David Lee King: Thinking about privacy

---

We've been thinking about privacy at my library. One of my projects for 2017 is to do a privacy review. What's that, you ask?

A privacy review is just what it sounds like. My technology team will examine all the library's products that potentially gather information about customers. We will find out what data and information is collected, and if it gets deleted (and when).

What types of library products will we examine? Here's a starter list:

1. ILS systems

Our modern library catalogues collect name, address, phone number, email addresses of each card holder. We also collect what they check out, their fines and fees. We need to make sure we delete some of that (you might have library or government policies that dictate this).

2. Catalogue overlays

My library uses Bibliocommons. A Bibliocommons account has some information about customers. Most of that information is pulled from the ILS system. Bibliocommons has optional customer profile fields that include a customer's blog's URL and their Twitter account. Customers also have the option to turn on public sharing of checkouts, holds, comments, and ratings.

3. Databases and Ebook products

Some ebook services collect personally identifiable information. For example, Overdrive collects library card numbers and pins (that's how customers log in to Overdrive). Customers have the option to authenticate using their Facebook or Google accounts. Overdrive also keeps track of ebook checkouts, holds, recommendations and wish lists.

4. 3rd Party Databases

If you use an Amazon Kindle with Overdrive, customers are subject to Amazon's privacy policy. And Amazon has access to the customer's ebook checkout history.

5. Tutorial sites

Sites like Treehouse and Lynda collect names, email addresses, usernames, passwords … and your class-viewing history.

6. Computer reservation systems

My library uses Comprise Technologies for computer management. This system connects to our ILS system for patron data (using a SIP connection). It also has access to a customer's daily computer use habits (i.e., David's here every Wednesday from 3-5pm).

7. Web Browsing history

Your library's data network probably has access (and potentially a history) of web browsing history for each computer in the library.

And that's just the start. Now to back up a bit. None of these vendors purposefully wants to gather and keep customer data - they're not selling your library customer's personal information in order to make a quick buck! They also probably have really strong encryption, solid privacy policies, and other back-end safeguards in place in order to protect customer data.

I think your library also needs to have a handle on privacy issues. Start out with a privacy review, and make sure your library privacy policies and procedures match up with what actually happens.

Some of this you can control, and some you can't (i.e., what other vendors do). The stuff you don't control? Start a conversation with those companies and see if they'll work with you to improve their privacy practices.

Why do all this? Most likely, you tell your customers that you protect their data and their privacy. Because of that, you should know exactly how you protect their privacy. And where there are holes, you should work on improving it.

Why do all this? Most likely, you've told your customers that you protect their data and privacy. Because of that, you should know exactly what's going on with privacy and data at your library. And you work to improve those privacy holes!