Developing or Revising a Library Privacy Policy

Privacy Tool Kit 4 of 9

Home | Introduction | Privacy and Confidentiality: Library Core Values | Developing or Revising a Privacy Policy | Implementation of Privacy Policies and Procedures | Library Privacy Talking Points: Key Messages and Tough Questions | What is ALA Doing | Advocacy at the Local, State & National Levels | Appendix

A Privacy Audit

  • Definition and Purpose
  • What to Audit for Personally Identifiable Information
  • Questions to Ask

Sections to Include in a Privacy Policy

  • Notice & Openness
  • Choice & Consent
  • Access by Users
  • Emerging Technologies
  • Data Integrity & Security
  • Enforcement & Redress
  • Government Requests for Library Records

Special Privacy Policy Considerations

  • Academic Libraries
  • School Libraries
  • Public and Academic Library Services to Minors
  • ASCLA Statement on Privacy Rights

All types of libraries are urged to draft, adopt and/or revise privacy and confidentiality policies. This document offers guidance for public, academic, research, school, and special libraries, as well as library systems. Special considerations are raised for school and academic libraries and for public library services to minors because each are affected by laws and practices unique to those particular contexts. Other considerations may also apply. When drafting a policy, library administrators should check with their parent institutions to ensure compliance with those institutions’ norms and policies. Some elements of this guidance may not pertain to all libraries.

In addition, policy drafts should be reviewed against existing local policies, state and local laws, and ALA recommendations and guidelines. Policy drafting teams and trainers may find it helpful to ask themselves and their staff questions from the checklists in the Privacy Audit section and to consider how and whether policies and procedures under consideration provide appropriate guidance.

With technology changes, increased incidence of identity theft, new laws, and increased law enforcement surveillance, librarians must act now to develop and/or revise their privacy policies and procedures to ensure that confidential information in all formats is protected from abuse. They must also protect their organizations from liability and public relations problems. When developing and revising policies, librarians need to ensure that they:

  • limit the degree to which the library and third party service providers monitor, collect, disclose, and distribute personally identifiable information
  • avoid creating unnecessary records including non-text records such as camera recordings
  • avoid retaining records that are not needed for efficient library operation, including data-related logs, digital records, vendor-collected data, and system backups
  • avoid library practices and procedures that place personally identifiable information in public view
  • require that patron records remain on a local server and not be exported to the cloud or a third-party server

A privacy policy communicates the library's commitment to protecting users' personally identifiable information. A well-defined privacy policy tells library users how their information is utilized and explains the circumstances under which personally identifiable information might be disclosed. When preparing a privacy policy, librarians need to consult an attorney to ensure that the library's statement harmonizes with state and federal laws governing the collection and sharing of personally identifiable information and confidential records.

Libraries need to post privacy policies publicly. Privacy: An Interpretation of the Library Bill of Rights states that, "Users have the right to be informed what policies and procedures govern the amount and retention of personally identifiable information, why that information is necessary for the library, and what the user can do to maintain his or her privacy."


  • Carolyn Caywood, "Questions and Answers about Privacy in Libraries," presented at the Virginia Library Association 2002 Conference, October 17, 2002.
  • Barbara Jones, "Intellectual Freedom Policies for Privacy," Libraries, Access, and Intellectual Freedom: Developing Policies for Public and Academic Libraries (Chicago: ALA, 1999), p. 147-168.
  • Confidentiality in Libraries: An Intellectual Freedom Modular Education Program Trainer's Manual (Chicago: ALA, 1993)

A Privacy Audit

A privacy audit of current policies and practices can be an excellent first step in developing a library policy. It will provide insights into strengths and weakness embodied in the existing library’s culture.; If not conducted early in the development or revision of a privacy policy, a privacy audit should be conducted before the conclusion of the process and should be repeated regularly thereafter.

Definition and Purpose

A privacy audit is a technique for assuring that an organization's goals and promises of privacy and confidentiality are supported by its practices, thereby protecting confidential information from abuse and the organization from liability and public relations problems. An audit ensures that information processing procedures meet privacy requirements by examining how the library collects, stores, shares, uses and destroys information about library users and employees. Privacy auditing is not a one-time solution, but rather a process that adapts to changes in services, data needs, and technology. A designated Privacy Officer may lead the audit, but all stakeholders and aspects of privacy need to be represented, from information technology to public relations. The auditing process should be comprehensive enough to address all relevant nuances of the information system. When a library is part of a larger organization conducting a privacy audit, the audit must include specific library issues and needs.

