Before You Share a Patron’s Story, Part 2

A square white neon conversational bubble against a black wall.
Photo by Jason Leung on Unsplash

Welcome back to our series about responsibly sharing patron stories! Last week we talked about the importance of consent for libraries publishing stories about individual patrons. This week we get into the mechanics of consent and some of the complications around seeking consent to share particular stories.

A couple of housekeeping points before we get started:

  • This week’s post is pretty long! We decided to keep the post as-is instead of breaking it up into two more posts because we felt it essential to present the mechanics and complications of consent together in the same post.
  • We primarily focus on libraries sharing patron stories around events and services for marketing and outreach purposes. Consent also plays a critical role in library assessment and research. Though we will not cover specific issues around privacy and consent in this post’s assessment and research processes, we’ll touch on an overlap point between these two topics.

Asking for (Explicit) Consent

There are two types of consent. The first is implied consent. We encounter this through statements in public notices: “by using this service, you give us permission to use your posts, comments, and other content and likeness for…”. Many physical events still rely on implied consent through conspicuous signage depending on the intended use of the photographs and video and what is captured by the photograph or video (e.g., one patron vs. a group of patrons). Implied consent is passive, which means patrons have to seek out these notices and understand what they are consenting to by attending the program or using a service. Patrons might not even know that these notices exist, or they might not fully understand what might be shared by the library, leading to possible data and ethics breaches, among other consequences. Even when patrons share their own stories on library social media pages, some might not expect libraries to republish their stories in different mediums, such as an annual report or a fundraising campaign.

Instead, libraries should seek explicit consent, which requires affirmative action from the patron. When a library wishes to publicly share a story, quote, or other information about an individual patron’s library use, include at least the following in the ask to the patron:

  • Who you are
  • What information you wish to share and why
  • Where and who you want to share the information
  • How to contact you if the patron has any questions or concerns about sharing or privacy

The consent request should be informative and easy to understand. For example, a library can ask for consent to share patron feedback gathered through a program survey or evaluation form by creating a question asking the patron if the library has permission to quote the patron’s feedback in a library report or other publication. The library should also ask if the patron would like to have their name published alongside the feedback in case the patron would rather have their comment published without their name attached to it. In another example, the following is a sample message to a patron asking to share a patron’s post on the library’s social media page:

“Hello! I’m the outreach coordinator for the library. Thank you for sharing your story about our new service. Would it be okay to share your post in our weekly library newsletter to our patrons to show how other patrons benefited from our new service? Would you also be okay with being named along with the post in the newsletter? You can respond back to this message to us know if you would be okay with us sharing the post, and if you have other questions or concerns.”

However, if you wish to share the same story in the annual report, you will need to check back with the patron since the patron only gave explicit consent for publication in the newsletter. Reusing the story for the annual report without explicit consent can violate the patron’s expectations.

Gaining explicit consent can be more involved with events and programs, particularly when the event is being photographed and/or recorded for publication. Web-based programs and events might have consent features built into the application used to host the program, such as Zoom’s consent popup to users when a session is recorded. Physical events and programs can include consent forms before or at the event for presenters and attendees, particularly for individuals prominently featured in photographs or recordings of the event.

Consent Considerations Regarding Publishing Patron Stories

Some of you might notice one critical component missing in the earlier sample ask – the ability for the patron to withdraw their consent at any time. While libraries should honor the withdrawal of previously given consent when a patron requests that a library social media post mentioning them by name be taken down, the library must weigh potential consequences of making a patron’s use of the library public through sharing their story. The persistent nature of published information – physical or online – requires careful thinking and approach regarding sharing patron stories.

One consideration before asking for consent is the nature of the service or topic featured in the story or quote. Publicly associating an individual patron with a late evening study event at a college library does not carry the same potential harms and consequences as associating a particular patron who receives tutoring through a program at the same library. The latter could result in embarrassment and negatively impact relationships based on others’ perceived or actual judgment of the patron’s need for additional educational assistance while attending college. Some patrons in the latter group might be okay with the library sharing their comments about the tutoring program, and that’s okay! It is still the responsibility of the library to gain informed explicit consent before publication. The library should exercise caution with when and how they approach patrons in asking for their consent in publishing their stories depending on the sensitivity of the topic or service, particularly around any story that can reveal patron information about their identity or status, such as race/ethnicity, disability, or class status.

