Libraries as Information Fiduciaries? Part Two

People sitting at tables and working at the Rose Main Reading Room of the NYPL. A blur/color filter has been applied to the photo.
Image source: (CC BY ND 2.0)

Welcome back to our series on information fiduciaries and libraries! We introduced the concept of information fiduciaries in Part One. In this series entry, we will focus on libraries as possible information fiduciaries.

A Question of Interest

Jack M. Belkin, who popularized the information fiduciary concept in 2014, expanded the traditionary fiduciary concept to a trusted party managing personal data on behalf of another. In the context of the library, what would be considered the best interest of the person? In the 10th edition of the Intellectual Freedom Manual, we have one possible interpretation of “best interest” in the way of privacy and confidentiality:

“In brief, libraries and library workers must act as information fiduciaries, assuring that in every circumstance the library user’s information is protected from misuse and unauthorized disclosure, and ensuring that the library itself does not misuse or exploit the library user’s information.”

On the surface, this appears straightforward enough. However, how a library defines “misuse or exploit” leads to a question about how libraries interpret “best interest” in the fiduciary relationship. Some organizations might interpret “best interest” in ways that others would consider exploitative. Such is the case with academic institutions and learning analytics as described in “A matter of trust: Higher education institutions as information fiduciaries in an age of educational data mining and learning analytics.” Jones, Rubel, and LeClere describe how current learning analytics initiatives violate not only student privacy but also student trust in the institution. At the same time, the institution is acting in the perceived best interest of both students and the institution.

Like academic institutions, libraries are under immense pressure to engage in data practices at the expense of patron privacy. A key component of fiduciary relationships is acting in the best interest of the represented person. While it might be in the best interest for libraries to extensively collect patron data for operations, marketing, and analysis, this level of collection and data processing would violate the best interest of their patrons’ privacy. Libraries committing to an information fiduciary relationship with their patrons must scrutinize their data privacy practices and recalibrate these practices to center on patron privacy interests.

A Question of Ownership

It becomes clear while evaluating practices and interests that the relationship between libraries, patrons, and third parties complicates matters not only in competing best interests but also in matters of data ownership. Personal data is collected in several ways. Sometimes the data collection is direct – an example is when a patron gives the library personal data to obtain a library card. Other times libraries collect personal data generated from a patron’s library resources and services use, even though the patron might not be aware of this data generation and collection. Patrons also directly give personal data to vendors when signing up for accounts and generate data when they use vendor services and resources, possibly unaware of such generation and collection happening on the vendor’s end. On top of all of this, libraries directly give vendors patron personal data. So, who owns what data?

Another component of a fiduciary relationship is the concept of management of valuable assets, particularly in sensitive matters. As demonstrated in the previous paragraph, data ownership can easily be contested if there is no clear sense as to who owns what data. Libraries can (and should!) use vendor contracts to state that the library and its patrons own the data collected by the vendor, defining some clearer ownership roles. Once again, however, technology and data practices can throw this clarity back to uncertainty, particularly with data aggregation and analytics practices by vendors and fourth parties, sometimes in the interests of the customers (libraries and patrons) and sometimes in the interest of the vendor which conflict with patron/library interests. As Jones, Thomson, and Arnold argue in “Questions of Data Ownership on Campus,” adopting an information fiduciary role can help navigate the issue of determining who owns what through focusing on shared ownership and asset management in the best interest of the patron. Even when libraries and third parties claim ownership over patron data collected through patron use of resources and services, any collection or processing of this data must center around the patrons’ best interests with regards to patron privacy.

We would be amiss, though, if we didn’t address a potential issue of treating data as an asset, even in a fiduciary role. In Kerry and Morris Jr.’s “Why data ownership is the wrong approach to protecting privacy,” commodifying data provides little protection for user privacy. Treating data as property reinforces current practices of placing market interests over individual interests. Placing the onus of data privacy management on the individual when there’s evidence that notice and consent currently fail to protect data privacy. Instead of focusing primarily on data ownership and transactional relationships, Kerry and Morris Jr. argue for federal regulation that falls in line with information fiduciary’s emphasis on acting in the interest of the individual. Nonetheless, the concept of data as property or an asset for individuals to manage and organizations to commodify has socioeconomic implications, including perpetuating harms created by the privacy violations embedded in societal systems and institutions, including the library.

