Contact Tracing At The Library

Welcome to this week’s Tip of the Hat!

Contact tracing has been used in the past with other diseases which helped curve infection rates in populations, so health and government officials are looking at contact tracing once again as a tool to help control the spread of disease, this time with COVID-19. There have been various reports and concerns about contact tracing through mobile apps, including ones developed by Google and Apple. However, mobile contact tracing will not stop local health and government officials in taking other measures when it comes to other contact tracing methods and requirements, and libraries should be prepared when their local government or health officials require contact tracing as part of the reopening process.

While there are no known cases of libraries doing contact tracing as part of their reopening process, there are some ways in which libraries can satisfy contact tracing requirements while still protecting patron privacy.

Collect only what you absolutely need

What is the absolute minimum you need to contact a patron: name, email address, and/or telephone number are all options. Sometimes patrons do not have a reliable way of contacting them outside the library – health and government officials should have recommendations in handling those cases.

But what about having patrons scan in with their library card and using that as the contact tracing log? What seems to be a simple technological solution is, in reality, one that introduces complexity in the logging process as well as privacy risks:

  • Some of the people visiting the library will not have their library card or are not registered cardholders.
  • Contact logs can be subject to search or request from officials – maintaining the separation between the contact log and any other patron information in the library system will minimize the amount of patron data handed over to officials when there is a request for information.

Paper or digital log?

Some libraries might be tempted to have patrons scan in with their barcodes (see above section as to why that’s not such a good idea) or keep an electronic log of patrons coming in and out of the building. However, an electronic log introduces several privacy and security risks:

  • Where is the digital file being stored? Local drive on a staff computer that isn’t password protected? Network storage? Google Drive (yikes!)?
  • Who has access to the digital file? All staff in the library?
  • How many other copies of the file are floating around the library’s network, drives, or even printed out?

In this instance, however, a paper log will provide better privacy and security protections when you take the following precautions:

  • The paper log should be securely stored in a locked cabinet or desk in a secured area, preferably a locked office or other controlled entry space.
  • During business hours, the paper log should be filled out by designated staff members tasked to collect information from patrons. Do not leave the paper log out for patrons to sign – not only you give patrons the names of others in the building (for example, a law enforcement agent can read the log and see who’s in the building without staff knowledge) you also potentially expose patrons and staff to health risks by having them share the same hard surfaces and pen.
  • Restrict access to the paper log to only staff who are designated to keep logs, and prohibit copying (both physical or electronic copies) of the log.

Equitable service and privacy

Some patrons might not have reliable contact information or might refuse to give information when asked. If the local government or health officials state that someone can’t enter a building if they don’t provide information, how can your library work with your officials in addressing the need for libraries to provide equitable service to all patrons who come to the library?

Retention and disposal

Keep the contact tracing logs for only as long as the government or health officials require. If there is no retention period, ask! Your logs should be properly disposed of – a paper log should be shredded and the shredded paper should go to a secured disposal area or service.

Keeping a log of visits to the library is something not to be taken lightly – you are creating a log of a patron’s use of the library. Several other privacy concerns might be specific to your library that could affect how you go about contact tracing, such as unaccompanied minors. Contact tracing is an effective tool in containing disease outbreaks in the past, but it doesn’t have to come at the expense of losing entire personal privacy if the library works with its staff and government officials in creating a process that minimizes patron data collection, access, and retention.

Choose Privacy Week Recap

Welcome to this week’s Tip of the Hat!

This weekend was hot in Seattle, with temperatures near 90 F. While the Executive Assistant took this time to bask in this heat, we at LDH tried to find a cool spot in the home office to work, away from the Executive Assistant’s gaze.

