This checklist is intended to help all libraries take practical steps to improve privacy practices. It can help all libraries implement the principles laid out in the Library Privacy Guidelines for Library Websites, OPACs, and Discovery Services.
Priority 1 actions are steps all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions are as important as Priority 1 actions. They help protect user privacy, but may be more difficult for libraries to implement. This is because each library may or may not have the capacity to do Priority 2 or 3, depending on:
- differing technical expertise
- available resources
- organizational structure
Regardless of these factors, libraries can use Priority 2 and Priority 3 actions as talking points with third parties and vendors. These third parties and vendors may have the resources and expertise to help the library implement these actions.
Priority 1 Actions
- Provide links to third party privacy and terms of service pages for users when appropriate.
- Limit the amount of personal information collected about users. In general, the library or service provider should collect the minimum personal information required to provide a service or meet a specific operational need.
- Provide users with options as to how much information is collected from them and how it may be used. Users should have a choice about whether or not to opt-in to features and services that require the collection of personal information such as borrower history, reading lists, or favorite books.
- Configure services directly under library control to use the opt-in method whenever possible for features that involve the collection of personal information.
- Work with providers to configure external services to use the opt-in method whenever possible for features that involve the collection of personal information. This ability to opt-in should be an important criteria when the library decides to select or renew a service.
- Users should also have the ability to opt-out if they later change their minds and have the data collected during the opt-in phase be destroyed when possible.
- Establish procedures that restrict access to personal information to the user or appropriate library staff and conform to the applicable state laws addressing the confidentiality of library records as well as other applicable local, state, and federal law. Ideally these procedures are supported by technical measures such as role-based permissions for staff account.
Priority 2 Actions
- In the event of a data breach libraries should describe what steps are being taken to remedy the situation or mitigate the possible damage, and what steps users should take to protect themselves.
- Consider enacting canary warnings to notify users when information may have been subpoenaed through a court order.
- Evaluate the impact on user privacy of all third-party scripts and embedded content (e.g. cover images, ratings, reviews, etc.) that are included in a library website, OPAC, or discovery service.
- Avoid Flash-based plugins.
- Review any terms of service for scripts and embedded content, as they often allow the third party to harvest user activity data for their own purposes.
- Consider alternative solutions that better respect user privacy. For example, use Piwik for web analytics instead of Google Analytics.
- Do not retain in perpetuity any user activity data with personally identifiable information.
- Establish policies for how long to retain different types of data and methods for securely destroying data that is no longer needed.
- Retention policies should also cover archival copies and backups.
- Anonymize or de-identify user data stored for assessment or metrics. Anonymization provides better protection than de-identification.
- Anonymize reports and web analytics intended for wider distribution by removing or encrypting personally identifiable information.
- Provide users the ability to access their own personal information and evaluate its accuracy. Guidance on how the user can access their personal data and offer corrections if needed should be clear and easy to find.
- Ensure that all services directly under library control are secure.
- Stay aware of and remediate known exploits.
- Keep software and applications up-to-date.
- Monitor logs for intrusions and perform regular security audits.
- Perform regular backups and have a disaster recovery plan. Note that backups should be subject to your policy on data retention.
- Work with service providers to review contracts/licenses and if needed revise them so that they are in compliance with relevant legal regulations and library policy.
- Create an addendum to contracts regarding liability for data breaches that affect user privacy.
Priority 3 Actions
- Establish and maintain effective mechanisms to enforce library privacy policies. Conduct regular privacy audits to ensure that all operations and services comply with these policies.
- Encrypt all online transactions between client applications (web browsers, ebook readers, mobile apps, etc.) and server applications using modern, up-to-date security protocols for SSL/HTTPS. Communications between server applications and third-party service providers should be encrypted.
- Store user passwords using up-to-date best practices for encryption with a cryptographically secure hash.
- Ensure that any personally identifiable information and user data housed off site (cloud-based infrastructure, tape backups, etc.) uses encrypted storage.
- Explore the possibility of two-factor authentication and implement if possible.
NIST Guide to Protecting the Confidentiality of Personally Identifiable Information
How to Check if your Library is Leaking Catalog Searches to Amazon
A Visual Guide to Practical Data De-Identification
NISTIR 8053: De-Identification of Personal Information
Approved January 21, 2017 by the Intellectual Freedom Committee; revised January 26, 2020.