Privacy Tool Kit
II. PRIVACY POLICY
American Library Association Privacy Policies and Statements
The American Library Association has developed policies, guidelines, and resources to assist librarians in preserving privacy and confidentiality for library users.
Basic Statements
Library Bill of Rights (1948, amended 1961, 1980, reaffirmed 1996)
Freedom to Read Statement (1953; rev. 1972, 1991, 2000)
Code of Ethics (rev. 1995)
Freedom to View Statement (1990)
Library Principles for a Networked World (2003)
Privacy and Confidentiality Policies and Procedures
Policy on Confidentiality of Library Records (1971; rev. 1975, 1986)
Suggested Procedures for Implementing Policy on Confidentiality of Library Records (1983; rev. 1988)
Resolution on the Retention of Library Usage Records (2006)
Privacy: An Interpretation of the Library Bill of Rights (2002)
Questions and Answers on Privacy and Confidentiality (2003)
Privacy Resources for Librarians, Library Users, and Families (last updated 2002)
Guidelines for Developing a Library Privacy Policy (August 2003; rev. March 2005)
ALA Issues New Guidelines for Developing Library Privacy Policy (September 19, 2003)
Developing a Confidentiality Policy (from ALA, Intellectual Freedom Manual, 6th edition, Chicago, IL: American Library Association, Office for Intellectual Freedom, 2002:347-355)
Policy concerning Confidentiality of Personally Identifiable Information about Library Users (1991).
AASL Position Statement on the Confidentiality of Library Records (Rev. July 1999).
ALA Task Force on Privacy and Confidentiality in the Electronic Environment Final Report (July 2000).
The Children's Online Privacy Protection Act
Libraries and The Patriot Act Legislation
State Privacy Laws regarding Library Records
Policies and Statements about the Infringement of Users' Privacy Rights
Resolution on the USA Patriot Act and Related Measures That Infringe on the Rights of Library Users (January 2003)
Resolution on Security and Access to Government Information (June 25, 2003)
Resolution Reaffirming the Principles of Intellectual Freedom in the Aftermath of the Terrorist Attacks (January 23, 2002).
Resolution on the Terrorism Information Awareness Program (June 25, 2003)
The USA Patriot Act in the Library
Confidentiality and Coping with Law Enforcement Inquiries: Guidelines for the Library and its Staff (last updated 2004)
Guidelines for Librarians on the USA PATRIOT Act: What to do before, during and after a "knock at the door?" (January 19, 2002)
Terrorism Information and Prevention System (TIPS)
Statements of Other Library and Professional Associations
IFLA, "The Glasgow Declaration on Libraries, Information Services and Intellectual Freedom," (The Hague, Netherlands: IFLA, August 19, 2002).
IFLA, "The IFLA Internet Manifesto," (The Hague, Netherlands: IFLA, August 23, 2002).
Canadian Library Association, Citizenship Access to Information Data Banks - Right to Privacy, Approved by Executive Council ~ June, 1987.
ACM Code of Ethics and Professional Conduct, Adopted by ACM Council 10/16/92.
Software Engineering Code of Ethics and Professional Practice (IEEE)
Other Codes of Ethics for Computing and Information Sciences
Privacy Policy Guidelines and Model Policy
Guidelines for Developing a Library Privacy Policy, HTML Version (links to WORD and PDF versions)
Model Privacy Policy (August 2003; rev. March 2005)
Conducting a Privacy Audit
Conducting a Privacy Audit (August 2003)
Federal and State Privacy Laws and Policies; Freedom of Information Act; Court Orders
Federal Privacy Laws and Policies
Privacy Act of 1974
The Privacy Act of 1974, 5 U.S.C. § 552a (2000), was the first official Congressional statement about the importance of privacy, generally characterized as an omnibus "code of fair information practices" that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies. The Act provides safeguards against an invasion of privacy through the misuse of records by Federal agencies and allows a citizen to learn how records are collected, maintained, used, and disseminated by the Federal Government. The act also permits an individual to gain access to most personal information maintained by Federal agencies and to seek amendment of any inaccurate, incomplete, untimely, or irrelevant information.
Federal Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The main focus of FERPA is to define who can access student records. FERPA grants parents these rights until the child turns 18 years old or attends a school beyond the high school level. The Act spells out the conditions that allow schools to release records without consent to certain designated parties. Title V, section 507 of the USA PATRIOT Act amended FERPA by creating a new exception to the privacy protections.
