This checklist is intended to help libraries and vendors of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines for Vendors.
Priority 1 actions all libraries and vendors can take to improve privacy practices. Priority 2 and Priority 3 actions are in addition to Priority 1 and may be more difficult for libraries or vendors to implement depending on their technical expertise, available resources, and organizational structure.
Priority 1 Actions
1. Educate and assist users in managing their privacy when using vendor products and services. Suggested courses of action include:
a. Recommending settings for personal accounts on vendor websites.
b. Explaining privacy settings and how to remove the application and any associated stored data.
c. Explaining how to contact the vendor for additional details or actions as needed.
d. Describing tradeoffs on features versus privacy.
2. Establish privacy policies that are simple and easy to find.
3. Hold regular staff training on privacy laws and library ethics.
4. Review and follow cybersecurity standards published by organizations such as the National Institute of Standards and Technology on a regular schedule.
5. Consult with legal counsel to ensure compliance with federal and state privacy laws.
6. Vendors should encrypt all user data in transit and at rest.
7. Only collect, process, retain, or disclose user data sufficient for a specific process or task.
8. House all physical user data securely and limit access to only those who are authorized.
9. Establish and refresh policies for how long to retain different types of data and detail what methods to use to securely and frequently destroy data that is no longer needed.
10. Share library privacy practices with vendors during the purchasing process.
11. Vendors should explain their procedures for handling a request from law enforcement and notify libraries when these requests are made.
12. Inquire how a vendor handles data breaches and ensure there is a procedure for notifying users in case of a breach.
13. Vendors should give notification to libraries if the company is sold, providing instructions on how users can delete their data.
Priority 2 Actions
1. Conduct regular privacy audits.
2. Remind users regularly to check their privacy permissions and give them an opportunity to modify settings or continue consent.
3. Include privacy requirements during bidding or purchasing process.
4. Specify in all contracts and agreements with vendors that the library retains ownership of all user data.
5. Include sections in contracts or agreements that include details on the aggregation, retention, and disclosure of user data.
6. Libraries should expect vendors to follow library privacy, data retention, and security policies.
7. Vendors should share data recovery, media recycling, and business continuity plans with libraries.
8. Create procedures for identifying and producing user personally identifiable information upon request.
9. Delete users’ personally identifiable information upon request , not just hide it from view.
10. Vendor systems should default to allow users to opt-in to any data collection that is not essential to library operations.
11. Libraries should gain a user’s explicit informed consent before utilizing any profiling or customer relationship management tools or non-aggregated data analytics software.
12. Deidentify data used in analytics software by removing personally identifiable information.
Priority 3 Actions
1. Libraries should include easily discoverable links to the privacy policies of the vendors they contract with on their website.
2. Vendors should explain the entire user data lifecycle of their product or service, preferably during the sales process.
3. Vendors should train sales representatives on how to answer privacy and security questions.
4. If a vendor’s system integrates with an additional third party, the privacy and security policies in place should ensure confidentiality between the systems.
5. Work with vendors to ensure personally identifiable library user data is deleted from the vendor's systems when not renewing a service or product. Libraries should ask for third-party verification of deletion.
Approved January 21, 2017 by the Intellectual Freedom Committee; revised January 26, 2020 and November 16, 2020.