Guidelines for Developing a Library Privacy Policy
I. Introduction
Privacy is essential to the exercise of free speech, free thought, and free association.
In libraries, the right to privacy is the right to open inquiry without having
the subject of one’s interest examined or scrutinized by others. Confidentiality
exists when a library is in possession of personally identifiable information (PII)
about users and keeps that information private on their behalf.
With technology changes, increased incidence of identity theft, and new
laws, as well as increased law enforcement surveillance, librarians must act now
to develop and/or revise their privacy policies and procedures in order to ensure
that confidential information in all formats is protected from abuse. They must
also protect their organizations from liability and public relations problems.
When developing and revising policies, librarians need to ensure that they:
• Limit the degree to which personally identifiable information is monitored,
collected, disclosed, and distributed.
• Avoid creating unnecessary records.
• Avoid retaining records that are not needed for efficient operation of the
library, including data-related logs, digital records, vendor-collected data,
and system backups.
• Avoid library practices and procedures that place personally identifiable
information on public view.
A privacy policy communicates the library’s commitment to protecting users’
personally identifiable information. A well-defined privacy policy tells library users how their information is utilized and explains the circumstances under
which personally identifiable information might be disclosed. When preparing
a privacy policy, librarians need to consult an attorney in order to ensure that
the library’s statement harmonizes with the many state and federal laws governing
the collection and sharing of personally identifiable information.
Libraries need to post privacy policies publicly. “Privacy: An Interpretation
of the Library Bill of Rights” states that “Users have the right to be informed
what policies and procedures govern the amount and retention of personally
identifiable information, why that information is necessary for the library, and
what the user can do to maintain his or her privacy.”
PII: Personally Identifiable Information
One of the key concepts to understand when developing policies and procedures
is the one defined as “personally identifiable information.” PII connects
individuals to what they bought with their credit cards, what they checked out
with their library cards, and what websites they visited where they picked up
cookies. More than simple identification, PII can build up a picture of tastes
and interests—a dossier of sorts, though crude and often inaccurate. While
targeted advertising is the obvious use for PII, some people would use this information
to assess an individual’s character, decide if they were a security risk,
or embarrass them for opposing a particular position. Because of the chilling
effect that such scrutiny can have on open inquiry and freedom of expression,
libraries and bookstores have long resisted requests to release information that
connects individual persons with specific books.
Privacy Policies and the Law
Library privacy and confidentiality policies must be in compliance with applicable
federal, state, and local laws. The courts have upheld the right to privacy
based on the Bill of Rights of the U.S. Constitution. Many states provide guarantees
of privacy in their constitutions and statute law. Numerous decisions in
case law have defined and extended rights to privacy.
Privacy Policies and ALA
A number of ALA policies and recommendations have been passed in recent
years on privacy and confidentiality issues. But recognition of the importance of
this issue dates back as far as the 1930s in ALA policy. Article 11 of the “Code of
Ethics for Librarians” (1939) asserted that “It is the librarian’s obligation to treat
as confidential any private information obtained through contact with library
patrons.” Article III of the current Code (1995) states: “We protect each library
user’s right to privacy and confidentiality with respect to information sought or
received and resources consulted, borrowed, acquired, or transmitted.”
Your Library’s Policy Should Incorporate Standard Privacy Principles
In addition to ALA policies, there are many very good frameworks for establishing
privacy policies. The privacy policy guidelines outlined here are based
in part on what are known as the five “Fair Information Practice Principles.”
These five principles outline the rights of Notice, Choice, Access, Security, and
Enforcement. Another widely accepted European legal framework establishing
rights of data privacy and confidentiality calls for ensuring Collection limitation,
Data quality, Purpose specification, Use limitation, Security safeguards,
Openness, Individual participation, and Accountability. These frameworks
provide the basis for recommendations from other consumer and privacy
advocacy groups, whose checklists are well worth reviewing.
II. How to Draft a Library Privacy Policy
All types of libraries are urged to draft and/or revise privacy and confidentiality
policies. This document offers guidance for public, academic, research,
school, and special libraries, as well as library systems. Special considerations
are raised in part III for school and academic libraries and for public library
services to minors because each is affected by laws and practices unique to
those particular situations. Other considerations may also apply. When drafting
a policy, library administrators should check with their parent institutions to
ensure they are complying with appropriate norms and policies. Some elements
of this guidance may not pertain to all libraries.
1. Notice and Openness
Policies should provide notice to users of their rights to privacy and confidentiality
and of the policies of the library that govern these issues. Such notice should
dictate the types of information gathered and the purposes for and limitations
on its use. It is critical that library privacy policies be made widely available to
users through multiple means. This is because safeguarding personal privacy
requires that individuals know what personally identifiable information is
gathered about them, where and how it is stored (and for how long), who has
access to it and under what conditions, and how that PII is used.
