A Flurry of Privacy Bills, FLoC Flies Away, and a Smart Assistant’s Long Memory

Congratulations on making it through the first month of 2022! As we prepare to enter the second month of the year, let’s take a few moments to catch up on a few news items in the privacy world.

A Flurry of State Data Privacy Bills

State legislators wasted no time introducing the latest round of data privacy bills at the start of the legislative year. Some states are reviving previously introduced bills with the hopes of pushing them through in the new session, while other states are finally joining the bandwagon and introducing comprehensive data privacy laws for the first time since the rush for state data privacy laws began several years ago.

Out of all the states introducing bills this legislative session, all eyes are on LDH’s home state, Washington State. The Washington Privacy Act, which failed to pass multiple times in previous legislative years, is back. However, there are currently two other competing comprehensive data privacy bills. The first bill, the People’s Privacy Act, deviates from WPA in several key places, including stricter requirements around data collection and processing (e.g., requiring covered entities to obtain opt-in consent for processing personal data), biometric data handling, and a private right of action. The second bill, the Washington Foundational Data Privacy Act, is a new bill that brings the idea of creating a new governmental commission, something that the two other bills lack. Each bill has its strengths and weaknesses concerning data privacy. Nevertheless, if Washington manages to pass one of these bills – or a completely different bill that is still yet to be introduced – the passed data privacy bill will influence other states’ efforts in passing their privacy bills.

FLoC Flew Away

Rejoice, for FLoC is no more! We previously covered Google’s attempt to replace cookies and the many privacy issues with this attempt. The pushback from the public and organizations has finally led Google to rethink its approach. It also didn’t help that major web browsers, which were supposed to play a critical role in FLoC, refused to play along.

Google didn’t completely abandon the effort to replace cookies, nevertheless. Google announced a new proposal, Topics, as an attempt to create a less privacy-invasive alternative to cookies. It’s still early to tell if this FLoC alternative is truly any better than FLoC, but initial reports seem to suggest that the Topics API is an improvement. However, we did notice that some of these reports mention that users would be primarily responsible for understanding and choosing the level of tracking in browser settings. Ultimately, we are still dealing with businesses pushing tracking user activity by default.

Smart Assistants Have Long Memories

Have you requested a copy of your personal data yet? Even if you are not a resident of the EU or California, you can still request a copy of your personal data from many major businesses and organizations. This includes library vendors! Requesting a copy of your data from a company can highlight how easy it is for a company to track your use of its services. A good library-related example is OverDrive’s tracking of patron borrowing history, even though users might assume that their borrowing history isn’t being recorded after flipping a toggle to “hide” their history in user settings.

The latest example of extensive user tracking comes from a Twitter thread of a person going through the data Amazon has collected about her throughout the years, including all the times she interacted with Amazon Alexa. We’re not surprised about the level of data collection from Amazon – the tracking of page flips, notes, and other Kindle activity by Amazon has been a point of contention around library privacy for years. Instead, this is a reminder for libraries who are currently using or planning to use smart speakers and smart assistants to provide patron services that Amazon (and other companies) will collect and store patron data generated by their use of these services by default. This is also a good reminder that your smart speaker in your work or home office is also listening in on your conversations, including conversations around patron data that is supposed to remain private and confidential.

If you have a smart speaker (or other smart-enabled devices with a microphone) at your library or in your home office, you might want to reconsider. The companies behind these products are not bound to the same level of privacy and confidentiality as libraries in protecting patron data. Request a copy of data collected by the company behind that smart speaker sitting in the library. How much of that data could be tied back to data about patrons? How much do your patrons know about the collection, use, and sharing of data by the company behind the smart speaker at the library? What can your library do to better protect patron privacy around the smart speaker? Chances are, you might end up relocating that smart speaker from the top of the desk to the bottom of a desk drawer.

Data Privacy Day (or Week!) Celebrations and Reflections

The words "Data Privacy Week" surrounded by circles of blue dots of various sizes.

This Friday, January 28, is Data Privacy Day! Don’t worry if you don’t have anything planned to mark the date at your library – you still have some time for some last-minute planning. You can check out last year’s Data Privacy Day post for some last-minute ideas. This year’s Data Privacy Day, though, should include a couple of other things to make it more meaningful at your library.

