Questions and Answers on Privacy and Confidentiality
The IFC developed this Q&A to work in conjunction with Privacy: An Interpretation of the Library Bill of Rights, adopted by the ALA Council on June 19, 2002. Revised April 14, 2005; June 26, 2006; October 30, 2006.
What prompted the Intellectual Freedom Committee to take on the privacy question now?
In 1999 ALA Council resolved that the Library and Information Technology Association be asked to examine the impact of new technologies on patron privacy and the confidentiality of electronic records. The Task Force on Privacy and Confidentiality in the Electronic Environment was formed at the 1999 ALA Midwinter Conference with broad participation from across ALA.
In July 2000, ALA Council approved the Final Report of the Task Force on Privacy and Confidentiality in the Electronic Environment (Council Document #62) and referred it to the Intellectual Freedom Committee for review. The recommendations contained therein were:
- That ALA revise its policy statements related to Confidentiality of Library Records (rev. 1986), and Concerning Confidentiality of Personally Identifiable Information About Library Users (1991), in order to specifically and appropriately incorporate Internet privacy;
- That ALA develop model privacy policies, instructional materials, and privacy “best practices” documents for libraries; and
- That ALA urge that all libraries adopt a privacy statement on Web pages and post privacy policies in the library that cover the issues of privacy in Internet use as accessed through the library’s services.
In its own end-of-conference report to Council, the IFC responded to this referral by saying: “The Intellectual Freedom Committee gladly accepts Council’s charge to review the recommendations. IFC has been reviewing and will continue to monitor the appropriateness of all ALA policies regarding privacy and confidentiality and will address all three recommendations in our Midwinter Meeting report to Council.”
At the 2001 ALA Midwinter Meeting, the IFC established a standing Privacy Subcommittee, which is charged to monitor ongoing privacy developments in technology, politics and legislation and identify needs and resources for librarians and library users (cf. 2000–2001 CD#19.1).
At its 2001 spring meeting, the committee returned to Council’s original request to consider developing an Interpretation of the Library Bill of Rights on Privacy. Initial work began on a draft Interpretation at that time and continued through the 2001 Annual Conference and the Committee’s 2001 fall meeting. In its deliberations, the committee thought carefully about the implications of 9/11 on privacy issues. We have sought to develop the Interpretation for lasting impact, knowing that this issue was of importance to libraries prior to those events and that it has enduring importance for those who rely on us in our libraries. (cf. 2002–2003 CD#19).
ALA Council adopted Privacy: An Interpretation of the Library Bill of Rights on June 19, 2002, at the ALA Annual Conference in Atlanta, Georgia.
What is the difference between privacy and confidentiality?
In a library, the right to privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others. Confidentiality exists when a library is in possession of personally identifiable information (see “What is personally identifiable information” below) about users and keeps that information private on their behalf. Confidentiality is a library’s responsibility. This responsibility is assumed when library procedures create records such as closed-stack call slips, computer sign-up sheets, registration for equipment or facilities, circulation records, what Web sites were visited, reserve notices, or research notes.
In protecting the privacy rights and the confidentiality rights of library users, librarians should limit the degree to which personally identifiable information is monitored, collected, disclosed, and distributed.
For ALA’s privacy policies and Privacy: An Interpretation of the Library Bill of Rights, see the Intellectual Freedom Manual, latest edition, and the Web site, “Privacy and Confidentiality.”
What is “personally identifiable information?” Why is it such a wordy phrase?
“Personally identifiable information” (PII) seems to have become the generally accepted language because it covers a greater range than “personal identification,” such as a driver’s license. The phrase has been in use in ALA policy since the 1991 adoption of the Policy Concerning Confidentiality of Personally Identifiable Information about Library Users.
PII connects you to what you bought with your credit card, what you checked out with your library card, and what Web sites you visited where you picked up cookies. More than simple identification, PII can build up a picture of your tastes and interests—a dossier of sorts, though crude and often inaccurate. While targeted advertising is the obvious use for PII, some people would use this information to assess your character, decide if you were a security risk, or embarrass you for opposing them. Because of the chilling effect that such scrutiny can have on open inquiry and freedom of expression, libraries and bookstores have long resisted requests to release information that connects individual persons with specific books.
