Libraries face a number of challenges in protecting the privacy of users, especially students in elementary, middle, and high schools. School libraries offer print, media, and online content to meet students’ educational and research needs as well as to nurture their intellectual curiosity and development. Students’ use of library resources is also incorporated into classroom activities, learning outcomes, and assessment.
School libraries typically are integrated into their district's administrative and technology infrastructures. Depending on district administration and outside cooperative technology or vendor agreements, school libraries have greater or lesser degrees of autonomy. A lack of autonomy may make it difficult for librarians to implement policies and procedures to protect student privacy in regard to the use of library systems, applications, and collections. In addition, state and federal laws regarding library records, educational records (e.g., the Family Educational Rights and Privacy Act (FERPA)), and the online activities of minors (e.g., the Child Online Privacy Protection Act (COPPA)) have both positive and negative impacts on the privacy rights of students. For example, FERPA defines explicit rights to privacy for students and minors but at the same time grants schools and parents access to, and oversight over, student records that weaken these privacy rights.
ALA issues these guidelines to provide school libraries with information about appropriate data management and security practices in respect to student use of library collections and resources in order to strengthen student privacy protections.
Why Privacy Is Important
Protecting user privacy and confidentiality has long been an integral part of the intellectual freedom mission of libraries. The right to free inquiry as assured by the First Amendment depends upon the ability to read and access information free from scrutiny by the government or other third parties. In their provision of services to library users, librarians have an ethical obligation, expressed in the ALA Code of Ethics, to preserve users' right to privacy. Librarians and libraries may also have a statutory or regulatory obligation to protect library users' personally identifiable information and data from unauthorized disclosure and use.
Students' and minors' First Amendment rights to free inquiry and privacy must be balanced against both the educational needs of the school and the rights of the parents. As students and minors mature, it is increasingly important that they are provided with opportunities to exercise their curiosity and develop their intellect free from the chilling effects of surveillance by educators, peers, parents, or commercial interests. As students begin to participate more fully in the online world, they must develop an appreciation for their own privacy and a corresponding respect for the privacy of others.
Clear Privacy Policies
It is important for libraries to develop privacy policies for student use of library resources that are adopted by both the library and the school’s policy-making body. Students should be notified about library privacy policies when borrowing materials or accessing resources for the first time and as appropriate when there is a change in services, policies, or access. Library privacy policies should be made easily available and understandable to students in an age-appropriate manner. Safeguarding user privacy requires that staff keep all in-library use and reference questions confidential and assure that there is no monitoring by staff or peers of what students are reading, viewing, or researching while in the library.
School librarians should conduct privacy audits to determine the current threats to student privacy and what protections are already in place. The audit should cover the library management system; computer and network use in the library; eBooks and other online content; interactive Web tools; social media; and other technologies such as scanners/photocopiers and surveillance cameras. The results of the audit can be used to help create or revise privacy policies.
Collection and Retention of User Data
Libraries should limit the amount of personal information collected about students. Libraries should collect the minimum amount of personal information required to provide a service or meet a specific operational need. Libraries should not build services or resources using sensitive personally identifiable information that, if leaked or accessed by an unauthorized party, could prove detrimental to the user's privacy.
Personally identifiable information should not be retained in perpetuity. The library should establish record retention policies specifying how long to retain different types of data and specifying methods for securely destroying data that is no longer needed. Retention policies should also cover archival copies and backups.
The use of data encryption helps enhance privacy protection. All online transactions between client applications (staff desktop clients, web browsers, mobile apps, etc.) and server applications should be encrypted. Client applications that do not support encryption (such as staff desktop clients) should employ virtual private network (VPN) technologies. In addition, any personally identifiable information and student data housed by the library or school off-site (cloud-based infrastructure, tape backups, etc.) should use encrypted storage.
Library privacy policies should define when school library records can be shared (and under what conditions) with parents or guardians, school staff and teachers, and third parties such as online service providers.
Federal laws such as FERPA and COPPA as well as state laws concerning the confidentiality of library and student records may impact if and how data is shared. Because of the broad leeway FERPA gives schools in using student data for internal educational purposes, librarians need to clearly distinguish among library records, educational records, and administrative records in order to provide explicit privacy rights in accordance with professional ethical obligations.
Agreements between school libraries and online service providers should address appropriate restrictions on the use, aggregation, retention, and dissemination of students' personally identifiable information. Agreements between libraries and service providers should also specify that libraries retain ownership of all data and that the service providers agree to observe the library's privacy policies, data retention policy, and security policies. In the event of a data breach, users whose data was compromised should be informed promptly (in the case of minors, the parents or guardians should be informed).
Many service providers have signed the Student Privacy Pledge which indicates a commitment to work in an ongoing fashion to meet and exceed all federal requirements to protect student data. Librarians should make participation in the Student Privacy Pledge a criterion when making purchasing decisions.
In addition, many states are passing legislation that restricts the collection and use of students' data by service providers (e.g. California’s Student Online Personal Information Protection Act – SOPIPA). Librarians should only contract with service providers that comply with applicable state laws.
Educational Technology Systems
Primary and secondary schools are adopting learning management systems and other technologies that enable educators to monitor student reading habits (e.g., did the student access/read the assigned eBook or online text?). As a result, school districts are co-opting librarians into surveillance regimes by adopting these types of technologies. Librarians need to advocate for protecting student library use in an age of ubiquitous data logging and surveillance technologies, including learning management systems.
Digital Literacy & Advocacy
School librarians have a responsibility to teach students about their privacy rights, practices they can use to protect themselves, ethical behavior online, and respect for the privacy of others. In addition to educating students, school librarians should become advocates for protecting student privacy and intellectual freedom in the larger school environment. Often school librarians are focused only on user privacy within the library to the detriment of larger privacy issues in their school and district context. Because of their professional training and ethical commitment, librarians are well-equipped to be privacy advocates outside of the school library.
[The Library Privacy Checklist for Students in K-12 Schools is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in this guideline.]
Privacy Technical Assistance Center, U.S. Department of Education
Intellectual Freedom Committee of the American Library Association
Spying on Students: School-Issued Devices and Student Privacy, Electronic Frontier Foundation
Student Data Principles, Data Quality Campaign and the Consortium for School Networking
Student Privacy Bill of Rights, Electronic Privacy Information Center
Student Privacy Pledge, Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA)
Students' and Minors' Privacy Resources, Choose Privacy Week, American Library Association
Approved April 2, 2016 by the Intellectual Freedom Committee of the American Library Association