Hello everyone! It’s been a while since our last post in April, and a lot has happened. A Supreme Court ruling that will change how courts interpret an individual’s right to privacy, a bipartisan federal data privacy bill gaining momentum, ICE dipping into LexisNexis data much more than initially thought – and all of that is just within the past month. A lot is going on in the privacy world right now! While we won’t be back on our regular post schedule for a little longer, we will have time to bring you analysis and updates as they come along.
Speaking of updates, we have a big one to announce – the publication of our first book! Managing Data for Patron Privacy: Comprehensive Strategies for Libraries breaks down what library workers need to do to protect the privacy of their patron’s data. In this book, Kristin Briney, Biology & Biological Engineering Librarian at the California Institute of Technology, and LDH founder Becky Yoose cover key topics as:
succinct summaries of major U.S. laws and other regulations and standards governing patron data management;
information security practices to protect patrons and libraries from common threats;
how to navigate barriers in organizational culture when implementing data privacy measures;
sources for publicly available, customizable privacy training material for library workers;
the data life cycle from planning and collecting to disposal;
how to conduct a data inventory;
understanding the associated privacy risks of different types of library data;
why the current popular model of library assessment can become a huge privacy invasion;
data privacy and security provisions to look for in vendor contracts.
Managing Data for Patron Privacy is a great place to start for library workers and libraries looking to cultivate a sustainable, holistic approach to their data privacy practices. Come for the case studies and practical advice; stay for the cats, glitter, and pasty recipe. 😉 We hope you enjoy the book, and please let us know if you have any questions or comments as you dive into our new book!
Happy belated Spring Equinox to our fellow Northern Hemisphere dwellers! It doesn’t exactly feel like spring for many folks, but soon enough, there will be leaves on the trees, flowers in the gardens, and pollen in the air. So, so much pollen. Pollen that makes you sneeze even if you haven’t ventured outside in days and have all the windows and doors closed. Pollen that coats your car to the point where you can’t see out of the windshield. Pollen clouds. Pollen is everywhere. It’s like nature’s version of glitter.
The analogy of pollen-as-glitter doesn’t quite match up one-to-one. For example, limiting the amount of glitter we come into contact with is easier than limiting the amount of pollen unless you take drastic measures (like moving to another part of the world to avoid certain types of pollen). However, we have a more accurate analogy to form – data as glitter. Here are some ways data is like glitter from our tweet in 2020:
Hot take – Data is not the new oil. Data is the new glitter:
– Lures humans in with its shininess – Very easy to accumulate – Found in places you least likely expect to find it – Almost impossible to get rid of – Everyone insists on using it w/o thinking through the consequences
We all had a glitter phase – all glitter, all the time. For some of us, though, we are the ones who are left cleaning up after someone somewhere in the building used any glitter. The nature of glitter – the attractiveness of the shininess, the ease of getting a hold of glitter, the lightweight and aerodynamic nature of individual glitter specks – is sure to be a recipe of disaster if there are no guidelines in place in using it. Parents and educators might already know a few of these guidelines: laying down plastic or paper over the workspace for easy cleanup, not leaving glitter containers open when not in use, and washing hands when finished working with glitter. For such tiny specks of plastic, it takes a lot of effort to ensure that the glitter doesn’t get everywhere and on everyone.
Data is like glitter. If there are no guidelines or measures to control the use and flow of data, you will have multiple versions of the same data set in various places. In previous #DataSpringCleaning posts, we talk about electronic and physical data retention and deletion, but that only addresses some of the privacy risks we face when working with data. For those unfortunate enough to have to clean up after a glitter explosion, it’s nearly impossible to get all the glitter if control measures were not put in place. The same is true with data – left unrestricted, data will get everywhere, making it almost impossible to delete. It also makes it practically impossible to control who has access, what is shared, and even when it’s appropriate to work with patron data.
For this year’s #DataSpringCleaning, we’re taking a proactive approach to avoid cleaning up explosion after explosion of glitter-like data. What are some ways you can limit the spread of patron data in your library or organization? The data lifecycle is a great place to start:
What data do you absolutely need to collect to do what you need to do?