If there is no reasonable expectation of privacy in a public place, how can anyone expect privacy in a library?
A library cannot be responsible for someone being seen or recognized in a library, but should take steps to protect user privacy whenever possible. That is, in a library, a user’s face may be recognized, but that does not mean that the subject of the user’s interest must also be known. Library buildings, interior design, and functions can be planned to preserve privacy of inquiry, even while the user’s presence and behavior remain observable. Thus, both safety and privacy are maintained. To the greatest extent possible, the user should be able to work independently, both to afford privacy and to reduce the quantity of confidential records for which the library must be responsible.
What about the rights of staff, volunteers, and trustees?
Privacy: An Interpretation of the Library Bill of Rights, like the Library Bill of Rights itself, addresses the rights of library users. As such, this latest Interpretation does have implications for staff, volunteers, and trustees. Librarians involved in training volunteers, new employees, or trustees should inform them of the requirements that they not abuse confidentiality and that they protect library users’ rights of privacy. When staff are themselves library users, they are entitled to equal protection of their privacy and confidentiality of their records as library users.
If users have rights and librarians have responsibilities, don’t users also have responsibilities to protect their own privacy?
Privacy: An Interpretation of the Library Bill of Rights, like the Library Bill of Rights itself, addresses the rights of library users. Text is included in this latest Interpretation about the right of the user to be informed of library policy and practices that create choices for the user about personal privacy.
Librarians should educate the public, through a variety of methods, about information and tools that can help to preserve privacy or protect the confidentiality of personally identifiable information. In each library transaction in which an individual is asked to divulge personally identifiable information, library staff need to ensure that the individual is making an informed choice. Librarians should clarify any trade-offs between greater convenience and greater privacy. Users also need to understand their own responsibility to respect one another’s privacy.
Does privacy include a right to avoid exposure to unwanted images?
Protecting privacy in the library setting ensures open inquiry without fear of having one’s interests observed by others. Ensuring user privacy not only benefits the user, but also those who prefer not to see what other users view. When there is a conflict between the right of individuals to view constitutionally protected speech and the sensibilities of unwilling viewers, free expression rights have generally prevailed in the Courts unless unwilling viewers are unable to avert their eyes. Libraries may address the concerns of unwilling viewers in a number of different ways, including the strategic placement of workstations and the use of devices such as privacy screens or recessed monitors.
What role does education play in protecting patron privacy?
The library should have a continuing training plan to educate staff, trustees, volunteers, and contract workers about library privacy principles, policies and procedures, and library staff’s legal and ethical responsibilities as custodians of personally identifiable information. It is important that all concerned understand that this responsibility includes avoiding any inferences about users based on their library use.
Library staff should also be informed of their responsibility to cooperate with other organizations that work to protect privacy and challenge intrusions.
Librarians must educate the public through a variety of learning methods that provide the information and tools individuals need to protect their privacy and the confidentiality of their own personally identifiable information. For support in this area, see the "Privacy and Confidentiality" section of the ALA Office for Intellectual Freedom's Web site.
I know people can be suspicious of what bureaucrats might do with personal information, but I’m a librarian — can’t people just trust me?
While we librarians don’t often think of ourselves as government bureaucrats, members of the public may see us as authorities just like a uniformed police officer or a robed judge. In fact, staff in publicly funded libraries are part of government and are constrained by all the laws that restrict the power of government. One of the lessons learned on the way to democracy was that no matter how nice the current office holder may be, someday someone else may try to abuse the position. Laws and institutional policies are among the ways we make sure that we aren’t totally dependent on the character of the person in the job. Especially when new technology makes issues look different, policies can provide guidance and strength. By establishing strong privacy and confidentiality policies, libraries can protect staff from pressure to violate users’ rights.
Protection of Privacy and Library Records
What is a Privacy Audit and whose responsibility is it?
A privacy audit is a technique for assuring that an organization’s goals and promises of privacy and confidentiality are supported by its practices, thereby protecting confidential information from abuse and the organization from liability and public relations problems. An audit ensures that information processing procedures meet privacy requirements by examining how information about customers and employees is collected, stored, shared, used and destroyed. Privacy auditing is a process, not a one-time solution, as services, data needs, and technology change. A designated Privacy Officer may lead the audit, but all stakeholders and aspects of privacy need to be represented, from information technology to public relations. The audit process needs to be capable of dealing with the full extent of the information system. When a library is part of a larger organization that is conducting a privacy audit, specific library issues and needs must be included.
