Privacy and Confidentiality Q&A
The Library Bill of Rights, Article VII, affirms the long-standing commitment of library workers to protect the privacy rights of users, regardless of the format or medium of information in use. All libraries — not just those that are publicly funded — should have in place privacy policies and procedures to ensure that confidential information in all formats is protected. The Intellectual Freedom Committee's (IFC) Privacy Subcommittee developed this Q&A to work in conjunction with "Privacy: An Interpretation of the Library Bill of Rights."
I. Basic Concepts—Definitions, Rights, and Responsibilities
II. Protection of Privacy and Library Records
I. Basic Concepts—Definitions, Rights, and Responsibilities
1. What is the difference between privacy and confidentiality in a library?
In a library, user privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others. Confidentiality exists when a library is in possession of personally identifiable information (see No. 2. “What is personally identifiable information“) about users and keeps that information private on their behalf. Confidentiality is a library’s responsibility. This responsibility is assumed when library procedures create records including, but not limited to closed-stack call slips, computer sign-up sheets, registration for equipment or facilities, circulation records, what websites were visited, reserve notices, or research notes.
Libraries should limit the degree to which personally identifiable information is collected, monitored, disclosed, retained, and transmitted while fulfilling their duty to comply with their state’s library confidentiality statute. Libraries involved in training volunteers, new employees, student assistants, or trustees should inform them of the requirements that they not abuse confidentiality and that they protect library users’ rights of privacy.
2. What is “personally identifiable information,” and why is this phrase used?
“Personally identifiable information” (PII) covers a greater range than “personal identification,” such as an individual’s name, address, telephone number, social security number, driver's license number, email address, etc. PII connects you to what you bought with your credit card, what you checked out with your library card, and what websites you visited where your web browser saved cookies. More than simple identification, PII can build up a picture of your tastes and interests — a dossier of sorts, though crude and often inaccurate.
While targeted advertising is the obvious use for PII, some people would use this information to assess your character, decide if you were a security risk, or embarrass you for opposing them. For minors seeking information about personal, social, and sexual identities, having the subjects of their research or reading known may be embarrassing or put them at risk for teasing or bullying. Because of the chilling effect that such scrutiny can have on open inquiry and freedom of expression, libraries and bookstores have long resisted requests to release information that connects individual persons with specific books or other information resources.
“Personally identifiable information” has become the generally accepted phrase and has been in use in ALA policy since the 1991 adoption of the “Policy Concerning Confidentiality of Personally Identifiable Information about Library Users.”
Additional Resources:
- Electronic Code of Federal Regulations: 2 CFR § 200.79 Personally Identifiable Information
3. What is explicit consent and how is it different from opt-out?
Explicit consent means that users are given an option to agree or disagree with the collection of their data. The user must be informed in a specific and unambiguous manner regarding how their data will be collected, used, and/or shared. Users should be given the choice before choosing to access a service rather than have to opt-out later. Libraries should ensure their online services do not default to opt-out. Opt-out requires action from the user to remove themselves from data collection. This does not allow a user to learn about the specific details of how their data will be utilized.
4. If there is no reasonable expectation of privacy in a public place, how can anyone expect privacy in a library?
A library cannot be responsible for someone being seen or recognized in a library but should take steps to protect user privacy whenever possible. That is, in a library, a user’s face may be recognized, but that does not mean that the subject of the user’s interest must also be known.
All library facilities should be designed to preserve privacy of inquiry, even while the user’s presence and behavior remain observable. This includes both physical and virtual spaces, maintaining both safety and privacy. To the greatest extent possible, the user should be able to work independently, both to afford privacy and to reduce the number of confidential records for which the library must be responsible.
5. Why is it important for my library to have a privacy policy, and what should the policy cover?
The Library Bill of Rights, Article VII, affirms the long-standing commitment of library workers to protect the privacy rights of users, regardless of the format or medium of information in use. All libraries — not just those that are publicly funded — should have in place privacy policies and procedures to ensure that confidential information in all formats is protected. A privacy policy communicates the library’s commitment to protecting user information and helps prevent liability and public relations problems. Library workers should consult with their legal counsel to develop policies that limit the degree to which personally identifiable information is monitored, collected, retained, disclosed, and distributed.
Libraries should use the standards outlined in the NISO Consensus Principles on User’s Digital Privacy in Library, Publisher, and Software-Provider Systems to write their policies. Privacy policies should not be static documents. They should be regularly updated and iterated based on changing technology and vendor contracts. Regular privacy audits ensure that libraries are able to keep their privacy policies up-to-date.
Library workers can learn how to read and write privacy policies in the “Privacy Policies” Field Guide. In addition, Part 1, Chapter 43, “Creating Policy for Your Library - Privacy and Confidentiality“ of the Intellectual Freedom Manual (2021), discusses the process involved in developing a policy.
