Library management systems (LMS) are also known as integrated library systems (ILS). Libraries use them to inventory collections and manage user records. The LMS stores personal data collected from users. It also maintains records of what items users borrow, the holds they place, and bills they may incur. In addition, the LMS may share data with third parties. One reason would be to provide authentication for online resources.
Library procedures and practices for managing the LMS should reflect library ethics, policies, and legal obligations concerning user privacy. Agreements between libraries and vendors should specify the following:
- Libraries retain ownership of all data;
- The vendor will comply with the appropriate federal, state, and local library privacy laws;
- The vendor agrees to observe the library's privacy, data retention, and security policies; and
- Other parties used by the vendor will follow these policies.
ALA provides these guidelines for libraries using an LMS. The guidelines include information about appropriate data management and security practices for library users' personal data.
Clear Privacy Policies
- First Notice: When users register for a library card or borrow materials for the first time, notify them of library privacy policies.
- Easy and Available: Library privacy policies should be easily available and easy to understand, using plain language. The policies also need to be in a publicly accessible format and in the languages of the major service populations.
- Change Notices: Libraries need to have a proactive process to notify ongoing users of any changes to the library's privacy policies.
User Consent and Rights
LMS users should have options as to how much personal data is collected from them and how it may be used. Wherever possible, users should have the ability to access, modify, and delete personal data in the LMS at any time. Users should have a choice about whether to opt in to anything that requires personal data collection beyond what is required for business operations. Users should also have the ability to opt out if they change their minds. Users should be able to have the data destroyed when possible.
Example: The LMS offers the ability to save the checkout history. This should be an opt-in feature. If users opt in, they should be able to opt out. They should also be able to have that checkout history destroyed.
Access to Personal Data
Users should have the right to access their own personal data and check its accuracy. Instructions on how the user can access their personal data should be clear and easy to find.
Third-party access to personal data should follow the applicable state laws on confidentiality of library records. They should also follow any other applicable local, state, and federal laws. This includes a user's access to another user's personal data in the LMS.
State and federal laws may give parents, guardians, and educators access to the library records of minors (see Library Privacy Guidelines for Students in K-12 Schools). Staff access to user data should be restricted to specific roles. Those roles should only allow for the minimal amount of data needed to complete an operational task.
Collection & Retention of User Data
Libraries should minimize the amount of personal data they collect. They should limit that amount to only the information required to provide a service or meet a specific operational need. Library policies about personal data should also cover the use of any free-text note fields associated with the user's record. Collecting some types of data puts users at risk for harm if the data is breached or improperly used. Libraries should asses their direct operational needs before considering the collection of high-risk sensitive data, such as:
- Government or organization issued identification numbers (e.g. Social Security Numbers, Student ID, Driver’s License Numbers)
- Library use history (other than materials currently checked out) or behavior
- Demographic information (e.g. gender identity, race/ethnicity, employment)
Collecting this information may conflict with Article VII of the Library Bill of Rights.
Libraries should ask themselves the following questions when they want to collect personal data in a free text field:
- Why does a library need to collect that data?
- What is it being used for?
- Will the service not work if the data isn't collected?
- Who has access to it?
- How long does it need to be kept?
Personal data should not be retained in perpetuity. The library should have policies for how long to retain different types of data including borrowing history. The library should also have methods for securely destroying data when it's no longer needed. For example, libraries should purge accounts that are expired or inactive for a certain amount of time. Retention policies should also cover archival copies and backups.
Data Integrity and Security
LMS data must be encrypted in storage and whenever data is transmitted to and from the LMS. Examples of storage and transit include staff desktop clients, web browsers, and mobile apps. Encryption methods should follow up-to-date security protocols and practices.
Some libraries might have client applications that do not support encryption to transmit data. Examples of these clients are staff desktop computers or self checkout kiosks. For these types of clients, you should use or create secured encrypted communication channels. An example of this type of encryption is a virtual private network (VPN).
In addition, any LMS user data stored off-site should use encrypted storage. Examples of offsite storage include cloud-based infrastructure and tape backups.
PINs & Passwords
Only a user should have access to their personal identification numbers (PINs) and passwords stored in the LMS. These should be encrypted. Library staff shouldn't be able to view them. This encryption should use up-to-date best practices. Users should also have the ability to set their PIN or password themselves. Do not transmit PINs or passwords in plaintext, such as sending PINs or passwords through email. Users should not have to reveal PINs or passwords to library staff to reset a password or PIN.
Notifications & Reports
User notifications for holds, overdue items, and bills should contain minimal personal data. These notifications include email, text messages, postcards, or phone calls. An LMS might provide the ability to include notification history as part of the user record. If the LMS offers this, it should be offered as an opt-in feature.