There are times when explicit consent cannot be not freely given. Sometimes this is because there are legal constraints as to the age where one can give consent (in the case of minors). Other times the power dynamic between people might compel or pressure someone to consent to something they wouldn’t have otherwise. Patron groups such as students, minoritized populations, and incarcerated people might feel compelled to consent based on the power dynamic between the individual and the library. Unlike research and assessment, where the Institutional Review Board (IRB) or ethics committee would address issues around consent with vulnerable participants, there might not be a formal process in place for marketing or outreach to locate and handle potential situations where patron consent is coerced, be it intentional or not.

For example, the public library is the only place to offer ESL classes in a rural town. The library reserves the right to use individual patron photos and stories from those classes for library publications. For a patron who is an undocumented immigrant, the publication of their personal data and likeness can put themselves and others in harm’s way. Because the library is the only place where they have access to ESL classes, the patron might feel compelled to consent to the library publishing their identifying photo or story in order to access a much-needed service.

In the example, the patron is likely to experience privacy harms – perceived or actual – through the library, not fully realizing the power dynamics that come into play when consenting to publish individual patron stories. Recognizing when patrons may not freely give consent can mitigate privacy harms. This recognition can also prompt a conversation about the intended purpose of publishing individual patron stories and the actual impact publication might have on the patron. When posting a feel-good patron story, good intentions do not cancel out the negative impact of exploiting specific patron stories (e.g., inspiration porn or performative allyship) for the library’s reputational or financial gain.

The Role of Consent in Sharing Patron Stories

Consent is vital in protecting patron privacy. Consent is also not an automatic “get out of jail free” card for the library when privacy harms are realized after publishing a patron story. Libraries need to recognize the importance of consent – as well as its limitations – in determining which patron stories to share with others. Consent gives patrons control over the “what and how” regarding the library sharing their story, but only if the consent is informed, explicit, and freely given. Taking the time and care around determining how to ask for consent can limit some of the potential pitfalls and limitations discussed earlier, such as recognizing when consent might not protect patrons from privacy harms or when consent might be coerced.

Some patrons are more than happy for the library to share their stories with the world, while others expect the library not to betray their rights to confidentiality and privacy. Nevertheless, libraries should not automatically assume that a patron sharing their story with others gives the library implicit permission to share on behalf of the patron. A patron might be comfortable sharing their story with others they know but might not be as comfortable if the library shared it with strangers. Having a consent process creates a check to protect patron privacy and not take advantage of the relationship the patron has with the library. The process of gaining informed, explicit, and freely given consent should not only take into consideration how the library can responsibly share a patron’s story with minimal privacy risk to the patron but feed into a larger conversation around patron control over how the library uses their information in both daily operations and public communications.

There’s a Post About That!

There’s a saying that makes the rounds at the LDH office – “same problems, different day.” While there is no shortage of unique and exciting privacy challenges out there, eventually there will be a version of a previous privacy issue we dealt with in the past that pops up in our daily work. The same goes for the general privacy discourse in the library world. It’s been a busy couple of weeks in the library discourse where we see versions of the same topics and issues discussed in the past. It can feel like we’re stuck in a time loop, reliving the same conversations.

Bill Murray from the movie Groundhog Day reporting on the holiday celebrations in a small town - "Well, it's 
Groundhog Day... again."
We know we’re a couple months away from Groundhog Day, but still…
GIF source – https://giphy.com/gifs/pr-13USAwkGCTd6xy

Luckily, this gives LDH the opportunity to highlight relevant posts from the Tip of The Hat! Whether you missed the posts the first time around or are looking to revisit some of our older content, the newsletter-turned-blog has covered a lot of ground in the library privacy world. Let’s take some time to review some of those posts as the library world revisits several privacy conversations this week.

Mergers and Acquisitions and Consolidation oh my!

It’s official – Clarivate’s acquisition of Proquest is finally complete, furthering the consolidation of the library vendor marketplace. The acquisition isn’t the first one that led many in the library community to worry about the consequences of having only a handful of companies controlling the marketplace and what effects this consolidation would have on data privacy. In addition, there’s the practical concern of what exactly happens to patron data when a business is acquired or goes bankrupt. Here are some previous posts that touch on the relationship between vendors and library data privacy:

The Library Privacy Trope That Nevers Die

Libraries full of dusty books. Librarians reading all day on the job. Librarians shushing patrons. No matter where you go, there’s always a version of one of these tropes whenever libraries come up in the conversation. Most of the time, you find these tropes being brought up by people who don’t work at libraries, be it news reporters with cringeworthy article openers (“Libraries are no longer for books!”) to everyday conversation (“library quiet”). However, sometimes libraries themselves indulge in using library tropes for their own purposes. This week was no different with a social media account for a public library system in the US creating a meme about how the library doesn’t track patron use of library materials.