We won’t be the first privacy folks to admit that it’s hard to get people excited about privacy – even for Data Privacy Day – unless it involves cookies or cake. Now that the National Cybersecurity Alliance expanded Data Privacy Day into an entire week, where does one even begin? The NCA suggests that organizations conduct assessments, adopt privacy frameworks, and create a culture of privacy through educating employees. However, most of these suggestions go well beyond a week that’s supposed to be celebrating and raising awareness, and there’s still a lack of baked goods. We’re not saying that everyone is motivated by baked goods, but while all the suggestions are vital to protect data privacy in daily operations, these suggestions are not precisely celebratory by default.

Data Privacy Day (or Week) should not only raise awareness around data privacy issues, but it should also be a time for recognition and celebration of the work done around data privacy. Like other work in libraries, privacy work can go unacknowledged or unnoticed, even though the work impacts all levels of library operations and services. Data Privacy Day is an opportunity to take stock of what your library has accomplished in the past year and acknowledge the people behind those accomplishments, be it individuals, teams, or collaborations between groups. Highlighting these accomplishments can also help push back against the feeling like no progress is being made. Privacy is multifaceted – it’s not uncommon for us at LDH to get comments from library workers about not realizing just how complex data privacy can be. Making a concerted effort to acknowledge and celebrate progress – no matter how small – can help mitigate feeling overwhelmed about data privacy overall.

Data Privacy Day should also be a day where your library can set priorities around privacy for the following year. Perhaps that could be continuing ongoing work planning to make that work sustainable in the long run. New projects and initiatives can also be on the privacy priority list, but don’t limit yourself to projects that can be wrapped up neatly in a bow by the end of the year. Instead, focus on what can be realistically achieved by next year. Having a dedicated day like Data Privacy Day can also help with accountability – what are persistent privacy issues at your library? How will your library address these ongoing privacy issues? Make an action plan and check in with that plan the next time Data Privacy Day comes around – what progress has been made? What barriers and challenges did you overcome, and which ones still need to be addressed to continue progress?

Overall, Data Privacy Day should be a day to raise awareness of data privacy issues and a day for celebration and reflection. It should be a day where your library recognizes the often-invisible work many library workers do around privacy. It should also be a day where the library holds itself accountable and determines what needs to be done to address persistent privacy issues in the upcoming year. Being deliberate in the day’s celebrations can make Data Privacy Day into something more meaningful for your library.

Three Years and Counting

This last week also marked the third (!) anniversary of LDH! 2021 proved to be as challenging as 2020; nevertheless, we persevered thanks to your support throughout the year. 2021 also proved to be a hectic year! ICYMI, here are some of the things that happened at LDH in the past year:

LDH can help your library or organization protect patron privacy in your data practices, from privacy training and policy reviews to data audits and risk assessments. Contact us to set up an initial consultation – we look forward to hearing from you in the coming year.

Training is Only One Part of the Library Privacy Equation

Wouldn’t it be nice if you never had to take another work-mandated training ever again? No more having to block an entire day off to head over to sit in a stuffy windowless room trying to focus on the training slides while all the lights are still on, making the projection barely readable, and you can barely make out what the trainer is saying? Even when you take the pandemic into account, do you really want to sit through a day-long Zoom training session?

If you said no to either question, you’re in good company. Training is either a critical component or a bureaucratic hurdle in the workplace, depending on who you ask. Training quality widely differs from workplace to workplace. Some training sessions are well designed and practical, while others fail. Nevertheless, training serves several critical functions in any organization, including library privacy training:

  • Orienting workers to library privacy policies and procedures
  • Providing opportunities for practicing specific procedures or skills in a controlled environment through the use of scenarios and other exercises
  • Ensuring a baseline knowledge of library privacy codes, ethics, and standards
  • Developing new or updating existing knowledge or skills around protecting patron privacy

Privacy protections are only as strong as those who have the least amount of knowledge about those protections. Lack of training or undertraining library workers creates additional risks to patron privacy through not following or understanding policy or procedure. Regular up-to-date training of library workers reduces that risk to patrons and library alike.