The audit process begins by evaluating the organization’s existing policies and procedures for legality and consistency with the organization’s mission and image. When policies have been reviewed (or established), the data collected can be categorized according to the degree of security necessary. The audit assesses the sensitivity, security risks, and public perceptions of the information the organization collects. The audit examines the necessity for each type of data, how it is collected, and what notice and options are provided to the individuals identified by the information. Mapping how data flows through the organization for access, storage, and disposal can reveal security needs, both electronic and physical. The audit process itself must be managed so that it does not increase risks and its recommendations must be addressed quickly once risks are revealed.
Coyle, Karen. 2002. "Privacy and Library Systems Before & After 9/11." (last accessed December 15, 2004).
Enright, Keith P. "Privacy Audit Checklist." (last accessed December 15, 2004).
Flaherty, David H. 1998. "How To Do A Privacy And Freedom Of Information Act Site Visit." David H. Flaherty. (last accessed December 15, 2004).
Jerskey, Pamela, Ivy Dodge, Sanford Sherizen. "The Privacy Audit: a Primer." (last accessed December 15, 2004).
Matis, Michael. 2002. "The Code of Librarianship: Ethics and Information Architecture." (last accessed December 15, 2004).
Texas Department of Information Resources. 2000. "Privacy Issues Involved in Electronic Government." (last accessed December 15, 2004).
Can libraries use social security numbers (SSNs) in patron databases or for other means of uniquely identifying our users?
SSNs are not entirely random numbers: the first three digits indicate in which state the number was issued, and the next two numbers indicate the order in which the SSN was issued in each area. Only the last four numbers are randomly generated. Thus, even the disclosure of an SSN without further action does divulge private information.
Some states restrict the use of social security numbers to circumstances explicitly authorized by law, particularly for the reporting of income for employees. Section 7 of the Federal Privacy Act of 1974 provides that any agency requesting an individual to disclose his or her SSN must "inform that individual whether that disclosure is mandatory or voluntary, by what statutory authority such number is solicited, and what uses will be made of it." The Family Educational Rights and Privacy Act (FERPA) requires publicly-funded schools to obtain written consent for the release of personally identifiable information, which courts have ruled includes SSNs. The widespread use of SSNs by public and private agencies had created a dual threat of fraud victimization and the invasion of privacy, by linking significant amounts of personal and financial information through a single number. In November 2004 the GAO noted that ". . . it is clear that the lack of a broad, uniform policy allows for unnecessary exposure of personal Social Security numbers."
Libraries have long used SSNs to trace patrons who have outstanding fines or overdue materials, often through collection agencies. In fact, the current state of internet technology often allows an individual to be located without the use of an SSN. Libraries that choose to use SSNs in patron databases or to identify users should:
- inform patrons whether providing their SSNs is mandatory or voluntary, and under what statutory authority the SSNs are solicited;
- inform patrons of the purpose for which SSNs will be used;
- use encryption to protect SSNs within patron databases; and
- investigate other methods of uniquely identifying patrons and tracing those who have outstanding fines or overdue materials.
EPIC. Social Security Number (SSN) Privacy Page (last accessed December 15, 2004).
Family Educational Rights and Privacy Act (FERPA) (last accessed November 19, 2004).
Governmental Accounting Office. Social Security Numbers: Governments Could Do More to Reduce Display in Public Records and on Identity Cards, GAO-05-59, November 9, 2004 (last accessed November 19, 2004).
Privacy Act of 1974 and Amendments (as of Jan 2, 1991) (last accessed November 19, 2004).
Privacy Rights Clearinghouse. "Your Social Security Number: How Secure Is It?" (last accessed December 15, 2004).
Sample library policies:
Maine State Library. "Note on Use of Social Security Numbers as ID Number."
College of William & Mary. Earl Gregg Swem Library. "Faculty Circulation Services."
Are there special challenges created for library administration by digital patron records?