The auditing process begins by evaluating the organization's existing policies and procedures for legality and consistency with the organization's mission and image. When policies have been reviewed (or established), the data collected can be categorized according to the degree of security necessary. The audit assesses the sensitivity, security risks, and public perceptions of the information the organization collects. The audit examines the necessity of each type of data, how it is collected, and what notice and options are provided to individuals the information identifies. Mapping how data flows through the organization for access, storage, and disposal can reveal security needs, both electronic and physical. The management of the auditing process must avoid increasing privacy risks and its recommendations regarding revealed risks must be addressed quickly.

A privacy audit provides a library opportunity to examine:

  • how privacy matters are handled at all levels;
  • the flow and storage of data;
  • the role data plays within the organization;
  • staff training about privacy matters;
  • existing and needed privacy policies.

Selected Sources:

​What to Audit for Personally Identifiable Information

(Based on: Karen Coyle, "Make Sure You Are Privacy Literate," Library Journal, v. 127, #16: reprinted with permission)

  • Patron records
  • Circulation transaction logs
  • Overdue and billing records
  • Document delivery and ILL transactions
  • Records of access to electronic reserves
  • Records that support personalized services
  • Search histories saved beyond a session
  • Saved searches and sets
  • SDI profiles
  • Files/logs of previous electronic reference queries and answers
  • System logs
  • OPAC search logs
  • Library web server logs, including proxy servers
  • Mail message files
  • Mail server logs
  • Public workstations
  • Browser caches, including history files
  • Cookies and certificates
  • Browser bookmarks
  • Paper sign-up sheets
  • Licensed services
  • Shared computer systems and servers
  • Back up files stored locally and off site
  • Remote Web sites, including content providers, outsourced Web hosting, proxy servers, etc.
  • Personalization profiles and other service offers for personal information
  • Usage statistics
  • Signed Internet/e-mail acceptable use agreements
  • User-created lists
  • Reviews
  • Tags on catalog
  • E-book downloads
  • Program registrations

Questions to Ask:

Library Privacy Policy: Do you or have you…

  • already created and publicized a local privacy policy using the recommendations and resources made available through the Privacy Tool Kit
  • implemented a privacy auditing process to assure that an organization's practices support its goals and promises of privacy and confidentiality, thereby protecting confidential information from abuse and the organization from liability and public relations problems?
  • Limit the degree to which personally identifiable information is monitored, collected, disclosed, and distributed?
  • avoid retaining records that are not needed for efficient operation of the library?
  • know how long you need to know ;specific information and do you delete it when no longer needed?
  • list information to be protected: reference requests, information services, circulation and registration records, server and client computer logs?
  • include language to deal with unforeseen circumstances, like "including, but not limited to..."?
  • require that patrons be notified whenever the library collects their PII and be told how to correct inaccurate information?
  • state who may or may not have access to patron information?
  • outline the specific conditions under which access may be granted, i.e., with a court order after good cause has been demonstrated?
  • list the procedures for adopting the policy?
  • have provisions for notifying the public of the policy and of changes in the policy?
  • enumerate exemptions, exceptions, or special conditions? Do you address needs unique to your library environment?
  • have provisions for coordination with the other libraries in your system if your library is part of a cooperative, automated library system?
  • have procedures outlined for responding to court orders of various types?
  • assure that all kinds and types of records are covered by the policy, including data-related logs, digital records, vendor-collected data, and system backups?
  • know how you protect what you collect?
  • work to inform/influence government acts that impact confidentiality?
  • avoid library practices and procedures that place information on public view (e.g., using postcards for overdue notices or requested materials; using patron names to identify self-pickup holds; positioning staff terminals so that the public can read the screens; using sign-in sheets for computer or other device access; and stating reserve request or interlibrary loan titles over the telephone and to voicemail possibly disclosing that information to patrons' family members)?
  • include all aspects of services including protection of electronic data and dissemination of electronic records?
  • ensure that contracts and licenses reflect library policies and legal obligations concerning user privacy and confidentiality; make sure the agreements address appropriate restrictions on the use, aggregation, dissemination, and sale of personally identifiable information, particularly information about minors?
  • provide privacy where you should?
  • ensure safety without being intrusive?
  • make clear the role of confidentiality in protecting intellectual freedom?
  • know where users need privacy to protect their intellectual freedom as well as where privacy might endanger safety?
  • mention or acknowledge the Library Bill of Rights, Statement on Professional Ethics, ALA Policy on the Confidentiality of Library Records, and state & local laws (where applicable)?; Does your policy conform to these supporting documents?

Protecting Minors’ Privacy: Do you or have you…

  • extend to minors the maximum allowable confidentiality and privacy protections?
  • notify parents about the library's privacy and confidentiality policies when issuing library cards to minors?
  • educate children, parents, students, teachers, and school officials about the Children's Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA)?  COPPA requires commercial Web sites and online services to obtain parental permission before collecting information from children under 13. FERPA requires educational institutions to protect students' privacy with regard to educational records.