Last week was a busy week on the Choose Privacy Every Day site for Choose Privacy Week! Here’s what you might have missed:

  • Virtual Programming and Patron Privacy – Jaime Eastman along with the ALSC Children and Technology committee give much-needed guidance for library workers who are moving children-oriented programs and services online due to the pandemic. The post goes into the Children’s Online Privacy Protection Act (COPPA), and what library workers need to do to protect the privacy of children while keeping in compliance with COPPA. Bookmark the ALSC Virtual Storytime Services Resource Guide for additional guidance (coming soon!).
  • Protecting Privacy In A Pandemic: A Resource Guide – On Friday, May 8th, OIF hosted a Privacy Town Hall about patron privacy. While we wait for the recording of the Town Hall event, the blog post lists the main topics and resources covered by the panelists in the Town Hall.
  • When libraries become medical screeners: User health data and library privacy – Some libraries are now giving medical screenings to patrons who want to enter the library building. What privacy risks are there in collecting health data of your patrons? Read the article by LDH to find out why library workers might not be the best choice in handling health data.

Finally, if you have that one library privacy topic that you’ve been meaning to write about or if you want to share your privacy thoughts to a wide audience, Choose Privacy Every Day is looking for blog authors! There are some requirements for being an author for the blog, but this is a great opportunity to get your ideas and thoughts out into the library world.

That’s a wrap! Or, at least, the computer core temperature says it’s time to put the computer in the freezer. If you’re on the West Coast, stay cool, and for those of you who got snow on the East Coast, stay warm!

Week Roundup – In The News and What Would You Do?

Welcome to this week’s Tip of the Hat! Last week was a busy week. Here’s a recap of what you might have missed.

LDH in the News

What Would You Do?

One public library in New Jersey has been finding various ways to support their community while the library building is closed, but one strategy has started a debate on Library Twitter – using patron data to do welfare checks:

Recently, the Library decided to take more direct action to help the Roxbury community. Armed with its enormous patron database, library staffers are going through the list and, literally in descending order, calling the oldest and most vulnerable of Roxbury’s residents to inquire on their well-being, let them know someone cares and will listen, and when need be to connect them to vital resources to get them through this difficult time.

The article goes on to describe how this strategy led to an increase in requests for masks to be distributed by the library.

While this single instance seems to have had a positive outcome, the use of the data collected by the library to do wellness checks brings up the question of “we could, but should we?” concerning using patron data in this manner. Some of the issues and considerations brought up on Library Twitter include:

  • Scope creep – several library workers serve as de facto social workers in their communities. How can libraries in this position support their community while working with local community organizations and local government departments who are better suited for social work? How can this work be done while honoring patron privacy?
  • Data quality – the article stated that the library staff used the age listed in the patron database. How reliable is that data? ILS migrations and even the move to an automated library system can introduce data quality issues in the patron record, including age.
    • For example – one library that moved from a paper-based system to an ILS in the mid-1990s still found patrons whose birthdays were listed as the date of the migration years later.
  • Notice and consent – patrons have certain expectations when giving data to libraries. Some of these expectations come from what the library states in their privacy and confidentiality notices, as well as other communications to patrons from the library. It’s safe to say that libraries don’t list “wellness checks” in their patron privacy notices as one potential use of patron data. This gets into the issue of using data outside of the stated purposes when the data was exchanged between the patron and the library. Recent data privacy legal regulations and best practices address this by requiring businesses to inform about the new use and to get affirmative consent before using the data for said new use.

There are some other items brought up in the Twitter discussion, such as different expectations from patrons, the size of the community, and patron-staff relationships. Some patrons chimed in as well! Like many other real-world data privacy conundrums, this one is not as clear cut in terms of how to best approach addressing the issue at hand – making sure that patrons in under-supported or vulnerable community groups get the support that they need.

We want to hear from you – what would you do in this situation? Email us at newsletter@ldhconsultingservices.com and we’ll discuss the results in a future newsletter. We will not post names or institutions in the newsletter results, so email away and we’ll do the rest to protect your privacy as we discuss patron privacy. Let us know what you think!

#dataspringcleaning, Home Office Edition

Welcome to this week’s Tip of the Hat!

The trees outside the LDH office are now covered in leaves, the tulips and daffodils are blooming, and the grass has started growing again. All of which means one thing – allergy season Spring Cleaning Season! Or, as we at LDH like to call it, #dataspringcleaning season.

