Libraries (and Archives) as Information Fiduciaries? Part Three

A collection of football tickets and postcard invitations in a clear archival sleeve.
Image source: https://flickr.com/photos/27892629@N04/15959524202/ (CC BY 2.0)

Welcome back to the third installment of the information fiduciaries and libraries series! It’s been a while since we explored the concept of libraries acting as a trusted party managing patron personal data. Thanks to Tessa Walsh’s recent demo of Bulk Reviewer, we got the nudge we needed to tackle part three of the series. You can catch up on Parts One and Two if you need a refresher on the subject.

Managing Personal Data in a Collection

We left off the series with the question of what happens to a library’s information fiduciary role when the personal data it is entrusted with is part of the collection. The relationship between the personal data in the collection, the person, and the library or archive is not as straightforward as the relationship between the library and the patron generating data from their use of the library. Personal papers and collections donated to archives contain different types of personal data, from financial and medical to personal secrets. What happens in the case where a third party donates these papers containing highly personal information about another person to a library or archive? In the case of a person donating their own documents, what happens when those documents contain personal data of another person who may not have consented to having this data included in the donation? Moving from the archive to the institutional repository, what happens when a researcher submits research data that contain identifiable personal data as part of a data set, be it a spreadsheet that includes Social Security Numbers or oral histories containing highly personal information about a living person?

As you probably already guessed, these complications are only the start of the fiduciary responsibilities of libraries and archives surrounding these types of personal data. We’ve covered redacting PII from digital collections in the past, but redaction of personal data to protect the privacy of the people behind that data only addresses a small part of how libraries and archives can fulfill their information fiduciary role. Managing personal data in collections requires managing the data in the best interests of the library or archive, of the person donating the materials, and of the people behind the personal data included in that donated material, who may not be the same person as the donor.

Thankfully, we don’t have to navigate this complex web of relationships alone to determine how to manage the collection in the best interest of the people behind the data. The Society of American Archivists’ Privacy & Confidentiality Section can help libraries and archives manage personal data in their collections. If you are looking for documentation around privacy in archives, check out the documentation portal. Have too many types of personal data to know where to start? The section’s bibliography can lead you to the right resources for each major type of personal information you have in your collection. Perhaps you want to know more about current issues and concerns around personal data in collections. The RESTRICTED blog has you covered, alongside webinars such as Tessa’s demo of Bulk Reviewer mentioned at the start of this post. We highly recommend checking out the mini-blog series from Heather Briston, following up on her webinar “It’s Not as Bad as You Think – Navigating Privacy and Confidentiality Issues in Archival Collections.”

Beyond the section, you also might find the following publications helpful in determining how your library or archive should fulfill their responsibilities to the people behind the data in your collections:

  • Botnick, Julie. “Archival Consent.” InterActions: UCLA Journal of Education and Information Studies 14, no. 2 (2018). https://doi.org/10.5070/D4142038539.
  • Mhaidli, Abraham, Libby Hemphill, Florian Schaub, Cundiff Jordan, and Andrea K. Thomer. “Privacy Impact Assessments for Digital Repositories.” International Journal of Digital Curation 15, no. 1 (December 30, 2020): 5. https://doi.org/10.2218/ijdc.v15i1.692.

This is only a small selection of what’s available, but the Privacy & Confidentiality Section’s resources are an excellent place to start to untangle the complex web of determining what is in the best interest of all parties involved in managing the personal data in your collections.

Before we end our post, there is one question that a few of our readers might have – can archivists guarantee the same level of confidentiality as lawyers or doctors can in protecting personal information in legal matters?

A Question of Archival Privilege

Some of our readers might remember discussions about archival privilege in the early 2010s stemming from the litigation surrounding the Belfast Project oral histories. Archival privilege is not legally recognized despite legal arguments for such a privilege or tying such a privilege to researcher privilege in court (such as in Wilkinson v. FBI and Burka v. HHS). These rulings mean that materials in a collection are subject to search via subpoenas and warrants, which leads to privacy harms to those whose personal data is included in those collections. Nevertheless, it’s still worthwhile to revisit the calls for such a privilege and discussions of what archival privilege would look like:

Even though Boston College successfully appealed the initial order to hand over all the records listed in the subpoena, we are still left with whether the archives profession should push for privileged relationships between donors or other individuals represented in the collections and the archives. We will leave discussion of if such a privilege should exist (and in what form) to our readers.

Is Library Scholarship a Privacy Information Hazard?

A white hazard sign with an image of a human stick figure being zapped by an electric blob. The image is sandwiched between red and black text: "Warning, this area is dangerous"
Image source: https://www.flickr.com/photos/andymag/9349743409/ (CC BY 2.0)

Library ethics, privacy, and technology collided again last week, this time with the publication of issue 52 of the Code4Lib Journal. In this issue, the editorial committee published an article describing an assessment process with serious data privacy and ethical issues and then explained their rationale for publishing the article in the issue editorial. The specifics of these data privacy and ethical issues will not be covered in-depth in this week’s newsletter – you can read about said issues in the comment section of the Code4Lib Journal article in question.

You might have noticed that we said “again” in the last paragraph. This isn’t the first time library technology publications and patron privacy have collided. The Code4Lib Journal published a similarly problematic article last year, but the journal is one of many library scholarship venues that have published scholarly and practical literature that is ethically problematic with regard to patron privacy. Technology and assessment are the usual offenders, ranging from case studies of implementing privacy-invasive technologies to research extolling the benefits of surveilling students in the name of learning analytics without discussing the implications of violating student patron privacy. These publications are not set up as a point-counterpoint exploration of these technologies and assessment methods in terms of privacy and ethics. Instead, these publications are entered into the scholarly record as is, with an occasional contextual note or a superficial sentence or two about privacy. Retraction is almost unheard of in library scholarship, and retraction is not very effective in addressing problematic research.

Library scholarship is not consistently aligned with the profession’s ethical standards to uphold patron privacy and confidentiality. Whether or not an article is judged on its potential impact on library privacy is currently up to the individual peer reviewer (or, in the case of editor-reviewed journals such as Code4Lib, the editor). In addition, library scholarship is not set up to assess the potential privacy risks and harms of the publication in question to specific patron groups, particularly patrons from minoritized populations. Currently, there is no suitable mechanism for such an assessment that can be included in the original publication so that it would be both meaningful and informative to the reader. We are left with publications in the library scholarship record that promote the uncritical adoption of high-risk practices that go against professional ethics and harm patrons. This becomes more perilous when these publications are encountered by those in the field who do not have the knowledge or experience to assess them with patron privacy and ethics in mind.

What we end up with, therefore, is a scholarly record full of information hazards. An information hazard is a particular piece of information that can potentially cause harm to the knower or create the potential to harm others. This differs from misinformation, where the information being spread is false; an information hazard is true information whose dissemination causes harm. Nick Bostrom’s seminal work on information hazards breaks down the specific risks and harms of different types of hazards. Library scholarship has (at least) two information hazards in particular when it comes to library privacy and ethics:

Idea hazard – Ideas hold power. They also come with risks. Even if the dissemination of an idea is kept at a high level without specific details, it can become an idea hazard. The idea that a library can use a particular system or process to assess library use can risk patron privacy. There are ways to mitigate an idea risk of this nature, including evaluating the assessment idea through the Five Whys method or other methods to determine the root need for such an assessment.

Development hazard – A development hazard is when advancement in a field of knowledge leads to technological or organizational capabilities that create negative consequences. Like other fields of technology, library technology falls into this hazard category, particularly when combined with the evolution of library assessment practices and norms. Sharing code and processes (which is a data hazard) can lead to community or commercial development of more privacy-invasive library practices if no care is taken to mitigate patron privacy risks.

How, then, can library scholarship become less of a privacy information hazard? First and foremost, the responsibility falls on the publishers, editors, peer reviewers, and conference program organizers who control what is and is not added to the library scholarly record. This includes creating a code of ethics for submission authors to follow and guidelines for reviewers and editors to follow to assess the privacy and ethical implications of the submission. However, these codes and guidelines are not effective if they are not acted upon. As Dorothea Salo says, “Research on library patrons that contravenes library-specific ethics is unethical; it should not be published in the LIS literature, and when published there, should be retracted.” Regardless of the novelty or other technical merits of the submission, if the submission violates or goes against library ethics or privacy standards, the editors, reviewers, and publishers have the responsibility as shapers of the scholarly record to not publish the submission lest they add yet another information hazard to the record.

Library privacy and ethics must also be a part of every stage of the submission and publication process. This takes a page from Privacy by Design, taking a proactive approach to privacy instead of rushing to include privacy at the last minute, making any privacy effort ineffective at best. Ethical codes and guidelines are one way to embed privacy into a process; another is to include checkpoints in the process to bring in external subject matter experts to review submissions well in advance to identify or comment on specific privacy or ethical risks. If done early in the submission process, the information received can then be used to revise the submission to address these issues or to change the focus of the submission to one that is more appropriate to address the privacy and ethical implications of the topic at hand. The submission itself doesn’t have to be abandoned, but it must be constructed so that the privacy and ethical risks are front and center, describing why this method, idea, process, or code goes against library ethics and privacy. This option doesn’t eliminate the idea/data hazard, but shifting the focus on privacy and ethical repercussions can mitigate the risks that come with such hazards.

Whether intentional (as in the case of the latest Code4Lib Journal issue) or unintentional, library scholarship places patron privacy at risk through the unrestricted flow of information hazards. Many in the profession face pressure to create a constant stream of scholarship, but at what cost to our patrons’ privacy and professional ethics? A scholarly record full of privacy information hazards has and will continue to have long-lasting implications for the profession’s ability to protect patron privacy as well as how well we can serve everyone in the community (and not just those who have a higher tolerance for privacy risks or won’t be as negatively impacted by poor privacy practices). As the discussion about the Code4Lib Journal’s decision to publish the latest information hazard into the scholarly record continues, perhaps the community can use this time to push for more privacy and ethically-aligned submission and review processes in library scholarship.

Mid-September Readings, Viewings, and Doings

A light brown rabbit sits on top of a keyboard looking up at two computer screens, reading email.
Image source: https://www.flickr.com/photos/toms/127809435/ (CC BY 2.0)

September has proven itself to be a busy month for all of us! This week we’re taking a breather from our usual (longer) posts by highlighting a few resources that you might find of interest, and some homework, to boot.

What to Read

For years there has been a concerted effort in getting libraries to secure their websites through HTTPS, but have those efforts paid off? A recently published article by librarian Gabriel Gardner describes how much further we have to go with HTTPS on library websites, but it doesn’t stop there. The article also describes how libraries are complicit in third-party tracking with various web trackers found on library websites, including (unsurprisingly) Google Analytics. Give this article a read, then hop on over to your library website. How is your library website contributing to surveillance by allowing third parties to vacuum up all the data exhaust your patrons are leaving behind while using the library website? We’ve written about alternatives to Google Analytics and other forms of tracking if you need a place to start in reducing the third-party tracker footprint at your library.
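The paragraph above asks you to check what third parties your library website loads. As an added example (not code from the article or from Gardner’s study), the script below does the first pass of that audit offline: it parses a page’s HTML, resolves every script, image, iframe and stylesheet URL, separates first-party from third-party hosts, flags hosts on a small tracker list, and reports any resource still fetched over plain HTTP. The site URL, the page HTML and the tracker list are all constructed for the demo; a real audit should use a maintained blocklist such as EasyPrivacy and the live HTML of your own site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical library site and a constructed page resembling what such a site
# might serve. Neither is a real library website; the IDs are placeholders.
SITE_URL = "https://library.example.edu/"
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-PLACEHOLDER"></script>
<script src="/static/js/catalog.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
</head><body>
<img src="http://cdn.library.example.edu/banner.png" alt="banner">
<iframe src="https://www.facebook.com/plugins/page.php?href=PLACEHOLDER"></iframe>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&amp;ev=PageView" width="1" height="1">
</body></html>
"""

# Short constructed list of tracker domains for the demo. A real audit should use
# a maintained blocklist (for example EasyPrivacy) rather than this hand-picked set.
KNOWN_TRACKERS = {
    "google-analytics.com",
    "googletagmanager.com",
    "doubleclick.net",
    "facebook.com",
    "facebook.net",
}

# Tags whose attribute makes the browser fetch a resource, which sends the
# visitor's IP address, user agent and referrer to that host.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects the absolute URL of every resource the page loads."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                # Relative paths resolve against the page URL so they are
                # correctly counted as first-party.
                self.urls.append(urljoin(self.base_url, value.strip()))


def extract_resource_urls(html, base_url):
    parser = ResourceCollector(base_url)
    parser.feed(html)
    return parser.urls


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_page(html, site_url, trackers=KNOWN_TRACKERS):
    """Return third-party hosts, hosts on the tracker list, and plain-HTTP fetches."""
    site_host = urlparse(site_url).hostname
    third_party, known, insecure = set(), set(), []
    for url in extract_resource_urls(html, site_url):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme == "http":
            insecure.append(url)  # mixed content: plaintext fetch from an HTTPS page
        if not host or host_matches(host, site_host):
            continue              # first-party resource, nothing leaks to another host
        third_party.add(host)
        if any(host_matches(host, t) for t in trackers):
            known.add(host)
    return {
        "third_party_hosts": sorted(third_party),
        "known_trackers": sorted(known),
        "insecure_urls": insecure,
    }


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, SITE_URL)
    for key, values in report.items():
        print(f"{key}:")
        for value in values:
            print(f"  - {value}")
```

Static HTML is only a starting point: scripts loaded from the page can in turn load further trackers, so finish the audit in the browser’s network panel or with a tool such as Blacklight, and look for the same hosts in your vendor-hosted catalog and discovery pages, which are often outside the library’s own templates.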

What to Watch/Read

At LDH, we talk a lot about ethics and technology. You might be wondering where you can learn more about the ethics of technology without diving headfirst into a full-time college course. If you have some time to watch a few TikTok videos and read a couple of articles during the week, you’re in luck – Professor Casey Fiesler’s Tech Ethics and Policy class is in session! You can follow along by watching Dr. Fiesler’s TikTok videos and doing the readings posted on Google Docs. But you can do much more than following along – join the office hours or the discussions in the videos!

What to Do

Perhaps you’re looking for something else to do other than website or ethics classwork. We won’t hold that against you (though we really, really recommend reviewing what trackers your library website has). So, here’s a suggestion for your consideration. It’s been a while since we did our #DataSpringCleaning. Do you dread cleaning because there’s always so much stuff to deal with by the time you get around to doing it? Taking five to ten minutes now to dispose of patron data securely can go a long way to reducing the amount of data you have to deal with during the annual #DataSpringCleaning. It’s also an excellent privacy and security hygiene habit to adopt. Spending a few minutes securing sensitive data can fill in the gaps in your schedule between meetings or projects, or it can be part of your routine for starting or ending your workday. And it does give you some feeling of accomplishment on particularly frustrating days where nothing seems to have gotten done.

If you come across any library privacy-related resources that you would like highlighted in the newsletter, let us know by emailing newsletter@ldhconsultingservices.com. In the meantime, best of luck with the workweek, and we’ll catch you next week.

Vendor Ethics and You, Or Giving a Damn About Who’s Sharing Your Patron Data

A red sticker on a metal utility pole reads "do you want a future of decency, equality, and real social justice"
Photo by Jon Tyson on Unsplash

The news cycle did not stop during our Cherry Blossom Break last week, alas. Last week LexisNexis signed a contract with U.S. Immigration and Customs Enforcement (ICE) to provide massive amounts of personal information, including financial data, consumer data (such as purchases), and criminal data. The data provided by LexisNexis captures a very intimate view of a person’s personal and public life. As Sam Biddle states in the investigative article about the contract, “While you can at least attempt to use countermeasures against surveillance technologies… it’s exceedingly difficult to participate in modern society without generating computerized records of the sort that LexisNexis obtains and packages for resale.” If you haven’t already done so, read the article to get a sense of the contract details.

It is not the first time LexisNexis has been under scrutiny for its personal data dealings. We wrote about LexisNexis back in 2019 about their relationship with ICE, including LexisNexis’s interest in building an “extreme vetting” immigration system. This interest did not go unnoticed or unchallenged, particularly from library workers who led the calls to boycott the company. The latest contract news has renewed calls for libraries and scholarly communities – such as this statement from SPARC – to question their relationships with businesses such as LexisNexis that increasingly play significant roles in surveillance systems through their roles as data brokers.

“But Becky,” you might say, “we don’t do business with LexisNexis or Thomson Reuters. As long as we don’t do business with them, we don’t have anything to worry about.” While your vendors may have escaped the public scrutiny that LexisNexis has received throughout the years, your vendors are most likely, at the very least, collecting and sharing patron data as part of their business model (e.g. surveillance capitalism). Read the vendor contract:

  • What patron data does the vendor collect from patrons? From the library?
  • Under what circumstances does the vendor disclose patron data to fourth parties?
  • Does the vendor reserve the right to resell patron data collected from patrons and the library, even in aggregated or “anonymized” form?
  • Does the vendor reserve the right to keep patron data, even in aggregated or “anonymized” form, after the end of the business relationship? For what purposes do they keep the data?

After reading the vendor contract (as well as the vendor privacy policy), you might have a sense of how a vendor works with patron data; however, the contract and policy do not tell the entire story. While a contract might state a vendor’s right to disclose or resell data, the details about where that data is going and how it will be used are sparse. Vendors like LexisNexis have multiple revenue streams. Your vendor might have another product not targeted toward the library market that still uses patron data in ways that can harm patrons. How can a library figure out whether a vendor’s business model violates patron privacy?

This is where ethics comes into play. The library profession has several codes of ethics, such as the codes from ALA and IFLA. Library vendors by default are not beholden to these codes; however, this does not mean that libraries cannot hold vendors to a level of ethical practices or standards before they will do business with them. For example, Auraria Library conducts a comprehensive ethics review of library vendors, ranging from privacy and accessibility to sustainability and diversity, using both consultants and an internal ethics questionnaire. At the end of their article detailing the review process, Auraria Library’s Katy DiVittorio and Lorelle Gianelli call on other libraries to proactively review their relationships with vendors and to take measures to encourage vendors to adopt a business model that aligns with Corporate Social Responsibility. As we have seen in the past, a critical mass of libraries demanding changes to a vendor’s practices can make that change happen. Having more libraries conduct ethics reviews of vendors can prompt vendors to change their business models if their current models cause libraries to do business elsewhere.

Where should libraries start with reviewing vendors’ business ethics? The Auraria Library review process is one place to start. Even creating a statement such as Auraria’s can start the conversation about vendor ethics at your library, particularly with library patrons who might be at higher risk for harm due to the vendor’s business practices. The selection process of the vendor relationship lifecycle can be modified to include a review of the vendor’s business model, including checking the vendor against the Library Freedom Institute’s Vendor Privacy Scorecard or scorecards from independent third parties such as EcoVadis (if one is on file, that is). Vendor assessments and audits are other places where scorecards and metrics can be used. Being detailed about the appropriate uses of patron data in the vendor contract – including details around patron data collection, processing, retention, and disclosure – can give libraries some legal leverage in protecting patron data from questionable vendor business practices. The more libraries demand ethical business practices from their vendors, the more likely vendors will notice.

With these suggestions, however, comes a warning for libraries. Vendors might start marketing themselves as socially responsible or abiding by library ethics codes as more libraries ask for details about the ethics of a vendor’s business model. If a vendor’s marketing around social responsibility and ethics centers around legal compliance or if the marketing lacks specific details about their practices, then you might have a case of “ethics washing.” Commonly encountered in tech companies, “ethics washing” can obscure or obfuscate problematic business practices through the use of savvy marketing tactics or pointing customers to one non-problematic area of the business while not drawing attention to a more problematic area (e.g. Google’s ethical AI work and, well, Google being Google). While it is tempting for libraries to accept vendors at their word through their marketing materials and sales pitches, it is not enough. Libraries must actively review vendor practices throughout the entire business relationship to ensure that the vendor’s ethics are in line with the ethics of the library profession.

In the end, libraries compromise their ability to live up to our professional ethics when working with vendors that violate those ethics. If libraries cannot or will not work with vendors that respect and uphold patron privacy, we as a profession must then have the difficult conversation about the inclusion of a patron’s right to privacy in our professional ethics codes. At the very least, we owe patrons the truth about the library’s data practices, including our relationships with vendors who use patron data in ways that can come back to harm them, and we must not engage in ethics washing of our own.

Libraries, Privacy, and… Tropes?

Welcome to this week’s Tip of the Hat!

A popular way to procrastinate at LDH is to dig through the pile of articles and other literature about all facets of privacy: regulations, ethics, practices, current events… the current events pile is at overcapacity at the moment. In these piles of articles, we come across one particular trope that we’d like to address – libraries as exemplars of privacy ethics and practices.

This trope is similar to others in mainstream stories that use libraries as exemplars for other things, such as community engagement, democracy, and learning centers. The “library as privacy exemplar” trope coexists with these other tropes, sometimes in the same story. Other times the trope is front and center of an article. An example of this is an IAPP article about general privacy practices at the library. At best, this article demonstrates the attitude and tone of how many writers think about the library as an enlightened entity with its focus on privacy. Near the end of the article comes another trait that these articles tend to share, which is modeling privacy practices off of the library profession: “While library culture tilts heavily in favor of protecting the ‘citizen from state’ intrusion, that same culture can be mobilized to advocate for ‘customer’ privacy as well in relation to third-party service providers.”

All of this leads us to a hidden danger in the “library as privacy exemplar” trope, which is unquestioned trust in libraries in all matters of privacy and data ethics. Some of that trust has been earned – there are several library privacy initiatives, such as the Library Freedom Institute, that are very active in the greater community in their advocacy and education around data privacy. In addition, LDH’s conversations with technology workers in other fields have made it clear that professionals in other industries wished that they had strong professional ethics and standards like the library profession.

Nonetheless, others from outside the library profession take this trust too far. For example, in Emma Trotter’s “Patron Data Privacy Protection at Public Libraries: The Ethical Model Big Data Lacks”, Trotter proposes that libraries should become personal data stores (PDS) where people can gather their data in one secure place and then manage the processing of their data by third parties. Trotter is very confident that libraries can become the ethical role model for Big Data with this marriage between PDS and library privacy ethics. Overall, Trotter believes that the ethical issues around Big Data would be negated once libraries become front and center in the overall management of Big Data.

While libraries do have a strong ethical basis around advocacy and adoption of privacy practices, libraries also have their fair share of privacy issues and gaps. Libraries are not immune to the same threats and vulnerabilities as other professions and industries, such as data leaks and breaches, ransomware attacks, phishing, and even underfunding or undertraining staff in ways to protect patron privacy. Librarianship also deals with ethical issues around its collection and processing of patron data, particularly for marketing and user profiling, as well as working with vendors who also collect and process patron data without giving the patron control over what is collected and processed. One doesn’t need to search too far to find an example, such as the Santa Cruz Public Library’s Civil Grand Jury Report about the numerous ethics breaches surrounding their use of patron data without full patron notice and consent, among other violations of patron privacy.

Yes, other industries can learn from libraries about how to approach privacy in their daily work, including ethics and advocacy, but libraries also have to be honest about the profession’s struggles around data privacy, both on a practical and an ethical level. Part of that is being open about these struggles in the public discourse, be it with patrons or with people from other industries who are looking for a model to base their professional privacy ethics and practices on. Another part is re-evaluating how we, as a library profession, market ourselves as privacy experts and safe-keepers of data to our patrons. Again, libraries set themselves apart from other industries regarding privacy ethics and advocacy, but they cannot set themselves apart from the reality of working with data in the real world, where real needs fall into ethical gray areas and real data security and privacy risks exist.

Black Lives Matter

Hello everyone,

Black Lives Matter.

If your library or archive is thinking about collecting photographs, videos, or other materials from the protests around George Floyd’s death caused by Minneapolis police, what are you doing to protect the privacy of the protesters? Black Lives Matter protestors and organizers, as well as many protesters and organizers in other activist circles, face ongoing harassment due to their involvement. Some have died. Recently Vice reported on a website created by white supremacists to dox interracial couples, illustrating how easy it is to identify and publish personal information with the intent to harm people. This isn’t the first website to do so, and it won’t be the last.

Going back to our question – if your response to the protests this weekend is to archive photos, videos, and other materials that contain personally identifiable information about living persons, what are you doing to protect the privacy and security of those people? There was a call made this weekend on social media to archive everything into the Internet Archive, but this call ignores the reality that these materials will be used to harass protesters and organizers. Here is what you should be considering:

  • Scrubbing metadata and blurring faces of protesters – a recently created tool is available to do this work for you: https://twitter.com/everestpipkin/status/1266936398055170048
  • Reading and incorporating the resources at https://library.witness.org/product-tag/protests/ into your processes and workflows
  • Working with organizations and groups such as Documenting The Now
    A tweet that summarizes some of the risks that you bring onto protestors if you collect protest materials: https://twitter.com/documentnow/status/1266765585024552960
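The first bullet above recommends scrubbing metadata before any protest photo is kept or shared. As an added example (not the tool linked in the tweet and not code from the newsletter), the script below shows what that scrubbing does at the file level for JPEGs: it walks the file’s marker segments and drops every APPn segment (Exif, which carries GPS coordinates, timestamps and camera serial numbers, plus XMP and ICC blocks) and every COM free-text comment, while leaving the JFIF header and the compressed image untouched. The sample file is a constructed minimal marker sequence rather than a real photograph; the Exif bytes in it are stand-ins.

```python
import struct

# JPEG marker codes used below (second byte after 0xFF).
SOI, EOI, SOS, APP0, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xFE
MARKER_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS",
                0xDB: "DQT", 0xDD: "DRI", 0xD9: "EOI", 0xFE: "COM"}


def marker_name(marker):
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return MARKER_NAMES.get(marker, f"0x{marker:02X}")


def _iter_segments(data):
    """Yield (marker, start, end) for each segment after SOI, up to and including SOS.

    data[start:end] is the whole segment. For SOS, end is len(data): the
    entropy-coded scan that follows is passed through untouched.
    """
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:   # skip optional 0xFF fill bytes
            pos += 1
        if pos >= n:
            raise ValueError("truncated marker")
        marker, start = data[pos], pos - 1
        if marker == SOS:
            yield marker, start, n
            return
        if marker == EOI:
            yield marker, start, pos + 1
            return
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length
            yield marker, start, pos + 1
            pos += 1
            continue
        if pos + 3 > n:
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", data[pos + 1:pos + 3])[0]  # includes the 2 length bytes
        end = pos + 1 + seg_len
        if end > n:
            raise ValueError("segment runs past end of file")
        yield marker, start, end
        pos = end
    raise ValueError("no SOS or EOI marker found")


def list_segments(data):
    """Names of the segments up to SOS, in file order (useful for before/after checks)."""
    return [marker_name(m) for m, _, _ in _iter_segments(data)]


def strip_jpeg_metadata(data, keep_jfif=True):
    """Return a copy of a JPEG with all APPn and COM segments removed.

    keep_jfif=True retains APP0 (the JFIF header), which holds only density
    info and no identifying data. Everything from SOS onward is copied as is.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _iter_segments(data):
        is_app = 0xE0 <= marker <= 0xEF
        if marker == COM or (is_app and not (keep_jfif and marker == APP0)):
            continue
        out += data[start:end]
    return bytes(out)


def _segment(marker, payload):
    # Build one marker segment: 0xFF, marker, 2-byte length (counts itself), payload.
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: valid marker structure, stand-in contents.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                         # SOI
    + _segment(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")    # APP0 JFIF header
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
               + b"<constructed GPS/date bytes>")                       # APP1 Exif stand-in
    + _segment(0xFE, b"Shot at the downtown march")                     # COM comment
    + _segment(0xDB, b"\x00" + bytes(64))                               # DQT table
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"  # SOS header
    + b"\x12\x34\x56"                                                   # stand-in scan data
    + b"\xff\xd9"                                                       # EOI
)

if __name__ == "__main__":
    print("before:", list_segments(SAMPLE_JPEG))
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", list_segments(cleaned))
    print("Exif removed:", b"Exif" not in cleaned)
```

Stripping the segments removes what the camera and editing software wrote into the file; it does nothing about faces, signs, tattoos or street corners visible in the picture itself, which is why the bullet pairs metadata scrubbing with blurring. Run the stripper on a copy and keep the output only after confirming that `list_segments` shows no APP1 or COM segments.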

You should also consider whether archiving is the most appropriate action to take right now. Dr. Rachel Mattson lists what archives and libraries can do to contribute right now – https://twitter.com/captain_maybe/status/1267182535584419842

Archives, like libraries, are not neutral institutions. The materials archivists collect can put people at risk if the archives do not adopt a duty of care in their work in acquiring and curating their collections. This includes protecting the privacy of any living person included in these materials. Again, if your archive’s response is to archive materials that identify living people at these protests, how are you going to ensure that these materials are not used to harm these people?

Black Lives Matter.

Contact Tracing At The Library

Welcome to this week’s Tip of the Hat!

Contact tracing has been used in the past with other diseases, where it helped curb infection rates in populations, so health and government officials are looking at contact tracing once again as a tool to help control the spread of disease, this time with COVID-19. There have been various reports and concerns about contact tracing through mobile apps, including ones developed by Google and Apple. However, mobile contact tracing will not stop local health and government officials from taking other measures when it comes to other contact tracing methods and requirements, and libraries should be prepared for when their local government or health officials require contact tracing as part of the reopening process.

While there are no known cases of libraries doing contact tracing as part of their reopening process, there are some ways in which libraries can satisfy contact tracing requirements while still protecting patron privacy.

Collect only what you absolutely need

What is the absolute minimum you need to contact a patron? Name, email address, and/or telephone number are all options. Some patrons do not have a reliable way to be contacted outside the library – health and government officials should have recommendations for handling those cases.

But what about having patrons scan in with their library card and using that as the contact tracing log? What seems to be a simple technological solution is, in reality, one that introduces complexity in the logging process as well as privacy risks:

  • Some of the people visiting the library will not have their library card or are not registered cardholders.
  • Contact logs can be subject to search or request from officials – maintaining the separation between the contact log and any other patron information in the library system will minimize the amount of patron data handed over to officials when there is a request for information.

Paper or digital log?

Some libraries might be tempted to have patrons scan in with their barcodes (see above section as to why that’s not such a good idea) or keep an electronic log of patrons coming in and out of the building. However, an electronic log introduces several privacy and security risks:

  • Where is the digital file being stored? Local drive on a staff computer that isn’t password protected? Network storage? Google Drive (yikes!)?
  • Who has access to the digital file? All staff in the library?
  • How many other copies of the file are floating around the library’s network, drives, or even printed out?

In this instance, however, a paper log will provide better privacy and security protections when you take the following precautions:

  • The paper log should be securely stored in a locked cabinet or desk in a secured area, preferably a locked office or other controlled entry space.
  • During business hours, the paper log should be filled out by designated staff members tasked to collect information from patrons. Do not leave the paper log out for patrons to sign – not only do you give patrons the names of others in the building (for example, a law enforcement agent can read the log and see who’s in the building without staff knowledge), you also potentially expose patrons and staff to health risks by having them share the same hard surfaces and pen.
  • Restrict access to the paper log to only staff who are designated to keep logs, and prohibit copying (both physical and electronic copies) of the log.

Equitable service and privacy

Some patrons might not have reliable contact information or might refuse to give information when asked. If the local government or health officials state that someone can’t enter a building if they don’t provide information, how can your library work with your officials in addressing the need for libraries to provide equitable service to all patrons who come to the library?

Retention and disposal

Keep the contact tracing logs for only as long as the government or health officials require. If there is no retention period, ask! Your logs should be properly disposed of – a paper log should be shredded and the shredded paper should go to a secured disposal area or service.

Keeping a log of visits to the library is something not to be taken lightly – you are creating a log of a patron’s use of the library. Several other privacy concerns might be specific to your library that could affect how you go about contact tracing, such as unaccompanied minors. Contact tracing has been an effective tool in containing disease outbreaks in the past, but it doesn’t have to come at the expense of personal privacy entirely if the library works with its staff and government officials in creating a process that minimizes patron data collection, access, and retention.

Week Roundup – In The News and What Would You Do?

Welcome to this week’s Tip of the Hat! Last week was a busy week. Here’s a recap of what you might have missed.

LDH in the News

What Would You Do?

One public library in New Jersey has been finding various ways to support their community while the library building is closed, but one strategy has started a debate on Library Twitter – using patron data to do welfare checks:

Recently, the Library decided to take more direct action to help the Roxbury community. Armed with its enormous patron database, library staffers are going through the list and, literally in descending order, calling the oldest and most vulnerable of Roxbury’s residents to inquire on their well-being, let them know someone cares and will listen, and when need be to connect them to vital resources to get them through this difficult time.

The article goes on to describe how this strategy led to an increase in requests for masks to be distributed by the library.

While this single instance seems to have had a positive outcome, the use of the data collected by the library to do wellness checks brings up the question of “we could, but should we?” concerning using patron data in this manner. Some of the issues and considerations brought up on Library Twitter include:

  • Scope creep – several library workers serve as de facto social workers in their communities. How can libraries in this position support their community while working with local community organizations and local government departments who are better suited for social work? How can this work be done while honoring patron privacy?
  • Data quality – the article stated that the library staff used the age listed in the patron database. How reliable is that data? ILS migrations and even the move to an automated library system can introduce data quality issues in the patron record, including age.
    • For example – one library that moved from a paper-based system to an ILS in the mid-1990s still found patrons whose birthdays were listed as the date of the migration years later.
  • Notice and consent – patrons have certain expectations when giving data to libraries. Some of these expectations come from what the library states in their privacy and confidentiality notices, as well as other communications to patrons from the library. It’s safe to say that libraries don’t list “wellness checks” in their patron privacy notices as one potential use of patron data. This gets into the issue of using data outside of the stated purposes when the data was exchanged between the patron and the library. Recent data privacy legal regulations and best practices address this by requiring businesses to inform about the new use and to get affirmative consent before using the data for said new use.

There are some other items brought up in the Twitter discussion, such as different expectations from patrons, the size of the community, and patron-staff relationships. Some patrons chimed in as well! Like many other real-world data privacy conundrums, this one is not as clear cut in terms of how to best approach addressing the issue at hand – making sure that patrons in under-supported or vulnerable community groups get the support that they need.

We want to hear from you – what would you do in this situation? Email us at newsletter@ldhconsultingservices.com and we’ll discuss the results in a future newsletter. We will not post names or institutions in the newsletter results, so email away and we’ll do the rest to protect your privacy as we discuss patron privacy. Let us know what you think!

Ethics Breach As Privacy Breach

Welcome to this week’s Tip of the Hat! We’re still sorting through the big pile of notes and handouts from our trip to #PSR19 last month. This week’s newsletter will cover another session from the conference. Escaping the clutches of CCPA, we focus on another important topic – particularly for libraries – for reasons that will become clear below.

Data breaches are a common occurrence in life. We get email notifications from Have I Been Pwned, credit monitoring referrals, and the inevitable “we value your privacy” statement from the breached company. Breaches also happen at libraries and library vendors; there’s no escaping from the impact from a data breach.

What you might not know, though, is that breaches come in different forms. In their presentation “The Data Breach vs. The Ethics Breach: How to Prepare For Both,” James Casey and Mark Surber broke down the three types of data breaches: security, data, and ethics. Security and data breaches take many forms: improper staff access levels to a database, a stolen unencrypted laptop, or sending an email with sensitive data to the wrong email address.

While security and data breaches focus primarily on failures to secure data on a technical, procedural, or compliance level, ethics breaches focus on the failure to handle data consistently with organizational or professional values. A key point is that you can still have an ethics breach even if you follow rules and regulations. Ethics breaches involving privacy can include using consumer data for purposes that, while not violating any legal regulation, the consumer would not expect their data to be used for. Another example is doing the absolute minimum for data security and privacy based on regulations and industry standards, even when the reality is that these minimum requirements will not adequately protect data from a breach.

Ethics breaches damage an organization’s reputation and public trust in that organization and, given the difficult nature of cultivating reputation and trust with the public, are hard to restore to pre-breach levels. Monetary fines and settlements make data and security breaches costly, but the lost reputation and trust from ethics breaches could very well be the more expensive type of loss even before you factor in the harm to the persons whose data was caught in the breach.

Casey and Surber’s talk proposed an Ethics by Design approach to aligning data practices in all stages of development and processes to ethical standards and practices. Ethics by Design might look something like this in libraries:

  • Adherence to professional ethics codes and standards, including:
  • Auditing vendors for potential ethics breaches – this audit can be done at the same time as your regularly scheduled privacy and security audits.
  • Considering patron expectations – patrons expect libraries to respect and protect their privacy. That privacy extends to the library’s data practices around collection, use, and sharing with third parties. They do not expect to be subject to the same level of surveillance and tracking as practiced by the commercial sector. The ethics breach litmus test from Casey and Surber’s talk can help identify an unethical data practice – upon learning of a particular practice, would a consumer (or in this case, patron) respond by saying “you did WHAT with my data?!”? If so, that practice might lead to an ethics breach and needs to be re-evaluated.

Ethics by Design asks us to “do the right thing”. Ethical practices need money, time, and resources – all of which many libraries are short of at one time or another. It is easy to bypass ethical standards and practices, or to do the absolute minimum to follow regulations, particularly when “everyone else is doing it.” The nature of library work at its core is to uphold our patrons’ human right to access information. Ethics guides libraries in creating practices that uphold and protect those rights, including the right to privacy. Protecting patron privacy should focus not only on preventing a security or data breach but also on preventing an ethics breach.