Protecting patron privacy is a fundamental principle and one of the core values of the library profession, according the American Library Association. In fact, the ALA has enshrined the right to privacy as Article VII of the Library Bill of Rights.
That article states:
All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information.
The right to privacy — the right to read, consider, and develop ideas and beliefs free from observation or unwanted surveillance by the government or others — is the bedrock foundation for intellectual freedom. Privacy is essential to free inquiry in the library because it enables library users to select, access, and consider information and ideas without fear of embarrassment, judgment, punishment, or ostracism.
In the digital age, data privacy is more important than ever, and librarians have a responsibility to adopt practical measures that will protect library users' personal data in a more effective way.
Why is privacy in libraries so important?
The fact is, libraries collect and store a vast amount of patron data.
Data points range from personally identifiable information to individual patrons' borrowing histories, which makes it crucial to understand the potential risks associated with mishandling information, and to identify and address vulnerabilities in library systems.
Breaches in privacy and cybersecurity by bad actors can wreak havoc on libraries in a number of ways:
They can erode patrons' trust in the library.
They can compromise the library's reputation.
Fail to comply with data protection regulations can have legal consequences for the library.
In a 2019 Pew Research Center study, about half (52%) of U.S. adults said they had decided not to use a product or service because they were worried about how much personal information would be collected about them. This highlights the public's growing level of awareness about data security, and illustrates the potential consequences of failure to earn and maintain users' trust.
How discovering key privacy concepts can help
The key to creating a trustworthy environment in which patrons can securely access library resources is understanding the fundamental concepts of privacy and implementing measures to protect both individual privacy and the integrity of library services.
Consent and purpose limitation: Libraries should obtain informed consent from patrons before collecting their personal information, clearly explaining the purpose for which this sensitive data will be used. That way, they can help build trust and ensure transparency.
Data minimization: Collect only the minimum necessary data required to fulfill library services. Minimizing data collection reduces the risk of unauthorized access or accidental disclosure.
Anonymization and pseudonymization: When possible, anonymize or pseudonymize patron data to protect individual identities. Replacing personally identifiable information with unique identifiers or data aggregation is the way to go.
Patron data protection is at the heart of everything
The International Federation of Library Associations and Institutions (IFLA) reported that 82% of libraries have privacy policies as a part of a system for protecting patron data.
Nevertheless, to ensure patrons' trust remains steadfast, libraries must continue exploring and adapting robust measures to prevent unauthorized access and breaches. In this case, four time-tested strategies take center stage, ensuring patrons' information is in safe hands.
Using secure data storage: Implement robust security measures to protect patron data from unauthorized access; for example, encryption of sensitive information, secure servers and regularly updated security protocols.
Rethinking access controls: Limit access to patron data to authorized personnel only, further implementing strict authentication measures like strong passwords and two-factor authentication.
Effective staff training: Conduct regular security training sessions to educate staff about library privacy guidelines and best practices of cybersecurity. Staff should understand the ins and outs of safeguarding patron data and be aware of potential security threats such as phishing and social engineering.
Having a data breach response plan in place: According to the Breach Level Index, in the first half of 2021, the education sector, which includes libraries, accounted for 18% of all data breaches globally, highlighting the vulnerability of educational institutions to data breaches. Thus, developing a comprehensive data breach response plan is the perfect way to tackle potential security incidents. Such a plan for libraries includes steps to contain the breach, notify affected individuals and collaborate with relevant authorities.
Mind the legal and ethical roadblocks
In May of 2018, the European Union implemented the General Data Protection Regulation (GDPR). The GDPR has resulted in over €4 billion in fines imposed on organizations for data protection violations since its introduction in May 2018. The biggest of these came this past May when Meta, Facebook's parent company, was fined a record €1.2 billion by Ireland's data regulator for breaching EU data protection rules.
As the landscape becomes increasingly data-driven, libraries must be prepared to navigate the complex realm of regulations before they can realize the objective of safeguarding patron privacy.
Here are a few key considerations:
Compliance with data protection regulations: It starts with familiarizing yourself with the applicable data protection laws in your jurisdiction, such as the EU's General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Ensure that your library's practices align with these regulations, and keep in mind that, like all laws, they are subject to change. The Canadian Parliament, for example, is currently considering a bill, the Digital Charter Implementation Act, 2022, that would significantly strengthen Canada’s private sector privacy law, create new rules for the responsible development and use of artificial intelligence (AI), and continue advancing the implementation of Canada’s Digital Charter. The bill includes three proposed acts: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.
Privacy policies and notices: Create and maintain clear and concise privacy policies and notices that outline how a library user's data is collected, stored, used and shared. Ensure these policies are readily available to library patrons, either through the library's website or in physical locations.
Data sharing and third-party vendors: When sharing patron data with third-party software vendors or service providers, ensure appropriate privacy and security measures. Review vendor contracts to ensure compliance with data protection requirements.
Protecting user privacy is no longer optional
Like it or not, we live in an era when prioritizing data security is no longer optional — it is an absolute must. To ensure the privacy of each library user, library staff must remain vigilant and be proactive.
For libraries looking to play their part in protecting the rights and meeting the expectations of their valued patrons, robust practices can cultivate trust and confidence. This begins with educating staff and adhering to legal and ethical standards.
Protecting patron data is an ongoing commitment, one that will help libraries fulfill their role as a key component of the community's critical social infrastructure. Through the collective efforts of librarians and staff, libraries can safeguard patron information and ensure they remain trusted institutions.
Find out how PressReader helps libraries and institutions to better serve the needs of their communities.