Library Privacy Checklist for Vendors

This checklist is intended to help libraries and vendors of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines for Vendors.

This checklist is intended to help all libraries take practical steps to improve privacy practices. It can help all libraries implement the principles laid out in the Library Privacy Guidelines for Vendors.

Priority 1 actions are steps all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions are as important as Priority 1 actions. They help protect user privacy, but may be more difficult for libraries to implement. This is because each library may or may not have the capacity to do Priority 2 or 3, depending on:

  • differing technical expertise
  • available resources
  • organizational structure

Regardless of these factors, libraries can use Priority 2 and Priority 3 actions as talking points with third parties and vendors. These third parties and vendors may have the resources and expertise to help the library implement these actions.

Priority 1 Actions

1. Educate and assist users in managing their privacy when using vendor products and services. Suggested courses of action include:

a. Recommending settings for personal accounts on vendor websites.

b. Explaining privacy settings and how to remove the application and any associated stored data.

c. Explaining how to contact the vendor for additional details or actions as needed.

d. Describing tradeoffs on features versus privacy.

2. Establish privacy policies that are simple and easy to find.

3. Hold regular staff training on privacy laws and library ethics.

4. Review and follow cybersecurity standards published by organizations such as the National Institute of Standards and Technology on a regular schedule.

5. Consult with legal counsel to ensure compliance with federal and state privacy laws.

6. Vendors should encrypt all user data in transit and at rest.

7. Only collect, process, retain, or disclose user data sufficient for a specific process or task.

8. House all physical user data securely and limit access to only those who are authorized.

9. Establish and refresh policies for how long to retain different types of data and detail what methods to use to securely and frequently destroy data that is no longer needed.

10. Share library privacy practices with vendors during the purchasing process.

11. Vendors should explain their procedures for handling a request from law enforcement and notify libraries when these requests are made.

12. Inquire how a vendor handles data breaches and ensure there is a procedure for notifying users in case of a breach.

13. Vendors should give notification to libraries if the company is sold, providing instructions on how users can delete their data.

Priority 2 Actions

  1. Conduct regular privacy audits.
  2. Remind users regularly to check their privacy permissions and give them an opportunity to modify settings or continue consent.
  3. Include privacy requirements during bidding or purchasing process.
  4. Specify in all contracts and agreements with vendors that the library retains ownership of all user data.
  5. Include sections in contracts or agreements that include details on the aggregation, retention, and disclosure of user data.
  6. Libraries should expect vendors to follow library privacy, data retention, and security policies.
  7. Vendors should share data recovery, media recycling, and business continuity plans with libraries.
  8. Create procedures for identifying and producing user personally identifiable information upon request.
  9. Delete users’ personally identifiable information upon request , not just hide it from view.
  10. Vendor systems should default to allow users to opt-in to any data collection that is not essential to library operations.
  11. Libraries should gain a user’s explicit informed consent before utilizing any profiling or customer relationship management tools or non-aggregated data analytics software.
  12. Deidentify data used in analytics software by removing personally identifiable information.

Priority 3 Actions

  1. Libraries should include easily discoverable links to the privacy policies of the vendors they contract with on their website.
  2. Vendors should explain the entire user data lifecycle of their product or service, preferably during the sales process.
  3. Vendors should train sales representatives on how to answer privacy and security questions.
  4. If a vendor’s system integrates with an additional third party, the privacy and security policies in place should ensure confidentiality between the systems.
  5. Work with vendors to ensure personally identifiable library user data is deleted from the vendor's systems when not renewing a service or product. Libraries should ask for third-party verification of deletion.

This checklist details the practical steps libraries can take to implement the Library Privacy Guidelines for Vendors.

Approved January 21, 2017 by the Intellectual Freedom Committee; revised January 26, 2020 and November 16, 2020.