Longtime readers of the blog might recall our library privacy trope post from last year detailing the dangers of the trope to libraries and patrons. While the profession has a strong ethical mandate to protect patron privacy, including patron data, the reality is that libraries are subject to the same data privacy constraints and issues that show up in any other industry. For example, libraries and their vendors keep track of which patrons use specific resources and services. A library failing to let patrons know how the library or vendor collects, processes, and shares patron data or misrepresents library data privacy practices in communications to patrons is at risk of an ethics breach, losing the trust of their patrons.

While it might be fun to poke fun at the data privacy practices of commercial companies, libraries are best served to remember that they are not above engaging in the same privacy-invasive practices as their commercial counterparts. Case in point – the growth of customer relationship management systems in libraries and how the use of a CRM led a library to be investigated by a civil grand jury. Another case in point – many libraries still use Google Analytics to track patron use of the library website. In any case, meme responsibly.

When Privacy and Security Become a Barrier unto Themselves

A recent Twitter thread touched on many patrons’ struggles with multifactor authentication and how library workers encounter this struggle daily. Take some time to read the thread and the replies. It is a good reminder that not all privacy and security controls work for everyone. In some cases, these controls create barriers to using the library. These controls can disproportionally affect patrons who, for example, do not have reliable access to a mobile phone or limited phone service if the library or vendor requires all patrons to use multifactor authentication for using library resources or services.

Privacy and equity are not mutually exclusive. Sometimes the choices libraries make can put some patrons in a bind, particularly when libraries move core services to newer platforms that collect more data about patron use of the service than before. Our post about ethical design in library privacy practices is a good starting point to consider how to center patrons in how your library approaches patron services and programs.

[Related – sometimes your data privacy and security policies for staff are a liability in themselves! We touched on this liability last October using administrator privileges on work computers. As you think about what data privacy and security measures to put in place at your library, take some time to think about the costs and benefits of each measure. Sometimes it’s better – both for the bottom line and for data privacy and security – to accept certain risks.]

Turning Acknowledgment into Action

Several people putting up a net banner with an orange outline of Chief Seattle's face and text underneath the face - "Chief Seattle is Watching"
Image source: https://www.flickr.com/photos/backbone_campaign/21483972929/ (CC BY 2.0)

We’re going to start the post with a quick exercise. Where do you live and work? Easy enough, right? Some of you probably can name a street, neighborhood, town, city, or state off the top of your head.

Let’s take the first question and change a couple of words – whose land do you live and work on?

Some of you might already know whose land that you live and work on. For those who do not, you can visit https://native-land.ca/ to find more information about the indigenous lands you currently occupy.

As we wrap up  Native American Heritage Month this week, we are taking some time to give some context around the land acknowledgment included in our recent talks. You can use the resources at the end of the post for your acknowledgments that go beyond a statement of whose land you’re on.

Acknowledgment as The First Step

LDH lives and works on the unceded, traditional land of the Duwamish People, the first people of Seattle.

The above-italicized sentence is the start of the land acknowledgment in recent LDH talks. Many of us have encountered similar statements in various events and presentations. Land (or territory) acknowledgments sometimes stop here, naming the peoples whose land we’re on. However, this approach lacks the full acknowledgment of how the land became occupied. It also doesn’t acknowledge the present-day impact this occupation has on the people.

The Duwamish Tribe was the first signatories on the Treaty of Point Elliott in 1855. The Tribe has been denied the rights established in the treaty for over 165 years. The United States Federal Government currently does not recognize the Duwamish Tribe, denying the Tribe the rights and protections of federal recognition.

Naming the treaty is important in giving the historical context around the occupation of the land, but equally important is the explicit statement that the treaty has still to be honored by the federal government. The Duwamish Tribe is not federally recognized, which is important to acknowledge because of its historical impact on the Tribe and its current impact on the Tribe’s rights to funding for and access to housing, social services, and education, among other resources and services.

The Duwamish People are still here, continuing to honor and bring to light their ancient heritage.