We covered the basics of #dataspringcleaning in a previous newsletter; however, determining if your data sparks joy might be a challenge this year given the state of current affairs. For this year’s #dataspringcleaning season, here’s a short cleaning list for your newly minted home office to help you in your data cleaning efforts.

Paper documents

Shred! If you don’t have a shredder at home, you have a couple of options:

  • Store documents for shredding at the office in a secured place in your home away from housemates.
  • Buy a shredder for your home. Look for a shredder that can shred at or above Level P-4. Having a shredder at home not only helps you protect patron privacy but also your privacy now that you have a convenient way to shred your personal documents and files.

Shredded paper should not go into your recycling bin – it’s most likely that your recycling center cannot accept shredded paper. In King County (where LDH is located) residents are instructed to use shredded paper for composting. You can also take a few handfuls of shredded paper to top off any garbage cans before closing up the garbage bag when you take the garbage out. Check with your local solid waste and recycling departments in your local area for more guidance about disposing of shredded paper.

Electronic equipment

  • Store patron data on work storage or equipment when necessary. Do not use personal hard drives, flash drives, or other personal storage devices to store patron data.
  • Do a quick data inventory of any personal cloud storage services you use, such as Google Drive or Evernote.
    • What patron data do you have stored in those services?
    • Can you migrate that data to work storage?
    • What data do you need to keep, and what data can be deleted?
  • If you have your work computer at home, now would also be a good time to do a data inventory of what’s stored on the local drive.
  • Remember, deleting a file doesn’t mean that the file is deleted! There are many programs available to help you permanently delete files.
  • If you do end up having to retire a physical disk or drive that held patron data, what tools do you have in your home toolbox? You most likely have a hammer, but you can also get creative depending on what’s available… we’ve mentioned power drills before, but perhaps you might want to try out the nail gun. Remember – safety first!

#dataspringcleaning at home is a good way to spend the time between meetings or to begin or end your workdays at home. A little bit of cleaning each day adds up to help protect patron privacy 🙂 Happy cleaning!

The Obligatory Password Manager Newsletter

We regularly get asked at LDH about password managers: what they are, if people should use them, and which ones to use. While there is some consensus in the information security world about password managers, there is still some debate – if you ask three security experts about password managers, you will get at least five answers. Today we’ll add to the mix and answer the most frequently asked questions about password managers.

What is a password manager?

At its core, a password manager is a software application that generates, stores, and retrieves passwords and other login information for various accounts. These passwords are accessible through the manager via a master password or passphrase. Think of a password manager as a vault – the vault has your passwords and you gain access to the vault through a combination that you and only you know.

Should I use a password manager?

Yes! Password managers are a great way to help you secure your online accounts. Password managers do the remembering of (almost) all the passwords for you, so you can break the bad habits of reusing passwords for multiple accounts or using weaker passwords that you can remember from memory – both habits put you at higher risk of having your account compromised. Some password managers can automatically change your passwords for you, as well as the ability to generate stronger passwords for each of your accounts. Another benefit of password managers is that you can securely share passwords for family accounts with others in your family (as long as they too use a password manager).

The one password that you have to remember is the master password to get into your manager. To create a strong password that you are likely going to remember, I recommend creating a passphrase. You can generate a strong passphrase through Diceware.

Are they safe?

Safety usually comes up when someone asks about password managers, and for good reason. This is a software application that could potentially have information for your financial accounts, your social media accounts, your shopping accounts, your medical accounts, and so on, and if that application has a data breach or leak, you are at high risk for identity theft at best. There is the fact that some password managers have had breaches in the past, the most prominent one being LastPass. You might also have read news stories about how other password managers might be vulnerable to breaches.

Nonetheless, for most folks, the risks associated with the use of a password manager are far less than using weaker passwords or reusing passwords. This gets into your threat model – what are the most realistic risks in terms of who wants your data, why they want your data, and how they’ll get your data. This is a risk assessment where you not only need to consider the severity of if the risk is realized but also the likelihood that a risk will be realized. Yes, a password manager might be breached, but the likelihood of a well-known password manager being breached is lower than a breach of an account that uses a weaker password or a password that was used by another account that was part of another breach or leak.