Any database of personally identifiable information is a potential target for computer crime and identity theft. Data security must be planned to protect both the library itself and its promise of confidentiality, and to ensure the thorough removal of patron records as soon as each ceases to be needed. Library administration should seek ways to permit in-house access to information in all formats without creating a data trail. Library policies should clearly state the purposes for which users’ personally identifiable information is needed; these records should be deleted as soon as the original purpose for collection has been satisfied.
In general, acquiring the least amount of personally identifiable information for the shortest length of time reduces the risk of unwanted disclosure. The library should also invest in appropriate technology to protect the security of any personally identifiable information while it is in the library’s custody, and should ensure that aggregate data has been stripped of personally identifiable information.
In order to assure their obligations of confidentiality, libraries should implement written policies governing data retention and dissemination of electronic records. These policies should affirm the confidentiality of information about library users and their use of all library materials.
What if our library or institutional policy requires us to be closely involved with or closely monitoring our library users?
In all libraries, it is the nature of the service rather than the type of the library that should dictate any gathering of personally identifiable information. Some common library practices necessarily involve close communication with—or monitoring of—library users. Services such as bibliographic instruction, reference consultation, teaching and curriculum support in school libraries, readers’ advice in public libraries, and preservation of fragile or rare library materials in special collections libraries are just a few instances of services that require library staff to be aware of users’ information-access habits. As part of serving the user, it is often necessary for staff to consult with each other. Staff must be careful to conduct such conversations privately and keep strictly to the purpose. But in all types of libraries, any such compromising of user privacy by library staff carries with it an ethical and professional (and often legal) obligation to protect the confidentiality of that personally identifiable information. Most important, all gathering of personally identifiable information should be done in the interests of providing, or improving, particular library services.
What else besides library records might compromise user privacy?
It is inevitable that library staff will recognize users. It is also necessary that staff be aware of activity and behavior inside the library to ensure that users’ needs are met and for security purposes. This knowledge should not be put to any purpose other than service to library users.
Does the library’s responsibility for user privacy and confidentiality extend to licenses and agreements with outside vendors and contractors?
Most libraries conduct business with a variety of vendors in order to provide access to electronic resources, to acquire and run their automated systems, and in some instances, to enable access to the Internet. Libraries need to ensure that contracts and licenses reflect their policies and legal obligations concerning user privacy and confidentiality. Whenever a third party has access to personally identifiable information, the agreements need to address appropriate restrictions on the use, aggregation, dissemination, and sale of that information, particularly information about minors. In circumstances in which there is a risk that personally identifiable information may be disclosed, the library should warn its users.
How does the library’s responsibility for user privacy and confidentiality relate to the use by library users of third party services in accessing their own circulation records?
Free third-party services are now available that remind library users of due dates and circulation fines via e-mail or RSS feeds. Libraries should advise users about the risks associated with providing library card numbers, passwords, or other library account information to any third party. These risks include changes in the privacy policies of the third-party service without customer notification, and disclosure of the user's library circulation records or other personally identifiable information, whether such disclosure is inadvertent or purposeful. Third parties are not bound by library confidentiality statutes or other laws protecting the privacy of user records. For these reasons, neither the library nor the library user can be certain that confidentiality will be adequately protected.
Are privacy rights of minors the same as those of adults? What information about a minor’s use of the library should be kept confidential and what may be released to parents?
The rights of minors vary from state to state. Libraries may wish to consult the legal counsel of their governing authorities to ensure that policy and practice are in accord with applicable law. In addition, the legal responsibilities and standing of library staff in regard to minor patrons differ substantially in school and public libraries. In all instances, best practice is to extend to minor patrons the maximum allowable confidentiality and privacy protections.
Parents are responsible not only for the choices their minor children make concerning the selection of materials and the use of library facilities and resources, but also for communicating with their children about those choices. Librarians should not breach a child’s confidentiality by giving out information readily available to the parent from the child directly. Libraries should take great care to limit the extenuating circumstances in which they will release such information.
Parental responsibility is key to a minor’s use of the library. Notifying parents about the library’s privacy and confidentiality policies should be a part of the process of issuing library cards to minors. In some public libraries, the privacy rights of minors may differ slightly from those of adults, often in proportion to the age of the minor. The legitimate concerns for the safety of children in a public place can be addressed without unnecessary invasion of minors’ privacy while using the library.
The rights of minors to privacy regarding their choice of library materials should be respected and protected. More information on the privacy rights of children can be found on the OIF’s page "Privacy Resources for Librarians, Library Users, and Families."