Where should you keep the data?
Who should have access to the data?
How should the data be shared, if at all?
How do you clean up after the data is no longer used or needed?
Another place to start is to get into the habit of asking if you truly need to use patron data in the first place. Some of the worst glitter cleanups come from times when glitter use was absolutely unnecessary – for example before you use that glitter bath bomb, do you really need to have glitter all over yourself and your bathtub and your bathroom and your pets who enter the bathroom and your carpet and your furniture and your clothes and everyone who comes into contact with you or the other glittered surfaces? The answer is almost always “no.”
Stopping to ask yourself if patron data is needed in the first place to do the thing that you need to do is one of the best ways to avoid putting patron privacy at risk at your library. Thinking about data in terms of glitter can help you get into the habit of being more judicious about when to use patron data and how it should be used to limit unmitigated messes that will take considerable amounts of time to clean up. Data is glitter – plan accordingly!
Keeping track of the latest threats to patron data privacy and safety is easily a full-time job in quiet, uneventful times. Last week was neither quiet nor uneventful. From the possibility of increased cyber warfare in the coming weeks to the progression of anti-LGBTQIA+ and anti-CRT regulations in several US states, many library workers are rightfully feeling overwhelmed with the possible implications of these events on the patron’s right to privacy in the library. And all of this is happening while we are still in the middle of a pandemic!
This week we are going to help you, the reader, to take a moment to stop, breath, and orient yourself in light of the recent increase in threats to patron privacy. We have three things that you can do today that can get you started in protecting patron data privacy and security in light of recent events:
Reacquaint yourself and others on how to avoid phishing attempts – Libraries are no strangers in being the target of phishing attacks; however, with the possibility of increased cyber warfare, the phishing attempts will only increase. As we saw with Silent Librarian, phishers are not afraid to use the library as a point of entry into the more extensive organizational network to access sensitive personal information. The Phishing section of the Digital Basics Privacy Field Guide is an excellent way to spread awareness at your library if you are looking for a simple explainer to share with others.
Check if your library is holding onto circulation, reference chat, and search histories – By default, your ILS should not be collecting borrowing history, but the applications you use for reference services might have similar information. The same goes for your library’s catalog or discovery layer and logs that might be capturing searches from patrons in a system log. This data can be used to harm patrons, particularly patrons who experience greater harms when their privacy is violated, such as LGBTQIA+ students and minors. Check the system and application settings to ensure that your systems are not collecting circulation and search histories by default. Review the reference chat logs to ensure that personal patron data is not being tracked or retained in the metadata and the chat content.
(Bonus – If you find patron data that is not supposed to be there after checking and changing settings, make sure to delete it securely!)
Check your backups – You should be checking your backups regularly, but today is a good day to do an extra round of checks on your data backups:
Can you restore the system with the latest backup in case of a ransomware or malware attack? If you haven’t already tested your backups, you might run into unexpected issues in your attempt to restore your system after an attack. Schedule a backup test sooner than later if you haven’t restored from a data backup before to catch these issues while the system is still up and functional.
Where are your backups located? Having an offline copy can mitigate the risk of loss or destruction of all copies from an attack. You also want to ensure that the backup is securely stored separately from the system or application.
What data is being stored in the backups? Backups are subject to the same risk as other data regarding unauthorized access or government requests. This is especially important when these backups have personal data, such as a patron’s use of library resources and services. Adjust what data is being backed up daily to limit capture of such patron data and limit the number and frequency of full database backups.
How long are you storing backups? Backups can be used to reconstruct a patron’s use of library resources and services over time. We have to balance the utility of backups and data security and privacy; however, the longer you keep a backup, the less valuable it will be in restoring a system and the more the risk of that data being breached or leaked. The length of time you should retain a backup copy will depend on several factors, including if the backups are incremental or full and what type of data is stored in the backup. Nevertheless, if you are unsure where to start, review any backups older than 60 days for possible deletion.
(Bonus – if you’re not backing up your data, now would be a perfect time to start!)