[A gentle reminder that using a weak password or reusing a password for your master password for the password manager also puts you at the same level of risk as not using a password manager at all!]

If you’re still wary of using a password manager, there are a couple of strategies I’ve encountered from my discussions with others that can mitigate some risks, including using multiple password managers to store different types of passwords and other sensitive information, or only use their password manager to manage passwords, and not store any other information, like security question answers and payment information.

Which password manager do you recommend?

It depends on your needs.

Some people use their browsers to manage their passwords, but that limits users to the browser that they are using. To get the full benefit, I recommend using a password manager separate from an individual browser’s password vault.
In general, you want to use a password manager that:

  • Uses strong encryption to store and to sync data in and between clients and apps
  • Offers secure cross-platform compatibility (desktop, mobile device) for all the platforms that you use in your daily life
  • Has an established reputation in the password manager world

The question of paid versus free accounts sometimes comes into the conversation. Several password managers have a free plan, while other password managers are free open source software. It depends on your needs and your comfort level when it comes to if you want to stick with a free plan/manager or move to a paid plan.
With all that said, here are some password managers to check out:

Are there alternative ways to store passwords outside a password manager?

There’s always this. ;c)

Special thanks to newsletter subscriber Chris Reimers and the folks in the ALA LITA/OIF webinar last week for the newsletter topic suggestion!

Recording now available for remote work and data privacy

If you missed last week’s “A Crash Course in Protecting Library Data While Working From Home”, don’t worry – we recorded the session! You can access the recording and transcript of of last week’s webinar in Google Drive. Resources and handouts for the webinar can be access at https://is.gd/LDH_RemotePrivacy.

More Zoom Updates and Free Webinar About Remote Work and Data Privacy

Welcome to this week’s Tip of the Hat!

Zoom has had one of those weeks. Since we last wrote about Zoom’s privacy issues last week, the number of additional privacy issues has skyrocketed. It’s gotten to the point where there are news articles just trying to keep track of all these updates. Even those articles are struggling to keep up. On March 31, TechCrunch published an article that listed the known privacy issues at that time, including the misleading advertising of true end-to-end encryption for voice chats, but the article came out a day before an article about zero-day bugs found by an ex-NSA hacker that could allow access to passwords and webcam/mic control if someone had physical access to the computer. Then the next day we learned that Zoom leaked LinkedIn data to other users. Additional reports suggest that Zoom is a very good target for intelligence gathering and interceptions for various governments.

Like we said – it’s hard to keep up with all the updates! Security expert Bruce Schneier’s writeup on Zoom is the most up to date list at the time of this writing.

The best option, in this case, is not to use Zoom, right? Unfortunately, it’s not that clear cut. A conversation on Twitter about Zoom brought up the point that Zoom fairs better than other web conferencing software in terms of screen reader access. While Zoom might be a hot mess when it comes to privacy, it still provides access to those who otherwise wouldn’t have it with other options. Workplaces complying with privacy and accessibility regulations find themselves in a tightrope act with trying to protect employee and patron privacy while at the same time provide tools that their staff can use. Zoom announced that they are addressing the privacy and security issues, which if the company follows through on their promise would solve the issue in the short term. The longer-term issue remains, however, with web conferencing software that have better privacy practices are not accessible for users, including for library workers.

For now, the best you can do is to lock down your Zoom meetings as much as possible and to review user and administration settings to ensure that all privacy and security settings are enabled. Some universities have created publicly accessible guides to more secure Zoom meetings, such as this guide from the University of Washington, as well as FAQs on privacy and security, that can help you formulate messaging to library staff about using Zoom.

Webinar on remote work and data privacy, April 9th

LDH Consulting Services is proud to sponsor this week’s LITA webinar “A Crash Course in Protecting Library Data While Working From Home”. This free webinar will provide strategies and actions in protecting patron privacy for library workers working from home, as well as some of the longer-term implications to patron privacy with libraries moving all essential operations and patron services online for the foreseeable future. Attendees will have the opportunity to share what they are doing to protect data privacy while working from home. Register today!

