Creating a Privacy Policy


An Educational Service of the American Library Association

Office for Information Technology Policy


Prepared by Leslie Harris & Associates in conjunction with OITP staff


In addition to knowing how to identify and use commercial web sites' privacy policies, it may be beneficial to libraries to develop their own privacy policies to set forth how they collect information. A privacy policy should be a comprehensive statement of the way your library treats the personally identifiable information it collects from patrons. A well-defined privacy policy is a clear symbol of your library's honesty; it should tell patrons how you use their information, and it should explain the circumstances under which you may be unable to consult them before disclosing their personal data. Because of the many state and federal laws governing the collection and sharing of library records, it is recommended that your library consult an attorney with respect to any privacy policy it creates and publishes. Set forth below are several questions to help guide you in creating a privacy policy:


+    Does your library collect personally identifiable information from your patrons?

+    What kind of personally identifiable information does your library collect?

+    How does your library collect this information - from patrons, from third parties, from public entities?

+    Are library patrons aware that their personally identifiable information is being collected?

+    Who determines what information is collected and how?

+    Why does your library collect this information?

+    How is the information used?

+    How long is the personally identifiable information stored?

+    Who controls the information once it is collected?

+    How and where is the information stored?

+    Who else has access to the information?

+    Is personally identifiable information disclosed to third parties?  Under what circumstances?

+    Do your collection practices comply with local, state and federal laws?

+    Do you allow patrons to access the personally identifiable information you store?  How?

+    Can your patrons correct any inaccurate information?

+    What is the complaint and redress process for patrons?


When drafting your privacy policy, it is important to make it easy to read, easy to understand, and easy to find on your web site. It is also suggested that you promote your policy internally in employee communications and externally in patron communications. Finally, it is important to update your policy as needed to stay current with changes in your library's information collection practices.


Further information:


TRUSTe Privacy Resource Guide:


OECD Privacy Policy Generator:


Sample Library Web Sites:


UT Southwestern Medical Center Library Web Site Privacy Policy:


Jimmy Carter Library Web Site Privacy Statement:


Seattle Public Library - Privacy of Your Library Account


Minnesota Public Library Privacy Statement:



Copyright 2002, American Library Association, Office for Information Technology Policy




This Online Privacy Tutorial is a service of the American Library Association. The content of this tutorial is primarily the work of Leslie Harris & Associates in Washington, DC. The views expressed in these messages are not necessarily the views of ALA or Leslie Harris & Associates. This tutorial is for information only and will not necessarily provide answers to concerns that arise in any particular situation. This service is not legal advice and does not include many of the technical details arising under certain laws. If you are seeking legal advice to address specific privacy issues, you should consult an attorney licensed to practice in your state.