Educating about Privacy: Do you or have you…

  • educate on a continuous basis everyone associated with the library about library privacy principles, policies and procedures, and library staff's legal and ethical responsibilities as custodians of personally identifiable information?; Those associated with the library include library trustees, users, and employees (e.g., staff, administrators, volunteers, and contract workers); those associated with school and academic libraries include school board trustees, educational administrators, students, and parents.
  • inform library staff about their responsibility to cooperate with other organizations that work to protect privacy and challenge intrusions?
  • engage the community in considering the public policy aspects of privacy through use of Choose Privacy Week materials
  • educate the public through a variety of learning methods that provide the information and tools individuals need to protect their privacy and the confidentiality of their own personally identifiable information?
  • inform the public about library resources on privacy issues?
  • give users choices?
  • explain to the public the difference between privacy and confidentiality in a library setting?

Sections or Issues to Include in a Privacy Policy

Notice & Openness

Policies should notify users of their rights to privacy and confidentiality and of the policies of the library that govern these issues. Such notice should dictate the types of information gathered and the purposes for and limitations on its use. It is critical that library privacy policies be made widely available to users through multiple means. Safeguarding personal privacy requires that individuals know what personally identifiable information (PII) is gathered about them, where and how and for how long it is stored, who has access to it and under what conditions, and how it is used.

Examples of User Notice Statements from Sample Library Privacy Policies:

Choice & Consent

Choice means giving users options as to how any personal information collected from them may be used. Provision of many library services requires the collection and retention of personally identifiable information. Whether this is required (e.g. in order to circulate library material), automatic (e.g. as in some Web-based library services), or voluntary (e.g. when engaging in e-mail-based reference), the library should retain this information only as long as is necessary to fulfill the function for which it was initially acquired. Two commonly used schemes for choice/consent are "opt-in" and “opt out”. With opt-in, by default PII is not included and affirmative steps are required for inclusion. With opt-out, by default PII is included and affirmative steps are required for exclusion.

Examples of Choice and Consent Statements from Sample Library Privacy Policies:

Access by Users

Users have the right to access their own personally identifiable information (PII). The privacy policy should mention this right. Verifying the accuracy and status of PII helps ensure that library services that rely on personally identifiable information can function properly. The right of access covers all types of information gathered about a library user or about his or her use of the library, including mailing addresses, circulation records, computer use logs, etc. Access to personal information should be made available onsite or through secure online access to verify the identity of individual users.

Right to access should also address instances in which age may be a factor. For example, several state library confidentiality laws grant parents a right to view their minor child’s library records, too. The Children's Online Privacy Protection Act of 1998 (COPPA) provides for "a parent's ability to review, make changes to, or have deleted the child's personal information." For more on COPPA, see Part III of "School Libraries" below.

Examples of Access Statements from Sample Library Privacy Policies:

Emerging Technologies with Privacy Concerns

The continuing use of and accelerating dependence on emerging technologies to provide both traditional innovative library services have constituted major challenges for the library profession.; It is important for libraries not to take on the attitude that patrons no longer care about privacy. Studies from the Pew (Anonymity, Privacy and Security Online) show the opposite. Patrons may not possess the discursive language or;technology terms to articulate their complaint, however, it doesn't mean that they do not care about data harvesting, data mining and sharing of their personal information behind the scenes with third parties. The lack of transparency in consent, data sharing and terms of service changes is a barrier to patron-centered service.; It’s imperative that libraries understand each new technology by defining them and identifying the mechanism through which each patron's privacy may be breached. As stewards of patrons' data, we owe them the truth and some options. We realize that access to proprietary information and the business model may not be possible in some instances. Through ALA's existing policies we may find that there are already sufficient protections in place, however, there is definitely room for improvement, for the future.

(Definitions are based on: Burke, John. Neal-Schuman library Technology Companion: A basic guide for library staff. 4th ed. Chicago: Neal-Schuman, ALA, 2013.)

Apps: A piece of software or a program, typically small, that can be used on a computer, smartphone or tablet.

  • Concerns: Libraries using apps to promote library services or pushing them out to new audiences should be aware that apps log IP, monitor behavior and capture activities. At best, apps are fun, allowing users to gain social status and self-regulate movement. At worst, they can collect highly personal data and post on your libraries behalf with little consent. Companies can then profile a patron or predict behavior based on the information gathered.
  • Examples: Key Ring, Foursquare, Evernote, Pinterest.
  • Policy: #B.8.5.2 Confidentiality of Personally Identifiable Information about Library Users.

Camera Surveillance: Cameras monitor, record and archive activities. Mounted on lots, lamp posts and even on patron computers and telephone consoles. Some surveillance cameras may intercept smartphone communications.

