy risk assessment or management experience make sure that their local systems and processes mitigate patron privacy risks?

Libraries have a new resource to help with privacy risk management! The Digital Library Federation’s Privacy and Ethics in Technology Working Group (formerly known as the Technologies of Surveillance Working Group) published “A Practical Guide to Performing a Library User Data Risk Assessment in Library-Built Systems“. This 28-page guide provides best practices and practical strategies in conducting a data risk assessment, including:

  • Classifications of library user data and privacy risk
  • A table of common risk areas, including probability, severity, and mitigation strategies
  • Practical steps to mitigate data privacy risks in the library, ranging from policy to data minimization
  • A template for readers to conduct their own user data inventory and risk assessment

This guide joins the other valuable resources produced by the DLF Privacy and Ethics in Technology Working Group:

The group also plans to publish a set of guidelines around vendor privacy in the coming months, so be sure to bookmark https://wiki.diglib.org/Privacy_and_Ethics_in_Technology and check back for any updates!

A New Privacy Framework For You

Welcome to this week’s Tip of the Hat!

The National Institute of Standards and Technology recently published version 1.0 of their Privacy Framework. The purpose of the framework is to create a holistic approach to manage privacy risks in an organization. The Framework is different from other standards in such that the goal is not full compliance with the Framework. Instead, the Framework encourages organizations to design a privacy program that best meets the current realities and needs of the organization and key stakeholders, such as customers.

The Framework structure is split into three parts:

  • The Core is the activities and outcomes for protecting privacy in an organization. These are broken down by Function, Category, and Subcategory. For example:
    • Identify-P (the P is there to differentiate from NIST’s Cybersecurity Framework) is a Function in which the organization is developing an organizational awareness of privacy risks in their data processing practices.
    • A Category of the Identify-P Function is Inventory and Mapping, which is taking stock of various systems and processes.
    • The Subcategories of the Category are what you would expect from a data inventory: what data is being collected where, when, how, by who, and why.
  • The Profile plays two roles – it can represent the current privacy practices of an organization, as well as a target set of practices for which the organization can aim for. A Current Profile lists the current Functions, Categories, and Subcategories the organization is currently doing to manage privacy risks. The Target Profile helps businesses figure out what Functions, Categories, and Subcategories should be in place to best protect privacy and to mitigate privacy risk.
  • The Implementation Tiers are a measurement of how the organization is doing in terms of managing privacy risk. There are four Tiers in total, ranging from minimal to proactive privacy risk management. Organizations can use their Current Profile to determine which Tier describes their current operations. Target Profiles can be developed with the desired Tier in mind.

Why should libraries care about this framework? Libraries, like other organizations, have a variety of risks to manage as part of their daily operations. Privacy risks come in a variety of shapes and sizes, from collecting more data than operationally necessary and not restricting sharing of patron data with vendors to lack of clear communications with staff about privacy-related policies and procedures. Some organizations deal with privacy risks through privacy risk assessments (or privacy impact assessments). The drawback is that the assessments are best suited for focusing on specific parts of an organization and not the organization itself.

The Privacy Framework provides a way for organizations to manage privacy risks on an organizational level. The Framework takes the same approach to privacy as Privacy by Design (PbD) by making privacy a part of the entire process or project. The Framework can be integrated into existing organizations, which is by design – one of the criticisms of PbD is the complications of trying to implement it in existing projects and processes. The flexibility of the Framework can mean that different types of libraries – school, academic, public, and special – can create Profiles that both address the realities of their organization as well as creating Target Profiles that incorporate standards and regulations specific for their library. School libraries can address the risks and needs surrounding student library data as presented in FERPA, while public libraries can identify and mitigate privacy risks facing different patron groups in their community. The Framework also allows for the creation of Subcategories to cover any gaps specific to an industry or organization not covered by the existing Framework, which gives libraries added flexibility to address library industry-specific needs and risks.

