Library Privacy Checklist - Overview
This checklist is intended to help all libraries take practical steps to improve privacy practices. It can help all libraries implement the principles laid out in the Library Privacy Guidelines.
Priority 1 actions are steps all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions are as important as Priority 1 actions. They help protect user privacy, but may be more difficult for libraries to implement. This is because each library may or may not have the capacity to do Priority 2 or 3, depending on:
- differing technical expertise
- available resources
- organizational structure
Regardless of these factors, libraries can use Priority 2 and Priority 3 actions as talking points with third parties and vendors. These third parties and vendors may have the resources and expertise to help the library implement these actions.
Priority 1 Actions
- Create a policy that addresses the collection of user information. Such a policy should specify that the library is not collecting more user information than what it needs and that it is not keeping the personally identifiable information of users longer than what is necessary.
- Create a privacy policy that is understandable by a layperson.
- Make sure the privacy policy is posted in the library where the public can see it.
- Ensure that the privacy policy includes information about what information the library is tracking, why, and for how long the data is kept.
- Ensure that the privacy policy includes when user information can be shared and under what conditions.
- Destroy all paper records with user data, such as computer sign-in sheets.
- Ensure all existing security certificates for HTTPS/SSL are valid and create a procedure for revalidating them annually.
- Designate a Library Privacy Officer to handle requests for personally identifiable information of users from law enforcement officials and other third parties.
Priority 2 Actions
- Ensure there is a formal process in place to address breaches of user data directly under library control or maintained by third parties. The library should notify affected users when they become aware of a breach.
- Encrypt all user data with secure algorithms in all network and application communications.
- Purge search history records regularly, ideally when the individual computer session ends.
- Purge circulation and interlibrary loan records when they are no longer needed for library operations. Any user data that is kept for analysis should be anonymized or de-identified and have access restricted to authorized staff.
- Utilize HTTPS wherever possible.
- Ensure that the privacy policy is updated often and schedule regular times for its review.
Priority 3 Actions
- Publish and distribute flyers and/or web content for users that includes information on how to protect personally identifiable information and other data.
- Publish and distribute flyers and/or web content for users about available software and alternative browsers and plugins to protect their privacy online and can be used in the library.
- Publish and distribute flyers and/or web content about VPN services and/or Tor and users’ ability to use these systems on the library network.
- Test compliance with these standards through a trusted third party service or individual.
Approved January 21, 2017 by the Intellectual Freedom Committee; revised January 26, 2020.