  • Concerns: Libraries choosing to use surveillance cameras in areas where there is reasonable expectation for privacy and parts of the building run the risk of inadvertently violating rights of patrons--adults, minors and students without just cause. More often, surveillance cameras are not powerful enough to capture concrete data to identify the culprit and puts the library in the business of policing rather than library service.
  • Examples: Aruba Mesh Network, CCTV, Skyway Security.
  • Policy: Privacy: An Interpretation of the Library Bill of Right

Cell/Smartphone: A phone with built-in computer functionality, including e-mail, web browsing and other capacities.

  • Concerns:; Along with its processors, apps and location services comes the ability to measure a user's motion data, track geolocation, following site visits, monitoring social media posts, and snooping on emails.
  • Examples: Android, Blackberry, iPhone, Google Phone, and Windows Phone.
  • Policy: #B.2.1.19 Access to Digital Information, Services, and Networks

Cloud computing: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service); three service models (Cloud Software as a Service (Saas), Cloud Platform as a Service (PaaS), Cloud Infrastructure as a Service (IaaS); and, four deployment models (Private cloud, Community cloud, Public cloud, Hybrid cloud). Key enabling technologies include: (1) fast wide-area networks, (2) powerful, inexpensive server computers, and (3) high-performance virtualization for commodity hardware. (An excerpt from the definition published in October 2011 by the National Institute for Standards and Technology.

  • Concerns: As more companies and individuals choose cloud services for convenience or to save money, valid concerns on how secure data can be when they lay in farm servers in remote areas and by a few entities. One’s data may reside in a server in a different country, which may implicate questions of legal jurisdiction.
  • For example, Amazon AWS now holds more than a trillion projects in the cloud. “The trend is that it will become more dominant than desktop computing in the next decade.” (Pew Report, 2010).
  • Examples: AWS, EMC, Skydrive, Google Drive, Apple iCloud.
  • Policy:; #B.2.1.19 Access to Digital Information, Services, and Networks;
  • #B.8.5.2; Confidentiality of Personally Identifiable Information About Library Users;
  • Privacy: An Interpretation of the Library Bill of Rights

e-book (electronic book) and e-periodicals: An electronic version of a book or periodical that may be read via the web on a computer work station or using a mobile device (e.g., an e-reader, an iPad or a smartphone).

  • Concerns: Most subscription-based services such as Amazon, Overdrive and Zinio require patron consent to the collection, transfer, manipulation, storage and use of pii. Patrons will need to be aware of how the publishing industry has begun to embrace big data including deep analysis of their digital reading habits like reading speed, how many times they've opened an ebook and other insights into how they're engaging with their book.
  • Ex. of formats: Standards include epub, kindle, pdf and READ.
  • Ex. of middleware: Adobe Digital Editions, Amazon Kindle, Overdrive Media Console.
  • Ex. of tablets: Galaxy, iPad, Kindle, Nook.
  • Policy: #B.2.3 Freedom to Read.
  • #B.2.1.19 Access to Digital Information, Services, and Networks.

MOOCs & E-Learning: MOOCs are Massive Open Online Courses and they are rapidly changing the game for higher education and employee professional development. MOOCs offer free online course covering a growing range of topics delivered by qualified lecturers from some of the well-known universities in the world. They allow a single teacher/lecturer to teach thousands and sometimes tens of thousands of participants in a single course delivery. They are often in an asynchronous course format, using smart phones and mobile computing to connect to the participant.

  • Concerns:; There is concern that students will be tracked. Data breaches, password reuse, identity information and marketing calls can ensue.
  • Examples:; Platform providers include Coursera, EdX and Khan Academy, Udacity and FutureLearn.
  • Policy: #B.8.5.2 Confidentiality of Personally Identifiable Information About Library Users.

Interactive Online Public Access Catalog (OPAC): The computer version of the card catalog allows an individual to search the holdings of a library through electronic interface. Service can be deployed by SaaS through a patron-discovery interface called Bibliocore (similar to iTune’s Tunecore). Some OPACs collaborate with search engines, book apps and third parties. They could possess unlimited user-added tagging features. Others are interactive with social media tools that create booklists, write reviews and gain followers.

  • Concerns: The lessening of control over patron borrowing records and the lack of discretion for accommodations by library professionals is a concern for intellectual freedom. When libraries no longer retain exclusive authority to their own collections, patron privacy is not directly protectable which makes contract negotiations with third parties even more important. Some OPACs are powered by aggregators like Bibliocore.
  • Types: Bibliocommons, OCLC.
  • Policy: #B.4.3 Bibliographic Databases;
  • #B.2.1.19 Access to Digital Information, Services, and Networks.

Radio Frequency Identification (RFID): A method used by libraries to protect their physical collections by placing a small tag on each item; tag consists of a computer chip with antenna attached, and security gates or self-checkout systems can then read the tag to complete their functions. Although RFIDs have been existence since the late 1990s, types of RFID can be considered emerging technology.

