What is a Privacy Audit
An Educational Service of the American Library Association
Office for Information Technology Policy
Prepared by Leslie Harris & Associates www.lharris.com in conjunction with OITP staff www.ala.org/oitp
Protecting the privacy of library users is both a professional value of librarianship and a requirement by law and policy. Protecting privacy in information systems is challenging, though, because of legitimate needs that can conflict with complete privacy protection. Some of the goals that may seem in conflict with privacy protection include:
+ Providing customized services to patrons. In order to provide tailored services, libraries need to keep information about patrons and be able to access it easily whenever they connect to the library systems.
+ Tracking statistics and management information to assess and improve library service. Libraries can make better decisions when they have detailed information about who is using their collections and services.
+ Monitoring system use to detect intrusions and abuse. The Information Superhighway has become a mean street, and responsible systems managers must keep a wary eye on system use for signs of unauthorized intrusion and abuse.
+ Identifying those who have used systems for illegal or harmful purposes. When our systems are used inappropriately, there is great pressure to identify those responsible, from management and from law enforcement.
+ Running systems in an efficient and cost-effective manner. Many systems we install come set up to collect a lot of personal information from users. Turning off such practices or adding specialized routines to protect privacy can be costly.
Thoughtful privacy practices can meet these goals without compromising a library's ethical and legal obligation to protect the privacy of library users, by adhering to the following basic principles:
+ Avoid creating unnecessary records. Only record a user's personally identifiable information when necessary for the efficient, effective operation of the library.
+ Avoid retaining records that are not needed for efficient operation of the library. Check with your local governing body to learn if there are laws or policies addressing record retention and in conformity with these laws or policies, develop policies on the length of time necessary to retain a record. Assure that all kinds and types of records are covered by the policy, including data-related logs, digital records, and system backups.
+ Restrict access to personally identifiable information closely and reveal it only with appropriate authority.
+ Tell your users what information you are keeping and why, and how to ask you for more clarification.
+ Be aware of library practices and procedures that place information on public view, e.g., the use of postcards for overdue notices or requested materials, staff terminals placed so that the screens can be read by the public, sign-in sheets to use computers or other devices, and the provision of titles of reserve requests or interlibrary loans provided over the telephone to users' family members or answering machines.
Coyle, Karen. 2002. "Privacy and Library Systems Before & After 9/11."
Matis, Michael. 2002. "The Code of Librarianship: Ethics and Information Architecture."
Texas Department of Information Resources. 2000. "Privacy Issues Involved in Electronic Government."
American Library Association, Office for Intellectual Freedom, Privacy Questions and Answers
Copyright 2002, American Library Association, Office for
Information Technology Policy
This Online Privacy Tutorial is a service of the American Library Association. The content of this tutorial is primarily the work of Leslie Harris & Associates in Washington, DC. The views expressed in these messages are not necessarily the views of ALA or Leslie Harris & Associates. This tutorial is for information only and will not necessarily provide answers to concerns that arise in any particular situation. This service is not legal advice and does not include many of the technical details arising under certain laws. If you are seeking legal advice to address specific privacy issues, you should consult an attorney licensed to practice in your state.