Personal Data as a Collection…

We’ve only started to explore the concept of libraries as information fiduciaries. The last two posts focused on personal data collected and generated through a patron’s library use. What happens, then, when personal data is *part* of a collection? This often happens in special collections, archives, and institutional repositories that collect research data, to name a few places. What type of information fiduciary relationship exists between the people in the collection and the library or archive that hosts that collection, if any? Stay tuned for the next installment of the series!

Libraries as Information Fiduciaries? Part One

A adult black woman leans against a glass wall of a server room holding an open laptop.
Image source: (CC BY 2.0)

The Resolution on the Misuse of Behavioral Data Surveillance in Libraries, recently passed at ALA Midwinter, calls for libraries and vendors to reject behavioral data surveillance of patrons. While we are familiar with the concept of data surveillance, the last item in the resolution contains something that some in the library world are not as familiar with – information fiduciaries. This concept also appears in the recently published 10th edition of the Intellectual Freedom Manual. There’s a likely chance that “libraries as information fiduciaries” will continue to gain ground in the professional discourse around library privacy, so let’s take some time to explore this concept.

Information Fiduciaries Basics

The fiduciary concept is centuries old. Typically, a fiduciary is a person(s) who is entrusted with a valuable asset from another person(s). You might have come across the fiduciary term when dealing with finances – for example, a financial advisor might be considered a fiduciary for a client. A fiduciary relationship is built on trust. The fiduciary is trusted to act in the interest of the party that trusts them enough to manage valuable assets or represent them in sensitive matters.

The concept of information fiduciaries, popularized by Jack M. Balkin in his 2014 blog post about the concept, took the fiduciary concept of managing assets and expanded the assets definition to include information about a person. This expansion would then charge the fiduciary to manage the person’s information with the person’s interests. In Balkin’s post, the expansion to information assets would call on fiduciaries to practice a higher level of information privacy, including not using or disclosing personal information against the user’s interests.

If this seems similar to the legal concept of “duty of care,” it should be! Duty of care is a legal concept that can be a part of fiduciary duties. The fiduciary is required to act in an informed and responsible way that will not harm others in the relationship. In the case of information fiduciaries, the fiduciary duty of care would be on the company that collects the user’s data; therefore, the company would need to put the user’s interests ahead of their interest.

Too Little, Too Late?

Nonetheless, the information fiduciary concept isn’t without its critics. David E. Pozen and Lina M. Khan argue that the concept cannot reconcile the business models of social media companies who rely on using personal data with the interests of the person to sustain the company’s business model. Pozen and Khan point out the tension between the already existing financial fiduciary relationship with shareholders (that rely on the business model) and the proposed information fiduciary relationship with users. Even Balkin admits that behavioral advertising, which exploits personal information for business gain, might continue after a company takes on an information fiduciary role. In a sense, applying an information fiduciary model to existing digital company business models is trying to close the barn door after the horses escaped – you’re asking a company who has built their revenue model on exploiting user information to give up their revenue stream. Having a company become an information fiduciary after the fact isn’t going to resolve them to move away from personal information abuse.

There are other critiques of the information fiduciary concept to consider. While the Electronic Freedom Frontier generally supports information fiduciary regulations, they recognize that the concept has several limitations including governance of third-party data relationships with other third-parties, limitations around restricting the collection of user data, and the uncertainty of how the recently created concept of information fiduciary would work in practice concerning legal enforcement of any fiduciary regulations. EFF argues that information fiduciary must not replace other data privacy regulations and practices. Information fiduciaries are not comprehensive in protecting user privacy and must be approached as such.

What About Libraries?

The information fiduciary is still relatively new, but there have already been calls from the library world to adopt the fiduciary role in patron data management. We will explore some of these calls, as well as how information fiduciary might look like at the library, in part two in the coming weeks!