Sample Library Policies:
- College of William & Mary, Earl Gregg Swem Library, “Faculty Circulation Services”
- Portland State Privacy Policy
- Shelburne Memorial Library
- Seattle Public Library Multonomah County Library
- San José Public Library
6. What are the privacy rights and responsibilities of staff, volunteers, and trustees?
The Library Bill of Rights addresses the rights of library users. When staff are library users, they are entitled to equal protection of their privacy and confidentiality of their records as library users. They may not, however, be entitled to privacy when acting in their capacity as employees.
Employers have a legitimate interest in ensuring efficiency and productivity. Library management has interest in ensuring that employee practices do not adversely impact user service or infringe on user rights, including user rights of privacy and confidentiality. But library employers and educational institutions who use electronic or video surveillance or engage in monitoring of computer, email, or telephone use by employees must carefully evaluate these practices in light of both legal requirements and the profession's ethical commitment to upholding rights of privacy and confidentiality.
Legal issues: Few laws regulate employee monitoring in the private sector, although federal, state, and local government employees benefit from some degree of legal protection. Some state public record and record retention laws may impact the degree to which employee personally identifiable information (PII) is kept confidential. Employee PII not covered by law or regulation must be kept confidential. Further, employees have a right to know what security and information management systems are in place to protect personnel records containing PII, and a right to clear enumeration of the circumstances under which such information may be provided to third parties. Library policy should call for the release of PII to law enforcement requests only when those requests come in the form of a court order from a court of competent jurisdiction.
Monitoring: In many libraries, employees are required to sign Internet and computing use agreements that differ from the policies extended to library users. However, if a library intends to engage in monitoring of staff workstations or work spaces, it should give notice through a written policy providing:
- notice of these practices to employees;
- notice to the public if any staff-user interactions (e.g., virtual reference) are subject to monitoring or recording; and both redaction of PII from and regular purging of all such records;
- notice to employees if their social security numbers are used as unique identifiers in personnel or other records;
- employee access to all PII, including any collected through monitoring, and the right to dispute and delete inaccurate data;
- no monitoring of areas designed for employee health or comfort;
- no collection of data not specifically related to work performance; and;
- restrictions on PII disclosure to third parties without employee consent.
Staff use of library resources: All staff use of library resources or public access workstations that is conducted outside of work hours and/or is not directly job-related should be covered in the same way that any library user's privacy and confidentiality is protected.
For more information on employee privacy rights, and on policy writing to protect those rights, see:
- American Civil Liberties Union, Privacy in America: Electronic Monitoring
- American Civil Liberties Union, Through the Keyhole
- Electronic Privacy Information Center, Workplace Privacy Page
- Privacy Rights Clearinghouse. Fact Sheet 7: Workplace Privacy
7. What role does education play in protecting user privacy?
The library should have a continuous training plan to educate staff, educators, trustees, volunteers, and contract workers about library privacy principles, policies, procedures, and library staff’s legal and ethical responsibilities as stewards of personally identifiable information (PII). It is important that all concerned understand this responsibility includes avoiding any inferences about users based on their library use.
All staff and any others with access to employee PII must understand they are not to look at any stored information without prior authorization to do so, and in accordance with written policies; and that if they accidentally see any such data (such as electronic monitoring logs, email subject lines, file names, etc.) they are bound by confidentiality guidelines.
Library workers must educate their users through a variety of learning methods that provide the information and tools adults and minors need to protect their privacy and the confidentiality of their own PII. For support in this area, see the Training & Programming section.
8. Does privacy include a right to avoid exposure to unwanted materials?
Protecting privacy in the library setting ensures open inquiry without fear of having one’s interests observed by others. Ensuring user privacy not only benefits the user, but also those who prefer not to see what other users view. When there is a conflict between the right of individuals to view constitutionally protected speech and the sensibilities of unwilling viewers, free expression rights have generally prevailed in the Courts unless unwilling viewers are unable to avert their eyes. Libraries may address the concerns of unwilling viewers in a number of different ways, including the strategic placement of workstations and the use of devices such as privacy screens or recessed monitors.
9. What is a privacy audit and whose responsibility is it?
A privacy audit is a technique for assuring that an organization’s goals and promises of privacy and confidentiality are supported by its practices and procedures, thereby protecting confidential information from abuse and the organization from liability and public relations problems. An audit ensures that information processing procedures meet privacy requirements by examining how information about customers and employees is collected, stored, shared, used and destroyed.
Privacy auditing is a process, not a one-time solution, as services, data needs, and technology change. A designated Privacy Officer may lead the audit, but all stakeholders and aspects of privacy need to be represented, from information technology to public relations.
The audit process needs to be capable of dealing with the full extent of the information system. When a library is part of a larger organization such as a university or a K-12 school district that is conducting a privacy audit, specific library issues and needs must be included. The audit process begins by evaluating the organization’s existing policies and procedures for legality and consistency with the organization’s mission and image. When policies have been reviewed (or established), the data collected can be categorized according to the degree of security necessary. The audit assesses the sensitivity, security risks, and public perceptions of the information the organization collects. The audit examines the necessity for each type of data, how it is collected, and what notice and options are provided to the individuals identified by the information. Mapping how data flows through the organization for access, storage, and disposal can reveal security needs, both electronic and physical. The audit process itself must be managed so that it does not increase risks and its recommendations must be addressed quickly once risks are revealed.