With that said, training can only do so much in protecting patron privacy. Training is only one part of a comprehensive approach to library privacy. On its own, privacy training – no matter how well-designed – cannot reduce or eliminate all privacy risks. Training alone is ineffective when a tool, policy, or procedure is inherently privacy-invasive. Training will not solve the flawed policy, procedure, or tool – as long as the invasiveness is left unaddressed, you’ll continue to see the same results from said bad design. If there is a process that repeatedly leaks or provides unauthorized access to patron data, for example, and there is no dedicated effort on the part of the library in changing this process, training will not fundamentally address the risk to the fullest extent possible.

You might be thinking that training could bring a library’s attention to the risks of such a process, but this is where we have to confront the uncomfortable truth around privacy training. Library privacy training is only as effective as the lowest number of resources or staff dedicated to protecting patron privacy in library operations. If the library only spends dedicated resources and staff time in creating and conducting privacy training, library workers are left trying to implement what they learned in training without the support needed to have a chance to succeed in reducing privacy risks in their daily work. For example, a library privacy training that teaches library workers to write a privacy policy might produce a policy that the library can then adopt. But what happens afterward? There needs to be support in ensuring that library procedures line up with the privacy policy. The privacy policy also needs to be communicated to patrons – how can a library do that effectively so that patrons can easily access and understand the policy without being given the required time and resources to do the necessary work? Where is the time to review vendor contracts and privacy policies to identify misalignment with the library privacy policy, and how will library workers address these risks with the vendors if they cannot get the time dedicated to this work?

Without the organization’s support, the effectiveness of library privacy training is limited at best. Over-relying on privacy training to protect patron privacy is like waiting to address privacy risks at the end of a project – attempts to mitigate risk will be hampered by a lack of resources and time. It will most likely not solve fundamental issues inherent in the end product’s design. Like Privacy by Design in project management, a privacy program prioritizing privacy in all levels of library operations and services can systematically address these fundamental privacy issues. Unlike training, privacy programs focus on the long term – what resources are needed to embed privacy into every level of library work? How can we build a sustainable relationship with our patrons to address their privacy concerns? How can patrons have more agency in helping with determining how the library does privacy?

Library privacy requires every part of library operations to prioritize privacy. Strong privacy policies, privacy-preserving technologies, vendor contract negotiations and privacy assessments, privacy audits, data inventories – these are only some of the things that libraries need to do to protect patron privacy better. Training is part of that library privacy equation, but without dedicating resources and time to a sustainable library privacy program, training alone cannot protect patron privacy.

So, What’s Going On With Data Privacy Regulation Nowadays?

An adult white woman wearing a black dotted white shirt and jeans stands facing a white wall with black text. The text lists and describes the five data privacy principles by Mozilla: sensible settings, no surprises, defense in depth, user control, and limited data.
Image source: https://www.flickr.com/photos/vintagedept/15704560667/ (CC BY 2.0)

Welcome to the first post of the year! We hope you all had a restful holiday break. Now that most of us are back from our holiday break, it’s time to figure out what exactly is going on and what to expect in the new year.

2022 is shaping up to be another busy year for privacy professionals. A lot of that work will be around tracking data privacy regulations worldwide, from China’s new data protection regulation (PIPL) to India’s proposed changes to their Personal Data Protection bill. News from the EU is steady with GDPR violations and fines and will continue throughout the year. The EU is also poised to introduce more data regulations, including regulations around AI and cybersecurity.

While other countries are implementing and revising data privacy regulations, the US remains in a perpetual cycle of failed data privacy and security bills. A glance at the US State Privacy Legislation Tracker shows that despite 23 states introducing data privacy bills last year, Virginia and Colorado were the only states to sign a bill into law in 2021. Like LDH’s home state of Washington, some states failed to pass multiple data privacy bills, including bills that were re-introduced after earlier attempts to pass the same bill in previous years.

