Privacy Tool Kit
American Library Association Privacy Policies and Statements
The American Library Association has developed policies, guidelines, and resources to assist librarians in preserving privacy and confidentiality for library users.
Library Bill of Rights (1948, amended 1961, 1980, reaffirmed 1996)
Freedom to Read Statement (1953; rev. 1972, 1991, 2000)
Code of Ethics (rev. 1995)
Freedom to View Statement (1990)
Library Principles for a Networked World (2003)
Privacy and Confidentiality Policies and Procedures
Privacy Resources for Librarians, Library Users, and Families (last updated 2002)
AASL Position Statement on the Confidentiality of Library Records (Rev. July 1999).
Appendix addressing new technologies related to: Confidentiality of Library Records. Usage Tracking. Security Issues. Institutional Concerns and Developments. Library Practices. Commercial Applications
Policies and Statements about the Infringement of Users' Privacy Rights
Statements of Other Library and Professional Associations
IFLA, "The Glasgow Declaration on Libraries, Information Services and Intellectual Freedom," (The Hague, Netherlands: IFLA, August 19, 2002).
IFLA, "The IFLA Internet Manifesto," (The Hague, Netherlands: IFLA, August 23, 2002).
Canadian Library Association, Citizenship Access to Information Data Banks - Right to Privacy, Approved by Executive Council ~ June, 1987.
ACM Code of Ethics and Professional Conduct, Adopted by ACM Council 10/16/92.
Conducting a Privacy Audit
Conducting a Privacy Audit (August 2003)
Federal Privacy Laws and Policies
The Privacy Act of 1974, 5 U.S.C. § 552a (2000), was the first official Congressional statement about the importance of privacy, generally characterized as an omnibus "code of fair information practices" that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. The Act provides safeguards against an invasion of privacy through the misuse of records by Federal agencies and allows a citizen to learn how records are collected, maintained, used, and disseminated by the Federal Government. The act also permits an individual to gain access to most personal information maintained by Federal agencies and to seek amendment of any inaccurate, incomplete, untimely, or irrelevant information.
Federal Educational Rights and Privacy Act (FERPA): The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The main focus of FERPA is to define who can access student records. FERPA grants parents the rights until the child turns 18 years old or attends a school beyond the high school level. The Act spells out the conditions that allow schools to release records without consent to certain designated parties. Title V, section 507 of the USA PATRIOT Act amended FERPA by creating a new exception to the privacy protections.
Children's Online Privacy Protection Act (COPPA): The Children's Online Privacy Protection Act of 1998 (COPPA) (15 U.S.C. § 6501; 16 CFR 312) requires commercial online content providers who either have actual knowledge that they are dealing with a child 12 or under or who aim their content at children to obtain verifiable parental consent before they can collect, archive, use, or resell any personal information pertaining to that child. In addition, the Act requires commercial Web sites and online services covered by COPPA to place their information collection, use and disclosure practices prominently on their Web site. The law also mandates that site operators allow parents to review and delete information about their children collected by the site.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, requires the adoption of national standards for electronic health care transactions and mandates the adoption of Federal privacy protections for individually identifiable health information. The new standards went into effect on April 14, 2003, outlining the responsibilities of health care providers and the rights of patients in providing access to individual health care information.
The Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act): The Financial Modernization Act of 1999, Public Law 106-102, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions—such as credit reporting agencies—that receive customer information from other financial institutions.
Student and Exchange Visitors Information System (SEVIS): The Student and Exchange Visitors Information System (SEVIS), administered by the Department of Homeland Security in partnership with the Department of State and the Department of Education, maintains updated information on approximately one million non-immigrant foreign students and exchange visitors during the course of their stay in the United States each year. Schools are now required to report when a foreign student fails to enroll or drops out of a program. Certain requirements imposed by the Family Educational Rights and Privacy Act (FERPA) are waived and conditions for employment specified.
The Electronic Communications Privacy Act of 1986 (ECPA): Analysis - The Electronic Communications Privacy Act (ECPA), Public Law 99-508, sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. The law, which covers various forms of wire and electronic communications, prohibits unlawful access and certain disclosures of communication contents and prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure. ECPA was amended by Sections 209-212 and 216 of the USA PATRIOT Act.
Federal Trade Commission's Consumer Protection, Privacy Oversight: The Federal Trade Commission Consumer Protection Division, under Section 5 of the FTC Act, administers a privacy program in order to make sure that companies keep the promises they make to consumers about privacy and take precautions to secure consumers' personal information. The Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information.
Other Federal Privacy Legislation
Illegal Immigration Reform and Immigrant Responsibility Act (IIRIRA) of 1996 [Requires that educational institutions collect data for the Student and Exchange Visitors Information System (SEVIS)]
For information on privacy-related legislation, see:
State Privacy Laws and Policies
Forty-eight states and the District of Columbia have library privacy and confidentiality laws. The language varies from state to state. These laws take two forms: affirmative protection of privacy for individuals who use libraries, and exemptions of libraries from open records or freedom of information laws. Libraries are advised to rely on existing laws to control behavior that involves public safety or criminal behavior.
FOIA and Libraries
Identify Types of Requests (Court Orders, etc.)
Confidentiality and Coping with Law Enforcement Inquiries: Guidelines for the Library and its Staff
Increased visits to libraries by law enforcement agents, including FBI agents and officers of state, county, and municipal police departments, are raising considerable concern among the public and the library community. These visits are a result not only of the increased surveillance and investigation prompted by the events of September 11, 2001 and the subsequent passage of the Patriot Act, but also of law enforcement officers investigating computer crimes, including e-mail threats and possible violations of the laws addressing online obscenity and child pornography. These guidelines, developed to assist libraries and library staff in dealing with law enforcement inquiries, rely upon the ALA's Policy on Confidentiality of Library Records, its Policy Concerning Confidentiality of Personally Identifiable Information about Library Users, and the Code of Ethics.