Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction into data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy.  At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

News and Resource Roundup – Michigan Privacy Law Update, Privacy Literacy Toolkit, and Testing Your Infosec+Digital Literacy Knowledge

Welcome to this week’s Tip of the Hat! This week we bring you an important state legislative update, a resource guide, and three quizzes to start your week.

Michigan library patron data law amendment update

Last December LDH reported on SB 0611, an amendment that would considerably weaken Michigan’s library data privacy laws. The bill allows for libraries to release patron data to law enforcement without a court order:

A library may disclose library records without a court order or the written consent described in subsection (2) under any of the following circumstances:

(a) Upon the request of a law enforcement officer who is investigating criminal activity alleged to have occurred at the library or if the library requests the assistance of a law enforcement officer regarding criminal activity alleged to have occurred at the library, the library may disclose to the law enforcement officer any library record pertinent to the alleged criminal activity. The library director and any other person designated by the library board or commission is authorized to determine whether to disclose library records subject to this subdivision. The library is not required to release library records under this subdivision and may require the law enforcement officer to obtain written consent or an order of the court as required in subsection (2)

After almost a year of inactivity, the bill is now progressing through the state legislature. If you are a Michigan library and concerned about this bill, please contact your state representative and senator about your concerns.

Privacy literacy clearinghouse

If you are searching for resources or examples of privacy literacy instruction after reading our last post, you’re in luck! Digital Shred is a collection of teaching resources and case studies for anyone wanting to incorporate privacy literacy into their instruction work, from information literacy sessions to dedicated privacy workshops. Created and curated by Sarah Hartman-Caverly and Alexandria Chisholm, the authors of the article featured in the last TotH post, Digital Shred also provides another way to keep current on ongoing privacy and surveillance news and issues. Explore the site, and don’t forget to check out the teaching resources and materials for the privacy workshop series created by the authors!

Quiz time

The school year is in full swing, and students are now facing their first round of quizzes and tests. We want to share the pain joy of test-taking by highlighting three quizzes to test your information security – as well as literacy! – knowledge and skills:

  • Spot the Phish – This quiz tests how well you can spot a phishing email in the Gmail email service. While the focus is only on one email platform, the lessons here can apply to any email service!
  • Spot the Deepfake – Deepfakes are images or videos that have been altered to create a realistic image or recording of someone’s likeness doing or saying things that, in reality, did not happen. AI, machine learning, and other developments in technology have made it so that some deepfakes are almost indistinguishable from unaltered media. This quiz will test your observational skills along with your critical thinking by asking you which videos are deepfakes and which ones are the real thing.
  • Spot the Troll – our last quiz focuses on identifying which social media accounts are real, and which ones are fake. It’s not as easy as you’d think…

Summer Homework – Understanding Your State’s Library Privacy Law

Welcome to this week’s Tip of the Hat!

Have you always dreamed of spending countless hours reading legal regulations and reviews? If so, you might be suited for legal life! Reading laws is probably not high on your list of things to do; nonetheless, it’s always good to know how to navigate the text of a legal regulation when you are researching what laws could apply to you or to the third parties that you do business with. Even though we’re not lawyers, knowing how to read legal regulation text enables people to have more productive conversations with legal staff.

Here are three questions that can help you start understanding a law or statute:

  1. Who is covered by this law?
    • Does your state library privacy law cover only for publicly-funded libraries, or does the scope include other types of libraries, no matter the funding source? Does it include third parties acting on behalf of the library?
  2. What types of information (and what uses of information) are covered?
    • What does the law mean when it says “patron data”? Are there any definitions or descriptions of specific data points covered by the law?
  3. What exactly is required or prohibited?
    • In particular, what exemptions are listed in the law?

You might not be able to answer all the questions depending on what law you choose to study. However, not being able to answer a question might be a topic of discussion with legal staff, particularly around the specifics of who is within the scope of the law. There’s also the question of preemption between different governmental levels of legal regulation (or even within the same level of government). Sometimes a lower government’s law is stricter than a higher government’s law, but if the higher government’s law states that their law preempts any laws from lower governments, then you are not bound to follow the lower government’s law in that specific matter.

Now it’s time to take what you learned and put it into practice. Find your state’s library privacy law and read the law while trying to answer the questions above. Let us know if these questions help you through the legal text! Don’t be afraid to let us know if this exercise brings up more questions than it answers – we’ll do our best in addressing them, or at least help you prepare in asking these questions to your legal staff.

[Legal questions source: Swire, Peter, and DeBrae Kennedy-Mayo. (2018). U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals, 2nd ed.]