This new Interpretation of the Library Bill of Rights is intended to reaffirm and clarify the long-standing commitment of librarians to protect the privacy rights of our users, regardless of the format or medium of information in use. This commitment has not changed in the era of the World Wide Web. In fact, it has only strengthened in the years since the Internet was introduced into America’s libraries. See for example Access to Electronic Information, Services, and Networks, in which ALA reaffirmed that “Users have both the right of confidentiality and the right of privacy.”
Many non-library Web sites now have privacy policies that explain whether personally identifiable information is collected, how it is used if it is collected, and whether they sell or share this information with third parties. Such policies often explain how “cookies” are placed on a hard drive and how they are used to track Web surfing. The privacy policies on governmental Web sites—including governmental library sites—may be covered by applicable local, state, and federal laws. However, regardless of whether such laws are in place or not, libraries of all types—not just those that are publicly funded—need policies outlining the protections in place governing the online and offline privacy and confidentiality rights of library users.
Links to selected sample library privacy policies can be found at Privacy Resources for Librarians, Library Users, and Families. In addition, Chapter 2, part V, of the Intellectual Freedom Manual (latest edition) discusses the process involved in developing a confidentiality policy. See also “Developing a Confidentiality Policy.”
What about additional records kept by libraries for the purpose of serving patrons with special needs?
If libraries create additional records for special purposes, the same responsibility to maintain the confidentiality of those records applies. However, libraries that choose to keep such information on an ongoing basis acquire a correspondingly greater responsibility to maintain the ongoing confidentiality of that information. Policies and procedures should address the collection, retention, and disclosure of records in any format that contain personally identifiable information in compliance with statutory requirements. Libraries should also apply the Fair Information Practice Principles: Notice, Consent, Access, Security and Enforcement. When complying with ALA’s Library Services for People with Disabilities Policy, all attempts should be made to protect the privacy and confidentiality of library users with disabilities.
What about smart cards, or ID cards that use biometric enhancements? Won't they help protect privacy?
Smart cards are getting a lot of attention for their ability to store personal data for a variety of applications. With the best intentions, government agencies sometimes propose sharing data on people who receive government services. Library policies on confidentiality should state clearly that personally identifiable information collected by the library will not be shared with any other agency or organization unless required by a court order. If agencies are jointly issuing a smart card, library data must be partitioned with no leakage to other agencies.
The more agencies using a shared card, the greater the need for strong identification confirmation. Various biometrics, from photographs to fingerprints to iris scans, are proposed to ensure that identification cards are authentic. This raises correspondingly greater risks that tampering with the encoding of identification will affect every aspect of an individual's life. Biometrics can offer increased convenience, as in the suggestion of children checking out books by thumb print, but the risks must be carefully weighed. Libraries have a responsibility to invite public discussion on the pros and cons of identification technology proposals. The following URLs consider various aspects of new identification card technology:
American Library Association. Resolution on Privacy and Standardized Driver's Licenses and Personal Identification Cards (adopted January 19, 2005; last accessed February 2, 2005).
Barnes, Bill. 2001. "The National ID Card: If They Build it, Will it Work?" Slate. (last accessed December 15, 2004).
Computer Professionals for Social Responsibility. 2002. "National Identification Schemes: Links to Resources." (last accessed December 15, 2004)
Electronic Privacy Information Center. 2002. "National ID Cards." (last accessed December 15, 2004)
Ellison, Larry. 2001. "Smart Cards: Digital IDs Can Help Prevent Terrorism," Wall Street Journal, Monday, October 8, 2001, (last accessed December 15, 2004)
Garfinkel, Simson. 2002. "Identity Card Delusions," Technology Review, April 2002, (last accessed December 15, 2004)
Glasner, Joanna. 2001. "Linking Records Raises Risks." Wired News, April 20, 2001, (last accessed December 15, 2004)
Ham, Shane and Robert D. Atkinson. 2002. "Frequently Asked Questions about Smart ID Cards." Progressive Policy Institute. (last accessed December 15, 2004)
Smart Card Basics. "A sponsored site brought to you by a number of companies in the smart card industry." (last accessed January 24, 2005)
Wylie, Margie. 2001. "Database Flaws Could Hamper Any National ID System, Experts Warn." Newhouse News Service. (last accessed December 15, 2004)
What about data encryption?