2. Choice and Consent
Choice means giving users options as to how any personal information collected
from them may be used. Provision of many library services requires
the collection and retention of personally identifiable information. Whether this is required (e.g., in order to circulate library material), automatic (e.g.,
as in some Web-based library services), or voluntary (e.g., when engaging in
e-mail-based reference), this information should be retained only as long as is
necessary to fulfill the function for which it was initially acquired. Two commonly
used schemes for choice/consent are “opt-in,” where the default is not
to include the information and affirmative steps are required for inclusion, and
“opt-out,” where the default is to include the information and affirmative steps
are required for exclusion.
3. Access by Users
Users have the right to access their own personally identifiable information.
The user’s right to access his or her personally identifiable information should be mentioned
in the privacy policy. The right of access covers all types of information
gathered about a library user or about his or her use of the library, including
mailing addresses, circulation records, computer use logs, etc. Access to personal
information should be made available on-site or through online access
with security parameters in effect to verify the existence of individual users.
Right to access should also address instances in which age may be a factor.
The Children’s Online Privacy Protection Act of 1998 (COPPA) provides for “a
parent’s ability to review, make changes to, or have deleted the child’s personal
information.” For more on COPPA, see the section called “School Libraries
and COPPA” below under part III.
4. Data Integrity and Security
Data Integrity: The library needs to assure data integrity. Whenever personally
identifiable information is collected, the library must take reasonable steps to
ensure its integrity, including using only reputable sources of data, providing
library users access to their personal data, updating information regularly,
destroying untimely data or converting it to anonymous form, and stripping PII
from aggregated, summary data. It is the responsibility of library staff to destroy
information in confidential or privacy-protected records in order to ensure
against unauthorized disclosure. Information that should be regularly purged
or shredded includes PII on library resource use, material circulation history,
and security/surveillance tapes and use logs, both paper and electronic.
Shared Data: If patron records are supplied by or shared with a parent institution
such as a college registrar or a library consortium, the library needs to
adopt measures to ensure timely corrections and deletions of data. Likewise,
when the library exchanges data with other departments such as bursars and
tax collectors, vendors, or any other organizations, it must ensure that records
are accurate and up-to-date. Libraries issuing passwords should avoid choosing
passwords or PINs that can reveal a user’s identity, including social security
numbers.
Security: Security involves both managerial and technical measures to protect
against loss and the unauthorized access, destruction, use, or disclosure of the
data. Security measures should be integrated into the design, implementation,
and day-to-day practices of the library’s entire operating environment as part of
its continuing commitment to risk management. These measures are intended
to prevent corruption of data, block unknown or unauthorized access to library
systems and information, and provide reasonable protection of private information
in a library’s custody, even if stored off-site on servers or backup tapes.
Administrative Measures: The library needs to implement internal organizational
measures that limit access to data while ensuring that those individuals
with access do not utilize the data for unauthorized purposes. The library must
also prevent unauthorized access through such technical security measures as
including encryption in the transmission and storage of data; limits on access
through use of passwords; and the storage of data on secure servers or computers
that are inaccessible by modem or network connection. If libraries store PII
on servers or backup tapes that are off-site, they must ensure that comparable
measures to limit access to data are followed. Libraries should develop routine
schedules for shredding PII collected on paper.
Electronic Tracking: Neither local nor external electronic systems used by
the library should collect PII by logging or tracking e-mail, chat room use, web
browsing, cookies, middleware, or other usage. Nevertheless, users should be
advised of the limits to library privacy protection when using remote sites. If
the library enables cookies (small files sent to a browser by a website to enable
customization of individual visits), it should alert users how to refuse, disable,
or remove cookies from their hard drives. In addition, the library should not
maintain cookies after users terminate their sessions nor share them with
external third parties. Libraries should regularly remove cookies, web history,
cached files, or other computer and Internet use records and other software
code that is placed on their networks. Those libraries that authenticate patrons
for use of external databases by middleware systems and/or proxy servers should
simply verify the attributes of valid users and not release PII.
Data Retention: It is the responsibility of library staff to destroy information
in confidential or privacy-protected records in order to safeguard data
from unauthorized disclosure. Information that should be regularly purged or
shredded includes PII on library resource use, material circulation history, and
security/surveillance tapes and logs. If this data is maintained off-site, library
administrators must ensure that appropriate data retention policies and procedures
are employed. Libraries that use surveillance cameras should have written
policies stating that the cameras are not to be used for any other purpose. If
the cameras create any records, the library must recognize its responsibility to
protect their confidentiality like any other library record. This is best accomplished
by purging the records as soon as their purpose is served.