The flexibility of the Framework is a strength for organizations looking for a customized approach to organizational privacy risk management. This same flexibility can also be a drawback for libraries looking for a more structured approach. The Framework incorporates other NIST standards and frameworks, which can help ease apprehension of those looking for more structure. Nonetheless, libraries that want to explore risk management and incorporate privacy into their organization should give NIST Privacy Framework some consideration.

Who Knows, Who Decides, and Who Decides Who Decides

Welcome to this week’s Tip of the Hat!

Shoshana Zuboff’s book The Age of Surveillance Capitalism provides a comprehensive overview of the commodification of personal information in the digital age. Surveillance capitalism is a specific form of capitalism that focuses on using personal data to predict and control user behavior. Zuboff’s analysis of surveillance capitalism centers around three questions:

  • Who knows?
  • Who decides?
  • Who decides who decides?

In the book, Zuboff provides some context to the questions:

The first question is “Who knows?” This is a question about the distribution of knowledge and whether one is included or excluded from the opportunity to learn. The second question is “Who decides?” This is a question about authority: which people, institutions, or processes determine who is included in learning, what they are able to learn, and how they are able to act on their knowledge. What is the legitimate basis of that authority? The third question is “Who decides who decides?” This is a question about power. What is the source of power that undergirds the authority to share or withhold knowledge?

Zuboff offers answers to these three questions in her book: “As things currently stand, it is the surveillance capitalist corporations that know. It is the market form that decides. It is the competitive struggle among surveillance capitalists that decides who decides.” While the current prognosis is grim according to Zuboff’s analysis, the three questions are a powerful tool in which one can discover the underlying power structures of a particular organization or culture.

An interesting thought exercise involves applying these three questions to the library. On a lower level, the data lifecycle provides some answers to “Who knows?” concerning access to patron data as well as the publication and disclosure of data in reports, data sets, and so on to third parties. The “Who decides?” question goes beyond the data lifecycle and ventures into the realm of data governance, where decisions as to who decides the data practices of the library are made. However, the answer goes beyond data governance. Library use of third-party tools and services in collecting or processing patron data bring these third parties into the realm of “Who knows?” as well as “Who decides?” The third-party can adjust their tools or products according to what best serves their bottom line, as well as providing a tool or product that they can market to libraries. Third parties decide what products to put out to the market, and libraries decide which products meet their needs. Both parties share authority, which leads this thought experiment closer to Zuboff’s analysis of the market as the decider.

That brings us to the third question, “Who decides who decides?” Again, our thought experiment starts to blend in with Zuboff’s answer to the same question. There is indeed a struggle between vendors competing in a niche market that has limited funds. We would be remiss, though, if we just left our analysis pointing to competition between third parties in the market. Part of what is driving the marketplace and the tools and services offered within are libraries themselves. Libraries are pressured to provide data for assessment and outcomes to those who directly influence budgets and resources. Libraries also see themselves as direct competitors to Google, Amazon, and other commercial companies that openly engage in surveillance capitalism. Instead of rejecting the methods used by these companies, libraries have to some extent adopted the practices of these perceived market competitors to keep patron using library services. A library on this path could find themselves upholding surveillance capitalism’s grasp in patrons’ lives.

Fitting this thought experiment into one newsletter does not give the questions the full attention they deserve, but this gives us a place to start thinking about how the library shares some of the same traits and qualities found in surveillance capitalism. Data from patron activities can provide valuable insight into patron behaviors, creating personalized library services where yet more data can be collected and analyzed for marketing purposes. It’s no surprise that data analytics and customer relationship management systems have taken off in the library market in recent years – libraries believe that there is a power that comes with these tools that otherwise wouldn’t be accessible through other means. Nonetheless, that belief is influenced by surveillance capitalists.

Decided for yourself – give Zuboff’s book a read (or listen for the audiobook) and use the three questions as a starting point for when you investigate your library’s role in the data economy.