On a federal level, several data privacy and security bills – such as the Data Care Act of 2021, the Mind Your Own Business Act of 2021, and the Children and Teens’ Online Privacy Protection Act – remain active; however, there is no strong indication about the fate of these bills in the current session of Congress. Comprehensive data privacy and security legislation, such as the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act and the Consumer Data Privacy and Security Act of 2021, remain in committee. Again, there’s no firm indication if either of these comprehensive bills will become law in 2022.

Where does all of this leave US libraries and library vendors? Internationally, data privacy regulation updates will mean more changes for vendors who fall within the scope of said regulations. The upcoming data initiatives in the EU, for example, can impact the data privacy practices of library vendors and other organizations that fall under the scope of GDPR. In addition, as was the case with GDPR, international data privacy regulations can influence the overall shape of the data privacy legislation in the US. Nevertheless, the US continues to march to the beat of their own drum, still relying on a sectorial approach to data privacy regulation, with states trying to figure out comprehensive data privacy regulation on their terms.

Most of the existing comprehensive data privacy regulations, like CCPA and VCDPA, target for-profit organizations and/or organizations that meet specific revenue or data sharing/selling thresholds, leaving most libraries outside of the scope of these laws. Just because libraries are not currently required to comply with these laws does not mean that they are not impacted by this patchwork approach to data privacy in the US. While GDPR impacted some libraries via their parent institutions (such as higher education institutions with campuses or partnerships in the EU), most libraries have probably noticed changes with library vendor services throughout the year as vendors work toward CCPA compliance. Some of these changes include allowing patrons to request a copy of the personal data the vendor has in their systems. If other states pass data privacy bills, libraries should expect additional changes concerning how the vendor handles data privacy, regardless of where the library is located in the US.

In short, the data privacy regulation landscape for 2022 looks a bit like 2021 – a lot of legislative activity, but we’re not sure if that activity will lead to actual regulation. As always, LDH will keep you up to date on data privacy regulations that will impact libraries and library vendors. In the meantime, libraries should continue to work with vendors in not only ensuring compliance with specific data privacy regulations but going beyond a compliance-only approach to better protect patron privacy at the library.

Holiday Break Privacy Reads

The Executive Assistant wishes everyone a happy Festivus season! It’s time to gather around the Festivus pole for the Airing of Grievances, in which we suspect there are many grievances to be aired given how 2021 played out. Nevertheless, a new year brings new opportunities and fewer grievances – unless you’re the Executive Assistant. There is the perpetual grievance of not having enough tuna in the office.

A black and white picture of a one-eyed black cat sitting on a carpeted floor, with a fur-covered cat toy ball by her tail. The cat is adorned with neon reindeer antlers and ears.
“Grievances? I have many…”

We will be back after the New Year. We have you covered if you need some privacy reads and videos to tide you over the holiday break. 2021 has been a hectic year in the privacy world, and while we covered a lot in the blog this year, there’s a lot more that we didn’t get to in our posts. Here are some of the reads that you might have missed this past year:

Have a safe and quiet rest of 2021, and we’ll see you next year!

There’s a Post About That!

There’s a saying that makes the rounds at the LDH office – “same problems, different day.” While there is no shortage of unique and exciting privacy challenges out there, eventually there will be a version of a previous privacy issue we dealt with in the past that pops up in our daily work. The same goes for the general privacy discourse in the library world. It’s been a busy couple of weeks in the library discourse where we see versions of the same topics and issues discussed in the past. It can feel like we’re stuck in a time loop, reliving the same conversations.

Bill Murray from the movie Groundhog Day reporting on the holiday celebrations in a small town - "Well, it's Groundhog Day... again."
We know we’re a couple months away from Groundhog Day, but still…
GIF source – https://giphy.com/gifs/pr-13USAwkGCTd6xy

Luckily, this gives LDH the opportunity to highlight relevant posts from the Tip of The Hat! Whether you missed the posts the first time around or are looking to revisit some of our older content, the newsletter-turned-blog has covered a lot of ground in the library privacy world. Let’s take some time to review some of those posts as the library world revisits several privacy conversations this week.

Mergers and Acquisitions and Consolidation oh my!