Zoom and Privacy at the Library

Welcome to this week’s Tip of the Hat!

The amount that you spent web conferencing has most likely increased exponentially in the last few weeks. Library workers working from home now rely on web conferencing software for daily operations, including meetings and check-ins with other colleagues. With this shift to web conferencing, though, comes a shift in the level of risk to patron privacy.

Most libraries rely on third party web conferencing software which, like any other third-party vendor, brings its own set of risks to patron privacy. However, when you fundamentally change library operations to embed a third-party application into almost all parts of core operations, the existing privacy risks of that application change dramatically. You also introduce new risks into the mix! It’s already hard to keep up with all the risks to patron privacy in normal operations, and a rapidly changing work landscape compounds matters.

Let’s take Zoom, for example. Many libraries and library vendors use Zoom as their primary web conferencing application before the COVID-19 outbreak. That number only increased as many workplaces went remote, with many workers relying on their institutional Zoom accounts for both professional and personal online meetings. Other workers took advantage of Zoom’s generous free plan. What was once a tool used for webinar presentations and professional organizational group meetings, Zoom has become a lifeline for many remote library workers to stay connected to the library world for the foreseeable future.

With the increased use of Zoom came increased scrutiny of the application from the increasing number of remote workers in several industries. Soon after the shift to remote work started in earnest across the US, news media started reporting on privacy and security concerns with Zoom. One of the earlier news reports described Zoom’s “attention tracking” function, where an administrator can keep track of meeting participants who clicked away from the Zoom window. This level of tracking by the meeting organizer does not reach the level of other tracking software used by businesses to monitor employee productivity, but this tracking can still encroach on employee privacy. “Zoombombing” – the act of gatecrashing a public Zoom meeting and bombarding it with inappropriate material or attacks – is also on the rise, compromising the security of business and other meetings held by users who are newer to the platform.

Zoom’s data privacy practices have received increased scrutiny in the last week with the mass movement to remote work. In the same article about “attention tracking”, the reporter also touched on Zoom’s privacy policy’s vague language around selling personal data. The privacy policy has since been updated to remove the first sentence which caused the most concern, but the vague last sentence in the paragraph remains – “So in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.” – which is still a privacy concern. In addition, Zoom’s iOS App was sending user information to Facebook, which again wasn’t made explicitly clear in the privacy policy. Zoom released a statement that they will change the app to no longer send this information, but Zoom’s overall privacy practices and policies remain unchanged as described in this Twitter thread.

Your library might be using Zoom for business meetings, or it might be using Zoom for library programs, such as delivering online programs (like storytime or classes) or research/reference services. In both cases, Zoom might be collecting and processing patron data for their business purposes, increasing the risk of a privacy breach. You can take some actions to mitigate the new risks to patron privacy from using Zoom:

  • Use Zoom’s end-to-end encrypted chat feature [Update – the E2EE feature turned out to be false advertising.]
  • Limit the amount of patron data disclosed in Zoom, including text chats
  • Do not record video, voice, or text chats that involve patron data, including services to patrons conducted over Zoom
  • Do not share files with patron data over Zoom’s filesharing feature
  • Review privacy and security settings on the administrator, organizer, and user levels
  • Follow best practihttps://lifehacker.com/how-to-prevent-jerks-from-ruining-your-zoom-meetings-1842453487ces to prevent Zoombombing, including enabling the waiting room feature, limiting screen-sharing and voice controls (muting participants by default when they join), and locking the session when all attendees have arrived.

Limiting patron data disclosure on third-party applications is a challenge for a remote workforce. Choosing third-party applications with strong privacy and security practices is one of the best ways to mitigate privacy risks. Taking the time to assess privacy and security during a major global health crisis, nonetheless, doesn’t come naturally if you are not used to making critical privacy decisions under pressure. Settling into the new normal provides the opportunity to reassess data privacy and security practices in the workplace, including mitigating expanded or new risks to patron privacy. In the case of Zoom, limiting the amount of patron data transmitted through the application as well as making full use of privacy and security settings can help mitigate these privacy risks.