Near Field Communication (NFC): NFC is a short-range, standards-based, contactless connectivity based on RFID technology that uses magnetic field induction to enable communication between electronic devices in close proximity. For two devices to communicate, one device must have an NFC reader/writer and the other has to have an NFC tag. 

  • Concerns: NFC library cards allow patrons to pay for fines, books and unlock print jobs using Google Wallet, ISIS, PayPal, using an NFC-enabled smartphone or a laptop.; Tags can hold up to 1 MB of information and are embeddable in books, posters, etc.
  • Types: NFC, HF, UHF
  • Policy: ALA/RFID in Libraries Privacy and Confidentiality Guidelines

Social Networking Tools: Social networking tools allow people to bond online and chat, exchange pictures and videos and stay connected through a medium they use daily.; People join the networks, post as much or as little personal information as they would like, connect with the people they already know in daily life, add on new virtual friends drawn from shared interests, or locate and reconnect with old friends who are geographically distant. Each library setting will need to find a balance between just being present and actively sharing in a social networking site.

  • Concerns:; Without careful curation, privacy will be compromised. Libraries will have to find a careful balance between information dissemination and user privacy in each individual situation.
  • Types: Facebook, Skype, Twitter, Tumblr and YouTube.
  • Policy:; #B.2.1.19. Access to Digital Information Services and Networks; #B.2.2 Freedom to View
  • At the time of writing, the above were the most prevalent emerging technologies. By no means is this list exhaustive. It’s impossible to predict which companies will merge and change the terms of privacy or what third party vendors will take over the development of a product. What we can do is remember that it is important for libraries and librarians to continue to treat patron information with due care and consideration. Emerging technologies are changing social norms regarding privacy, providing new avenues for compromising rights. Libraries need to keep up-to- date on the developments and librarians need to remain vigilant.


Data Integrity & Security

Data Integrity: The library needs to assure data integrity. Whenever personally identifiable information (PII) is collected, the library must take reasonable steps to ensure integrity, including using only reputable sources of data, providing library users access to their personal data, updating information regularly, destroying untimely data or converting it to anonymous form, and stripping PII from aggregated, summary data. The library staff is responsible for destroying information in confidential or privacy- protected records to ensure against unauthorized disclosure. Information that should be regularly purged or shredded includes PII on library resource use, material circulation history, security/surveillance tapes, and both paper and electronic use logs.

Shared Data: If patron records are supplied by or shared with a parent institution such as a college registrar or a library consortium, the library needs to adopt measures to ensure timely corrections and deletions of data. Likewise, when the library exchanges data with other departments such as bursars and tax collectors, vendors, or any other organizations, it must ensure that records are accurate and up to date. Libraries issuing passwords should avoid choosing passwords or PIN's that can reveal a user's identity, including social security numbers.

Big Data --data aggregation and;analytics: Shared endorsement settings, mash-ups that combine services to create an entirely new service may reduce redundancy, spare users from typing and repurposing data may be desirable for data management efficiency. Libraries may look at combined services because it’s easier. The disadvantage is that it’s too easy to make incorrect correlations when personally identifiable information sits side by side with other data. Unless a patron opts-in, reading records should never be correlated with patron conduct, database usage, meeting room signups, etc. Libraries should also be aware of what information may be publicly visible. Data may exchange many hands with third parties, using libraries as conduits, allowing more opportunity for privacy breaches and data mining. As stewards of patron privacy, libraries should steer away from the practice of creating aggregate data without legitimate purposes.

Security: Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of data. Security measures should be integrated into the design, implementation, and day-to-day practices of the library's entire operating environment as part of its continuing commitment to risk management. This should include the guarantee of a secure wireless network for patrons to use. These measures are intended to prevent corruption of data, block unknown or unauthorized access to library systems and information, and provide reasonable protection of private information in a library's custody, even if stored offsite on servers or backup tapes.

Administrative Measures: The library needs to implement internal organizational measures that limit access to data while ensuring that individuals with access do not utilize the data for unauthorized purposes. The library must also prevent unauthorized access by using technical security measures like encrypting transmitted and stored data, limiting access by using passwords, and storing data on secure servers or computers inaccessible by modem or network. If libraries store PII on servers or backup tapes offsite, they must ensure that comparable measures to limit PII access are followed. Libraries should also develop routine schedules for shredding PII collected on paper.