It’s official – Clarivate’s acquisition of Proquest is finally complete, furthering the consolidation of the library vendor marketplace. The acquisition isn’t the first one that led many in the library community to worry about the consequences of having only a handful of companies controlling the marketplace and what effects this consolidation would have on data privacy. In addition, there’s the practical concern of what exactly happens to patron data when a business is acquired or goes bankrupt. Here are some previous posts that touch on the relationship between vendors and library data privacy:

The Library Privacy Trope That Never Dies

Libraries full of dusty books. Librarians reading all day on the job. Librarians shushing patrons. No matter where you go, there’s always a version of one of these tropes whenever libraries come up in the conversation. Most of the time, you find these tropes being brought up by people who don’t work at libraries, be it news reporters with cringeworthy article openers (“Libraries are no longer for books!”) to everyday conversation (“library quiet”). However, sometimes libraries themselves indulge in using library tropes for their own purposes. This week was no different with a social media account for a public library system in the US creating a meme about how the library doesn’t track patron use of library materials.

Longtime readers of the blog might recall our library privacy trope post from last year detailing the dangers of the trope to libraries and patrons. While the profession has a strong ethical mandate to protect patron privacy, including patron data, the reality is that libraries are subject to the same data privacy constraints and issues that show up in any other industry. For example, libraries and their vendors keep track of which patrons use specific resources and services. A library failing to let patrons know how the library or vendor collects, processes, and shares patron data or misrepresents library data privacy practices in communications to patrons is at risk of an ethics breach, losing the trust of their patrons.

While it might be fun to poke fun at the data privacy practices of commercial companies, libraries are best served to remember that they are not above engaging in the same privacy-invasive practices as their commercial counterparts. Case in point – the growth of customer relationship management systems in libraries and how the use of a CRM led a library to be investigated by a civil grand jury. Another case in point – many libraries still use Google Analytics to track patron use of the library website. In any case, meme responsibly.

When Privacy and Security Become a Barrier unto Themselves

A recent Twitter thread touched on many patrons’ struggles with multifactor authentication and how library workers encounter this struggle daily. Take some time to read the thread and the replies. It is a good reminder that not all privacy and security controls work for everyone. In some cases, these controls create barriers to using the library. These controls can disproportionally affect patrons who, for example, do not have reliable access to a mobile phone or have limited phone service if the library or vendor requires all patrons to use multifactor authentication for using library resources or services.

Privacy and equity are not mutually exclusive. Sometimes the choices libraries make can put some patrons in a bind, particularly when libraries move core services to newer platforms that collect more data about patron use of the service than before. Our post about ethical design in library privacy practices is a good starting point to consider how to center patrons in how your library approaches patron services and programs.

[Related – sometimes your data privacy and security policies for staff are a liability in themselves! We touched on this liability last October using administrator privileges on work computers. As you think about what data privacy and security measures to put in place at your library, take some time to think about the costs and benefits of each measure. Sometimes it’s better – both for the bottom line and for data privacy and security – to accept certain risks.]

Turning Acknowledgment into Action

Several people putting up a net banner with an orange outline of Chief Seattle's face and text underneath the face - "Chief Seattle is Watching"
Image source: https://www.flickr.com/photos/backbone_campaign/21483972929/ (CC BY 2.0)

We’re going to start the post with a quick exercise. Where do you live and work? Easy enough, right? Some of you probably can name a street, neighborhood, town, city, or state off the top of your head.

Let’s take the first question and change a couple of words – whose land do you live and work on?

Some of you might already know whose land that you live and work on. For those who do not, you can visit https://native-land.ca/ to find more information about the indigenous lands you currently occupy.

As we wrap up Native American Heritage Month this week, we are taking some time to give some context around the land acknowledgment included in our recent talks. You can use the resources at the end of the post for your acknowledgments that go beyond a statement of whose land you’re on.

Acknowledgment as The First Step

LDH lives and works on the unceded, traditional land of the Duwamish People, the first people of Seattle.

The above-italicized sentence is the start of the land acknowledgment in recent LDH talks. Many of us have encountered similar statements in various events and presentations. Land (or territory) acknowledgments sometimes stop here, naming the peoples whose land we’re on. However, this approach lacks the full acknowledgment of how the land became occupied. It also doesn’t acknowledge the present-day impact this occupation has on the people.