The American Library Association has created a set of Guidelines and Checklists to assist libraries in performing privacy audits. These resources set standards for privacy, confidentiality, and security standards within libraries of all types. Additionally, library workers can use the “Privacy Audit” Field Guide to assist them in performing an audit.
II. Protection of Privacy and Library Records
10. Are there special challenges created for library administration by digital user records?
Any database of personally identifiable information (PII) is a potential target for criminal activity. Data security must be implemented to protect both the library and its users. Libraries should create data retention policies and procedures that are in line with state, federal, and governing institution laws. Library administration should seek ways to permit in-house access to information in all formats without creating a data trail. In general, acquiring the least amount of PII for the shortest length of time reduces the risk of unwanted disclosure. The library should also invest in appropriate technology to protect the security of any PII while it is in the library’s custody, and should ensure that aggregate data has been stripped of any and all PII.
In order to assure their obligations of confidentiality, libraries and schools should implement written policies governing data retention and dissemination of electronic records. These policies should affirm the confidentiality of information about library users and their use of all library materials.
11. Is there a way to use data analytics and/or customer relationship management tools while maintaining user privacy?
Libraries depend on data for decision making, including budgeting and determining which services and programs the library provides. Customer relationship management systems (CRMs) are one way in which libraries collect and analyze library user data for operational and marketing purposes. Other library vendors, including integrated library systems, are adding data analytic tools to their portfolio of services and products, while other libraries are building their own data analytic tools and CRMs with in-house resources. These tools are powerful in their ability in providing library administrators and decision makers detailed analysis of library user data that can aid in data-driven assessment and practices.
People have a right to privacy and confidentiality when they are using library services and resources according to the Library Bill of Rights. At the same time, libraries depend on data to make operational decisions. By default, CRMs and other data analytic tools collect a wide range of personal data from library users, creating a user profile not unlike the profiles created by major companies, such as Amazon and Facebook. User profiling and other methods to track individual users directly conflict with the library user’s right to privacy. Striking a balance between user privacy and data needs requires libraries to take a holistic view of how their library handles user data, as well as how those practices create the risk of harm from improper use of the data for both the library and the user.
Libraries engaged in data analytic work can reduce the risk of harm to the user and the library by the following actions:
- Resist collecting data “just in case”
- One of the most effective ways in protecting user privacy is not collecting data that does not meet a demonstrated need. By working through the business cases and outcomes for data collection, libraries can identify which data points would meet those outcomes and avoid unnecessary data collection.
- Avoid collecting “high risk” data
- “High risk” data is data that can, if improperly used, inflict a great harm on individuals or organizations. Library users from vulnerable or marginalized populations are at greater risk if certain types of data are collected by the library, such as citizenship and immigrant status.
- Work with vendors in ensuring user privacy
- Most CRMs and data analytic tools are hosted by vendors. Libraries can add contract addendums outlining data privacy and security policies and practices required for the vendor to follow. The ALA Privacy Guidelines and Checklists are good places to start in identifying best practices.
- Negotiate with vendors regarding data collection defaults and needs. Most likely the vendor is collecting more information than is needed, as well as collecting “high risk” data.
- Regular security and privacy audits and discussions with the vendor can help libraries keep current on any potential privacy and security concerns.
- Change data collected to reduce risk of identifying individuals
- Some data points, such as age and address, can be manipulated to reduce the privacy risk to users and the library, including by aggregating, truncating, and obfuscating data. At the very least, data that is collected by CRMs and for other data analytic purposes should not be tied to a unique individual, but instead aggregated to reduce risk of identifying individuals based on the collected data. However, this alone will not user privacy, and in some cases will not prevent individuals from using a changed data set from re-identifying a library user.
Additional Resources:
12. How should we work to protect user privacy if our library or institutional policies or services require us to be closely involved with or closely monitoring our library users?
In all libraries, it is the nature of the service rather than the type of the library that should dictate any gathering of personally identifiable information (PII). Some common library practices necessarily involve close communication with — or monitoring of — library users. Services such as bibliographic instruction, reference consultation, teaching and curriculum support in school libraries, readers’ advice in public libraries, and preservation of fragile or rare library materials in special collections libraries are just a few instances of services that require library staff to be aware of users’ information-access habits.
As part of serving the user, it is often necessary for staff to consult with each other. Staff must be careful to conduct such conversations privately, keep strictly to the purpose, and only divulge PII if necessary. In all types of libraries, any compromise of user privacy by library staff carries with it ethical, professional, and often legal obligations to protect the confidentiality of that PII. Most importantly, all gathering of PII should be done in the interests of providing, or improving, particular library services. Any knowledge gathered should not be put to use for anything other than providing service to library users.