Encryption: Data encryption can be used to enhance privacy protection. Encrypted
data requires others to use a predefined electronic “key” to decipher the contents of a message, file, or transaction. Libraries should negotiate with
vendors to encourage the use of such technology in library systems (e.g., in the
document delivery, saved searches, and e-mail features now offered by many
OPAC vendors). Whenever possible, libraries should consider making encryption
tools available to library users who are engaging in personalized online
transactions or communications.
5. Enforcement and Redress
Libraries that develop privacy policies need to establish and maintain an effective
mechanism to enforce them. They should conduct regular privacy audits in
order to ensure that all library programs and services are enforcing this privacy
policy. Redress must be available for library users who feel their privacy and
confidentiality rights are violated. Libraries should provide a means to investigate
complaints and re-audit policy and procedures in cases of potential violation
of library privacy and confidentiality. Library educational efforts should
include informing users how to protect their own privacy and confidentiality,
both in and outside of the library setting.
Libraries must ensure they have well-established procedures to enforce their
policies by informing users about the legal conditions under which they might
be required to release personally identifiable information. Libraries should
only consider a law enforcement request for any library record if it is issued
by a court of competent jurisdiction that shows good cause and is in proper
form. Only library administrators after conferring with legal counsel should
be authorized to accept or comply with subpoenas, warrants, court orders, or
other investigatory documents directed to the library or pertaining to library
property. All library staff, however, should be trained and required to contact
a designated Library Privacy Officer or previously designated administrator
immediately should a law enforcement officer appear and request the library
comply with a request to release PII.
Libraries should develop and implement procedures for dealing with law
enforcement requests before, during, and after a visit.
III. Special Privacy Policy Considerations: Academic Libraries, School Libraries, and Public Library Services to Minors
Academic Libraries
The heart of the mission of academic institutions is the freedom to research
unfamiliar and controversial topics. Academic libraries serve those needs well.
Often, they offer their personal, professional, and educational information
services to a wide variety of users. If academic libraries provide different levels
of service or access to different categories of borrowers (e.g., faculty, graduate
students, undergraduate students, or community members), they must ensure
that their services and access are offered equitably within a borrower type. Such
restrictions should not impede intellectual freedom.
Academic Libraries and Students: Students in academic institutions are
adults and must be accorded the same privacy safeguards as adults in other
types of libraries. The mere fact that students are enrolled in courses should
not jeopardize their privacy rights. Thus, student circulation records for course-required
and reserve reading should be protected from inquiry with the same
rigor as their circulation records for personal reading. Librarians assisting in
investigations of plagiarism should take care to protect the usage records of individual
students. Librarians can assist faculty in the development of classroom
instruction and procedures that meet educational goals without compromising
student rights to privacy.
Academic Libraries and FERPA and SEVIS: The Family Educational
Rights and Privacy Act (FERPA) was passed to protect the privacy of student
education records and to define who can access these records. FERPA grants
parents the rights until the child turns eighteen years old or attends a school
beyond the high school level. The Student and Exchange Visitors Information
System (SEVIS) maintains updated information on approximately one million
nonimmigrant foreign students and exchange visitors during the course
of their stay in the United States each year. Colleges and universities are now
required to report a foreign student’s failure to enroll or if students drop out of
their programs. Colleges and university librarians need to identify how their
institutions implement these laws and whether they have any impact on the
collection and retention of library-user records.
Academic Libraries and Faculty: Academic institutions often rely on principles
of academic freedom to protect the intellectual freedom of faculty. While
the principles of academic freedom are intended to protect faculty from the
professional consequences of researching in unpopular or controversial areas,
they do not necessarily protect the privacy of faculty. Academic libraries should
also have in place appropriate policies based on First Amendment and Fourth
Amendment rights to protect the privacy of faculty members’ library records.
Academic Libraries and Computer Systems: The computer networks of
academic libraries are often part of institutional networks, under the ultimate
control of units outside the library. Academic libraries should work with campus
computer departments to ensure that student and faculty information-seeking
activity is kept confidential and well protected throughout the institution. In
addition, library personnel should review library procedures and arrangements
with outside vendors to ensure the highest level of protection for such records
as online digital reference logs, proxy server and other authentication devices,
e-mail reference transactions, personalized searching, and similar research tools.
School Libraries
School library media specialists have an ethical obligation to protect and
promote student privacy. Although the educational level and program of the
school necessarily shapes the resources and services of a school library, the
principles of the Library Bill of Rights apply equally to all librarians, including
school library media specialists.
School Libraries and FERPA: School records are governed by the Family
Educational Rights and Privacy Act, which grants parents the rights to access
student educational records until the child turns eighteen years old. School
library media specialists need to identify how their institutions implement this
law and its impact on collection and retention of library-user records.
