Library Privacy Guidelines for Data Exchange Between Networked Devices and Services
Machine-to-machine communications of data allow libraries to offer services such as self-checkout stations and patron account features in library catalogs. A typical scenario might be an application installed on a library management system that allows a client application to access patron data and perform transactions or information searches on behalf of a patron. Examples of protocols and APIs supported by many library management systems include SIP2, NCIP, Z39.50, SRU and SRW, and other Web services (see Glossary of Terms at the end of this document). Libraries must work to ensure that their procedures and practices for managing programmatic data communications reflect library ethics, policies, and legal obligations concerning user privacy and confidentiality.
These guidelines are issued to provide libraries with information about appropriate data management and security practices in respect to library patrons' personally identifiable information and data about their reading habits and use of library resources.
Why Privacy Is Important
Protecting user privacy and confidentiality has long been an integral part of the intellectual freedom mission of libraries. The right to free inquiry as assured by the First Amendment depends upon the ability to read and access information free from scrutiny by the government or other third parties. In their provision of services to library users, librarians have an ethical obligation, expressed in the ALA Code of Ethics, to preserve users' right to privacy. Librarians and libraries may also have a legal obligation to protect library users' personally identifiable information and data from unauthorized disclosure and use.
The use of data encryption helps enhance privacy protection. Data communications between client applications and server applications that may include patron information should be encrypted. Client-server applications that do not support encryption (such as SIP2) should be deployed over transports that perform encryption, such as virtual private networks (VPNs) or TLS or SSH tunnels. If a particular service or protocol is available over either encrypted or unencrypted connections (e.g., as can be the case with NCIP), the library should mandate the use of the encrypted configuration option.
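How a SIP2 client can refuse to speak except over a verified TLS channel, as an added Python example (not code from ALA or from any library system vendor). It assumes a TLS listener (for example an stunnel or reverse-proxy front end) in front of the library management system at the hypothetical host ils.example.org on port 6001; the host, the port, and the client-side policy check are all assumptions made for this illustration.

```python
"""Client-side TLS wrapping for a SIP2 session.

Added example, not code from ALA or any vendor.  SIP2 carries no encryption
of its own, so the client completes a verified TLS handshake with a TLS front
end in front of the ILS and only then sends SIP2 bytes.
"""
import socket
import ssl

SIP2_HOST = "ils.example.org"   # assumed: the library's TLS front end for SIP2
SIP2_PORT = 6001                # assumed: SIP2 has no standardized port


def build_sip2_tls_context(ca_file=None):
    """TLS 1.2 or newer only, server certificate verified against a trust store.

    ca_file: path to the library's internal CA bundle when the front end uses
    a private CA; None falls back to the system store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # certificate must name the host we dialed
    ctx.verify_mode = ssl.CERT_REQUIRED  # never accept an unverified server
    return ctx


def verify_context_policy(ctx):
    """Return the ways a context falls short of the policy above (empty = OK).

    Used as a startup self-check so a misconfigured client fails closed
    instead of silently sending patron data to an unauthenticated peer.
    """
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode!=CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname=False")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version<TLSv1_2")
    return problems


def weak_context_for_comparison():
    """The kind of context produced by switching verification off to 'make it
    work'; constructed here only to show what the policy check catches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_sip2(host=SIP2_HOST, port=SIP2_PORT, ca_file=None, timeout=10):
    """Open the TCP connection and finish the TLS handshake before any SIP2
    message is sent.  A front end that cannot prove its identity raises
    ssl.SSLCertVerificationError, so no patron data leaves the client."""
    ctx = build_sip2_tls_context(ca_file)
    problems = verify_context_policy(ctx)
    if problems:
        raise RuntimeError("refusing to connect: " + ", ".join(problems))
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def sip2_exchange(tls, request):
    """Send one CR-terminated SIP2 message and return the CR-terminated reply."""
    tls.sendall((request + "\r").encode("ascii"))
    reply = b""
    while not reply.endswith(b"\r"):
        chunk = tls.recv(4096)
        if not chunk:
            break
        reply += chunk
    return reply.decode("ascii")


if __name__ == "__main__":
    print("hardened context:", verify_context_policy(build_sip2_tls_context()) or "OK")
    print("weak context:", verify_context_policy(weak_context_for_comparison()))
    # Against a real front end: tls = connect_sip2()
    # then print(sip2_exchange(tls, "9900302.00"))   # SC Status request
```

The policy check matters more than the wrapper itself: a client that can be talked into `CERT_NONE` by a configuration change is no better than plaintext SIP2, since an attacker who can intercept the link can present any certificate. Running `verify_context_policy` at startup turns that misconfiguration into a visible failure.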
Server applications that allow programmatic data communications should limit access to authorized client applications. As a standard part of its data security measures, the library should monitor server applications to ensure that no unauthorized client applications have access to patron information.
Server applications that allow programmatic data communications should supply only the minimum of patron information required to fulfill the specific purpose for which that information is being made available to an authorized client application. For example, if a client application needs to verify that a set of credentials corresponds to a patron who has privileges at the library, that application may not need to be sent any contact or demographic information about that patron. The library should take advantage of available configuration options to enforce the principle of minimum disclosure.
The library should work with service and system providers to perform an audit that identifies what data is currently transmitted and retained, and under what circumstances, in order to ensure minimum disclosure going forward.
Retention of User Data
Server applications that provide programmatic data communications may create log files that contain patron information. The library should establish policies for how long to retain log files and methods for securely destroying data that is no longer needed. Retention policies should also cover archival copies and backups.
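The minimum-disclosure principle above and the log-file concern here rest on the same capability: knowing which fields of a message are patron data. The added Python example below (not ALA's code, nor any vendor's) parses constructed SIP2 patron status messages, filters a server reply down to the fields a stated purpose needs, and redacts names, contact details and passwords before a message is written to a log. The purpose profiles, the sample messages and the set of redacted fields are assumptions made for illustration; the field identifiers, header layouts and checksum rule follow common SIP2 usage.

```python
"""Minimum-disclosure filtering and log redaction for SIP2 messages.

Added example (not ALA's or any vendor's code).  Sample messages are
constructed.  Field IDs follow SIP2 usage: AA patron identifier, AE personal
name, BD home address, BE e-mail, BF home phone, AC/AD terminal and patron
passwords, BL/CQ valid-patron and valid-password flags, AF/AG screen/print.
"""

# Fixed-width header length after the two-character message ID.
# 23 Patron Status Request: language(3) + transaction date(18)
# 24 Patron Status Response: patron status(14) + language(3) + date(18)
# 64 Patron Information Response: as 24, plus six 4-digit item counts
FIXED_HEADER_LEN = {"23": 21, "24": 35, "64": 59}

# Fields a client may receive, keyed by the purpose its connection serves
# (assumed profiles).  A credential check needs the institution and the two
# validity flags only; it never needs name or contact fields.
DISCLOSURE_PROFILES = {
    "credential-check": {"AO", "BL", "CQ"},
    "self-checkout": {"AO", "AA", "BL", "CQ", "AF", "AG"},
}

# Values that must not reach a log file as written: names, contact details,
# passwords, and free-text lines that frequently embed a patron's name.
REDACT_FIELDS = {"AE", "BD", "BE", "BF", "AC", "AD", "AF", "AG"}

# Constructed samples: a terminal checking a patron's credentials, and a
# server reply that carries far more than the terminal needs.
DATE = "20160624    120000"
REQUEST_23 = "23" + "001" + DATE + "AOMAIN|AA21234567890|AC|ADs3cret|"
RESPONSE_24 = ("24" + " " * 14 + "001" + DATE + "AOMAIN|AA21234567890|"
               "AEJane Q. Patron|BEjane@example.org|BLY|CQY|AFWelcome, Jane|")


def parse_sip2(message):
    """Return (message_id, fixed_header, {field_id: value}).

    Variable fields are '|'-terminated and named by their first two
    characters; the first occurrence of a repeated field wins.  A trailing
    AY<seq>AZ<checksum> pair is dropped and recomputed on re-emission.
    """
    msg = message.rstrip("\r")
    msg_id = msg[:2]
    hdr_len = FIXED_HEADER_LEN.get(msg_id, 0)
    fields = {}
    for part in msg[2 + hdr_len:].split("|"):
        if len(part) < 2 or part.startswith("AY"):
            continue
        fields.setdefault(part[:2], part[2:])
    return msg_id, msg[2:2 + hdr_len], fields


def build_sip2(msg_id, fixed, fields, sequence=None):
    """Re-assemble a message.  With a sequence number, append the AY/AZ
    trailer: the 16-bit two's complement of the byte sum over everything
    up to and including 'AZ', written as four uppercase hex digits."""
    body = msg_id + fixed + "".join(f"{k}{v}|" for k, v in fields.items())
    if sequence is None:
        return body + "\r"
    body += f"AY{sequence}AZ"
    checksum = (-sum(body.encode("ascii"))) & 0xFFFF
    return f"{body}{checksum:04X}\r"


def checksum_ok(message):
    """Recompute and compare the AY/AZ checksum of a received message."""
    msg = message.rstrip("\r")
    idx = msg.rfind("AZ")
    if idx < 0:
        return False
    expected = (-sum(msg[:idx + 2].encode("ascii"))) & 0xFFFF
    return msg[idx + 2:] == f"{expected:04X}"


def minimize(message, purpose, sequence=None):
    """Server-side filter: emit only the fields the stated purpose needs."""
    allowed = DISCLOSURE_PROFILES[purpose]
    msg_id, fixed, fields = parse_sip2(message)
    kept = {k: v for k, v in fields.items() if k in allowed}
    return build_sip2(msg_id, fixed, kept, sequence)


def redact_for_log(message):
    """Make a message safe to log: blank PII and secrets, and keep only the
    last four characters of the patron identifier for troubleshooting."""
    msg_id, fixed, fields = parse_sip2(message)
    safe = {}
    for k, v in fields.items():
        if k in REDACT_FIELDS:
            safe[k] = "[redacted]"
        elif k == "AA":
            safe[k] = "*" * max(len(v) - 4, 0) + v[-4:]
        else:
            safe[k] = v
    return build_sip2(msg_id, fixed, safe)


if __name__ == "__main__":
    print(minimize(RESPONSE_24, "credential-check", sequence=1))
    print(redact_for_log(REQUEST_23))
    print(redact_for_log(RESPONSE_24))
```

Two design points carry over to any protocol, not just SIP2. First, the filter is an allow-list keyed by purpose, so a new field added by a vendor upgrade is withheld by default rather than leaked until someone notices. Second, redaction happens before the message reaches the logger, which means the retention policy for log files only has to govern data that was already reduced, and a backup or archive of those logs cannot resurrect names, addresses or passwords that were never written.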
Librarians and library technologists who participate in the design of new standards or application profiles for machine-to-machine communication protocols should advocate for standards that follow these guidelines.
[The Library Privacy Checklist for Data Exchange Between Networked Devices and Services is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in this guideline.]
Glossary of Terms
API - application programming interface is a set of routine definitions, protocols, and tools for building software and applications.
Client - a piece of computer hardware or software that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network.
NCIP - National Information Standards Organization Circulation Interchange Protocol is a protocol that is limited to the exchange of messages between and among computer-based applications to enable them to perform functions necessary to lend and borrow items, to provide controlled access to electronic resources, and to facilitate cooperative management of these functions.
SIP2 - Standard Interchange Protocol 2 is a proprietary standard for communication between library computer systems and self-service circulation terminals.
SRU - Search/Retrieve via URL is a standard search protocol for Internet search queries, utilizing Contextual Query Language (CQL), a standard query syntax for representing queries.
SRW - Search/Retrieve Web service is a web service for search and retrieval.
SSH tunnel - an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel.
Approved June 24, 2016 by the Intellectual Freedom Committee of the American Library Association