Conducting a Privacy Audit


An Educational Service of the American Library Association Office

for Information Technology



Prepared by Leslie Harris & Associates - in conjunction with OITP staff -



The audit process begins by evaluating an organization's existing policies and procedures for legality and consistency with the organization's mission and image.  When policies have been reviewed (or established), the data collected can be categorized according to the degree of security necessary.  The audit assesses the sensitivity, security risks, and public perceptions of the information the organization collects.  The audit examines the necessity for each type of data, how it is collected, and what notice and options are provided to the individuals identified by the information.  Mapping how data flows through the organization for access, storage, and disposal can reveal security needs, both electronic and physical.  The audit process itself must be managed so that it does not increase risks and its recommendations must be addressed quickly once risks are revealed.


Below is an outline of tasks for conducting a privacy audit:


Review legal context

-- Federal law

-- State Law

-- Local Ordinances


Review current library policies

-- ALA Policy on Confidentiality (ALA Code of Ethics 54.15 pt. 3)

-- Institution's policy

-- Library privacy policy


Conduct assessment of library systems data

-- Library and library records, including circulation records, patron registration, circulation transaction logs, and overdue, billing and payment records 

-- Determine whether policies adequately restrict access to records and logs that reveal what was borrowed by a patron to library staff who have a legitimate need to see the record

-- Determine whether to delete circulation records from a patron's file once an item is returned

-- Decide whether to delete patron registration records after the expiration of the borrower's privileges

-- Examine library system transaction logs


Assess institutional network

-- Restrict access to server logs to library staff who have a legitimate need to consult


Examine Internet access to determine vulnerability of library patron records via the World Wide Web.

-- Does the system require users to log-in to use the computer to  surf the Internet?

-- Does the system personalize desktop terminals to the personal settings of the user?

-- Do the e-mail features subject the patron to vulnerability?

-- Does the system keep web-server logs of patron Internet activities?


Assess remote systems

-- Inter-Library Loan Partners

-- Database vendors


Define System Rules

-- What data will be retained

-- How user data that is stored on the system protected from unauthorized use

-- Who has access to the data

-- How long is the data retained


Determine & implement desired practices

-- Notify users whenever personally identifiable information will be stored on the system

-- Remove data from dormant accounts

-- Pay attention to system security

-- Set limits on length of time data is stored

-- Create aggregate statistics rather than tracking individual transactions

-- Advise users of limits to library privacy protection when using remote sites.

-- Negotiate for proper and secure logging practices and procedures in contracts


Designate privacy officer


Educate staff


Inform users through library privacy policy



Further information:


Enright, Keith P. [2001]. "Privacy Audit Checklist."


Flaherty, David H. 1998. "How To Do A Privacy And Freedom Of Information Act Site Visit."

David H. Flaherty.


Jerskey, Pamela, Ivy Dodge, Sanford Sherizen. [1998]. "The Privacy

Audit: a Primer."



Copyright 2002, American Library Association, Office for

Information Technology Policy




This Online Privacy Tutorial is a service of the American Library Association. The content of this tutorial is primarily the work of Leslie Harris & Associates in Washington, DC. The views expressed in these messages are not necessarily the views of ALA or Leslie Harris & Associates. This tutorial is for information only and will not necessarily provide answers to concerns that arise in any particular situation. This service is not legal advice and does not include many of the technical details arising under certain laws. If you are seeking legal advice to address specific privacy issues, you should consult an attorney licensed to practice in your state.