Indigenous people are still here. It’s easy to leave the land acknowledgment to acknowledge the past and not venture into the present. But an acknowledgment of the present has to go beyond education and head into action.

Calls to Action

A portion of the speaker’s fee from the conference will be donated to Real Rent Duwamish. Real Rent serves as a way for people occupying this land to provide financial compensation to the Tribe for use of their land and resources – https://www.realrentduwamish.org/

The Tribe has started a petition to send to our state congresspeople to create and support a bill in Congress that would grant the Tribe federal recognition. The link to the petition is on the slide – https://www.standwiththeduwamish.org/

You are welcome to join me in donating to Real Rent or signing the petition.

The second half of the acknowledgment are two specific calls to action. Each action provides the opportunity for event attendees to support or advocate for the Duwamish People whose land LDH occupies. Real Rent Duwamish provides financial support and resources for the Tribe through a voluntary land tax. The petition aims to gather support for a bill granting the Tribe federal recognition, giving the Tribe access to services and resources available to other treaty tribes. If attendees cannot financially donate to Real Rent, they can provide non-financial support through the petition.

LDH’s acknowledgment focuses on calls to action around solidarity with the Duwamish People. Other land acknowledgments make the additional call for event attendees to research whose lands they occupy through https://native-land.ca/. Clicking on a specific territory will provide a page with resources where attendees can learn more about the Indigenous people whose land they’re on. For example, the Duwamish Tribe page on the site also links to ways to support the Tribe. Other calls to action found in land acknowledgments include supporting water protectors, such as supporting water protectors in stopping Line 3.

Resources

The list below is some resources you can use to inform not only yourself and others about the land you occupy but also what you and others can do to be in solidarity with Indigenous people in your acknowledgments and beyond.

A Forced Exercise in Risk Management

A mustached adult white man leaning back in his office chair holding a beer. Text overlay "well that escalated quickly"
Image Source: https://knowyourmeme.com/photos/353279-that-escalated-quickly

When we asked readers last week about library discussions around campus or organization mandates requiring COVID-19 vaccinations, we expected that libraries would have time to plan to adjust to the mandate. Responses from last week indicated as such. The consensus was various employee groups meeting and discussing who must be vaccinated and how workplaces can confirm vaccination status.

Then Thursday came around, and the CDC escalated things a tiny bit with their new mask guidelines. And by “a tiny bit,” we mean “blowing away any incremental steps in loosening mask guidelines and went straight to a free-for-all mask honor system.”

Britney Spears grimacing while listening to a contestant on a popular singing competition show.
Yikes.

This sudden decision took many businesses and organizations – libraries included – by surprise. Most planned for a multi-month phased reduction in mask requirements, but here we are. After a year of struggling to get even the most reluctant patrons to mask up in the library, library workers now face several conundrums including dealing with patrons who refuse to follow library mask requirements based on the CDC announcement and libraries required by their parent organization to check for vaccination status for patrons going maskless in the library.

Libraries that can still require masks for everyone regardless of vaccination status can bypass the privacy issues around checking patron vaccination status. The libraries relying on local or state mask mandates to enforce their own can’t rely on them, though, given how quickly some state and local governments are dropping their mask mandates. While the CDC said that only fully vaccinated people can be maskless in most public spaces, the lifting of state and local mask mandates when many places haven’t reached the 50% vaccination mark (such as Washington State at the time of the announcement) turns this privacy issue into a privacy and health issue for both patrons and library workers. What we have is the privacy risks discussed last week now compounded by health risks presented with the new guidelines.

Managing risk is rarely a clear-cut process. Reducing one risk could inadvertently create or increase the chances for another risk. Keeping a detailed access log of who logs into a particular electronic resource through a proxy server can aid in investigations and quicker resolutions to issues around systematic unauthorized content harvesting, but this mitigation comes at the cost of privacy through increased collection and retention of detailed patron data, increasing the risk of improper reuse of this data through the library or third parties (such as creating user profiles for targeted marketing or reselling this data to fourth parties) or through a data breach or leak. Risk management is a process of checks and balances where one needs to consider the consequences of choosing risk management strategies and avoiding a “min-max” outcome with unaddressed risk.

Libraries who want or are now required by their organization to enforce CDC guidelines in their libraries now face the issue of suddenly needing to manage the risks around checking the vaccination status of maskless patrons. The US has not widely adopted a vaccine passport system (which has privacy issues), and fake vaccination cards abound. We listed the issues around contact tracing in libraries in a previous post, and all of those privacy concerns apply to libraries required to check vaccination status. The equitable service issues also apply, but it is compounded with health risks. Library workers who are still waiting to be vaccinated or cannot get vaccinated for medical reasons are stuck in limbo alongside patrons in the same situations.