Focusing on these three actions today will provide your library with an action plan to address the increased risks to patron data privacy and security in the coming weeks and months (and even years). Even though we focused on things you can do right now, don’t forget to include in your action plan how you will work with third parties (such as vendors) in addressing the collection, retention, and sharing of patron data! And as always, we will keep you up to date on the latest news and events impacting patron data privacy and security, so make sure you subscribe to our weekly newsletter to get the latest news delivered to your inbox.
Readers of the Tip of The Hat might be familiar with the ALA Privacy Guidelines and Checklists or even use them in their library privacy work. Created in 2015, the Guidelines aim to assist libraries and library vendors in providing patron privacy guidance around library technology and services. The Checklists give more guidance in turning this guidance into actionable checklists for libraries to incorporate into their work. The Guidelines and Checklists have provided valuable advice and direction for many a library and library vendor alike throughout the years.
As the privacy needs of libraries change, so have the Guidelines and Checklists. Nevertheless, the growing complexity of privacy work means a new set of challenges for libraries to face. Alongside this increasing set of challenges is the need for a group of resources that are easy to understand and provide the tools necessary for library workers to advocate for privacy practices on all levels, from the public to administration to vendors.
The Privacy Field Guides, an IMLS sponsored project in collaboration with ALA, aims to meet this need. These just-published guides offer practical guidance around major library privacy topics:
Data Lifecycles (If you’re familiar with our work at LDH, you might not be surprised that we helped out with the creation of this guide!)
Digital Security Basics
How To Talk About Privacy
Vendors and Privacy
These guides are a valuable addition to your library’s privacy toolkit and are a great way to start privacy discussions in your library. Take some time to go through the digital versions of the Field Guides and let us know what you think!
We sometimes like to say that something happens because of “magic” – in reality, that “magic” is the result of the (invisible) labor of real and unmagical people. To some patrons, this “magic” takes the form of the many programs, resources, and services the library provides daily. It takes the work of people in both the public and back-office spaces of the library. What happens, then, if you take the “magic” created by people and replace it with the “magic” of technology?
Last month the Santa Monica Public Library announced their plans to reopen a branch closed to the public due to staff cuts last year. The branch opening wasn’t made possible by regaining staff positions but instead made possible through a state grant to expand physical services through a suite of self-service technology. This grant uses existing technologies that many libraries use, including self-checkout machines, security cameras, and a controlled entry card swipe/tap or keypad. Combining these technologies to create a self-service library without staff isn’t new, either – for example, several Europeanlibraries expanded physical library hours through self-service technologies. The technology behind Santa Monica Library’s branch reopening, Open+, has been piloted in other US libraries such as Gwinnett County Public Library to expand library hours and service sans on-site staff.
This open library model comes with tradeoffs that leave many library workers worried. Library workers and patrons alike raised valid concerns around open libraries replacing staff to save costs. Another tradeoff that some might miss is the increased collection, processing, and retention of data generated from patron use of the physical library. While the individual technologies are not new, the combination of existing technologies to create an open library expands the amount of surveillance and data collection to a level that exponentially exposes patrons to various privacy harms.
We might as well start with the elephant in the room. The use of security cameras in libraries has been contested throughout the years, with libraries trying to balance using cameras for physical library security and patron privacy. ALA created guidelines about security camera use for libraries but the use of cameras in library spaces brings the risk of violating patron privacy throughout each stage of the patron data lifecycle:
Collection – where are the cameras located? Are they recording footage of patrons using library resources, such as browsing shelves, computer usage, or other identifiable usages of materials in the library?
Storage, retention, and deletion – where is the recorded footage being stored? Is it locally stored in the library? If not, where is that storage? Is it with a vendor, organizational IT, or even local law enforcement? How long are recordings kept? How many copies, including backups, exist, and how long are they kept?
Access and disclosure – who has access to the footage? Library workers, the vendor, the parent organization? Can law enforcement access the footage without a court-issued order? What are the policies around disclosing footage?
Depending on the library’s location, some state and local regulations around library privacy can potentially include security camera footage as part of their definition of protected patron data. However, this protection cannot be guaranteed even if the regulations include such footage if the vendor recording and retaining footage is not legally obligated to protect this footage or if the footage is stored and retained by law enforcement.