13. Our library has been using a lot of new technologies in recent years. How can we stay on top of all the privacy concerns?
Every technology since fire can be used for both good and evil. It is the responsibility of library workers to establish policies to prevent any threat to privacy posed by new technologies. It is attention and commitment to fundamental principles of data security that may best ensure that user rights to privacy and confidentiality are not threatened through their use of library services.
14. Can libraries use Social Security Numbers (SSNs) in user databases or for other means of uniquely identifying our users?
SSNs are not entirely random numbers: the first three digits indicate in which state the number was issued, and the next two numbers indicate the order in which the SSN was issued in each area. Only the last four numbers are randomly generated. Thus, even the disclosure of an SSN without further action does divulge private information.
Some states restrict the use of social security numbers to circumstances explicitly authorized by law, particularly for the reporting of income for employees. Section 7 of the Federal Privacy Act of 1974 provides that any agency requesting an individual to disclose his or her SSN must “inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it.” The Family Educational Rights and Privacy Act (FERPA) requires publicly-funded schools to obtain written consent for the release of personally identifiable information, which courts have ruled includes SSNs. The widespread use of SSNs by public and private agencies had created a dual threat of fraud victimization and the invasion of privacy, by linking significant amounts of personal and financial information through a single number. In November 2004 the U.S. Government Accountability Office (GAO) in “Social Security Numbers,“noted that “. . . it is clear that the lack of a broad, uniform policy allows for unnecessary exposure of personal Social Security numbers.”
Libraries have long used SSNs to trace users who have outstanding fines or overdue materials, often through collection agencies. In fact, the current state of internet technology often allows an individual to be located without the use of an SSN. Libraries that choose to use SSNs in user databases or to identify users should:
- inform users whether providing their SSNs is mandatory or voluntary, and under what statutory authority the SSNs are solicited;
- inform users of the purpose for which SSNs will be used;
- use encryption to protect SSNs within user databases, and;
- investigate other methods of uniquely identifying users and tracing those who have outstanding fines or overdue materials.
Additional Resources:
- Electronic Privacy Information Center, Social Security Number (SSN) Privacy Page
- Family Educational Rights and Privacy Act (FERPA)
- Privacy Act of 1974 and Amendments (as of January 3, 2005)
- Privacy Rights Clearinghouse, My Social Security Number: How Secure Is It?
15. How can I allow users to pick up their holds while still protecting their confidentiality?
Allowing users to pick up their own holds from an open shelf is a popular service, but one that can violate your library's confidentiality policy and potentially violate state laws. Libraries that offer this option should minimize linking a title with a particular user and shield users' names from public view. With these goals in mind, your library can offer this service without abandoning confidentiality. To protect users' identities while still allowing them to find their own items, use pseudonyms, codes, numbers or other means of masking identity. Provide your users with the ability to opt out of the open hold arrangement if they request it.
See “Resolution to Protect Library User Confidentiality in Self-Service Hold Practices.”
16. Will smart cards, or ID cards that use biometric enhancements, help protect privacy?
Smart cards have the ability to store personal data for a variety of applications. With the best intentions, government agencies sometimes propose sharing data on people who receive government services. Library policies on confidentiality should state clearly that personally identifiable information collected by the library will not be shared with any other agency or organization unless required by a court order. If agencies are jointly issuing a smart card, library data must be partitioned with no leakage to other agencies.
The more agencies using a shared card, the greater the need for strong identification confirmation. Various biometrics, from photographs to fingerprints to iris scans, are proposed to ensure that identification cards are authentic. This raises correspondingly greater risks that tampering with the encoding of identification will affect every aspect of an individual's life.
One of the most intrusive forms of biometrics is facial recognition, which uses a user’s face as authentication. Unfortunately, this very convenient method of authentication comes at the cost of future anonymity. Software aggregates this information into a database which is shared, usually without the knowledge of the user. Once this information is aggregated it is possible to follow that user with facial recognition software that is quickly becoming ubiquitous.
Biometrics can offer increased convenience, as in the suggestion of children checking out books by thumb print, but the risks must be carefully weighed. For instance, unlike a password, biometrics are not easily changed, and if a breach happens your biometric information is permanently compromised. Libraries have a responsibility to invite public discussion on the pros and cons of identification technology proposals.
17. How does FERPA impact academic libraries and the privacy of students’ library records?
“The Federal Educational Rights and Privacy Act,” 20 U.S.C. § 1232g, (FERPA) controls disclosure of a student's educational records and information. It requires educational institutions to adopt policies that permit students to inspect and correct their educational records. It also prohibits disclosure of a student's records without the student's written permission. This applies to the records of any student enrolled at a post-secondary educational institution, even if that student is under the age of 18.
The Family Policy Compliance Office (FPCO), a part of the U.S. Department of Education, is the federal office charged with overseeing and enforcing FERPA. According to FPCO, any record maintained by an educational institution directly related to a student, in any format, that allows the student to be identified from the information contained in it, is considered an “educational record.” Analysts within FPCO have issued guidance stating that library circulation records and similar records maintained by a university library are “educational records” under FERPA.