These risks around privacy, service, and health would have been easier to manage through a gradual phasing out of mask mandates. Unfortunately, we are in the timeline where that isn’t happening. Requiring masks mitigates the privacy and health risks until the local population reaches a vaccination threshold where the health risks are at acceptable levels for both patrons and library workers. Libraries mitigated equitable service risks created by mask requirements by offering free masks to patrons or making alternative service arrangements for patrons who medically cannot wear a facial covering. This sudden turnabout from the CDC makes this strategy more fraught with risk. It creates a new type of service issue in the form of maskless patrons claiming vaccination status, which then creates new privacy and health issues alongside additional service issues for those who do not want to or cannot prove their vaccination status.

Some libraries that can no longer mandate masks for all might go with an honor system and allow patrons to go maskless without proving their vaccination status. That avoids the privacy and ethical risks involved in checking vaccination status but, depending on local population vaccination levels, the policy could increase the health risks to both unvaccinated patrons and library workers. It’s also an equitable service risk for patrons wanting to use the physical library but at the same time are not fully vaccinated due to medical reasons or are still waiting to start/complete their vaccination schedule.

This is all to say that there’s no good way to address the chaos created by the CDC last Thursday. We’re 14 months into the pandemic, and the pandemic fatigue settling in at the start of the year has grown at a rapid pace. Libraries – like other service and retail industries – are stuck in the middle of this, struggling with a public who are tired, confused, and ready to be done with all of this back and forth with guidelines and restrictions. Any decisions around COVID-19 policies at the library, including masks and vaccination checks, need to balance the privacy, equity, and health risks while acknowledging how that decision will impact library workers’ morale and safety.

Stop Collecting Data About Your Patrons’ Gender Identity

A four-way stop sign in front of snow-covered tree branches.
Image source: https://www.flickr.com/photos/ben_grey/4383358421/ (CC BY-SA 2.0)

tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity.

Longer tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity for library workers to do their daily work.

Nuanced tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity 99% of the time, and in that 1% where the data is required, you’re probably doing more harm than good in your collection methods.

This post is brought to you by yet another conversation about including gender identity data in patron records. Libraries collected this data on their patrons for decades; it’s not uncommon to have a “gender” field in the patron record of many integrated library systems and patron-facing vendor services and applications. But why collect this data in the first place?

Two explanations that come up are that gender identity data can be used for marketing to patrons and for reading recommendations. However, these explanations do not account for the problem of relying on harmful gender stereotypes. Take the belief that boys are reluctant readers, for example. Joel A. Nichols wrote about his experience as a children’s librarian and how libraries do more harm than help in adopting this belief:

These efforts presume that some boys are not achieving well in school because teachers and librarians (who are mostly women) are offering them books that are not interesting to them (because they are boys). I find this premise illogical and impracticable, in particular because I am queer: the things that were supposed to interest boys did not necessarily interest me, and the things that were supposed to interest girls sometimes did. Additionally, after years of working in children’s departments, I found over and over again that lots of different things interested lots of different kids. In my experience, it was the parents that sometimes asked for “boy books” or “girl books.” The premise that boys need special “boy” topics shortchanges librarians and the children themselves, and can alienate kids who are queer or genderqueer.

This collection of patron data can be used to harm patrons in other ways, such as library staff misgendering and harassing patrons based on the patron’s gender identity. A recent example comes from the 2019 incident where library staff repeatedly misgendered a minor patron when she was with her parent to sign up for her library card. While the library decided to stop collecting gender identity data on library card applications as a result of the incident, the harm done cannot be remedied as easily as changing the application form.

The ALA Rainbow Round Table recommends that libraries do not collect gender identity data from patrons unless absolutely needed. Since the recommendation in 2015, several libraries evaluated their collection of gender identity data only to find that they were not using that data. Collecting data for “just in case” opens library patrons to additional harm if the library suffers a data breach. If there is no demonstrated business need for a data point, do not collect that data point.