Electronic Tracking: Neither local nor external electronic systems used by the library should collect PII through logging or tracking e-mail, chat room use, Web browsing, cookies, middleware, or other technology usage. Nevertheless, users should be advised of the library’s privacy protection limits when using remote sites. If the library enables cookies (small files sent to a browser by a Web site to enable customization of individual visits), it should instruct users on how to refuse, disable, or remove cookies from their hard drives. Moreover, the library should not maintain cookies after users terminate their sessions or share them with external third parties. Libraries should regularly remove cookies, Web history, cached files, or other computer and Internet use records and other software code that is placed on their networks. Those libraries that authenticate patrons for use of external databases by middleware systems and/or proxy servers should simply verify the attributes of valid users and not release PII.

Data Retention: It is the responsibility of library staff to destroy information in confidential or privacy- protected records in order to safeguard data from unauthorized disclosure. Information that should be regularly purged or shredded includes PII on library resource use, material circulation history, and security/surveillance tapes and logs. If this data is maintained off-site, library administrators must ensure that appropriate data retention policies and procedures are employed. Libraries that use surveillance cameras should have written policies stating that the cameras are not to be used for any other purpose. If the cameras create any records, the library must recognize its responsibility to protect their confidentiality like any other library record. This is best accomplished by purging the records as soon as their purpose is served.

Encryption: The use of data encryption can help enhance privacy protection. Encrypted data requires others to use a pre-defined electronic key to decipher the contents of a message, file, or transaction. Libraries should negotiate with vendors to encourage the use of such technology in library systems (e.g., in the document delivery, saved searches, and e-mail features now offered by many OPAC vendors). Whenever possible, libraries should consider making encryption tools available to library users who are engaging in personalized online transactions or communications.

Selected Links:

Examples of Retention Schedules from Sample Library Privacy Policies:

Examples of Security Statements from Sample Library Privacy Policies:

Enforcement & Redress

Libraries that develop privacy policies need to establish and maintain an effective mechanism to enforce them. They should conduct regular privacy audits to ensure that all library programs and services are enforcing these policies. Redress must be available for library users who feel their privacy and confidentiality rights are violated. Libraries should provide a means to investigate complaints and re-audit policy and procedures in cases of potential violation of library privacy and confidentiality. Library educational efforts should include informing users how to protect their own privacy and confidentiality, both in and outside of the library setting.

Selected Links:

Government Requests for Library Records

Libraries must ensure they have well-established procedures to enforce their policies by informing users about the legal conditions under which they might be required to release personally identifiable information (PII). Libraries should only consider a law enforcement request for any library record if it is issued by a court of competent jurisdiction that shows good cause and is in proper form. Only library administrators, after conferring with legal counsel, should be authorized to accept or comply with subpoenas, warrants, court orders, or other investigatory documents directed to the library or pertaining to library property. All library staff should be trained and required to contact a designated Library Privacy Officer or previously designated administrator immediately should a law enforcement officer appear requesting library compliance with a request to release PII.

Libraries should develop and implement procedures for dealing with law enforcement requests before, during, and after a visit. Guidance on these matters can be found in the following ALA documents:

To learn more about federal search and seizure guidelines, see:

Examples of Disclosure/Court Order Statements from Sample Library Privacy Policies:

Special Privacy Policy Considerations

Academic Libraries

The Freedom to research unfamiliar and controversial topics is central to the mission of academic institutions. Academic libraries serve those needs well. They frequently provide their personal, professional, and educational information services to a wide variety of users. If academic libraries provide different levels of service or access to different categories of borrowers (e.g., faculty, graduate students, undergraduate students, or community members), they must ensure that their services and access are offered equitably within a borrower type. Such restrictions should not impede intellectual freedom.

Academic Libraries and Students: Students in academic institutions are adults and must be accorded the same privacy safeguards as adults in other types of libraries. The mere fact that students are enrolled in courses should not jeopardize their privacy rights. Thus, student circulation records for course-required and reserve reading should be protected from inquiry with the same rigor as their circulation records for personal reading. Librarians assisting in investigations of plagiarism should take care to protect the usage records of individual students. Librarians can assist faculty in the development of classroom instruction and procedures that meet educational goals without compromising student rights to privacy.

Academic Libraries and FERPA and SEVIS: The Family Educational Rights and Privacy Act (FERPA) was passed to protect the privacy of student education records and to define who can access these records. FERPA grants parents the rights until the child turns 18 years old or attends a school beyond the high school level. At the age of 18 or when students attend institutions of higher learning, they assume the right to access and protect the privacy of their educational records. The Student and Exchange Visitors Information System (SEVIS) maintains updated information on approximately one million non-immigrant foreign students and exchange visitors during the course of their stay in the United States each year. Colleges and universities are now required to report a foreign student's failure to enroll or if students drop out of their programs. Colleges and university librarians need to identify how their institutions implement these laws and whether they have any impact on the collection and retention of library user records.