Though FERPA generally requires institutions to protect the privacy of educational records, it contains many exceptions that allow disclosure of a student's educational records without the student's consent or permission. For example, FERPA permits educational institutions to release information contained in a student's records to any school official who has a “legitimate educational interest” in the records; to appropriate public officials in health and safety emergencies; and to courts and law enforcement agencies in response to a judicial order or lawfully issued subpoena. FERPA also permits educational institutions to disclose information about international students to the Department of Homeland Security and the Immigration and Customs Enforcement Bureau. In addition, colleges and universities may disclose records and information to the parents of adult students if the student is a tax dependent or if the student is under 21 and has violated any law or regulation concerning the illegal use of drugs or alcohol.
FERPA thus permits disclosure when state library confidentiality statutes and professional ethics would otherwise prohibit the disclosure of library records. FERPA, however, does not require the institution to disclose records under these circumstances, nor does FERPA require institutions to create or maintain particular records. University and college libraries may therefore draw upon professional ethics and academic freedom principles to craft policies that extend additional privacy protection to users' library records; adopt record retention policies that protect user confidentiality; and, where applicable, incorporate state law protections for library records.
Additional Resources:
- Overview Family Educational Rights and Privacy Act, 20 U.S.C. 1232g
- Code of Federal Regulations, Family Educational Rights and Privacy, 34 C.F.R. Part 99
- Protecting Student Privacy, U.S. Department of Education
18. How should we handle additional records kept by the library for the purpose of serving users with disabilities?
For libraries that create additional records for special purposes, the same responsibility to maintain the confidentiality of those records applies. However, libraries that choose to keep such information on an ongoing basis acquire a correspondingly greater responsibility to maintain the continuous confidentiality of that information. Policies and procedures should address the collection, retention, and disclosure of records in any format that contain personally identifiable information in compliance with statutory requirements. Libraries should also apply the Fair Information Practice Principles: Notice, Consent, Access, Security and Enforcement. When complying with ALA’s “Library Services for People with Disabilities Policy,” all attempts should be made to protect the privacy and confidentiality of library users with disabilities. See “Services to People with Disabilities: An Interpretation of the Library Bill of Rights.”
19. Should libraries use data encryption to protect privacy?
Privacy rights advocates encourage increased use of data encryption as a method for enhancing privacy protection. Encrypted data requires others to use a predefined electronic “key” to decipher the contents of a message, file, or transaction. Data encryption is commonly used in online banking and commerce. Libraries should negotiate with vendors to ensure the use of such technology in library systems (e.g., in the document delivery, saved searches, and email features now offered by many OPAC vendors). Libraries should consider making encryption tools available to library users who are engaging in personalized online transactions or communications.
Additional Resources:
- Electronic Privacy Information Center, “Cryptography Policy”
- Electronic Privacy Information Center, “EPIC Online Guide to Practical Privacy Tools”
- Let's Encrypt
20. My library is considering implementing a Radio Frequency Identification (RFID) system for circulation and stacks maintenance. What are the implications for user privacy of such a system?
Some libraries have already implemented RFID; others are waiting until some of the industry technical standards and privacy implications have been better resolved. Libraries should adopt and enforce privacy policies prior to implementing RFID and should not include personal information on RFID tags. Libraries should safeguard user privacy by consulting ALA's “RFID in Libraries: Privacy and Confidentiality Guidelines,” in order to adopt best practices to protect privacy and confidentiality.
Additional Resources:
- Lori Bowen Ayre, RFID
- Electronic Privacy Information Center, Radio Frequency Identification (RFID) Systems
- San Francisco Public Library’s, RFID Security and Privacy Sample Questions
21. Can circulation or registration information be used for other library purposes, such as to generate mailing lists for fund-raising by the library or its Friends group?
The Fair Information Practice Principles of “Notice and Openness” and “Choice and Consent” should be reflected in library privacy policies. See the “Privacy Policies” Field Guide.
Some states impose restrictions on the use of personally identifiable information (PII) for any purposes other than circulation or administration. In other states it is illegal to provide library user PII to any third party except under court order. See “State Privacy Laws Regarding Library Records.” In all states, regardless of the status of the law, library policies regarding the collection, use and dissemination of PII should be carefully formulated and administered to ensure that they do not conflict with the ALA Code of Ethics that states “we protect each user's right to privacy and confidentiality.” Libraries choosing to use PII for any library-related purpose other than for which the PII was gathered should consider the following standard “opt-in” practices:
- Notice should be provided to all users of any library use of PII.
- Any use of PII beyond circulation or administration should be authorized only on an opt-in basis. At the time of registration, users should be asked to opt-in to additional and specifically enumerated uses of their PII (e.g., for fund-raising appeals). The PII of those who decline to 'opt-in' should not be made available for any additional uses.
- Any time a library decides to extend use of PII in ways not already authorized, it must seek user opt-in. Libraries should presume that all non-responders wish to opt out of the new use.
