Implementation of Privacy Policies and Procedures
Responsibilities of Governance Bodies/Policy Makers
- Be informed about issues relating to library patron and user privacy and confidentiality, including those specific to minors.
- Be aware of applicable federal, state and local laws and regulations.
- Adopt appropriate policies related to patron privacy and library record confidentiality.
- Understand the library's or educational institution’s plan for routine and crisis communication.
- Be knowledgeable about techniques for dealing with the media.
Responsibilities of Directors/supervisors
- Remain informed regarding issues relating to library patron and user privacy and confidentiality including K-12 students and minors in other library settings.
- Be knowledgeable about applicable federal, state and local laws and regulations.
- Inform and educate policy making bodies regarding relevant professional, ethical and legal issues related to patron privacy.
- Recommend privacy and confidentiality policies to policy makers consistent with professional core values, the Code of Ethics, and applicable law.
- Ensure all contracts with ILS (integrated library system) and other vendors are consistent and compliant with the library's privacy policies.
- Ensure that contracts for fee-based databases offer anonymous searching.
- Conduct privacy audits to review and evaluate current policies, practices, and procedures.
- Identify the type and nature of all records and files containing library patron and user personally identifiable information.
- Develop guidelines and procedures in support of policies:
- Define patron privacy and confidentiality.
- Incorporate privacy issues and protections into relevant library policies.
- Establish a schedule for the retention of records and files containing library patron and user personally identifiable information.
- Create a chart of the library's organizational hierarchy, indicating:
- Chain of command.
- Staff members authorized to respond to requests for patron or user personally identifiable information.
- Define and describe the type and nature of requests for personally identifiable information:
- Informal requests for patron records
Determine the circumstances under which, the manner of and extent to which patron and user personally identifiable information may be disclosed in person, over the phone or electronically. In school and academic libraries, be mindful of the guidelines under the Family Educational Rights and Privacy Act (FERPA) for release of student library records.
- Law enforcement requests for patron records
Detail the specific steps staff should follow in responding to investigatory requests for patron and user personally identifiable information from:
-Local and state agencies
-Federal agencies including FISA/PATRIOT Act requests/orders
- Write a ready-reference card with a clear and concise description of the library's privacy policies.
- Designate a library staff member to serve as the Library Privacy Officer who will:
- Monitor news and information about privacy issues.
- Train library staff on privacy and confidentiality issues, policies, and procedures:
Specify the staff response process to public, media, or law enforcement requests for library patron and user personally identifiable information.
- Develop a routine crisis communication plan in relation to privacy practices and privacy inquiries.
- Designate a library or educational institution spokesperson(s).
- Educate the public as well as the school board, school administrators, teachers, students, and parents about issues of library privacy and confidentiality and the library's policies, practices and procedures.
- Maintain contact with local, regional and national affinity organizations.
- Forge alliances with community groups.
Responsibilities of Staff
- Maintain privacy and confidentiality when assisting library patrons and users taking special care with minors.
- Discuss matters of library patron and user personally identifiable information with other staff only in non-public areas and when necessary for operational purposes.
- Refer all requests for access to, or view of, non-public computers, files or records to a library or school district administrator.
- Keep confidential the source of any request or the nature of the information requested.
Responsibilities of Information Technology Services Staff
- When considering emerging technologies, write a viable technology plan which can evolve with third party vendor updates yet remain firm in protecting patron privacy
- Consider patron privacy in any RFP (Request for Proposal) bid, query, service or project.
- Ensure all contracts with ILS (integrated library system) and other vendors are consistent and compliant with the library's policies
- Ensure ITS staff understand patron rights to privacy and confidentiality remains critical when transitioning to a virtual environment or purchasing new software
- Prominently post or articulate to the patron any instance where patron privacy is no longer being maintained by the library system (eg: leaving the library’s website to enter a third party database)
- When evaluating technology, ask whether it has been successful in protecting patron privacy or were there loopholes in breaching privacy which may require attention.