Library privacy and the privacy audit
•Download as PPTX, PDF•
1 like•984 views
Presentation from the 2014 Southeastern Chapter of the American Association of Law Libraries conference in Knoxville, TN on privacy audits in law libraries.
Recommended
More Related Content
Similar to Library privacy and the privacy audit
Similar to Library privacy and the privacy audit (20)
Recently uploaded
Recently uploaded (20)
Library privacy and the privacy audit
- 1. Rachel Gordon Mercer University School of Law
- 2. What is Privacy? In a library (physical or virtual), the right to privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others. – ALA, An Interpretation of the Library Bill of Rights
- 3. Privacy and Confidentiality Confidentiality exists when a library is in possession of personally identifiable information about users and keeps that information private on their behalf. – ALA, An Interpretation of the Library Bill of Rights
- 4. Personally Identifiable Information Generally includes any information that can identify a specific individual Name Address Phone/Fax number Social security number Driver’s license number Bar or Student ID Number Email address Mother’s maiden name Spouse information Financial information Medical information Education information Birth date IP address Signature
- 5. What Laws Govern Library Privacy? Federal 1st Amendment Video Privacy Protection Act Freedom of Information Act (FOIA) Family Educational Rights and Privacy Act (FERPA) State Library privacy statutes Records retention/destruction statutes
- 6. Georgia Library Privacy Statute
- 7. Georgia Business Records Statutes O.C.G.A. § 10-11-2. Time period for retention of business records O.C.G.A. § 10-15-2. Disposal of business records containing personal information
- 8. Privacy Audit What is it? Whose responsibility is it? What is the end product?
- 9. What is a Privacy Audit? Ensure goals supported by practices Protect from liability Process, not a one-time event
- 11. End Products Privacy policy Document retention policy Staff training
- 12. Preliminary Steps 1. Evaluate existing policies and procedures 2. Compile definitions, including what is considered PII 3. Identify a process/department to audit
- 14. Concluding Steps Establish ownership Address issues ○ Process Improvement ○ Training Repeat periodically
- 15. Auditing for PII Patron records Transaction logs Notices for overdue items and fines ILL and document delivery records Visitor registers Reference logs Public terminals
- 16. Data Collection Considerations Why is data being collected? Who is collecting? Who else has access? How stored? For how long? How will data be destroyed?
- 17. Developing a Privacy Policy State that privacy and 1st Amendment rights are protected Specifically discuss patron use info related to books, multimedia resources, and the internet State that general statistical data may be compiled, but that PII is not included Offer an opt-in for contact unrelated to library activities Mention vendors Have it reviewed by legal counsel
- 18. Record Retention Policies Is there a state statute? Minimum time to retain
- 19. Audit Results Existing privacy policy Electronic security Issues in practice Instances of borrowing history revealed Papers not secured/shredded Processes needed updating
- 20. Audit Results – Electronic Info Patron circulation data well protected ILS set to only keep current check outs and unpaid fine information Staff not clearing patron data from circulation computer monitor Scanned files need to be manually deleted
- 21. Official Requests Law Enforcement FOIA Open Records Act
- 22. Social Security Numbers Do not use! Check old records Redact or destroy
- 23. Informal Patron Requests Who has Weinstein on Evidence checked out? Would jury instructions for child molestation be civil or criminal?
- 24. Reference Questions How do I find information on whether I have to tell my boss that I’m HIV positive?
- 25. Holds Balance patron privacy with need to know who receives item Wrap hold items to cover titles if stored on an open shelf
- 26. Routing Slips Routing slips reveal one or more patron names linked to an item Opt in
- 27. Law Enforcement Requests Separate policy Easy reference University-wide THERESA CHMARA, PRIVACY AND CONFIDENTIALITY ISSUES: A GUIDE FOR LIBRARIES AND THEIR LAWYERS (2009).
- 28. Audit Results – Training 10-15 student assistants each semester with a completely new staff every 2 years Students are the main circulation desk contacts Training issues/reinforcement Reminder sign posted next to the circulation computer
- 29. Audit Results – Paper Problems MANY issues Inadvertent prints from the circulation computer Copies of checks Old student info with social security numbers Graded student work left by former employees Staff info page on a bulletin board Print copies of sent overdue notices
- 31. Payment Records Copies of checks
- 32. Overdue and Fine Notices Rachel Gordon 123 Some Street Macon, GA 31204
- 35. Components of a Good Privacy Policy Notice of rights & applicable laws Choice & consent Access & updating Data integrity and security Data aggregation Required disclosures
- 36. Related Issues Internet security Identity theft Social engineering
Editor's Notes
- 3 years; shred, erase, or redact; applies to wide variety of businesses (not government)
- Determine what data is being collected and whether it needs to be collected Categorize data based on degree of security required Assess sensitivity, security risks, and public perceptions of collected information Test your security measures Destroy data when time requirements met Repeat for each type of data collected/process that collects it
- Problem: 1st Amendment and state library privacy laws protect patrons from exposure of borrowing history Solution: Train staff to respond that they cannot reveal this information, but that they can investigate and recall the item or place a hold. Address ongoing individual training issues as they arise. Student worker asking which jury instructions would have instructions on child molestation. It’s not just the impacted patron, but also the one who overhears and thinks that he can’t ask a question for fear that it will be announced to the entire library.
- Reference desks are often centrally placed to encourage patrons to ask questions. Some patrons don’t mind asking sensitive questions in a public area, but others may not be so comfortable. Absent completely rearranging our library, what can we do? Offer patrons a piece of paper to write down a reference question if they look hesitant or offering to move the conversation to a less public area to make them feel more comfortable.
- Inadvertent printing happens a lot in our library. The student workers were just recycling the inadvertently printed pages. We trained them to shred any paper that listed a patron name instead of recycling it.
- There are a lot of old records in my office because it is large and was used for storage for 4 years while my position was unfilled. One of the things that I found that made me think to do a privacy audit was years worth of copies of checks. With the information on a copy of a check, I have a person’s full name, address, bank name, account number, and signature. An identity thief could do a lot of damage with that information. When I looked into it, I found out that the copies were necessary in case a check was returned for insufficient funds because the university accounting office would just give the amount of the check and the check number, not the name of the person who presented it. So in the audit, we determined that we were collecting this information for a valid reason, but we had no rules for how we stored it, how long we kept it, and how we destroyed it. Now we keep the information only until the checks clear. We have no business need to keep it for any longer. We keep the copies locked up in a spot that only three people have access to, and when we discard the information, we take it to the secure shredder in the registrar’s office.
- Records not saved or searchable in our circulation software Print once and then are cleared out We keep a copy of what we’ve sent to patrons with overdue items and fines Was just in a notebook; now locked in a filing cabinet
- Students and staff had trouble remembering to clear patron data from the circulation computer. IT could not install a screen saver because of the restrictions on the machine. Compromise was this screen insert that blocks all but straight on viewing of the information on the screen.
- Post a notice that terminals are restricted to legal research use. This is likely to be reasonable with respect to your library’s purpose (case law) and gives you support to ask patrons to conduct non-legal research computer use elsewhere.
- While you’re keeping an eye out for patron data privacy issues, cast a broader net and you may be able to find related areas where you can save your library or your staff some time and trouble with some small changes/education. BTW, the rolodex is REAL!