Library Privacy Checklist - Overview

This checklist is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines.  It is an overview checklist that highlights general actions that are applicable across multiple guidelines.  There are also specific checklists that libraries can consult for each guideline.

Priority 1 actions are actions that hopefully all libraries can take to improve privacy practices.  Priority 2 and Priority 3 actions may be more difficult for libraries to implement depending on their technical expertise, available resources, and organizational structure.

Priority 1 Actions

1.      Create a policy that addresses the collection of patron information.  Such a policy should specify that the library is not collecting more patron information than what it needs and that it is not keeping the personally identifiable information of patrons longer than what is necessary.

a.       Create a privacy policy that is understandable by a layperson.

b.      Make sure the privacy policy is posted in the library where the public can see it.

c.       Ensure that the privacy policy includes information about what information the library is tracking, why, and for how long the data is kept.

d.      Ensure that the privacy policy includes when patron information can be shared and under what conditions.

2.      Destroy all paper records with user data, such as computer sign-in sheets.

3.      Ensure all existing security certificates for HTTPS/SSL are valid and create a procedure for revalidating them annually.

4.      Designate a Library Privacy Officer to handle requests for personally identifiable information of patrons from law enforcement officials and other third parties.

 

Priority 2 Actions

1.      Ensure there is a formal process in place to address breaches of patron data directly under library control or maintained by third parties.  The library should notify affected users when they become aware of a breach.

2.      Encrypt all user data with secure algorithms in all network and application communications.

3.      Purge search history records regularly, ideally when the individual computer session ends.

4.      Purge circulation and interlibrary loan records when they are no longer needed for library operations.  Any patron data that is kept for analysis should be anonymized or de-identified and have access restricted to authorized staff.

5.      Utilize HTTPS wherever possible.

6.      Ensure that the privacy policy is updated often and schedule regular times for its review.

 

Priority 3 Actions

1.      Publish and distribute flyers and/or web content for patrons that includes information on how to protect personally identifiable information and other data.

2.      Publish and distribute flyers and/or web content for patrons about available software and alternative browsers and plugins to protect their privacy online and can be used in the library.

3.      Publish and distribute flyers and/or web content about VPN services and/or Tor and patrons’ ability to use these systems on the library network.

4.      Test compliance with these standards through a trusted third party service or individual.


Resources

1.      ALA’s Guidelines for Developing a Library Privacy Policy

2.      How to Geek’s 5 Alternative Search Engines That Respect Your Privacy

3.      ALA’s Library Bill of Rights

4.      ALA’s Privacy Toolkit

5.      EFF Surveillance Self Defence - Choosing the VPN That’s Right for You

6.      EFF Surveillance Self Defence - Introduction to Threat Modeling

7.      EFF Surveillance Self Defence - Keeping your Data Safe

8.      EFF Surveillance Self Defence - Seven Steps to Digital Security

9.     National Institute on Standards and Technology (NIST) Policy on Hash Functions

Approved January 21, 2017 by the Intellectual Freedom Committee