The Duwamish Tribe was the first signatory on the Treaty of Point Elliott in 1855. The Tribe has been denied the rights established in the treaty for over 165 years. The United States Federal Government currently does not recognize the Duwamish Tribe, denying the Tribe the rights and protections of federal recognition.

Naming the treaty is important in giving the historical context around the occupation of the land, but equally important is the explicit statement that the treaty has still to be honored by the federal government. The Duwamish Tribe is not federally recognized, which is important to acknowledge because of its historical impact on the Tribe and its current impact on the Tribe’s rights to funding for and access to housing, social services, and education, among other resources and services.

The Duwamish People are still here, continuing to honor and bring to light their ancient heritage.

Indigenous people are still here. It’s easy to leave the land acknowledgment to acknowledge the past and not venture into the present. But an acknowledgment of the present has to go beyond education and head into action.

Calls to Action

A portion of the speaker’s fee from the conference will be donated to Real Rent Duwamish. Real Rent serves as a way for people occupying this land to provide financial compensation to the Tribe for use of their land and resources – https://www.realrentduwamish.org/

The Tribe has started a petition to send to our state congresspeople to create and support a bill in Congress that would grant the Tribe federal recognition. The link to the petition is on the slide – https://www.standwiththeduwamish.org/

You are welcome to join me in donating to Real Rent or signing the petition.

The second half of the acknowledgment consists of two specific calls to action. Each action provides the opportunity for event attendees to support or advocate for the Duwamish People whose land LDH occupies. Real Rent Duwamish provides financial support and resources for the Tribe through a voluntary land tax. The petition aims to gather support for a bill granting the Tribe federal recognition, giving the Tribe access to services and resources available to other treaty tribes. If attendees cannot financially donate to Real Rent, they can provide non-financial support through the petition.

LDH’s acknowledgment focuses on calls to action around solidarity with the Duwamish People. Other land acknowledgments make the additional call for event attendees to research whose lands they occupy through https://native-land.ca/. Clicking on a specific territory will provide a page with resources where attendees can learn more about the Indigenous people whose land they’re on. For example, the Duwamish Tribe page on the site also links to ways to support the Tribe. Other calls to action found in land acknowledgments include supporting water protectors, such as supporting water protectors in stopping Line 3.

Resources

The list below is some resources you can use to inform not only yourself and others about the land you occupy but also what you and others can do to be in solidarity with Indigenous people in your acknowledgments and beyond.

Libraries (and Archives) as Information Fiduciaries? Part Three

A collection of football tickets and postcard invitations in a clear archival sleeve.
Image source: https://flickr.com/photos/27892629@N04/15959524202/ (CC BY 2.0)

Welcome back to the third installment of the information fiduciaries and libraries series! It’s been a while since we explored the concept of libraries acting as a trusted party managing patron personal data. Thanks to Tessa Walsh’s recent demo of Bulk Reviewer, we got the nudge we needed to tackle part three of the series. You can catch up on Parts One and Two if you need a refresher on the subject.

Managing Personal Data in a Collection

We left off the series with the question about what happens to a library’s information fiduciary role when the personal data it is entrusted with is part of the collection. The relationship between the personal data in the collection, the person, and the library or archive is not as straightforward as the relationship between the library and the patron generating data from their use of the library. Personal papers and collections donated to archives contain different types of personal data, from financial and medical to personal secrets. What happens in the case where a third party donates these papers containing highly personal information about another person to a library or archive? In the case of a person donating their documents, what happens when they have personal data of another person who may not have consented to have this data included in this donation? Moving from the archive to the institutional repository, what happens when a researcher submits research data that contain identifiable personal data as part of a data set, be it a spreadsheet that includes Social Security Numbers or oral histories containing highly personal information about a living person?

As you probably already guessed, these complications are only the start of the fiduciary responsibilities of libraries and archives surrounding these types of personal data. We’ve covered redacting PII from digital collections in the past, but redaction of personal data to protect the privacy of the people behind that data only addresses a small part of how libraries and archives can fulfill their information fiduciary role. Managing personal data in collections requires managing data in the best interests of the library/archive and the person donating the materials, as well as the best interests of the people behind the personal data included in that donated material, who may not be the same person as the donor.