In the rare case that your library absolutely must collect data about the gender identity of your patrons (such as a requirement to report on aggregated patron demographic data for a grant-funded project), care must be taken in collecting this data to mitigate additional harms through alienation and exclusion.  The Rainbow Round Table recommends the Williams Institute’s report “Best Practices for Asking Questions to Identify Transgender and Other Gender Minority Respondents on Population-Based Surveys” as a guide to collecting such data. The Williams Institute has also created a short guide to create survey questions around gender identity. Here are more resources that can guide respectful demographic data collection:

Again, the resources above are only for the rare case that your library absolutely must collect this data from your patrons. Libraries considering collecting gender identity data must review the rationale behind the collection. A patron should not be required to tell the library their gender identity to use the library’s collections and services. Even the act of collecting this data can harm and disenfranchise patrons.

tl;dr – Your library doesn’t need to collect data about your patrons’ gender identity.

Contact Tracing At The Library

Welcome to this week’s Tip of the Hat!

Contact tracing has been used in the past with other diseases which helped curve infection rates in populations, so health and government officials are looking at contact tracing once again as a tool to help control the spread of disease, this time with COVID-19. There have been various reports and concerns about contact tracing through mobile apps, including ones developed by Google and Apple. However, mobile contact tracing will not stop local health and government officials in taking other measures when it comes to other contact tracing methods and requirements, and libraries should be prepared when their local government or health officials require contact tracing as part of the reopening process.

While there are no known cases of libraries doing contact tracing as part of their reopening process, there are some ways in which libraries can satisfy contact tracing requirements while still protecting patron privacy.

Collect only what you absolutely need

What is the absolute minimum you need to contact a patron: name, email address, and/or telephone number are all options. Sometimes patrons do not have a reliable way of contacting them outside the library – health and government officials should have recommendations in handling those cases.

But what about having patrons scan in with their library card and using that as the contact tracing log? What seems to be a simple technological solution is, in reality, one that introduces complexity in the logging process as well as privacy risks:

  • Some of the people visiting the library will not have their library card or are not registered cardholders.
  • Contact logs can be subject to search or request from officials – maintaining the separation between the contact log and any other patron information in the library system will minimize the amount of patron data handed over to officials when there is a request for information.

Paper or digital log?

Some libraries might be tempted to have patrons scan in with their barcodes (see above section as to why that’s not such a good idea) or keep an electronic log of patrons coming in and out of the building. However, an electronic log introduces several privacy and security risks:

  • Where is the digital file being stored? Local drive on a staff computer that isn’t password protected? Network storage? Google Drive (yikes!)?
  • Who has access to the digital file? All staff in the library?
  • How many other copies of the file are floating around the library’s network, drives, or even printed out?

In this instance, however, a paper log will provide better privacy and security protections when you take the following precautions:

  • The paper log should be securely stored in a locked cabinet or desk in a secured area, preferably a locked office or other controlled entry space.
  • During business hours, the paper log should be filled out by designated staff members tasked to collect information from patrons. Do not leave the paper log out for patrons to sign – not only you give patrons the names of others in the building (for example, a law enforcement agent can read the log and see who’s in the building without staff knowledge) you also potentially expose patrons and staff to health risks by having them share the same hard surfaces and pen.
  • Restrict access to the paper log to only staff who are designated to keep logs, and prohibit copying (both physical or electronic copies) of the log.

Equitable service and privacy

Some patrons might not have reliable contact information or might refuse to give information when asked. If the local government or health officials state that someone can’t enter a building if they don’t provide information, how can your library work with your officials in addressing the need for libraries to provide equitable service to all patrons who come to the library?

Retention and disposal

Keep the contact tracing logs for only as long as the government or health officials require. If there is no retention period, ask! Your logs should be properly disposed of – a paper log should be shredded and the shredded paper should go to a secured disposal area or service.

Keeping a log of visits to the library is something not to be taken lightly – you are creating a log of a patron’s use of the library. Several other privacy concerns might be specific to your library that could affect how you go about contact tracing, such as unaccompanied minors. Contact tracing is an effective tool in containing disease outbreaks in the past, but it doesn’t have to come at the expense of losing entire personal privacy if the library works with its staff and government officials in creating a process that minimizes patron data collection, access, and retention.

Leaving Platforms and Patrons Behind

Welcome to this week’s Tip of the Hat!

Remember when the online library catalog was just a telnet client? For some of you, you might even remember the process of moving from the card catalog to an online catalog. The library catalog has seen many different forms in recent decades.