Doxing: How to Protect Yourself and Patrons

Welcome to this week’s Tip of the Hat!

The Executive Assistant has her paws full this week with rescheduling and shifting various project timelines around thanks to recent events. She was batting objects off of ledges redoing Gantt charts when she came across a small list of privacy-related things to do on a rainy day and promptly knocked the list off the pile and onto the floor. While this is not a rainy day, a few of us could use a distraction, so what can be a better distraction than protecting your privacy?

Today we’ll explore doxing: what it is, how it can harm you and your patrons, and what you can do to protect yourself and patrons from being doxed.

Doxing and You

Doxing is the act of publishing private or otherwise identifying information about a person to the public. This can include your home address, phone number, private email address, or bank account details, but it can also involve publishing private information about those close to you, like family members, along with your private information. Most times doxing is used as a tactic to intimidate or to harm a person or their loved ones – an infamous example of doxing in action is Gamergate, where online harassers doxed several games journalists, researchers, and others in the gaming industry.

Being doxed can mean a stranger showing up at your home or otherwise harassing you as you try to go about your daily life, but it can also mean that your identity can be stolen. With just a few pieces of private personal information, you can social engineer your way through customer service staff and help desk representatives to get access to critical accounts, potentially destroying the financial and reputational aspects of a person’s life in the process.

How to Dox Yourself (@ the Library)

The scary part about doxing is that anyone with little time and effort you can get access to private information. The New York Times recently published a guide on how to dox yourself, describing the various places where you can find information that you thought was not available to the public. Search engines, social media, and data brokers are all potential sources for doxers looking for your private information. Take some time to study their resource guide and perform some searches on your favorite search engine. You might be (un)pleasantly surprised as to what you can find about yourself.

Libraries are not exempt from being potential targets for doxers to gain information about a person. Library patrons routinely contact library staff with requests or questions about their patron account or another person’s patron account. What can be in the patron record that can potentially be used to dox someone? Legal name, home address, and birth date are three pieces of patron data that come to mind. Chances are, though, that your patron record includes much more, including telephone numbers, email addresses, and even government or organization-issued identification numbers, such as driver’s license numbers or student or employee id numbers.

Library workers also face the possibility of being doxed and harassed. An article by American Libraries recounted the experiences of two library school professors who were doxed for their research on racial microaggressions in academic libraries. Library workers are subject to the same harassment and doxing that their patrons face in daily life, as documented in the article. Any private information of both patrons and library workers is fair game to a doxer, even at the library.

Dox Defenses

How can you protect yourself and others from doxing?
On the personal front:

On the library front, review policies and procedures surrounding patron data confidentiality, particularly surrounding requests to disclose patron information:

  • Do you have a procedure in place to verify the patron’s identity if they request access to information in their patron record? What are the procedures regarding identity verification in-person versus over the phone versus online?
  • What information is used in the verification process?
  • What information do you disclose in the patron record in person? Over the phone? Online?
  • What is the procedure when the patron doesn’t have this information for verification?
  • What is the procedure if the patron requests access to another patron’s record?

Employee information also needs protection; however, a different set of regulations, policies, and procedures apply. Check with your human resources staff as well as legal counsel to determine what information is private, what is public, and when employers are allowed to disclose employee information to others.

Doxing is scary and can lead to harassment and other dangerous situations. The best personal defense against doxing is to be proactive in limiting the amount of private information a random person off the street can access through a data broker, your online presence, or other places where private information can be accessed by someone with a little bit of time and resources. The best library defense is making sure that there are policies and procedures in place for verification of the patron’s identity before disclosing patron information in certain situations, as well as protecting the privacy of library worker information, be it from not publishing private information such as home addresses to protecting the data from unauthorized access.

COVID-19 Updates And More Privacy Considerations

Welcome to this week’s Tip of the Hat, everyone.

It’s been a week for many of us as COVID-19 rapidly changed both work and personal lives. During the last newsletter, public events were still going on, schools and libraries were still open, and we were not in a pandemic. This newsletter is being composed in a completely different world in Seattle – closed schools and libraries, canceled events, and the realization that COVID-19 is much more widespread than previously thought.