The use of controlled entry technology brings another privacy risk to patrons in an open library setting. Academic, school, and other special libraries might be familiar with using card swipe or tap machines that control access to physical library spaces. These technologies are uncommon in public libraries, however. These controlled access systems can create logs of patron data: who came into the library at what time. This patron log can potentially put patron privacy at risk through a data breach or misuse through secondary use (the reuse of data collected for another purpose) in the form of learning analytics and marketing campaigns.
Security cameras and controlled entry onto themselves create some privacy risks; nonetheless, these risks can be mitigated if particular care is put into the planning and implementation of each technology. Pairing these technologies with other monitoring technologies creates a profile of a patron’s library use through the combination of data sets. Who is doing the data collecting, storing, and retaining determines the level of risk to patron privacy. That is where libraries considering open library models need to spend considerable time assessing the privacy risks associated with who controls the surveillance technologies used to collect and store patron data. Currently, open library models consist of third-party technologies and services to coordinate all of these technologies. These third parties are not subject to state and local regulations around library data privacy (outside of California and Missouri). Trying to replace one “magic” (people) with another (technology services provided by a third party) doesn’t get rid of cost. Instead, it transfers and transforms it to the point where some library workers might not realize that the open library “magic” comes at the cost of patron privacy.
 The use of controlled entry technology in public libraries is also an equity issue concerning which groups of patrons can access the library outside of staffed hours. Who is excluded from the physical library in an open library model, and what are the implications of excluding them?
People sometimes ask what keeps privacy professionals up at night. What is that one “worst-case scenario” that we dread? Personally, one of the scenarios hanging over my head is insider threat – when a library employee, vendor, or another person who has access to patron data uses that data to harm patrons. A staff person collecting patron addresses, birthdays, and names to steal the patrons’ identities is an example of insider threat. Another example is a staff person accessing another staff’s patron records to obtain personal information to harass or stalk the staff member.
Last week, an IT employee at NCSU was doxed as a local leader of a white supremacist group. This person, who worked IT for the libraries in the past, doxed individuals, including students in his own university, to harass and, in some cases, incite violence toward the people being doxed. As an IT employee, this person most likely had unchecked access to students, staff, and faculty personal information. It wouldn’t be a stretch to say that he still had access to patron information, given his connections to the library and his IT staff position.
Libraries spend a lot of time and attention worrying about external threats to patron privacy: vendors, law enforcement, even other patrons. We forget that sometimes the greatest threat to patron privacy works at the library. Library workers who have access to patron data – staff, administration, board members, volunteers – can exploit patrons through the use of their data for financial gain in the case of identity theft or harm them through searching for specific library activity, checkouts of certain materials, or even names or other demographic information with the intent to harass or assault. The reality is that there might not be many barriers, if at all, to stop library workers from doing so.
The good news is that there are ways to mitigate insider threat in the library, but the library must be proactive in implementing these strategies for them to be the most effective:
Practice data minimization – only collect, use, and retain data that is necessary for business operations. If you don’t collect it, it can’t be used by others with the intent to harm others.
Implement the Principle of Least Privilege – who has access to what data and where? Use roles and other access management tools to provide staff (and applications!) access to only the data that is absolutely needed to perform their intended duty or function.
Regularly review internal access to patron data – set up a scheduled review of who has what access to patron data. When an employee or other library worker/affiliate changes roles in the organization or leaves the library, develop and implement policies and procedures in revoking or changing access to patron data at the time of the role change or departure.
Confidentiality Agreements For Library Staff, Volunteers, and Affiliates – your privacy and confidentiality policy should make it clear to staff that patrons have the right to privacy and confidentiality while using library resources and services. Some libraries go further in ensuring patron privacy by using confidentiality agreements. These confidentiality agreements state the times when patron data can be access and the acceptable uses for patron data. Violation of the agreement can lead to immediate termination of employment. Here are some examples of confidentiality agreements to start your drafting process:
Regularly train and discuss about privacy – ensure that everyone who is involved with the library – staff, volunteers, board members, anyone that might potentially access patron data as part of their role with the library – is up to date on current patron privacy and confidentiality policies and procedures. This is also an opportunity to include training scenarios that involve insider threat to generate discussion and awareness of this threat to patron privacy.
