Today’s ALA/Booklist webinar, Why Your Library’s Policy Matters, was led by Cherie L. Givens, author of Information Privacy Fundamentals for Librarians and Information Professionals. The webinar seemed almost like a commercial for the book, because Givens only spoke generally, pointing listeners to the book for further detail. In fairness, it would be difficult to cover the topic of library privacy policies in depth in an hour, but I was still hoping for something slightly more concrete and practical. Nevertheless, here are the points she covered:

• When drawing up a library privacy policy, make sure you are aware of relevant federal* and state legislation. State legislation (e.g. California) may be stricter than federal legislation.

*Particularly the Children’s Online Privacy Protection Act (COPPA), Family Education Rights and Privacy Act (FERPA), Protection of Pupil Rights Amendment (PPRA), No Child Left Behind (NCLB), the PATRIOT Act, Foreign Intelligence Surveillance Act (FISA), and National Security Letters (NSLs). (If your library does receive an NSL, the lawyers at ACLU would love to hear about it.)

• The Federal Trade Commission (FTC) is a good resource for consumer protection (“We collect complaints about hundreds of issues from data security and deceptive advertising to identity theft and Do Not Call violations”).
• People should have control over their Personally Identifiable Information (PII), including sensitive personal data such as Social Security Numbers. People should know when, how, and what PII is being communicated to others. It’s always best to collect as little information as possible, only what is necessary; minimize data collection and retention.
• Every library needs a privacy policy, but the policy is just step one. The next step is to make sure your procedures match the policy, and that you contract for privacy with third parties (vendors) to ensure that they handle patron data according to the same standards.*
• Perform a privacy audit/assessment: what information do you collect and how do you use it?
• Look at other libraries’ privacy policies, and the privacy policies of small/medium-sized businesses.
• The library privacy policy should be visible to users: hand it out with new library cards, post it near computers, keep a copy at the reference desk. (And on the library website?)
• Privacy is important not just for intellectual freedom, but intellectual curiosity.

*I haven’t seen the contract language, but I would imagine this is much more difficult than it sounds, especially if a library is working with Overdrive, which allows patrons to check out Kindle books through Amazon. Amazon is a data-hungry beast.

These fair information practice principles I copied directly from slide 10 of Givens’ presentation:

• Notice/Awareness: Provide notice of information collection practices before information is collected.
• Choice/Consent: Give the subjects of data collection options about whether and how their personal information may be used.
• Access/Participation: Provide access to an individual’s personal information so that the individual can review and correct it.
• Integrity/Security: The data collector must take reasonable steps to make sure the data is accurate and secure.
• Accountability or Enforcement/Redress: There must be a mechanism for addressing and resolving complaints for failing to abide by the above four principles.

Lastly, this great article was cited by one of the webinar participants. I remember reading it before (it was a Library Link of the Day on 10/4/14): “Librarians won’t stay quiet about government surveillance,” Washington Post, Andrea Peterson, 10/3/14.

This webinar will be archived with the rest of Booklist’s webinars, probably within the next week.