Access to LMS reports that contain personal data should be restricted. Only library staff who need the reports for critical operational processes should have access. LMS reports should contain only the minimum amount of personal data necessary for operational needs. Reports intended for wider distribution should be de-identified. This can be done by removing personal data or aggregating personal data to ranges or groups that can't easily be re-identified.
Sharing LMS Data
The following parties might request personal data from the LMS:
- Parent, guardian, or caregiver
- Another library user
- School affiliated with library user
- Department within the larger organization
- External partnerships
- Law enforcement or governmental agencies
Libraries should only share data when there is a legal or contractual obligation for the library to share data.
Most state laws on the confidentiality of library records restrict disclosure of library users' personal data. This personal data includes their use of library resources and services. These state laws typically require user consent or a court order to allow disclosure. However, some state library confidentiality statutes permit sharing this data with parents or guardians of minors. In addition, library user records are subject to the same disclosure requirements as other educational records under the Family Educational Rights and Privacy Act (FERPA). ALA policy also protects library users' personal data. ALA policy forbids libraries from unrestricted disclosure of library user information with third parties. The exception is if there is user consent or a court order.
The library should develop and implement procedures for dealing with government and law enforcement requests. These procedures should include requests for library users' personal data held within the LMS. The library should consider a government or law enforcement request only if:
- It is a court order;
- The order is issued by a court of competent jurisdiction;
- That jurisdiction shows good cause; and
- That court order is in proper form.
Third-party Integrations and LMS Application Program Interfaces (APIs)
Many LMSes can integrate with third-party applications through APIs. Libraries should review APIs for possible privacy and security issues. An example of an issue is not encrypting user data through API calls and responses. Another example is possible unauthorized access to user data by third parties.
LMS APIs might also create a profile of user behavior. This is called behavioral tracking or fingerprinting. This user behavior can sometimes gather enough data points to create a unique picture of the user. If that happens, the user can sometimes become identifiable. Libraries need to consider the risk in using an LMS API if it creates these types of user profiles. This type of profiling contradicts the user's right to privacy in the Library Bill of Rights.
LMS Cloud Hosting Security and Privacy
A vendor who offers a cloud-hosted LMS should be audited for data security and privacy practices. This should be done on an annual basis.
Security involves both managerial and technical measures to protect against the following:
- unauthorized access
- disclosure of data
Vendors should integrate security measures into the design, implementation, and day-to-day practices of their entire operating environment. This should be part of the vendor's continuing commitment to risk management.
The vendor should seek compliance with published cybersecurity standards. These standards should come from organizations, such as the National Institute of Standards and Technology (NIST).
Analytics and LMS Data
Some LMSs are sold with built-in analytics modules or customer relationship management systems (CRMs). Other LMSs allow libraries to export user data for analytical purposes.
Libraries using LMS data for analytical purposes must balance the operational needs for data and the user's right to privacy. Libraries should review and assess the user privacy risks that come with using LMS data for analytical purposes. Libraries should also consider possible violations to the user's privacy rights. For example, user profiling and other tracking methods directly conflict with the right to privacy. This profiling can occur within the LMS itself. Examples include the unnecessary collection and storage of personal data, such as borrowing history and other library use behaviors. Another example includes combining personal LMS data with external data, such as credit reporting companies or census information to create individually identifiable profiles.
Libraries must also consider risks to user privacy when working with vendor-hosted analytics products. Libraries need to check whether vendors will disclose, reuse, or sell user data or profiles to other third parties or government agencies. If a vendor does this, negotiate the removal of data sharing from the contract. Refer to the Vendor Guidelines and the Privacy and Confidentiality Q&A for more guidance on LMS data and analytics.
Whenever possible, libraries using LMS data to enhance the library experience should do so on an opt-in basis.
Libraries should establish and sustain privacy awareness practices with library staff and affiliates who have access to LMS data. This includes:
- Staff Training: Regular, ongoing training for library staff who have access to user data in the LMS. Training should include the library's privacy policies and best practices for safeguarding user privacy.
- Privacy Audits: Conducting regular privacy audits. This helps to verify that all LMS processes and procedures comply with privacy policies.
- Response Plans: Creating and regularly reviewing response plans for LMS data incidents. Examples of these incidents could be data breaches or leaks. The response plan should include communications to staff and affected users. The response plan should also include what steps to take to remedy and/or mitigate the damage from the incident.
[The Library Privacy Checklist for Library Management Systems can help all types of libraries take practical steps to implement what's in this guideline.]
Library Privacy Guidelines for Students in K-12 Schools
Privacy, Intellectual Freedom Committee of the American Library Association
Approved June 24, 2016 by the Intellectual Freedom Committee of the American Library Association; revised January 26, 2020 and April 2022.