Students as Library Users: Students who use school libraries need to learn
about the concepts of privacy and confidentiality. They may not know the
dangers of sharing personally identifiable information with others. School
library media specialists may face the situation of an adult asking for information
pertaining to students’ library use. These situations must be handled
in accordance with all school and library policies. In an ideal situation, that
information would not be released. Teachers should not be able to “check”
on students to see if they have borrowed assigned readings or used specific
resources. School library media specialists are best served when they assist
teachers in developing classroom procedures and policies that preserve user
privacy and meet educational goals.
School Library Procedures: School library media specialists have a responsibility
to “assume a leadership role in promoting the principles of intellectual
freedom within the school by providing resources and services that create and
sustain an atmosphere of free inquiry.” This includes safeguarding student and
teacher privacy. School library personnel must strive to: educate all members
of the school community about the value of privacy to school library media
center users; develop board-approved policies that provide the highest level
of protection for all records; and teach all members of the educational community
about the policies and procedures that govern privacy. School libraries
operate as part of larger educational structures. In some cases, school systems
may create policies and procedures that infringe on students’ rights to privacy.
School library personnel are encouraged to educate all policy makers about
the dangers of abridging students’ privacy rights.
School Libraries and COPPA: The Children’s Online Privacy Protection
Act of 1998 (15 U.S.C. § 6501–6506) directly affects commercial websites
targeted to children, as well as those sites that know they are collecting personally
identifiable information from children twelve and under. Such sites have
a legal obligation to comply with the law. Prosecution is one of the penalties
for noncompliance. Noncommercial websites, such as library, nonprofit,
community groups, and government agencies, are not covered by COPPA.
A library collecting personal information from children in order to e-mail them summer reading lists or reference assistance is not required to seek parental
consent. Although libraries are not directly impacted by COPPA, children
using the Internet in a library may need help understanding the law and getting
consent from their parents. In some instances, children will find that COPPA
may restrict their ability to participate in some activities on websites while they
await parental approval. It is the librarians’ role to guide children through the
process or help them find alternative activities online. Parents may need assistance
in understanding the law and the significance of the requests they receive
from websites. Librarians and libraries should play a key role in helping all
library users understand and comply with COPPA. (Note: The extent to which
schools can or do assume parental responsibilities for students will depend in
large part on decisions made by the local school board or superintendent. It
also will depend on the nature of the resources being used in the classroom
and whether those resources require students to divulge personally identifiable
information. Some schools may decide to act on behalf of the child, others may
decide to seek consent through an Acceptable Use Policy signed by students
and parents at the beginning of the year, while others may take no responsibility
at all and leave it up to parents. However the school implements the law,
it must take care not to allow COPPA to interfere with curricular decisions.)
Public Library Services to Minors
The rights of minors vary from state to state. Libraries may wish to consult the
legal counsel of their governing authorities to ensure that policy and practice
are in accord with applicable law. In addition, the legal responsibilities and
standing of library staff in regard to minors differ substantially in school and
public libraries. In all instances, best practice is to extend to minors the maximum
allowable confidentiality and privacy protections.
The Children’s Online Privacy Protection Act requires commercial websites
that collect personally identifiable information from children twelve and
under to obtain consent from their parents or guardians in advance. COPPA
was written with three parties in mind: parents, children, and commercial
websites. Although COPPA does not place any special obligations on public
libraries, there are two impacts to consider:
1. When children use Internet access in libraries, library staff need to be
able to explain COPPA’s effects to children and their parents.
2. When a library designs web pages and services for children, it may wish
to provide the same privacy protections as the protections mandated for
commercial websites.
Parents are responsible not only for the choices their minor children make
concerning the selection of materials and the use of library facilities and
resources, but also for communicating with their minor children about those
choices. Librarians should not breach a minor’s confidentiality by giving out information readily available to the parent from the minor directly. Libraries
should take great care to limit the extenuating circumstances in which they
release such information.
Parental responsibility is key to a minor’s use of the library. Notifying parents
about the library’s privacy and confidentiality policies should be a part of the
process of issuing library cards to minors. In some public libraries, the privacy
rights of minors may differ slightly from those of adults, often in proportion to
the age of the minor. The legitimate concerns for the safety of children in a
public place can be addressed without unnecessary invasion of minors’ privacy
while using the library.
The rights of minors to privacy regarding their choice of library materials
should be respected and protected.
IV. Questions to Ask When Drafting Privacy and Confidentiality Policies and Procedures
Policy drafts should be reviewed against existing local policies, state and local
legislation, and ALA recommendations and guidelines. It may also help policy-drafting
teams and trainers to ask themselves and their staff questions from
the checklists below, considering how and whether policies and procedures
under consideration provide appropriate guidance. Common privacy- or
confidentiality-violating scenarios are also available for use in training or policy
review.
