Training is Only One Part of the Library Privacy Equation

Wouldn’t it be nice if you never had to take another work-mandated training ever again? No more blocking off an entire day to sit in a stuffy, windowless room, trying to focus on slides that are barely readable because all the lights are still on, while you can barely make out what the trainer is saying? Even taking the pandemic into account, do you really want to sit through a day-long Zoom training session?

If you said no to either question, you’re in good company. Training is either a critical component of the workplace or a bureaucratic hurdle, depending on who you ask. Training quality varies widely from workplace to workplace: some training sessions are well designed and practical, while others fail. Nevertheless, training serves several critical functions in any organization, and library privacy training is no exception:

  • Orienting workers to library privacy policies and procedures
  • Providing opportunities for practicing specific procedures or skills in a controlled environment through the use of scenarios and other exercises
  • Ensuring a baseline knowledge of library privacy codes, ethics, and standards
  • Developing new or updating existing knowledge or skills around protecting patron privacy

Privacy protections are only as strong as the person who knows the least about them. Leaving library workers untrained or undertrained creates additional risks to patron privacy, because workers who do not understand a policy or procedure cannot be expected to follow it. Regular, up-to-date training of library workers reduces that risk for patrons and library alike.

With that said, training can only do so much to protect patron privacy. Training is only one part of a comprehensive approach to library privacy. On its own, privacy training – no matter how well designed – cannot reduce or eliminate all privacy risks. Training alone is ineffective when a tool, policy, or procedure is inherently privacy-invasive. Training will not fix a flawed policy, procedure, or tool: as long as the invasiveness is left unaddressed, the bad design will keep producing the same results. If, for example, a process repeatedly leaks patron data or grants unauthorized access to it, and the library makes no dedicated effort to change that process, training cannot fully address the risk.

You might be thinking that training could at least bring a library’s attention to the risks of such a process, but this is where we have to confront the uncomfortable truth about privacy training. Library privacy training is only as effective as the resources and staff time the library dedicates to protecting patron privacy in its day-to-day operations. If the library spends dedicated resources and staff time only on creating and conducting privacy training, library workers are left trying to implement what they learned without the support they need to have a chance of reducing privacy risks in their daily work. For example, a library privacy training that teaches library workers to write a privacy policy might produce a policy that the library can then adopt. But what happens afterward? There needs to be support for ensuring that library procedures line up with the privacy policy. The privacy policy also needs to be communicated to patrons: how can a library do that effectively, so that patrons can easily access and understand the policy, without being given the time and resources to do the necessary work? Where is the time to review vendor contracts and privacy policies to identify misalignment with the library privacy policy, and how will library workers address those risks with the vendors if they cannot get time dedicated to this work?

Without the organization’s support, the effectiveness of library privacy training is limited at best. Over-relying on privacy training to protect patron privacy is like waiting to address privacy risks at the end of a project – attempts to mitigate risk will be hampered by a lack of resources and time, and will most likely not solve fundamental issues inherent in the end product’s design. Like Privacy by Design in project management, a privacy program that prioritizes privacy at all levels of library operations and services can systematically address these fundamental privacy issues. Unlike training, privacy programs focus on the long term: what resources are needed to embed privacy into every level of library work? How can we build a sustainable relationship with our patrons to address their privacy concerns? How can patrons have more agency in determining how the library handles privacy?

Library privacy requires every part of library operations to prioritize privacy. Strong privacy policies, privacy-preserving technologies, vendor contract negotiations and privacy assessments, privacy audits, data inventories – these are only some of the things that libraries need to do to protect patron privacy better. Training is part of that library privacy equation, but without dedicating resources and time to a sustainable library privacy program, training alone cannot protect patron privacy.

Just Published – Data Privacy Best Practices Toolkit for Libraries

Welcome to this week’s Tip of the Hat!

Today we’re happy to announce the publication of the Data Privacy Best Practices Toolkit for Libraries. This toolkit is part of the Data Privacy Best Practices Training for Libraries project, an LSTA-funded collaborative project between the Pacific Library Partnership and LDH focusing on teaching libraries the basics of data privacy. This introduction into data privacy in libraries serves as a guide for both administration and front-line workers, providing practical advice and knowledge in protecting patron data privacy.

The cover page for Data Privacy Best Practices Toolkit for Libraries: A Guide for Managing and Protecting Patron Data.

What does the toolkit cover? The topics range from the data lifecycle and managing vendor relationships to creating policies and procedures to protect patron privacy. The toolkit covers specific privacy concerns in the library, including law enforcement requests, surveillance, and data analytics. We also get to meet Mel and Rafaël, two library patrons who have unique privacy issues that libraries need to consider when thinking about patron privacy. At the end of the toolkit is an extensive resource section with library privacy scholarship, professional standards, and regulations for further reading.

This toolkit is part of a larger group of resources, including templates and examples libraries can use to develop contract addendums, privacy policies and procedures, and data inventories and privacy risk assessments. In short, there are a lot of resources that are freely available for you to use in your library! Please let us know if you have any questions about the project resources.

Finally, stay tuned – the project is going into its second year, focusing on “train the trainer” workshops for both data privacy and cybersecurity. We’ll keep you updated as more materials are published!

A New Privacy Framework For You

Welcome to this week’s Tip of the Hat!

The National Institute of Standards and Technology recently published version 1.0 of its Privacy Framework. The purpose of the framework is to create a holistic approach to managing privacy risks in an organization. The Framework differs from other standards in that the goal is not full compliance with the Framework. Instead, the Framework encourages organizations to design a privacy program that best meets the current realities and needs of the organization and its key stakeholders, such as customers.

The Framework structure is split into three parts:

  • The Core is the activities and outcomes for protecting privacy in an organization. These are broken down by Function, Category, and Subcategory. For example:
    • Identify-P (the P is there to differentiate from NIST’s Cybersecurity Framework) is a Function in which the organization is developing an organizational awareness of privacy risks in their data processing practices.
    • A Category of the Identify-P Function is Inventory and Mapping, which is taking stock of various systems and processes.
    • The Subcategories of the Category are what you would expect from a data inventory: what data is being collected where, when, how, by whom, and why.
  • The Profile plays two roles – it can represent the current privacy practices of an organization, as well as a target set of practices that the organization can aim for. A Current Profile lists the Functions, Categories, and Subcategories the organization is currently carrying out to manage privacy risks. The Target Profile helps organizations figure out what Functions, Categories, and Subcategories should be in place to best protect privacy and to mitigate privacy risk.
  • The Implementation Tiers are a measurement of how the organization is doing in terms of managing privacy risk. There are four Tiers in total, ranging from minimal to proactive privacy risk management. Organizations can use their Current Profile to determine which Tier describes their current operations. Target Profiles can be developed with the desired Tier in mind.

Why should libraries care about this framework? Libraries, like other organizations, have a variety of risks to manage as part of their daily operations. Privacy risks come in a variety of shapes and sizes, from collecting more data than operationally necessary and not restricting the sharing of patron data with vendors to a lack of clear communication with staff about privacy-related policies and procedures. Some organizations deal with privacy risks through privacy risk assessments (or privacy impact assessments). The drawback is that such assessments are best suited to specific parts of an organization rather than the organization as a whole.

The Privacy Framework provides a way for organizations to manage privacy risks at the organizational level. The Framework takes the same approach to privacy as Privacy by Design (PbD) by making privacy a part of the entire process or project. The Framework can be integrated into existing organizations, which is by design – one of the criticisms of PbD is the complication of trying to implement it in existing projects and processes. The flexibility of the Framework means that different types of libraries – school, academic, public, and special – can create Current Profiles that reflect the realities of their organization as well as Target Profiles that incorporate the standards and regulations specific to their type of library. School libraries can address the risks and needs surrounding student library data as presented in FERPA, while public libraries can identify and mitigate privacy risks facing different patron groups in their community. The Framework also allows for the creation of Subcategories to cover any gaps specific to an industry or organization not covered by the existing Framework, which gives libraries added flexibility to address library-specific needs and risks.

The flexibility of the Framework is a strength for organizations looking for a customized approach to organizational privacy risk management. The same flexibility can also be a drawback for libraries looking for a more structured approach. The Framework incorporates other NIST standards and frameworks, which can help ease the apprehension of those looking for more structure. Nonetheless, libraries that want to explore risk management and incorporate privacy into their organization should give the NIST Privacy Framework some consideration.

Baking Privacy Into Your Library: The What, How, and Why of Privacy by Design

Welcome to this week’s Tip of the Hat!

This week’s topic comes to you thanks to the endless hours spent last week cleaning up inactive online accounts as part of our #dataspringcleaning efforts at LDH. It’s frustrating as a user not to have the ability to choose how applications and third parties collect and process your data. Not having the ability to delete your account is one example – some systems were simply not built to delete data. You all have run across other examples, such as the lack of any way to opt out of having certain personal data collected, processed, or shared with third parties. To an extent, library workers and vendors can determine how much control patrons have over how applications and services collect and process personal data. However, these controls are put into place after the fact, leaving patrons in the lurch with limited privacy options. How can library workers and vendors avoid this lurch?

Enter Privacy by Design (PbD). First created by Ann Cavoukian, then refined by various international organizations, PbD advocates making privacy a priority throughout the lifecycle of a service or application, including the planning and implementation stages. PbD has made a major impact in the privacy and systems development worlds, as well as the legal realm – GDPR is the latest regulation where PbD has made an appearance.

There are seven foundational principles of PbD:

  1. Proactive not reactive; preventative not remedial
  2. Privacy as the default setting
  3. Privacy embedded into design
  4. Full functionality – positive-sum, not zero-sum
  5. End-to-end security – full lifecycle protection
  6. Visibility and transparency – keep it open
  7. Respect for user privacy – keep it user-centric

What would PbD look like for library workers and vendors? One example is turning off, by default, any feature that might share user activity with others. Users who want to share their activity would have the option to turn the feature on, explicitly giving the application their consent to do so. Another example comes from our tale of woe at the beginning of the newsletter – building a system so that a user can delete their account or personal data without consequence to the system’s integrity. It is much easier to create a system that can handle such deletions from the start than to try to retroactively teach a legacy system a new trick!

Both examples highlight the user’s ability to control what data is collected, stored, and shared. Notice that privacy by default does not mean not collecting or processing data at all, but instead takes the position of letting users decide what level of privacy they are most comfortable with. On another level, PbD’s integrated approach to privacy in the development lifecycle guides all those involved in the development and planning processes in assessing how systems can protect user privacy and meet business needs at the same time. Discussing data collection and processing, privacy features, and how to address potential user concerns early in the development process can save both time and headaches when the system launches to users.
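The two PbD examples above (sharing that is off by default, and an account that can be deleted without breaking the system) sketched as an added Python illustration; this is not code from the newsletter or from any library system, and the Patron/Loan/Library data model and the sample patron record are assumptions constructed for the example:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Patron:
    patron_id: int
    name: str
    email: str
    share_activity: bool = False  # PbD: sharing is off until the patron opts in

@dataclass
class Loan:
    item_id: str
    patron_id: Optional[int]  # severed (None) once the patron is deleted

@dataclass
class Library:
    """Toy circulation store (constructed example): PII lives only in
    Patron rows, never in loan rows, so loans can outlive the patron."""
    patrons: Dict[int, Patron] = field(default_factory=dict)
    loans: List[Loan] = field(default_factory=list)

    def opt_in_sharing(self, patron_id: int) -> None:
        # Consent is an explicit action taken by the patron, never a default
        self.patrons[patron_id].share_activity = True

    def activity_feed(self, patron_id: int) -> List[str]:
        # Items shown to other users: empty unless the patron opted in
        patron = self.patrons.get(patron_id)
        if patron is None or not patron.share_activity:
            return []
        return [ln.item_id for ln in self.loans if ln.patron_id == patron_id]

    def delete_patron(self, patron_id: int) -> int:
        # Drop the PII row; keep loan rows for item statistics with the
        # patron link severed. Returns records still tied to the patron (0).
        for ln in self.loans:
            if ln.patron_id == patron_id:
                ln.patron_id = None
        self.patrons.pop(patron_id, None)
        return int(patron_id in self.patrons) + sum(
            1 for ln in self.loans if ln.patron_id == patron_id)

    def circulation_count(self, item_id: str) -> int:
        # Still correct after deletion: statistics never needed the identity
        return sum(1 for ln in self.loans if ln.item_id == item_id)

if __name__ == "__main__":
    lib = Library({1: Patron(1, "Mel", "mel@example.org")}, [Loan("BOOK-1", 1)])
    print(lib.activity_feed(1), lib.delete_patron(1), lib.circulation_count("BOOK-1"))
```

The return value of delete_patron doubles as the check a privacy audit would run: any value other than zero means a record still points at the deleted patron.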

Below are a few resources to get you started with PbD:

[H/T to Chad Nelson for the inspiration for this week’s newsletter title!]