22. Does the library’s responsibility for user privacy and confidentiality extend to licenses and agreements with outside vendors and contractors?
Most libraries conduct business with a variety of vendors in order to provide access to electronic resources, to acquire and run their automated systems, to offer remote storage (e.g. “cloud computing), or to enable access to the internet. Libraries need to ensure that contracts and licenses reflect their policies and legal obligations concerning user privacy and confidentiality. Whenever a third party has access to personally identifiable information (PII), the agreements need to address appropriate restrictions on the use, aggregation, dissemination, and sale of that information, particularly information about minors. In circumstances in which there is a risk that PII may be disclosed, the library should warn its users and/or discontinue use of that service. In addition, all library vendors and contractors that handle PII should be expected to maintain a publicly available privacy policy that commits to compliance with the NISO Consensus Principles on User’s Digital Privacy in Library, Publisher, and Software-Provider Systems.
Additional Resources:
23. How does the library’s responsibility for user privacy and confidentiality relate to the use by library users of third party services in accessing their own circulation records?
Free third-party services are now available that remind library users of due dates and circulation fines via email or RSS feeds. Libraries should advise users about the risks associated with providing library card numbers, passwords, or other library account information to any third party. These risks include changes in the privacy policies of the third-party service without customer notification and disclosure of the user's library circulation records or other personally identifiable information, whether such disclosure is inadvertent or purposeful. Third parties are not bound by library confidentiality statutes or other laws protecting the privacy of user records. For these reasons, neither the library nor the library user can be certain that confidentiality will be adequately protected.
III. Security Concerns
24. What are the needs of systems personnel to ensure the security of computers and networks?
Those responsible for maintaining the security of the library’s computing equipment and networks have a special obligation to recognize when they may be dealing with sensitive or private information. Like other staff whose jobs are not direct library service (principals, teachers and other educators, custodians, guards, etc.), those with access to personally identifiable information (PII) or to users’ personal files need to be informed of library ethics and of job expectations that they will not abuse confidentiality.
Library systems personnel should regularly perform privacy audits and ensure their technology is meeting privacy standards. While many industries bank on data collection, library systems should be structured to collect and retain the least amount of user information possible. Policies and procedures should be in place to only store data for the length that is necessary to perform business operations.
A library’s Information Technology Department may also be asked by their governing bodies to install tracking and monitoring software or “sniffer software.” Sniffer software are programs that monitor online activity and, once triggered by the use of keywords and phrases, can record an online transaction in its entirety. Spyware are programs that record all activity on a computer, such as keyloggers. The records generated by these programs can then be stored for future reference. Even if records are not released unless a law enforcement agency gets a court order, the privacy implications of such a program are significant and serious.
First, installing this software in the absence of a court order or user consent may violate the Electronic Communications Privacy Act (ECPA). Second, the records created by these programs are records of library use, and like all other library user records, are subject to state library confidentiality statutes. Third, a library's mission is to provide access to information, not to serve as a surveillance outpost for law enforcement. Just as we do not keep a history of who checked out library materials (see “Resolution on the Retention of Library Usage Records” 2006), we should not collect and store information from our users' online activities.
25. Should staff be instructed to monitor library use to determine inappropriate or illegal behavior by users?
Library user behavior policies and internet use policies should clearly state that illegal activity is prohibited. Staff should be trained carefully to deal with any illegal user behavior that is apparent to them or has been brought to their attention. General monitoring by staff of the content or use of library materials and resources in any format by users is inappropriate. User Behavior and Internet Use policies should clearly state all of the steps to be taken by staff when illegal behavior or activity in violation of the above policies is observed. The steps in these guidelines will vary from library to library and should be determined locally. Clear evidence of illegal behavior is best referred to law enforcement who know the processes of investigation that protect the rights of the accused.
If staff observe illegal behavior, this should be reported to law enforcement. A library should have clear, written procedures for responding to criminal behavior, in addition to behavior that violates policy. Neither libraries, their resources, nor their staff should be used in any scheme to elicit and catch criminal behavior.
If library personnel believe surveillance cameras have recorded evidence of a crime, they should preserve those images and turn them over to the library director or the library’s legal counsel, who can then turn over the images to law enforcement in accordance with the law. Such images may be protected by state library confidentiality laws that prohibit the disclosure of information about a person’s use of library materials without a court order.
As a legal matter, libraries may voluntarily disclose surveillance camera images to law enforcement if the images do not reveal any person’s use of specific library materials or resources. The decision to disclose surveillance camera images should be made by the library’s director in consultation with the library’s legal counsel. When state law requires the police to obtain a court order before viewing or copying protected library records, the library can extend cooperation by identifying relevant records and preserving those records until a court order is served on the library.
26. What if law enforcement requests disclosure of library records? What if laws applicable to my library require the disclosure of some or all library records or other personally identifiable information without a court order?