Children's Online Privacy Protection Act (COPPA)
The Children's Online Privacy Protection Act of 1998 (COPPA) (15 U.S.C. § 6501; 16 CFR 312) requires commercial online content providers who either have actual knowledge that they are dealing with a child 12 or under or who aim their content at children to obtain verifiable parental consent before they can collect, archive, use, or resell any personal information pertaining to that child. In addition, the Act requires commercial Web sites and online services covered by COPPA to place their information collection, use and disclosure practices prominently on their Web site. The law also mandates that site operators allow parents to review and delete information about their children collected by the site.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, requires the adoption of national standards for electronic health care transactions and mandates the adoption of Federal privacy protections for individually identifiable health information. The new standards went into effect on April 14, 2003, outlining the responsibilities of health care providers and the rights of patients in providing access to individual health care information.
The Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act)
The Financial Modernization Act of 1999, Public Law 106-102, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions—such as credit reporting agencies—that receive customer information from other financial institutions.
Student and Exchange Visitors Information System (SEVIS)
The Student and Exchange Visitors Information System (SEVIS), administered by the Department of Homeland Security in partnership with the Department of State and the Department of Education, maintains updated information on approximately one million non-immigrant foreign students and exchange visitors during the course of their stay in the United States each year. Schools are now required to report when a foreign student fails to enroll or drops out of a program. Certain requirements imposed by the Family Educational Rights and Privacy Act (FERPA) are waived, and conditions for employment are specified.
The Electronic Communications Privacy Act of 1986 (ECPA)
The Electronic Communications Privacy Act (ECPA), Public Law 99-508, sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. The law, which covers various forms of wire and electronic communications, prohibits unlawful access and certain disclosures of communication contents and prevents government entities from requiring disclosure of electronic communications from a provider without proper procedure. ECPA was amended by Sections 209-212 and 216 of the USA PATRIOT Act.
Federal Trade Commission's Consumer Protection, Privacy Oversight
The Federal Trade Commission Consumer Protection Division, under Section 5 of the FTC Act, administers a privacy program in order to make sure that companies keep the promises they make to consumers about privacy and take precautions to secure consumers' personal information. The Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers' personal information.
Other Federal Privacy Legislation
Cable Communications Policy Act of 1984
Cable Television Consumer Protection and Competition Act of 1992 (PDF)
Communications Assistance to Law Enforcement Act (CALEA) of 1994
Digital Millennium Copyright Act of 1998
Do-Not-Call Implementation Act of 2003
Driver's Privacy Protection Act of 1994
E-Government Act of 2002 (Requires Federal Agencies to conduct privacy impact assessments)
The Enhanced Border Security and Visa Entry Reform Act of 2002
The Fair Credit Reporting Act (1970)
Foreign Intelligence Surveillance Act (FISA) (1978)
Illegal Immigration Reform and Immigrant Responsibility Act (IIRIRA) of 1996 [Requires that educational institutions collect data for the Student and Exchange Visitors Information System (SEVIS)]
Privacy Protection Act of 1980
Right to Financial Privacy Act (1978)
Telecommunications Act of 1996
Telephone Consumer Protection Act of 1991
Video Privacy Protection Act of 1988
For information on privacy-related legislation, see:
ALA Washington Office, Current Privacy Legislation
EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Bills
Thomas Legislative Information on the Internet
Pending Legislation Concerning the USA PATRIOT Act
State Privacy Laws and Policies
Forty-eight states and the District of Columbia have library privacy and confidentiality laws. The language varies from state to state. These laws take two forms: affirmative protection of privacy for individuals who use libraries, and exemptions of libraries from open records or freedom of information laws. Libraries are advised to rely on existing laws to control behavior that involves public safety or criminal behavior.
State Privacy Laws regarding Library Records
FOIA and Libraries
Identify Types of Requests (Court Orders, etc.)
Sample subpoena, trap/trace, preservation order, etc.
Sample National Security Letters (PDF)
Sample FISA (Section 215) Order for Business Records (PDF)
Sample Federal Search Warrants and Subpoenas (PDF)
Confidentiality and Coping with Law Enforcement Inquiries: Guidelines for the Library and its Staff
Confidentiality and Coping with Law Enforcement Inquiries: Guidelines for the Library and its Staff
Increased visits to libraries by law enforcement agents, including FBI agents and officers of state, county, and municipal police departments, are raising considerable concern among the public and the library community. These visits are not only a result of the increased surveillance and investigation prompted by the events of September 11, 2001 and the subsequent passage of the USA PATRIOT Act, but also a result of law enforcement officers investigating computer crimes, including e-mail threats and possible violations of the laws addressing online obscenity and child pornography. These guidelines, developed to assist libraries and library staff in dealing with law enforcement inquiries, rely upon the ALA's Policy on Confidentiality of Library Records, its Policy Concerning Confidentiality of Personally Identifiable Information about Library Users, and the Code of Ethics.
Links to non-ALA sites have been provided because these sites may have information of interest. Neither the American Library Association nor the Office for Intellectual Freedom necessarily endorses the views expressed or the facts presented on these sites; and furthermore, ALA and OIF do not endorse any commercial products that may be advertised or available on these sites.
Privacy Policy revised March 15, 2007