Some privacy rights advocates encourage increased use of data encryption as a method for enhancing privacy protection. Encrypted data requires others to use a pre-defined electronic "key" to decipher the contents of a message, file, or transaction. While not yet in widespread use by individuals, data encryption is commonly used in online banking and commerce. Libraries should negotiate with vendors to encourage the use of such technology in library systems (e.g., in the document delivery, saved searches, and email features now offered by many OPAC vendors). Whenever possible, libraries should consider making encryption tools available to library users who are engaging in personalized online transactions or communications.
Center for Democracy and Technology Resource Library: Encryption. (last accessed March 4, 2005)
CERT Coordination Center List of Security Tools. Revised June 2001. (last accessed March 4, 2005)
Electronic Frontier Foundation Encryption Archive. (last accessed March 4, 2005)
Electronic Privacy Information Center Cryptography Policy. Revised October 2001. (last accessed March 4, 2005)
Electronic Privacy Information Center Online Guide to Practical Privacy Tools. Updated March 2005. (last accessed March 4, 2005)
MyCrypto.net - Encryption, Privacy and Internet Security. (last accessed March 4, 2005)
Our library has been using a lot of new technologies in recent years. How can we stay on top of all the privacy concerns?
Every technology since fire can be used for both good and evil. It is the responsibility of librarians to establish policies to prevent "function creep." As much as any threat or promise to privacy posed by new technologies, it is attention and commitment to fundamental principles of data security that may best ensure that user rights to privacy and confidentiality are not threatened through their use of library services. To help define and assess your local data security practices, consider reviewing these guidelines:
Fact Sheet 12: Responsible Information-Handling. Utility Consumers' Action Network/Privacy Rights Clearinghouse. Revised May 2002. (last accessed May 27, 2005)
Infopeople Project How-To Guides: Library Computer and Network Security. Updated November 2004. (last accessed May 27, 2005)
My library is considering implementing a Radio Frequency Identification (RFID) system for circulation and stacks maintenance. What are the implications for patron privacy of such systems?
Some libraries have already implemented RFID; others are waiting until some of the industry technical standards and privacy implications have been better resolved. ALA has approved RFID Privacy Principles that encourage libraries to adopt and enforce privacy policies and discourage inclusion of personal information on RFID tags. When considering, selecting and implementing RFID, libraries should safeguard user privacy by consulting ALA's RFID in Libraries: Privacy and Confidentiality Guidelines in order to adopt best practices to protect privacy and confidentiality. Additional resources are also available:
ALA. Resolution on Radio Frequency Identification (RFID) Technology and Privacy Principles. January 19, 2005.
ALA Library. "Fact Sheet 25 - RFID: A Brief Bibliography."
ALA Office for Intellectual Freedom. "RFID: Radio Frequency IDentification Chips and Systems."
Ayre, Lori Bowen, The Galecia Group. "Position Paper: RFID and Libraries. August 19, 2004."
Book Industry Study Group. "BISG Policy Statement #002: RFID - Radio Frequency Identification Privacy Principles. Approved: September 23, 2004."
Electronic Frontier Foundation. "Radio Frequency Identification (RFID)."
Electronic Privacy Information Center. "Radio Frequency Identification (RFID) Systems."
Givens, Beth, Director of the Privacy Rights Clearinghouse. "RFID Implementation in Libraries: Some Recommendations for 'Best Practices.'"
Library and Information Technology Association. "Technology and library users, an ongoing discussion. The Top Trends, Issue Two: RFID." January 11, 2004.
Molnar, David and David Wagner. "Privacy and Security in Library RFID Issues, Practices, and Architectures." (CCS'04, October 25-29, 2004, Washington, DC)
"RFID Position Statement of Consumer Privacy and Civil Liberties Organizations." November 20, 2003.
Weblog: "RFID in Libraries."
Can circulation or registration information be used for other library purposes, such as to generate mailing lists for fund-raising by the library or its Friends group?
- Notice should be provided to all users of any library use of PII.
- Any use of PII beyond circulation or administration should be authorized only on an opt-in basis. At the time of registration, users should be asked to opt in to additional and specifically enumerated uses of their PII (e.g., for fund-raising appeals). The PII of those who decline to opt in should not be made available for any additional uses.