Thankfully, we don’t have to navigate this complex web of relationships to determine how to manage the collection with the best interest of the people behind the data. The Society of American Archivists’ Privacy & Confidentiality Section can help libraries and archives manage personal data in their collections. If you are looking for documentation around privacy in archives, check out the documentation portal. Have too many types of personal data to know where to start? The section’s bibliography can lead you to the right resources for each major type of personal information you have in your collection. Perhaps you want to know more about current issues and concerns around personal data in collections. The RESTRICTED blog has you covered, alongside webinars such as Tessa’s demo of Bulk Reviewer mentioned at the start of this post. We highly recommend checking out the mini-blog series from Heather Briston, following up on her webinar “It’s Not as Bad as You Think – Navigating Privacy and Confidentiality Issues in Archival Collections.”

Beyond the section, you also might find the following publications helpful in determining how your library or archive should fulfill their responsibilities to the people behind the data in your collections:

  • Botnick, Julie. “Archival Consent.” InterActions: UCLA Journal of Education and Information Studies 14, no. 2 (2018). https://doi.org/10.5070/D4142038539.
  • Mhaidli, Abraham, Libby Hemphill, Florian Schaub, Cundiff Jordan, and Andrea K. Thomer. “Privacy Impact Assessments for Digital Repositories.” International Journal of Digital Curation 15, no. 1 (December 30, 2020): 5. https://doi.org/10.2218/ijdc.v15i1.692.

This is only a small selection of what’s available, but the Privacy & Confidentiality Section’s resources are an excellent place to start to untangle the complex web of determining what is in the best interest of all parties involved in managing the personal data in your collections.

Before we end our post, there is one question that a few of our readers might have – can archivists guarantee the same level of confidentiality as lawyers or doctors can in protecting personal information in legal matters?

A Question of Archival Privilege

Some of our readers might remember discussions about archival privilege in the early 2010s stemming from the litigation surrounding the Belfast Project oral histories. Archival privilege is not legally recognized despite legal arguments for such a privilege or tying such a privilege to researcher privilege in court (such as in Wilkinson v. FBI and Burka v. HHS). These rulings mean that materials in a collection are subject to search via subpoenas and warrants, which leads to privacy harms to those whose personal data is included in those collections. Nevertheless, it’s still worthwhile to revisit the calls for such a privilege and discussions of what archival privilege would look like:

Even though Boston College successfully appealed the initial order to hand over all the records listed in the subpoena, we are still left with the question of whether the archives profession should push for privileged relationships between donors or other individuals represented in the collections and the archives. We will leave discussion of whether such a privilege should exist (and in what form) to our readers.

Just Published – Licensing Privacy Vendor Contract and Policy Rubric (Plus Bonus Webinar!)

Happy National Spicy Hermit Cookie Day! Today is your day if you need an excuse to make a batch of cookies to prepare for the baking rush in a few weeks. While the term “hermit” refers to the cookie’s ability to keep for months, we at LDH are not exactly sure if we can call a cookie a literal hermit. Nevertheless, we know what can make someone into a hermit – spending countless hours reading vendor contracts.

(We would like to apologize for that transition. Here is a picture of a tray of freshly baked cookies to make up for it.)

The lucky academic library people who deal with content platform vendor contracts know all too well the frustrations with these contracts, particularly around data privacy and security. Contracts are notorious for being obtuse and dense, but an added complication with content platform contracts is the limited and vague language around our patrons’ data – what data is collected, why the vendor is collecting it, how they’re collecting patron data and sharing it with other third parties, what data rights patrons have, and so on. The complications don’t stop there. Academic library workers not only have to negotiate data privacy with the vendor, but more often than not, they find themselves internally negotiating for privacy at an institutional level, advocating and educating institutional peers about patron privacy rights and needs. Protecting patron privacy shouldn’t be this hard, but this is the reality that many academic library workers face in the contract evaluation and negotiation processes.