This week, many libraries are closed to the public, while other libraries that are still open are being pressured to close to protect the health of their staff. This means staff might be working from home for the first time, or are trying to move in-person library instruction online. The Library Freedom Project provides a good list of privacy considerations for online instruction. Academic and school libraries should also be aware of the updated guide on FERPA and COVID-19 and how student privacy is impacted by the COVID-19 pandemic. In the general world, healthcare professionals, as well as employers, are struggling to find a balance between personal privacy and disclosure in the context of HIPAA regulations.

The rapid developments of last week also presented a challenge – how do you protect privacy while at the same time keeping up with changes at work? Many work from home arrangements were hastily put together with less than 24 hours’ notice, leaving IT departments scrambling to figure out if VPN or other remote access to staff systems can handle the increased user traffic, but at the same time might not realize that the remote access method has a vulnerability, such as an unknown open port, or even providing access to internal applications without special logins or IP restrictions. IT staff should ensure that only staff can access work systems and network drives, including requiring VPN use to access these places as well as additional authentication and user access rules. In short, IT staff have their work cut out for them in the next few weeks. Nonetheless, there have been many guides published in the last week, like this one from NC Department of Information Technology, for people working from home and what they can do to protect their digital privacy and security.

On the public services side, online communications between staff might take a variety of forms, from an increased number of emails to online web conferencing. If the organization doesn’t offer an online group collaboration platform, like Microsoft Teams, staff might take to free third party applications, such as Slack, Discord, or your tried and true suite of Google products. Patron privacy might be compromised if patron data is shared on unsecured applications, as well as places that are subject to a public records disclosure request. Therefore, it’s a good time to remind everyone to keep patron privacy in mind in working from home, including limiting storing and communicating patron data to secure communication channels controlled by the organization.

It’s impossible to keep track of every COVID-19 development, and libraries have struggled to respond to these changes. With more libraries closing and trying to keep staff busy, we cannot forget that the choices we make during the COVID-19 pandemic will have long-lasting consequences on data privacy for some time to come. It’s hard to step back and take a breath to reassess where everything stands on patron privacy, but it’s worth the effort to take a few moments to go through the library’s response so far and ask how each response might put patron privacy at risk.

COVID-19: Resources and Privacy Considerations

Welcome to this week’s Tip of the Hat!

Some of you might already know that LDH is based out of Seattle. Seattle has been in the news with the recent COVID-19 cases and deaths in the area. We at LDH are staying relatively healthy (outside of it being allergy season in town). Nonetheless, some of you have also been impacted by COVID-19, including institutional travel restrictions, dusting off the disaster policy and procedures, and fielding questions from both staff and patrons about what will happen when there’s an outbreak of COVID-19 in your area.

There’s a lot of information out there regarding COVID-19 and what you should do to help slow the spread of the infection. Some sources include:

The most important things to keep in mind during this time:

  • WASH YOUR HANDS WITH SOAP AND WATER. It doesn’t matter if it’s hot or cold water. There are several memes out there with lists of songs you can sing for about 20 seconds, be it Happy Birthday, the opening trumpet solo in Mahler’s 5th, or the chorus to this song.
    Hand sanitizer (store-bought, not homemade) is also an option, but not as effective as washing your hands with soap and water. [1]
  • Cover coughs and sneezes using your elbow or tissue (then throwing the tissue away).
  • If you are able, stay home if you are sick. This is not an option for those who do not have paid sick time, or if there’s a lack of coverage at work. If you do have the privilege to stay home, do so.
  • Extra cleaning of any hard surfaces as well as public or shared areas, such as open offices and break rooms.

COVID-19 has also brought up some good reminders and discussions surrounding privacy in a time of a possible pandemic:

Here are a few more articles surrounding the COVID-19 and the possible long-term implications to privacy regulations and public discourse:

Stay safe and healthy in the coming weeks!

[1] You would be surprised by the number of people who do not wash their hands regularly; this is something you should be doing anyway in normal circumstances. Hence, the shouting. Forever shouting about the washing of hands.