Libraries publish information and provide services through websites, online public access catalogs (OPACs), and discovery services. The OPAC, often known simply as the library catalog, allows patrons to search the library's collections using a web-based user interface. A discovery service provides a single web-based user interface to search across multiple resources such as library catalogs, periodical databases, institutional repositories, and digital collections.
Library websites, OPACs, and discovery services may collect personal information about patrons for a variety of reasons including authentication, personalization, and user analytics. In addition, personal information is sometimes shared with third parties that provide content or other functionality for the website or service.
The hardware, applications, and data that comprise a website or service may be managed directly by the library; by a parent organization such as a local government, school, or consortium; by a vendor or service provider; or by some hybrid of shared responsibilities among multiple parties. Regardless of the management model, libraries must work to ensure that the websites, OPACs, and discovery services they offer reflect library ethics, policies, and legal obligations concerning user privacy and confidentiality.
These guidelines are issued to provide libraries with information about appropriate data management and security practices in respect to library patrons' personally identifiable information and data about their reading habits and use of library resources.
Why Privacy Is Important
Protecting user privacy and confidentiality has long been an integral part of the intellectual freedom mission of libraries. The right to free inquiry as assured by the First Amendment depends upon the ability to read and access information free from scrutiny by the government or other third parties. In their provision of services to library users, librarians have an ethical responsibility, expressed in the ALA Code of Ethics, to preserve users' right to privacy. Librarians and libraries may also have a legal obligation to protect library users' personally identifiable information and data from unauthorized disclosure and use.
Clear Privacy Policies
Users should be notified about library privacy policies when using a library website, OPAC, or discovery service. Library privacy policies should be made easily available and understandable to users in an accessible format. Safeguarding user privacy requires that individuals know what personally identifiable information is gathered about them, how long it is stored, who has access to it and under what conditions, and how it is used. A proactive process should be created to notify ongoing users of any changes to the library's privacy policies.
Personalization & User Consent
The library should give users options as to how much information is collected from them and how it may be used. Users should have a choice about whether or not to opt-in to features and services that require the collection of personal information. Users should also have the ability to opt-out if they later change their minds and have the data collected during the opt-in phase be destroyed when possible. For example if the discovery service offers the ability to save their search history, this should be an opt-in feature not turned on as a default.
Access to Personal Data
Users should have the right to access their own personal information and evaluate its accuracy. Verifying accuracy helps ensure that library services that rely on personally identifiable information can function properly. Guidance on how the user can access their personal data should be clear and easy to find.
Access to personal information should be restricted to the user or appropriate library staff and conform to the applicable state laws addressing the confidentiality of library records as well as other applicable local, state, and federal law.
All online transactions between client applications (web browsers, ebook readers, mobile apps, etc.) and server applications should be encrypted using modern, up-to-date security protocols for SSL/HTTPS. Communications between server applications and third-party service providers should be encrypted. User passwords should be stored using up-to-date best practices for encryption. In addition, any personally identifiable information and user data housed off site (cloud-based infrastructure, tape backups, etc.) should use encrypted storage.
It has become common practice for organizations to share data including personally identifiable information with third-parties, often unintentionally. Scripts and embedded content from a third-party that are placed on websites (sharing buttons, photo streams, videos, etc.) may allow that third party to track user behavior and share that data with other parties. However, most state statutes on the confidentiality of library records do not permit release of library patrons' personally identifiable information or data about their use of library resources and services without user consent or a court order. In addition, ALA policy forbids sharing of library patron information with third parties without user consent or a court order.
Libraries should carefully evaluate the impact on user privacy of all third-party scripts and embedded content that is included in their website, OPAC, or discovery service.
User Generated Content
Library websites, OPACs, and discovery services often allow patrons to create publicly shared content such as comments, ratings, recommendations, etc. The library will need to weigh the costs and benefits of requiring authentication (privacy implications if real identity is used) versus anonymous access (more difficult to prevent spam and other unacceptable use) in order to create shared content. In addition, tools that allow the creation of content may rely on third parties which may collect user data and share it with other parties.
Activity Data & Web Analytics
Libraries should limit the amount of personal information collected about users. Websites, OPACs, and discovery services collect and record data about user activity. Even for anonymous users (I.e. those that do not login to access personalization features) the activity data may include personally identifiable information. In general, the library should collect the minimum personal information required to provide a service or meet a specific operational need.
Access to reports that contain personally identifiable information should be restricted to appropriate library staff. Reports and web analytics intended for wider distribution should be anonymized by removing or encrypting personally identifiable information.
Careful consideration should be given before using a third party to collect web analytics (e.g. Google Analytics) since the terms of service often allow the third party to harvest user activity data for their own purposes.
User activity data with personally identifiable information should not be retained in perpetuity. The library should establish policies for how long to retain different types of data and methods for securely destroying data that is no longer needed. Retention policies should also cover archival copies and backups.
Library staff who manage the library's websites and services should receive training on the library's privacy policies and best practices for safeguarding patron privacy. Library staff that negotiate contracts with vendors that provide websites and services should also receive privacy training.
Libraries should establish and maintain effective mechanisms to enforce their privacy policies. They should conduct regular privacy audits to ensure that all operations and services comply with these policies. A library that suffers a violation in its privacy policies through inadvertent dissemination or data theft must notify the affected users about this urgent matter as soon as the library is aware of the data breach and describe what steps are being taken to remedy the situation or mitigate the possible damage.
[The Library Privacy Checklist for Library Websites, OPACs, and Discovery Services is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in this guideline.]
NISO Consensus Principles on User’s Digital Privacy in Library, Publisher, and Software-Provider Systems, National Information Standards Organization
Privacy: An Interpretation of the Library Bill of Rights, American Library Association
Privacy Toolkit, Intellectual Freedom Committee of the American Library Association
Approved June 24, 2016 by the Intellectual Freedom Committee of the American Library Association