In the event of a request for information from a federal or local law enforcement agency, library workers should consult with their library administration and legal counsel before complying with such requests. If a library worker is compelled to release information by a valid subpoena or court order, further breaches of user confidentiality will be minimized if the library worker personally retrieves the requested information and supplies it to the law enforcement agency. Otherwise, allowing the law enforcement agency to perform its own retrieval may compromise confidential information that is not subject to the current request.
Library policies must not violate applicable federal, state, and local laws. However, In accordance with Article VII of the Library Bill of Rights, library workers should oppose the adoption of laws that abridge the privacy rights of any library user. Forty-eight states have statutes that protect the confidentiality of library records. The other two have attorneys’ general opinions that support the confidentiality of library records. For your state statute or opinion, see “State Privacy Laws regarding Library Records.”
Library policy should require that law enforcement requests for any library record be issued by a court of competent jurisdiction that shows good cause and is in proper form. See ALA’s documents “Policy on Confidentiality of Library Records.” The library governing authority needs to be aware that privacy, and especially the privacy of children and students, may be governed by additional state and federal laws. For example, on April 21, 2000, the Federal law, the “Children’s Online Privacy Protection Act (COPPA),” went into effect. This law, designed to protect children’s privacy on the Internet, directly impacts how children access Internet content.
When creating its privacy policies, library and educational institution governing authorities need to be fully aware of any such laws regarding disclosure and the rights of parents, and create policies accordingly. Faculty and school administrators do not have parental authority over students’ privacy.
27. Are video or electronic surveillance technologies in libraries a violation of user privacy?
Today’s sophisticated high-resolution surveillance equipment is capable of recording a user’s reading and viewing habits and movements throughout the library in ways which are as revealing as the circulation records libraries routinely protect. When a library considers installing surveillance equipment, the administrative necessity of doing so must be weighed against the fact that most of the activity being recorded is innocent and harmless. Any records kept may be subject to Freedom of Information Act (FOIA) requests. Since any such personal information is sensitive and has the potential to be used inappropriately in the wrong hands, gathering surveillance data has serious implications for library management and school administrators.
If the library decides surveillance is necessary, it is essential for the library to develop and enforce strong policies protecting user privacy and confidentiality appropriate to managing the equipment, including routine destruction of the tapes in the briefest amount of time possible, or as soon as permitted by law.
Such policies should state the cameras are to be used only for the narrow purpose of enhancing the physical security of the library, its property, staff, and users. Policies should include: protocols for posting signs and giving notice about the presence of surveillance equipment, storage of data and/or media in a secure location, and routine destruction of data as soon as permitted by law. If the equipment creates any records, the library must recognize its responsibility to protect their confidentiality like any other library record. In addition, some state laws indicate that libraries shall not disclose any information that identifies a person as having used a library or a library service, even if that information is not in the form of a “record.” Protecting user confidentiality is best accomplished by purging the records or images as soon as their purpose is served.
Concerned about increasing school violence, some K-12 schools have installed security equipment in areas where no reasonable expectation of privacy may be expected. This includes computer labs, hallways, cafeterias, and playgrounds. It is important that the resulting data is securely handled and that use is based on board approved policy and follows state and federal laws.
IV. Minors’ Privacy Rights
28. Are the privacy rights of minors the same as those of adults? What information about a minor’s use of the library should be kept confidential and what may be released to parents?
The rights of minors vary from state to state, and the legal responsibilities and standing of library staff in regard to minor users differ substantially in school, academic, and public libraries. Generally, a minor’s right to keep thier library records private will be governed by a state’s library confidentiality statute; however, in public educational institutions, the Family Educational Rights and Privacy Act (FERPA) also determines the confidentiality and release of minors’ library records. Libraries may wish to consult the legal counsel of their governing authorities to ensure that the library’s policy and practice are in accord with applicable law.
In public libraries, parental responsibility is key to a minor’s use of the library. Notifying parents or caregivers about the library’s privacy and confidentiality policies should be a part of the process of issuing library cards to minors. In some public libraries, the privacy rights of minors may differ slightly from those of adults, often in proportion to the age of the minor. The legitimate concerns for the safety of children in a public place can be addressed without unnecessary invasion of minors’ privacy while using the library.
In public and school libraries, parents or caregivers are responsible not only for the choices their minor children make concerning the selection of materials and the use of library facilities and resources, but also for communicating with their children about those choices. Library workers should not breach a child’s confidentiality by giving out information readily available to the parent or caregiver from the child directly. Libraries should take great care to limit the extenuating circumstances in which they will release such information.
Privacy: An Interpretation of the Library Bill of Rights states: “All users have a right to be free from any unreasonable intrusion into or surveillance of their lawful library use. ALA and its members recognize that children and youth have the same rights to privacy as adults.” In all libraries, the rights of minors to privacy regarding their choice of library materials should be respected and protected. Article VII of the Library Bill of Rights states “All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information.” Article III of the ALA Code of Ethics directs library workers “to protect each library user’s right to privacy and confidentiality.” “Minors and Online Activity: An Interpretation of the Library Bill of Rights,” asserts minors’ right to seek, create, share, and interact with information on the Internet as extensions of their First Amendment rights. The statement also acknowledges that use of social media and web tools require the balancing of two intellectual freedom priorities — preservation of minors’ privacy and the right of free speech.