The Licensing Privacy Project is here to help. The Mellon Foundation-funded project just published the Vendor Contract and Policy Rubric to streamline the evaluation and negotiation processes for content vendor contracts and policies. Academic library workers can use the rubric to evaluate contracts for potential data privacy and security issues in eight key privacy domains, including data collection and user surveillance. The rubric brings together several well-known library privacy standards and practices to streamline the evaluation process, noting which vendor privacy practices could meet those standards and which to flag for further evaluation and negotiation. The supplementary glossary and example contract language resources provide definitions for common privacy terms and what type of contract language to look out for in specific privacy domains. The interactive features of the rubric allow for sharing evaluation notes, identified privacy risks, and ways to mitigate those risks among the library and institutional staff who are part of the negotiation process.

If you want to learn more about the rubric and how you can use it at your academic library, make sure to sign up for the webinar this Wednesday (11/17) at 1 pm Central Standard Time. Not only will you learn more about the rubric, but you will also get a chance to talk with other colleagues and brainstorm all the possible ways this rubric can help you advocate for patron privacy during the contract negotiation process. If you can’t make it, don’t worry – the webinar will be recorded. We hope to see you there!

Don’t Forget About Privacy While Turning Back The Clock

Last weekend was when we finally got our one hour back (for those of us still observing Daylight Saving Time [DST] in the US). Instead of sleeping in, though, we are barraged with public service announcements and reminders to spend that hour taking care of things that otherwise get ignored. That fire alarm battery isn’t going to change itself! Like #DataSpringCleaning, the end of DST is a great opportunity to take care of privacy-related things that we’ve been putting off since spring.

What are some things you can do with the reclaimed hour from DST?

  • Choose and sign up for a password manager – If you’re still on the fence about choosing a password manager, check out our post about the basics of selecting a manager. Once you get past the inertia of selecting a password manager, switching to a password manager becomes a smoother process. Instead of switching all your accounts to the password manager at once, you can enter the account information into the manager when you sign into that specific account. Using the password manager’s password generator, you can also use that time to change the password to a stronger password. And while you’re logged in…
  • Set up multifactor authentication (MFA) – You should really turn on MFA if you haven’t already done so for your accounts. Use a security key (like a YubiKey) or an authenticator app for MFA if possible; nevertheless, the less secure versions of MFA – SMS and email – are better than no MFA. Read about MFA on the blog if you’re curious to learn more about MFA.
  • Review privacy and security settings for social media accounts – Social media sites are constantly adding and changing features. It’s good to get into the habit of checking your social media account settings to make sure that your privacy and security settings are where you want them to be. Another thing you might want to check is how much of your data is being shared with advertisers. Sites like Facebook and Twitter have account setting sections dedicated to how they use your data to generate targeted ads.

Your library also has a reclaimed hour from DST. What can you do at work with that reclaimed hour?

  • Review the privacy policy – It never hurts to review the privacy policy. Ideally, the privacy policy should be updated regularly, but sometimes even having a review schedule in place doesn’t necessarily guarantee that the review actually gets done. If the policy missed its regularly scheduled review, it might be worthwhile to push for the overdue review of the policy to ensure the policy’s alignment with current professional standards, codes, and legal regulations.
  • Check your department or team procedures against the privacy policy – Your department work procedures change regularly for various reasons, such as changes in technology or personnel. These changes might take these procedures out of alignment with the current privacy policy. Relatedly, an update to the privacy policy might need to be reflected in changes to the procedure. Review the two sets of documents – if they’re not in alignment, it’s time to set up a more formal document review with the rest of the department. Now is also an excellent time to set up a schedule for reviewing procedures against the privacy policy (as well as privacy-adjacent policies) on a regular basis if such a schedule doesn’t already exist.
  • Shred paper! – Take time to look around your workspace for all the pieces of paper that have sensitive or patron data. Do you need that piece of paper anymore? If not, off to the office shredder it goes. Grab a coffee or a treat on your way back from the shredder while you’re at it – you earned it ☕🍫

We won’t judge you if you ultimately decide to spend your reclaimed hour sleeping in (or changing that fire alarm battery). Nevertheless, making a habit of regularly checking in with your privacy practices can save you both time and trouble down the road.