The most recent wave of transitions is the migration from an old web catalog – in most cases an OPAC that came standard with an ILS – to a newer discovery layer. This discovery layer is typically hosted by the vendor and offers the ability to search for a wider array of collections and materials. Another main draw of the discovery layers in the market is the enhanced user experience. Many discovery layers allow users to add content to the site, including ratings, comments, and sharing their reading lists to others on the site.

While being able to provide newer services to patrons is important, this also brings up a dilemma for libraries. Many discovery layers are hosted by vendors, and many have separate Terms of Service and Privacy Policies attached to their products outside of the library’s policies. The majority of library catalogs that the discovery layers are meant to replace are locally hosted by the library, and fall under the library’s privacy policies. Libraries who made the transition to the discovery layer more often than not left their older catalog up and running, marketed as the “classic” catalog. However, the work necessary to keep up two catalogs can be substantial, and some libraries have retired their classic catalogs, leaving only the discovery layer for patrons to use.

The dilemma – How will the library provide a core library service to patrons objecting to the vendor’s TOS or privacy policy when the library only offers one way to access that core service?

We can use the Library Bill of Rights [LBR] interpretations from ALA to help guide us through this dilemma. The digital access interpretations of the LBR provides some guidance:

Users have the right to be free of unreasonable limitations or conditions set by libraries, librarians, system administrators, vendors, network service providers, or others. Contracts, agreements, and licenses entered into by libraries on behalf of their users should not violate this right… As libraries increasingly provide access to digital resources through third-party vendors, libraries have a responsibility to hold vendors accountable for protecting patrons’ privacy. [Access to Digital Resources and Services: An Interpretation of the Library Bill of Rights]

Moving core services to third-party vendors can create a barrier between patrons and the library, particularly when that barrier is the vendor’s TOS or privacy policy. The library then needs to decide what next steps to take. One step is to negotiate with the vendor regarding changes to the TOS and privacy policy-based to address patron concerns. Another step is a step that several libraries have opted for – keeping the classic catalog available to patrons alongside the discovery layer. Each step has its advantages and disadvantages in terms of resources and cost.

The classic catalog/discovery layer dilemma is a good example of how offering newer third-party platforms to provide core library services can create privacy dilemmas for your patrons and potentially lock them out from using core services. If your library finds itself making such a transition – be it the library catalog or another core service platform – the ALA Privacy Checklists and the interpretations of the LBR can help guide libraries through the planning process. Regardless of the actions taken by the library, ensuring that all patrons have access to core library services should be a priority, and that includes taking privacy concerns to account when replacing core service platforms.

Caring Who Is Sharing Your Patron Data

Welcome to this week’s Tip of the Hat! Last week Tom Boone stated his intent to boycott two vendors – Thomson Reuters and RLEX Group – at the American Association of Law Librarians annual conference based on the current business relationships that both companies have with U.S. Immigration and Customs Enforcement [ICE]. While the objections are based on the relationships themselves, the boycott posts brings us back to a question posed by Jason Griffey about LexisNexis’s interest in assisting ICE in building an “extreme vetting” system for immigrants to the US – what role would data collected from libraries that subscribe to those vendors’ products play in building such a system? For this week’s letter, we’ll broaden the – what do vendors do with library patron data and what say do libraries have in the matter?

Patron data is as valuable to vendors as it is to libraries. To vendors, patron data can be used to refine existing services while building newer services based off of patron needs and behaviors. The various recommendation systems in several library products are powered partially by patron borrowing activity, for example. Nonetheless, while vendors use patron data for their products and services, many vendors share patron data with other service providers and third-party businesses for a variety of reasons. For example, some vendors run their applications on commercial cloud servers, which could mean storing or transferring patron data to and from these servers. Depending on the agreement between the vendor and the commercial cloud service, the service might also have access to the data for performance tracking and analysis purposes.

How do you find out what vendors are doing with your patron data? One of the first places to look is their privacy policy. Like libraries, vendors too should inform patrons how they are handling patron data. The library should have a separate privacy policy that indicates how library data is shared with vendors, but vendors also need a privacy policy that clearly communicates to patrons using the vendor service on how the data is handled by the vendor, including any sharing of data with service providers or other third parties. LexisNexis’ privacy policy provides some of this information in their How We Use Your Information and Sharing of Your Information sections (which, BTW, you should read if you do use LexisNexis!).