29. How does the Family Educational Rights and Privacy Act (FERPA) affect minors’ library records in K-12 schools? Do state library records laws affect students records?
“The Federal Educational Rights and Privacy Act,” 20 U.S.C. § 1232g, (FERPA) controls disclosure of a student's educational records and information in both K-12 schools and post-secondary libraries. It requires educational institutions to adopt policies that permit parents or caregivers of minor children to inspect and correct their educational records. It also prohibits disclosure of a student's records without the parent's or caregiver's written permission.
The Family Policy Compliance Office (FPCO), a part of the U.S. Department of Education, is the federal office charged with overseeing and enforcing FERPA. According to FPCO, any record maintained by an educational institution directly related to a student, in any format, that allows the student to be identified from the information contained in it, is considered an “educational record.” FPCO staff have issued guidance stating that library circulation records and similar records maintained by a school library are “educational records” under FERPA.
Although FERPA generally requires institutions to protect the privacy of educational records, it contains many exceptions that allow disclosure of a student's educational records without a parent, caregiver, or student's consent or permission. For example, FERPA permits educational institutions to release information contained in a student's records to any school official who has a “legitimate educational interest” in the records; to appropriate public officials in health and safety emergencies, and to courts and law enforcement agencies in response to a judicial order or lawfully issued subpoena. FERPA also permits educational institutions to disclose information about international students to the Department of Homeland Security and the Immigration and Customs Enforcement Bureau.
FERPA thus permits disclosure when state library confidentiality statutes and professional ethics would otherwise prohibit the disclosure of library records. FERPA, however, does not require the institution to disclose records under these circumstances, nor does FERPA require institutions to create or maintain particular records.
State library confidentiality laws may apply to K-12 libraries as well as public libraries, and may impose additional responsibilities to protect students’ library records that go beyond FERPA’s requirements/permissions. Therefore, school libraries should craft policies that extend additional privacy protection to students’ library records and, where applicable, incorporate state law protections for students’ library records. The best protection lies in collecting the least amount of information and expunging it as quickly as possible.
30. How can the confidentiality of minors’ library records be protected in school libraries?
The Library Privacy Guidelines for K-12 Students lay out both the challenges to, and opportunities for, protecting minors’ privacy in public elementary, middle, and high schools. School libraries are often no longer independent entities and are frequently integrated into the district’s administrative and technology infrastructure. As a result, it becomes more difficult for school library workers to act autonomously to implement privacy policies and practices when library resource management systems, digital resources, and other applications are tied into the districtwide infrastructure. It is now common for parents or caregivers to be able to view the digital library records of their children in real time through the district’s educational technology portal. In many districts, parents or caregivers receive regular reports of the websites their children visit. These uses of technology seriously undermine students’ privacy in school libraries.
31. What can school library workers do to protect their students’ privacy?
It is critical that every school library have a privacy policy, approved by its governing body, outlining how students’ library records are protected, and under what circumstances they may be released, and to whom. The policy should refer to Article VII of the Library Bill of Rights, Article III of the ALA Code of Ethics, and other policy statements related to protecting minors’ privacy rights in libraries. The privacy policy should reference and incorporate the state library confidentiality law, if applicable, and also include FERPA guidelines. Without strong policies, school library workers will be left uncertain about the legal course of action and in a weaker position to respond to requests for release of library records.
After the privacy policy has been approved by the school’s governing body, it should be disseminated to school staff, students, and parents. Minors’ privacy and the confidentiality of their records will be better protected when school employees and the community understand the laws involved.
In addition to an official privacy policy, school libraries should also have a records retention policy detailing the types of records maintained, the length of retention, and a schedule for their expungement. Minors’ records are best protected when minimal library records are maintained for the shortest period possible.
Beyond strong policies, school library workers can protect students’ privacy through best practices such as by:
- Training library staff, volunteers, and student assistants about the legal and ethical nature of privacy in the library and the confidentiality of all library records.
- Educating teachers and administrators about student privacy and the confidentiality of library records.
- Teaching students to protect their personal privacy and respecting the privacy of others.
- Reaching out to parents or caregivers to communicate library policies related to privacy.
- Collaborating with IT staff to evaluate technology-related hardware, software, filtering programs, and apps to ensure student privacy is protected.
- Discussing privacy concerns with vendors of current resources or those under consideration for purchase.
Additional Resources:
The Intellectual Freedom Committee's (IFC) Privacy Subcommittee developed this Q&A to work in conjunction with Privacy: An Interpretation of the Library Bill of Rights. The Q&A was approved by the IFC April 14, 2005; amended June 26, 2006; October 30, 2006; January 23, 2012; July 1, 2014; and July 29, 2019.