A note about IT staff, be it internal library IT staff or an external IT department (campus IT, city government IT, or another form of organizational IT) – Do not automatically assume that IT staff are following privacy/security standards and policy just because they are IT. Now is the time to discuss with your IT connections about their current access is and what is the minimum they need for daily operations. However, even if the IT department practices good security and privacy hygiene (such as making sure they follow the Principle of Least Privilege), any IT staff member who works with the library in any capacity must also sign a confidentiality agreement and be included in training sessions at the very minimum.
A data inventory is a good place to start if you are not sure who has access to what data in the library. The PLP Data Privacy Best Practices for Libraries project has several templates and resources to help with creating a data inventory, assessing privacy risks, and practical actions libraries can take in reducing the risk of an insider threat.
Libraries serve everyone. We serve patrons who are already at high risk for harassment and violence. Libraries must do their part in mitigating the risk that insider threat creates for our patrons who depend on the library for resources and support. Otherwise, we become one more threat to our patrons’ privacy and potentially their lives or the lives of their loved ones.
What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy. At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.
This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.
Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!
Building an application or creating a process in a library takes time and resources. A major benefit of keeping it local, though, is that libraries have the greatest control over the data collected, stored, and processed by that application or system. Conversely, a major drawback of keeping it local is the sheer number of moving parts to keep track of in the building process. Some libraries have the technical know-how to build their own applications or have the resources to keep a process in house. Keeping track of privacy risks is another matter. Risk assessment and management must be addressed in any system or process that touches patron data, so how can libraries with limited privacy risk assessment or management experience make sure that their local systems and processes mitigate patron privacy risks?
A driver’s license card is the first document many people use to prove their identity, be it at work, or the bank, or the airport. The card has key information needed for organizations and institutions: name, date of birth, address, photo, and the illustrious driver’s license number. Driver’s license cards can be a convenient form of identification, but it can also be a convenient way for your patrons’ identities to be stolen if your library is not careful in its handling of the card’s information.
As part of the library card registration process, many public libraries require some form of identification with a current address to confirm the patron’s home address. These libraries almost always accept driver’s license cards as one form of identification. But what do libraries do with the information on the card? Some record the driver’s license number in the patron record, while others take a photocopy scan of the card (yes, this has happened!). Several libraries use specially programmed barcode scanners to automatically populate the fields in the patron record from the information provided from the driver’s license barcode.
Each method carries its level of risk to the library patron’s privacy. Storing driver’s license numbers in the patron record or other places can open the patron up to identify theft if the library’s systems or physical spaces are compromised. There are various ways to compromise a physical or electronic space. We are familiar with the story of a person breaking into the system to steal information, but sometimes it is a staff person who steals the information. We also can’t forget that a leak is as damaging as a breach – sometimes staff leave the patron record up on the screen at public service desks, or a report printout is left on a desk for anyone to see or take.
Overall, the best way to mitigate the risk of a breach or leak of driver’s license numbers is to not collect or store driver’s license numbers. In the collection stage of the patron data lifecycle, we decide what data to collect. The data you collect should be tied to a specific, demonstrated business need at the point of collection. If you are collecting driver’s license numbers as a way to verify patrons and addresses, what are the business needs for collecting and storing that number in the patron record? You can achieve the same business need by other means, including creating a process of validating the patron record information with the identification without recording additional personal information in the record. Another consideration is that while driver’s license cards are a convenient form of identification, the card might have a name that the patron no longer uses and might have other outdated or incorrect information, including address information if the state does not mail a new card when there is an address change. Finally, not all patrons have driver’s license cards, and your patron registration policies and procedures need to accommodate this reality.