If you can’t find the information you need in the privacy policy, the vendor contract might have some information regarding the collection, use, and sharing of patron data by the vendor. The vendor contract can also serve another purpose, particularly when you are at the contract negotiation or contract renewal stages. The contract can be a good place to lay out expectations to the vendor as to what level of data collection and sharing is permissible. Some data sharing is unavoidable or necessary, such as using aggregated patron data for analyzing infrastructure performance, so if you come to the negotiation table with a hardline “no reuse or sharing with third parties” position, you will most likely be making some compromises. This is also a good place to bring up the question about “selling” vs “sharing” data with service providers – while some vendors state in their privacy policy that they do not sell patron data, they might not mention anything about sharing it with others. Setting expectations and requirements at the point of negotiations or renewal can mitigate any surprises surrounding data use and sharing down the road for all parties involved.

Having the discussion about patron data use and sharing by the vendor will not only allow you to find out what exactly happens to your patrons’ data when they use vendor products, but it also opens up the opportunity for your library to introduce language in the contract that will protect your patrons’ data. You can do this through line edits, or through a contract addendum that has been vetted by your local legal team. Before going to the negotiation table with your proposed changes and requests, you will need to determine what points will you be willing to compromise on, and which points are dealbreakers. Ideally negotiations provide a workable outcome for all, but in reality, sometimes the best outcome for your patrons and staff is to leave the negotiations. Not giving a vendor your library’s business is a valid option – an option that could signal to the vendor that some of their practices need to change if enough libraries choose to follow suit.

Humans, Tech, and Ethical Design: A Summit Reflection

Welcome to this week’s Tip of the Hat!

Last Saturday LDH attended the All Tech Is Human Summit with 150+ other technologists, designers, ethics professionals, academics, and others in discussing issues surrounding technology and social issues. There were many good conversations, some of which we’re passing along to you all as you consider how your organization could approach these issues.

The summit takes inspiration from the Ethics OS Toolkit which identifies eight risk zones in designing technology:

  1. Truth, Disinformation, Propaganda
  2. Addiction & the Dopamine Economy
  3. Economic & Asset Inequalities
  4. Machine Ethics & Algorithmic Biases
  5. Surveillance State
  6. Data Control & Monetization
  7. Implicit Trust & User Understanding
  8. Hateful & Criminal Actors

Each risk zone has the potential to create social harm, and the Toolkit helps planners, designers, and others in the development process to mitigate those risks. One of the ways you can mitigate risk in many of the areas in the design process (like the Data Control and Surveillance zones) is incorporating privacy into the design and development processes. Privacy by Design is an example of integrating privacy throughout the entire process, instead of waiting to do it at the end. Much like technical debt, incorporating privacy and other risk mitigation strategies throughout the design and development process will lessen the need for intensive resource investment on short notice when something goes wrong.

Another way to approach ethical design comes from George Aye, co-founder of the Greater Good Studio. In his lightning talk, George identified three qualities of good design:

  • Good design honors reality
  • Good design creates ownership
  • Good design builds power

Viewed through a privacy lens (or, in the case of LDH, with our data privacy hat on), these qualities can also help approach designers and planners in addressing the realities surrounding data privacy:

  • Honoring reality – how can the product or service meet the demonstrated/declared needs of the organization while honoring the many different expectations of privacy among library patrons? Which patron privacy expectations should be elevated, and what is the process to determine that prioritization? What societal factors should be taken into account when doing privacy risk assessments?
  • Creating ownership – how can the product or service give patrons a sense that they have ownership over their data and privacy? How can organizations cultivate that sense of ownership through various means, including policies surrounding the product? For vendors, what would it take to cultivate a similar relationship between library customers and the products they buy or license?
  • Building power – building off of the ownership questions, what should the product or service do in order to provide agency to patrons surrounding data collection and sharing when using the product or service? What data rights must be present to allow patrons control over their interactions with the product or process? Libraries – how can patrons have a voice in the design process, including those more impacted by the risk of privacy harm? Vendors – how can customers have a voice in the design process? All – how will you ensure that the process will not just be a “mark the checkbox” but instead an intentional act to include and honor those voices in the design process?

There’s a lot to think about in those questions above, but the questions illustrate the importance of addressing those questions while still in the design process. It’s hard to build privacy into a product or services once the product is already out there collecting and sharing high-risk data. Addressing the hard ethical and privacy questions during the design process not only avoids the pitfalls of technical debt and high-risk practices, but also provides the valuable opportunity to build valuable relationships between libraries, patrons, and vendors.