Library Privacy Guidelines for Library Management Systems
Library management systems (LMS), also known as integrated library systems, are used by libraries to inventory collections and manage user records. The LMS stores personal information collected from patrons for a variety of reasons and maintains records of what items patrons borrow, the holds they place, and fines or fees they may incur. In addition, the LMS may share data with, or provide services to, other systems employed by the library, for example to provide authentication for online resources.
Libraries must work to ensure that their procedures and practices for managing the LMS reflect library ethics, policies, and legal obligations concerning user privacy and confidentiality. Agreements between libraries and vendors should specify that libraries retain ownership of all data; that the vendor agrees to observe the library's privacy, data retention, and security policies; and that the vendor agrees to bind any third parties it uses in delivering services to these policies as well.
These guidelines are issued by ALA to provide libraries using LMS with information about appropriate data management and security practices in respect to library patrons' personally identifiable information and data about their reading habits and use of library resources.
Why Privacy Is Important
Protecting user privacy and confidentiality has long been an integral part of the intellectual freedom mission of libraries. The right to free inquiry as assured by the First Amendment depends upon the ability to read and access information free from scrutiny by the government or other third parties. In their provision of services to library users, librarians have an ethical obligation, expressed in the ALA Code of Ethics, to preserve users' right to privacy. Librarians and libraries may also have a legal obligation to protect library users' personally identifiable information and data from unauthorized disclosure and use.
Clear Privacy Policies
Users should be notified about library privacy policies when registering for a library card or borrowing materials for the first time. Library privacy policies should be made easily available and understandable to users in an accessible format. Safeguarding user privacy requires that individuals know what personally identifiable information is gathered about them, how long it is stored, who has access to it and under what conditions, and how it is used. A proactive process should be created to notify ongoing users of any changes to the library's privacy policies.
The library should give users of the LMS options as to how much personally identifiable information is collected from them and how it may be used. Users should have a choice about whether or not to opt-in to features and services that require the collection of personal information. Users should also have the ability to opt-out if they later change their minds and have the data collected during the opt-in phase be destroyed when possible. For example, if the LMS offers the ability to save the checkout history, this should be an opt-in feature not turned on as a default.
Access to Personal Data
Users should have the right to access their own personal information and evaluate its accuracy. Verifying accuracy helps ensure that library services that rely on personally identifiable information can function properly. Guidance on how the user can access their personal data held in the LMS should be clear and easy to find.
Access to personal information should be restricted to the user or appropriate library staff and conform to the applicable state laws addressing the confidentiality of library records as well as other applicable local, state, and federal law. In addition, state and federal laws may give parents, guardians, and educators access to the library records of minors (see Library Privacy Guidelines for Students in K-12 Schools in the Additional Resources section below).
Collection & Retention of User Data
Libraries should limit the amount of personal information collected by the LMS about patrons. In general, the library should collect the minimum amount of personal information required to provide a service or meet a specific operational need. Library policies developed around the collection of personal information should also cover the use of any free-text note fields associated with the patron's record.
Personally identifiable information should not be retained in perpetuity. The library should establish policies for how long to retain different types of data and methods for securely destroying data that is no longer needed. For example, accounts that are expired or inactive for a certain amount of time should be purged. Retention policies should also cover archival copies and backups.
All online transactions between client applications (staff desktop clients, web browsers, mobile apps, etc.) and server applications should be encrypted using modern, up-to-date security protocols for SSL/HTTPS. Client applications that do not support encryption (such as staff desktop clients) should employ virtual private network (VPN) technologies.
In addition, any personally identifiable information and user data housed by the library off-site (cloud-based infrastructure, tape backups, etc.) should use encrypted storage.
PINs & Passwords
User personal identification numbers (PINs) and passwords stored in the LMS should be encrypted so that only the user has access to them, i.e., library staff cannot view them. This encryption should use up-to-date best practices. Currently, this means that passwords should be salted and hashed with a SHA-2 hash function, but library personnel responsible for password security should stay current on best practices. In addition, the LMS should provide users with the ability to set their PIN or password themselves without having to reveal it to library staff.
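As an added example (not part of the ALA guideline or any LMS vendor's code), the following Python shows the salted SHA-2 scheme described above in its iterated form, PBKDF2 with HMAC-SHA256, with a fresh random salt per user, a constant-time check, and a self-service PIN change that never exposes the PIN to staff. The iteration count, salt length and stored record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: PBKDF2 iteration count (tune upward as hardware improves)
# and salt length. These are illustration values, not figures from the guideline.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    The record holds a one-way digest, never the PIN or password itself, so staff
    with database access cannot read it. A fresh random salt per user means two
    patrons who chose the same PIN get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time.

    Any malformed or unrecognised record is treated as a failed check rather than
    raising, so a corrupted row cannot be turned into a bypass.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False

def patron_sets_pin(new_pin: str) -> str:
    """Self-service PIN change: the patron submits the PIN over the encrypted channel
    and only the hashed record is written, so it is never shown to staff.

    Caveat: a four-digit PIN has only 10,000 possible values. Salting and iteration
    slow down offline guessing but cannot make so short a secret strong, which is
    one reason to allow and encourage longer passwords.
    """
    return hash_secret(new_pin)
```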
Notifications & Reports
User notifications for holds, overdue items, and fines should contain minimal personal information, especially if sent through insecure communication (e.g. email, text message, postcards). Users could be encouraged to log in to a secure account for more details. If the LMS provides the ability to include notification history as part of the patron record, this should be offered as an opt-in feature for patrons and not turned on by default.
Access to LMS reports that contain personally identifiable information should be restricted to appropriate library staff. Reports intended for wider distribution should be anonymized by removing or encrypting personally identifiable information.
Libraries that combine patron information from the LMS with external demographic information for analytics should take measures to protect reader privacy. Aggregation and anonymization should be employed to help prevent the identification of reading habits and library usage with specific individuals. Because of the growing threat of reidentification techniques, access to anonymized data sets should still be restricted to appropriate users.
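The two preceding paragraphs call for reports with identifying information removed or encrypted and for aggregation that keeps individual readers from being picked out. As an added example (not the guideline's own material), this Python builds both from constructed circulation records: a row-level export in which patron ids are replaced by keyed HMAC tokens, and a summary report that suppresses any cell backed by fewer than k distinct patrons. The records, the report key and the threshold k are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, str, str]  # (patron_id, branch, material_type)

# Constructed sample circulation records, not real patron data.
SAMPLE_RECORDS: List[Record] = [
    ("P1001", "Central", "Book"), ("P1002", "Central", "Book"), ("P1003", "Central", "Book"),
    ("P1004", "Central", "Book"), ("P1005", "Central", "Book"), ("P1001", "Central", "Book"),
    ("P1001", "Central", "DVD"), ("P1002", "Central", "DVD"),
    ("P2001", "Eastside", "Book"), ("P2001", "Eastside", "Book"), ("P2001", "Eastside", "Book"),
    ("P2001", "Eastside", "Audiobook"), ("P2002", "Eastside", "Audiobook"),
    ("P2003", "Eastside", "Audiobook"), ("P2004", "Eastside", "Audiobook"),
    ("P2005", "Eastside", "Audiobook"),
]

# Assumed report key: held by the library, rotated per reporting period, never shipped with the report.
REPORT_KEY = b"constructed-report-key-do-not-reuse"

def pseudonymize(patron_id: str, key: bytes) -> str:
    """Replace a patron id with a keyed token (HMAC-SHA256, truncated to 16 hex chars).

    An unkeyed hash would not do: card numbers come from a small, guessable space,
    so the id-to-hash table could simply be rebuilt. Without the key the token
    cannot be mapped back, yet rows for one patron still join within a report.
    """
    return hmac.new(key, patron_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def pseudonymous_export(records: List[Record], key: bytes) -> List[Record]:
    """Row-level export for analysts with the identifying column replaced."""
    return [(pseudonymize(pid, key), branch, mtype) for pid, branch, mtype in records]

def aggregate_report(records: List[Record], k: int = 5) -> Dict[Tuple[str, str], Optional[int]]:
    """Checkout counts per (branch, material type) with small cells suppressed.

    A cell backed by fewer than k distinct patrons is reported as None: a low
    count is exactly what lets one reader's habits be read off the totals.
    """
    checkouts: Dict[Tuple[str, str], int] = defaultdict(int)
    patrons: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for pid, branch, mtype in records:
        checkouts[(branch, mtype)] += 1
        patrons[(branch, mtype)].add(pid)
    return {cell: (n if len(patrons[cell]) >= k else None) for cell, n in checkouts.items()}
```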
It has become common practice for organizations to share data, including personally identifiable information, with third parties. However, most state statutes on the confidentiality of library records do not permit release of library patrons' personally identifiable information or data about their use of library resources and services without user consent or a court order, although some state library confidentiality statutes permit sharing this data with parents or guardians of minors. In addition, ALA policy forbids sharing of library patron information with third parties without user consent or a court order.
The library should develop and implement procedures for dealing with government and law enforcement requests for library patrons' personally identifiable information and use data held within the LMS. The library should consider a government or law enforcement request only if it is issued by a court of competent jurisdiction that shows good cause and is in proper form. The library should also inform users through its privacy policies about the legal conditions under which it might be required to release personally identifiable information.
The library could consider publishing a warrant canary notice to inform users that they have not been served with a secret government subpoena or national security letter. If a canary notice is not updated or it is removed, users can assume that a subpoena or national security letter has been served (see Canary Warrants Frequently Asked Questions in the Additional Resources section below).
Library staff who have access to patron data in the LMS should receive training on the library's privacy policies and best practices for safeguarding patron privacy.
Libraries should establish and maintain effective mechanisms to enforce their privacy policies. They should conduct regular privacy audits to ensure that all operations and services comply with these policies. A library that suffers a violation in its privacy policies through inadvertent dissemination or data theft must notify the affected users about this urgent matter as soon as the library is aware of the data breach and describe what steps are being taken to remedy the situation or mitigate the possible damage.
[The Library Privacy Checklist for Library Management Systems/Integrated Library Systems is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in this guideline.]
Additional Resources
Canary Warrants Frequently Asked Questions, Electronic Frontier Foundation
Library Privacy Guidelines for Students in K-12 Schools, Intellectual Freedom Committee of the American Library Association
NISO Consensus Principles on User’s Digital Privacy in Library, Publisher, and Software-Provider Systems, National Information Standards Organization
Privacy Toolkit, Intellectual Freedom Committee of the American Library Association
Approved June 24, 2016 by the Intellectual Freedom Committee of the American Library Association