Library Privacy Checklist for Library Websites, OPACs, and Discovery Services


This checklist is intended to help libraries of all capacities take practical steps to implement the principles laid out in the Library Privacy Guidelines for Library Websites, OPACs, and Discovery Services.

Priority 1 actions are those that hopefully all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions may be more difficult for libraries to implement depending on their technical expertise, available resources, and organizational structure.

Priority 1 Actions

  1. Establish a library privacy policy which includes data privacy and security policies based on legal regulations and professional/industry standards.
    1. Ensure that the privacy policy is readily available, in easy-to-understand language, to users of a library website, social media site, OPAC, or discovery service.
    2. Provide links to third-party privacy and terms of service pages for users when appropriate.
  2. Limit the amount of personal information collected about users. In general, the library or service provider should collect the minimum personal information required to provide a service or meet a specific operational need.
  3. Provide users with options as to how much information is collected from them and how it may be used. Users should have a choice about whether or not to opt-in to features and services that require the collection of personal information such as borrower history, reading lists, or favorite books.
    1. Configure services directly under library control to use the opt-in method whenever possible for features that involve the collection of personal information.
    2. Work with providers to configure external services to use the opt-in method whenever possible for features that involve the collection of personal information. The ability to opt in should be an important criterion when the library decides to select or renew a service.
    3. Users should also be able to opt out if they later change their minds, and to have the data collected during the opt-in phase destroyed when possible.
  4. Establish procedures that restrict access to personal information to the user or appropriate library staff and conform to the applicable state laws addressing the confidentiality of library records as well as other applicable local, state, and federal law. Ideally these procedures are supported by technical measures such as role-based permissions for staff accounts.
  5. Provide training to library staff who manage the library's websites, OPACs, and discovery services on the library's privacy policy and best practices for safeguarding patron privacy. Library staff who negotiate contracts with vendors that provide websites and services should also receive privacy training.

Priority 2 Actions

  1. Create a proactive process to notify current users of any changes to the library's privacy policy or of any violations of user privacy through inadvertent dissemination or data theft.
    1. In the event of a data breach, libraries should describe what steps are being taken to remedy the situation or mitigate the possible damage, and what steps patrons should take to protect themselves.
    2. Consider adopting a warrant canary to notify patrons when information may have been subpoenaed through a court order.
  2. Evaluate the impact on user privacy of all third-party scripts and embedded content (e.g. cover images, ratings, reviews, etc.) that are included in a library website, OPAC, or discovery service.
    1. Limit the use of third-party JavaScript on library sites.
    2. Avoid Flash-based plugins.
    3. Review any terms of service for scripts and embedded content, as they often allow the third party to harvest user activity data for their own purposes.
    4. Consider alternative solutions that better respect user privacy.  For example, use Piwik for web analytics instead of Google Analytics.
  3. Do not retain in perpetuity any user activity data with personally identifiable information.
    1. Establish policies for how long to retain different types of data and methods for securely destroying data that is no longer needed.
    2. Retention policies should also cover archival copies and backups.
    3. Anonymize or de-identify user data stored for assessment or metrics. Anonymization provides better protection than de-identification.
    4. Anonymize reports and web analytics intended for wider distribution by removing or encrypting personally identifiable information.
  4. Provide users the ability to access their own personal information and evaluate its accuracy. Guidance on how the user can access their personal data and offer corrections if needed should be clear and easy to find.
  5. Ensure that all services directly under library control are secure.
    1. Stay aware of and remediate known vulnerabilities and exploits.
    2. Keep software and applications up-to-date.
    3. Monitor logs for intrusions and perform regular security audits.
    4. Perform regular backups and have a disaster recovery plan.  Note that backups should be subject to your policy on data retention.
  6. Work with service providers to review contracts and licenses and, if needed, revise them so that they comply with relevant legal regulations and library policy.
    1. Create an addendum to contracts regarding liability for data breaches that affect user privacy.
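Item 2 above asks for every third-party script and embedded resource to be evaluated. The following is an added example, not part of the checklist or any vendor's code: it parses a catalog record page (a constructed sample, with made-up hosts) and lists each resource that the browser would fetch from a host other than the library's own, together with the URL parameters that would be disclosed to that host.

```python
# Added example (not from the ALA checklist): inventory every resource an OPAC or
# discovery page loads from another host, so each can be evaluated against policy.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Tag/attribute pairs that make the browser fetch from (and so disclose activity to) a host.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
LOADING_LINK_RELS = {"stylesheet", "preload", "prefetch"}  # other <link> rels are not fetched

class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every element that triggers a network request."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and not LOADING_LINK_RELS & set((a.get("rel") or "").lower().split()):
            return
        if a.get(attr):
            self.urls.append((tag, a[attr]))

def audit_third_party(html, first_party_host):
    """Return [(tag, host, url, query_params)] for each resource served by another host.
    query_params lists the URL parameter names; on catalog pages these often carry the
    ISBN or search terms of the record being viewed (the 'leaking searches' problem)."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        host = parts.netloc.lower()
        if not host:  # relative URL: served by the library itself
            continue
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        findings.append((tag, host, url, sorted(parse_qs(parts.query))))
    return findings

# Constructed sample record page (hosts are made up): cover image, analytics script
# and review widget are loaded from outside the library's own domain.
SAMPLE_RECORD_PAGE = """<html><head>
<link rel="stylesheet" href="/static/opac.css">
<script src="https://analytics.vendor.example/tracker.js"></script>
</head><body><img src="/images/logo.png">
<img src="https://covers.bookseller.example/cover?isbn=9780000000000&amp;size=m">
<iframe src="https://reviews.vendor.example/widget?title=Quiet+Reading"></iframe>
</body></html>"""
```

Running `audit_third_party(SAMPLE_RECORD_PAGE, "catalog.library.example")` reports the analytics script, the cover image (which discloses the ISBN) and the review widget (which discloses the title); the stylesheet and logo are first-party and are not listed.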

Priority 3 Actions

  1. Establish and maintain effective mechanisms to enforce library privacy policies. Conduct regular privacy audits to ensure that all operations and services comply with these policies.
  2. Encrypt all online transactions between client applications (web browsers, ebook readers, mobile apps, etc.) and server applications using modern, up-to-date TLS/HTTPS protocol versions. Communications between server applications and third-party service providers should also be encrypted.
  3. Store user passwords only as salted hashes produced by a cryptographically secure password hashing function, following up-to-date best practices rather than reversible encryption.
  4. Ensure that any personally identifiable information and user data housed off site (cloud-based infrastructure, tape backups, etc.) uses encrypted storage.
  5. Explore the possibility of two-factor authentication and implement if possible.

Resources

Sample Privacy Policy – New York Public Library

NIST Guide to Protecting the Confidentiality of Personally Identifiable Information

HTTPS Everywhere

Let’s Encrypt

How to Check if your Library is Leaking Catalog Searches to Amazon

Warrant Canary

A Visual Guide to Practical Data De-Identification

NISTIR 8053: De-Identification of Personal Information

Password Storage Cheatsheet

Approved January 21, 2017 by the Intellectual Freedom Committee