- Any time a library decides to extend use of PII in ways not already authorized, it must seek user opt-in. Libraries should presume that all non-responders wish to opt out of the new use.
What privacy rights do library employees enjoy in the workplace?
Employers have a legitimate interest in ensuring efficiency and productivity. Library management has an obvious further interest in ensuring that employee practices do not adversely affect user service or infringe on user rights, including user rights of privacy and confidentiality. But library employers who use electronic or video surveillance or engage in monitoring of computer, e-mail, or telephone use must carefully evaluate these practices in light of both legal requirements and the profession's ethical commitment to upholding rights of privacy and confidentiality.
- Legal issues: Few laws regulate employee monitoring in the private sector, although federal, state, and local government employees benefit from some degree of legal protection. However, some state public record and record retention laws may impact the degree to which employee personally identifiable information (PII) is kept confidential. Employee PII not covered by law or regulation must be kept confidential. Further, employees have a right to know what security and information management systems are in place to protect personnel records containing PII, and a right to a clear enumeration of the circumstances under which such information may be provided to third parties. Library policy should call for the release of PII to law enforcement requests only when those requests come in the form of a court order from a court of competent jurisdiction.
- Monitoring: In many libraries, employees are required to sign Internet and computing use agreements that differ from the policies extended to library users. However, if a library intends to engage in monitoring of staff workstations or work spaces, it should give notice through a written policy providing:
  - notice of these practices to employees
  - notice to the public if any staff-user interactions (e.g., virtual reference) are subject to monitoring or recording; and both redaction of PII from and regular purging of all such records
  - notice to employees if their social security numbers are used as unique identifiers in personnel or other records
  - employee access to all PII, including any collected through monitoring, and the right to dispute and delete inaccurate data
  - no monitoring of areas designed for employee health or comfort
  - no collection of data not specifically related to work performance
  - restrictions on PII disclosure to third parties without employee consent
- Staff with access to employee PII: All staff and any others with access to employee PII must understand they are not to look at any stored information without prior authorization to do so, and in accordance with written policies; and that if they accidentally see any such data (such as electronic monitoring logs, e-mail subject lines, file names, etc.) they are bound by confidentiality guidelines.
- Staff use of library resources: All staff use of library resources or public access workstations that is conducted outside of work hours and/or is not directly job-related should be covered in the same way that any library user's privacy and confidentiality is protected.
For more information on employee privacy rights, and on policy writing to protect those rights, see:
- ACLU. Privacy in America: Electronic Monitoring. (Oct. 22, 2003).
- ACLU. Through the Keyhole. (July 26, 1998).
- EPIC. Workplace Privacy Page. (Aug. 3, 2004).
- Privacy Rights Clearinghouse. Fact Sheet 7: Workplace Privacy. (Rev. Sept. 2002).
What if law enforcement requests disclosure of library records? What if laws applicable to my library require the disclosure of some or all library records or other personally identifiable information without a court order?
Library policies must not violate applicable federal, state, and local laws. However, in accordance with Article IV of the Library Bill of Rights, librarians should oppose the adoption of laws that abridge the privacy rights of any library user.
Forty-eight states have statutes that protect the confidentiality of library records. The other two have attorneys general opinions that support the confidentiality of library records. For your state statute or opinion, see State Privacy Laws regarding Library Records.
Library policy should require that law enforcement requests for any library record be issued by a court of competent jurisdiction that shows good cause and is in proper form. See ALA’s documents, Suggested Procedures for Implementing Policy on Confidentiality of Library Records and Policy on Confidentiality of Library Records. The library governing authority needs to be aware that privacy, and especially the privacy of children and students, may be governed by additional state and federal laws. For example, on April 21, 2000, a new Federal law, the Children’s Online Privacy Protection Act (COPPA), went into effect. This law, designed to protect children’s privacy on the Internet, directly impacts how children access Internet content.
When creating its privacy policies, library governing authorities need to be fully aware of any such laws regarding disclosure and the rights of parents, and create policies accordingly. Faculty and school administrators do not have parental authority over students’ privacy.
What about library staff’s civic duty to help law enforcement?