Even if you don’t collect or store the driver’s license number, there are still ways in which the library might inadvertently collect more patron information than they need from the card. Scanning driver’s license barcodes to auto-populate patron registration forms and records can save time in data entry, but be aware that these barcodes carry much more information than what is presented on the card, including gender and even Social Security Numbers. The software that you use to scan the barcodes should only record the information needed for the patron form and not store the additional information in the barcode. Your software vendor should have information about how they treat this extra data; if they do not, then the vendor product is a potential security risk for the library and the patrons which needs to be addressed with the vendor.
No matter how your library handles driver’s license cards, your library should be actively reviewing privacy practices on a regular basis. In 2019, the Contra Costa County Library System decided to stop collecting driver’s license numbers and purged existing numbers from their patron records. This decision came just at the right moment – the library system suffered a ransomware attack at the beginning of 2020. While recent reports state that no personal data was compromised, the risk of identity theft to library patrons would have been much greater if the driver’s license numbers were still stored at the library. In short, it’s never too late to review policies and procedures around patron address verification at your library!
The National Institute of Standards and Technology recently published version 1.0 of their Privacy Framework. The purpose of the framework is to create a holistic approach to manage privacy risks in an organization. The Framework is different from other standards in such that the goal is not full compliance with the Framework. Instead, the Framework encourages organizations to design a privacy program that best meets the current realities and needs of the organization and key stakeholders, such as customers.
The Framework structure is split into three parts:
The Core is the activities and outcomes for protecting privacy in an organization. These are broken down by Function, Category, and Subcategory. For example:
Identify-P (the P is there to differentiate from NIST’s Cybersecurity Framework) is a Function in which the organization is developing an organizational awareness of privacy risks in their data processing practices.
A Category of the Identify-P Function is Inventory and Mapping, which is taking stock of various systems and processes.
The Subcategories of the Category are what you would expect from a data inventory: what data is being collected where, when, how, by who, and why.
The Profile plays two roles – it can represent the current privacy practices of an organization, as well as a target set of practices for which the organization can aim for. A Current Profile lists the current Functions, Categories, and Subcategories the organization is currently doing to manage privacy risks. The Target Profile helps businesses figure out what Functions, Categories, and Subcategories should be in place to best protect privacy and to mitigate privacy risk.
The Implementation Tiers are a measurement of how the organization is doing in terms of managing privacy risk. There are four Tiers in total, ranging from minimal to proactive privacy risk management. Organizations can use their Current Profile to determine which Tier describes their current operations. Target Profiles can be developed with the desired Tier in mind.
Why should libraries care about this framework? Libraries, like other organizations, have a variety of risks to manage as part of their daily operations. Privacy risks come in a variety of shapes and sizes, from collecting more data than operationally necessary and not restricting sharing of patron data with vendors to lack of clear communications with staff about privacy-related policies and procedures. Some organizations deal with privacy risks through privacy risk assessments (or privacy impact assessments). The drawback is that the assessments are best suited for focusing on specific parts of an organization and not the organization itself.
The Privacy Framework provides a way for organizations to manage privacy risks on an organizational level. The Framework takes the same approach to privacy as Privacy by Design (PbD) by making privacy a part of the entire process or project. The Framework can be integrated into existing organizations, which is by design – one of the criticisms of PbD is the complications of trying to implement it in existing projects and processes. The flexibility of the Framework can mean that different types of libraries – school, academic, public, and special – can create Profiles that both address the realities of their organization as well as creating Target Profiles that incorporate standards and regulations specific for their library. School libraries can address the risks and needs surrounding student library data as presented in FERPA, while public libraries can identify and mitigate privacy risks facing different patron groups in their community. The Framework also allows for the creation of Subcategories to cover any gaps specific to an industry or organization not covered by the existing Framework, which gives libraries added flexibility to address library industry-specific needs and risks.
The flexibility of the Framework is a strength for organizations looking for a customized approach to organizational privacy risk management. This same flexibility can also be a drawback for libraries looking for a more structured approach. The Framework incorporates other NIST standards and frameworks, which can help ease apprehension of those looking for more structure. Nonetheless, libraries that want to explore risk management and incorporate privacy into their organization should give NIST Privacy Framework some consideration.