Academic Libraries and Faculty: Academic institutions often rely on principles of academic freedom to protect the intellectual freedom of faculty. While the principles of academic freedom are intended to protect faculty from professional consequences of researching unpopular or controversial areas, they do not necessarily protect the privacy of faculty. Academic libraries should also have in place appropriate policies based on First Amendment and Fourth Amendment rights to protect the privacy of faculty members' library records.

Academic Libraries and Computer Systems: The computer networks of academic libraries are often part of institutional networks, under the ultimate control of units outside the library. Academic libraries should work with campus computer departments to ensure that student and faculty information-seeking activity is kept confidential and well protected throughout the institution. In addition, library personnel should review library procedures and arrangements with outside vendors to ensure the highest level of protection for such records as online digital reference logs, proxy server and other authentication devices, e-mail reference transactions, personalized searching, and SDI profiles.

Selected Links:

School Libraries

School librarians have an ethical obligation to protect and promote student privacy. Although the educational level and program of the school necessarily shapes the resources and services of a school library, the principles of the Library Bill of Rights apply equally to all librarians, including school librarians. School librarians are in a unique position to educate students & staff about the implications of sharing information with others as well as the library’s role in protecting privacy.

School Libraries and FERPA:

“The Federal Educational Rights and Privacy Act,” 20 U.S.C. § 1232g, (FERPA controls disclosure of a student’s educational records and information. It requires educational institutions to adopt policies that permit parents of minor children to inspect and correct their educational records. It also prohibits disclosure of a student’s records without the parents’ written permission.

The Family Policy Compliance Office (FPCO), a part of the U.S. Department of Education, is the federal office charged with overseeing and enforcing FERPA. According to FPCO, any record maintained by an educational institution directly related to a student, in any format, that allows the student to be identified from the information contained in it, is considered an “educational record.” Analysts within FPCO have issued guidance stating that library circulation records and similar records maintained by a school library are “educational records” under FERPA.

Though FERPA generally requires institutions to protect the privacy of educational records, it contains many exceptions that allow disclosure of a student’s educational records without a parent’s or student’s consent or permission. For example, FERPA permits educational institutions to release information contained in a student’s records to any school official who has a “legitimate educational interest” in the records; to appropriate public officials in health and safety emergencies; and to courts and law enforcement agencies in response to a judicial order or lawfully issued subpoena. FERPA also permits educational institutions to disclose information about international students to the Department of Homeland Security and the Immigration and Customs Enforcement Bureau.

FERPA thus permits disclosure when state library confidentiality statutes and professional ethics would otherwise prohibit the disclosure of library records. FERPA, however, does not require the institution to disclosure records under these circumstances, nor does FERPA require institutions to create or maintain particular records.

State library confidentiality laws may apply to K-12 libraries as well as public libraries, and may impose additional duties to protect students’ library records that go beyond FERPA’s requirements. Therefore, school libraries may draw upon professional ethics and intellectual freedom principles to craft policies that extend additional privacy protection to students’ library records; adopt record retention policies that protect students’ confidentiality; and where applicable, incorporate state law protections for students’ library records. (ALA Questions and Answers on Privacy and Confidentiality)

Protecting Students Privacy in a School Library

School librarians have a responsibility to “assume a leadership role in promoting the principles of intellectual freedom within the school by providing resources and services that create and sustain an atmosphere of free inquiry.” This includes safeguarding student and teacher privacy. School library personnel must strive to: educate all members of the school community about the value of school library users; develop board approved policies that provide the highest level of protection for all records; and teach all members of the educational community about the policies and procedures that govern privacy. School libraries operate as part of larger educational structures. In some cases school systems may create policies and procedures that infringe on students’ rights to privacy. School library personnel are encouraged to educate all policy makers about the dangers of abridging students’ privacy rights.

Each school library should have a privacy policy outlining how students’ library records are protected and under what circumstances they may be released and to whom. To do less is to leave the school librarian uncertain about the legal course of action and in a weaker position to respond to requests for release of library records. The privacy policy should reference and incorporate the state library confidentiality law and also incorporate FERPA guidelines.

The policy should also reference American Library Association and American Association of School Librarians policy statements related to protecting minors’ privacy rights in libraries. The Code of Ethics states in Article III, “We protect each library users’ right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired, or transmitted.” The American Association of School Librarians’ “Position Statement on the Confidentiality of Library Records” expresses this concept, “The library community recognizes that children and youth have the same rights to privacy as adults.” These documents provide an ethical defense for school librarians defending minors’ privacy in a school library.

After the privacy policy has been approved by the school’s governing body, ti should be disseminated to school staff, students, and parents. Minors’ privacy and the confidentiality of their records will be better protected when school employees and the community understand the laws involved.

