This checklist is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines. It is an overview checklist that highlights general actions that are applicable across multiple guidelines. There are also specific checklists that libraries can consult for each guideline.
Priority 1 actions are actions that hopefully all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions may be more difficult for libraries to implement depending on their technical expertise, available resources, and organizational structure.
Priority 1 Actions
1. Create a policy that addresses the collection of patron information. Such a policy should specify that the library is not collecting more patron information than what it needs and that it is not keeping the personally identifiable information of patrons longer than what is necessary.
2. Destroy all paper records with user data, such as computer sign-in sheets.
3. Ensure all existing security certificates for HTTPS/SSL are valid and create a procedure for revalidating them annually.
4. Designate a Library Privacy Officer to handle requests for personally identifiable information of patrons from law enforcement officials and other third parties.
Priority 2 Actions
1. Ensure there is a formal process in place to address breaches of patron data directly under library control or maintained by third parties. The library should notify affected users when they become aware of a breach.
2. Encrypt all user data with secure algorithms in all network and application communications.
3. Purge search history records regularly, ideally when the individual computer session ends.
4. Purge circulation and interlibrary loan records when they are no longer needed for library operations. Any patron data that is kept for analysis should be anonymized or de-identified and have access restricted to authorized staff.
5. Utilize HTTPS wherever possible.
Priority 3 Actions
1. Publish and distribute flyers and/or web content for patrons that includes information on how to protect personally identifiable information and other data.
2. Publish and distribute flyers and/or web content for patrons about available software and alternative browsers and plugins to protect their privacy online and can be used in the library.
3. Publish and distribute flyers and/or web content about VPN services and/or Tor and patrons’ ability to use these systems on the library network.
4. Test compliance with these standards through a trusted third party service or individual.
2. How to Geek’s 5 Alternative Search Engines That Respect Your Privacy
5. EFF Surveillance Self Defence - Choosing the VPN That’s Right for You
6. EFF Surveillance Self Defence - Introduction to Threat Modeling
7. EFF Surveillance Self Defence - Keeping your Data Safe
8. EFF Surveillance Self Defence - Seven Steps to Digital Security
9. National Institute on Standards and Technology (NIST) Policy on Hash Functions
Approved January 21, 2017 by the Intellectual Freedom Committee