If staff observe illegal behavior, this should be reported to law enforcement. A library should have clear, written procedures for responding to criminal behavior, in addition to behavior that violates policy. Neither libraries, their resources, nor their staff should be used in any scheme to elicit and catch criminal behavior.
In the event of a request for information from a federal or local law enforcement agency, librarians should consult with their library administration and/or legal counsel before complying with such requests. Librarians should note that requests made under the USA PATRIOT Act (http://www.ala.org/alaorg/oif/usapatriotact.html) must come from the Federal Bureau of Investigation and are not valid if coming from state agencies. If a librarian is compelled to release information, further breaches of patron confidentiality will be minimized if the librarian personally retrieves the requested information and supplies it to the law enforcement agency. Otherwise, allowing the law enforcement agency to perform its own retrieval may compromise confidential information that is not subject to the current request.
Library policies protecting patron privacy and confidentiality are grounded in the profession’s ethical commitment to providing an atmosphere conducive to free intellectual inquiry. We must always remember that we have a unique and important contribution to make to society through this protection, and that as such we have a duty to make it a priority.
Are video or electronic surveillance cameras in libraries a violation of patron privacy?
Today’s sophisticated high-resolution surveillance equipment is capable of recording patron reading and viewing habits in ways that are as revealing as the written circulation records libraries routinely protect. When a library considers installing surveillance equipment, the administrative necessity of doing so must be weighed against the fact that most of the activity being recorded is innocent and harmless. Any records kept may be subject to FOI requests. Since any such personal information is sensitive and has the potential to be used inappropriately in the wrong hands, gathering surveillance data has serious implications for library management.
If the library decides surveillance is necessary, it is essential for the library to develop and enforce strong policies protecting patron privacy and confidentiality appropriate to managing the equipment, including routine destruction of the tapes in the briefest amount of time possible, or as soon as permitted by law.
What about security? Shouldn’t priority be given to the legitimate needs of security personnel who are responsible for protecting the physical safety of users and staff? And what about the needs of systems personnel to ensure security of computers and networks?
Those responsible for maintaining the security of the library, its users, staff, collections, computing equipment and networks all have a special obligation to recognize when they may be dealing with sensitive or private information. Like other staff whose jobs are not direct library service (custodians, guards, etc.), those with access to personally identifiable information or to users’ personal files need to be informed of library ethics and of job expectations that they will not abuse confidentiality.
It is the responsibility of library staff to destroy information in confidential or privacy protected records in order to protect it from unauthorized disclosure. Information that should be regularly purged or shredded includes personally identifiable information on library resource use, material circulation history, and security / surveillance tapes and logs. Libraries that use surveillance cameras should have written policies stating that the cameras are not to be used for anything else, to avoid “function creep.” If the cameras create any records, the library must recognize its responsibility to protect their confidentiality like any other library record. This is best accomplished by purging the records as soon as their purpose is served.
Won’t privacy policies create a situation that will protect illegal acts?
All libraries are advised to have in place Patron Behavior policies as well as Internet Use policies. In both instances it should be clearly stated that engaging in any illegal act will not be permitted. A possible policy statement could be:
Any activity or conduct that is in violation of federal, state, or local laws is strictly prohibited on library premises.
Clear evidence of illegal behavior is best referred to law enforcement who know the processes of investigation that protect the rights of the accused.
Should staff be instructed to monitor library use by patrons to determine inappropriate or illegal behavior?
Library Patron Behavior policies and Internet Use policies should clearly state that illegal activity is prohibited. Staff should be carefully trained to deal with any illegal patron behavior that is apparent to them or has been brought to their attention. General monitoring by staff of patron content or use of library materials and resources in any format is inappropriate in all instances with the exception of observation for the purposes of protecting library property. Patron Behavior and Internet Use policies should clearly state all of the steps to be taken by staff when illegal behavior or activity in violation of the above policies is observed. The steps in these guidelines will vary from library to library and should be determined locally. Once again, clear evidence of illegal behavior is best referred to law enforcement who know the processes of investigation that protect the rights of the accused.
Links to non-ALA sites have been provided because these sites may have information of interest. Neither the American Library Association nor the Office for Intellectual Freedom necessarily endorses the views expressed or the facts presented on these sites; and furthermore, ALA and OIF do not endorse any commercial products that may be advertised or available on these sites.