In addition to an official privacy policy, school libraries should also have a records retention policy detailing the types of records maintained, the length of retention, and a schedule for their destruction. Minors’ records are best protected when minimal library records are maintained for the shortest period possible. (ALA Questions and Answers on Privacy and Confidentiality, #34,

Educating Students and Staff about Privacy: In addition to protecting patrons’ privacy, school librarians play a vital role in educating faculty, staff and students about privacy. We live in an era when personal information is widely available online, and online networks and databases collect and store personal information. These facts present growing challenges to individuals’ privacy. Students need to be aware of the implications of their online activities in terms of personal safety, identity safety, and security of future academic and employment opportunities. School Librarians should educate students to engage in online communication and interaction that is responsible, ethical and safe.; For this purpose, ALA has developed ideas, tools and resources specifically for school libraries available through their Choose Privacy website.

School libraries and COPPA:

School libraries and COPPA: The Children's Online Privacy Protection Act (COPPA) regulates commercial Web sites and online services, including apps, which are directed to children under the age of 13 and collect children's personally identifiable information, as well as general audience sites that know they are collecting personally identifiable information from children 13 and under. Such sites have a legal obligation to comply with the law. ;Operators who violate COPPA can be held liable for civil penalties of up to $16,000 per violation by the Federal Trade Commission (FTC) the agency responsible for enforcing COPPA.

Noncommercial Web sites, such as library, nonprofit, community groups, and government agencies are not subject to COPPA. A library collecting personal information from children in order to e-mail them summer reading lists or reference assistance is not required to seek parental consent. However, libraries should be aware that changes to the COPPA rules adopted in December 2012 require any site that integrates outside services, such as plug-ins, apps, ;or advertising networks that collect personal information from site visitors to comply with COPPA if the site operator knows that the outside service is collecting information from children under 13.; A library should carefully review any app or outside service's data collection practices before integrating it into its website.

Although libraries are not directly impacted by COPPA, children using the Internet in a library may need help understanding the law and getting consent from their parents to use websites and apps. ;In some instances, children will find that COPPA may restrict their ability to participate in some activities on Web sites while they await parental approval. It is the librarians' role to guide children through the process or help them find alternative activities online. Parents may need assistance in understanding the law and the significance of the requests they receive from Web sites.

Librarians and libraries should play a key role in helping all library users understand and comply with COPPA. (Note: The extent to which schools can or do assume parental responsibilities for students will depend in large part on decisions made by the local school board or superintendent. It will also depend on the nature of the resources being used in the classroom and whether those resources require students to divulge personally identifiable information. Some schools may decide to act on behalf of the child, others may decide to seek consent although an Acceptable Use Policy signed by students and parents at the beginning of the year, while others may take no responsibility at all and leave it up to parents. However the school implements the law, it must take care not to allow COPPA to interfere with curricular decisions.)

Selected Links:

Public and Academic Library Services to Minors

The rights of minors vary from state to state. Libraries may wish to consult the legal counsel of their governing authorities to ensure that policy and practice are in accord with applicable law. Furthermore, the legal responsibilities and standing of library staff in regard to minors differ substantially in school and public libraries. In all instances, best practice is to extend to minors the maximum allowable confidentiality and privacy protections.

The Children's Online Privacy Protection Act (COPPA) requires commercial Web sites and online services that collect personally identifiable information from children aged 13 and under to obtain consent from their parents or guardians in advance. (Please see the detailed information about COPPA in the section on school libraries.); Although COPPA does not usually place any special obligations on public libraries, there are two impacts to consider:

Parents are responsible not only for the choices their minor children make concerning the selection of materials and the use of library facilities and resources, but also for communicating with their minor children about those choices. Librarians should not breach a minor's confidentiality by giving out information readily available to the parent from the minor directly. Libraries should take great care to limit the extenuating circumstances in which they release such information.

Parental responsibility is fundamentally important to a minor's use of the library. Notifying parents about the library's privacy and confidentiality policies should be a part of the process of issuing library cards to minors. In some public libraries, the privacy rights of minors may differ slightly from those of adults, often in proportion to the age of the minor. The legitimate concerns for the safety of children in a public place can be addressed without unnecessary invasion of minors' privacy while using the library.

The Minors’ right to privacy regarding their choice of library materials should be respected and protected.

Selected links:

ASCLA Statement of Privacy Rights

The Association of Specialized and Cooperative Library Agencies asserts the fundamental position that a right to privacy exists equal for all people regardless of physical, psychological, intellectual, social, or political condition.

In providing service to special populations, librarians, support staff, and other service providers must be aware of that fundamental right to confidentiality of materials and records and take affirmative action within the institutional structure to maintain these privacy rights.

ASCLA Board of Directors, adopted January 27, 2014

Revised by the IFC Privacy Subcommittee and approved by the Intellectual Freedom Committee January 2014. Updated April 2017