Final Report, 7 July 2000
At the American Library Association Conference in New Orleans in 1999, ALA Council resolved that the Library and Information Technology Association be asked to examine the impact of new technologies on patron privacy and the confidentiality of electronic records. The Task Force on Privacy and Confidentiality in the Electronic Environment was formed at the ALA Midwinter Conference with broad participation from across ALA.
The Task Force decided to focus on identifying the applicable technologies, describing these and their possible impacts. The group did not see policy development as part of the charge. Because the Association has always taken a strong stand on patron privacy, and considering that there are already a number of privacy policy statements promulgated by the Association, the Task Force believes that reaffirmation, reinforcement, and repetition of previous stands may be adequate. Additional information and policy dissemination efforts may help to communicate the Association’s concerns more broadly.
Findings
The report identifies the following areas where technology is having a particular impact on patron privacy and confidentiality.
Law and Legislation
In most states, the law protects the confidentiality of library records to some degree. Generally, these laws protect circulation and registration records containing personal names. Many also protect information on the "use of library materials." Not all state laws are written in such a way that we can assume that they protect the privacy of patrons using online resources.
Library Systems
Libraries need to be concerned about computer system security as part of their commitment to patron privacy. This means that libraries must be able to protect user records, both electronic and paper, from unauthorized access. User records have also expanded beyond the standard lists of library cardholders and circulation records as libraries begin to use electronic communication methods such as electronic mail for reference services, and as they provide access to computer, web and printing use.
Library systems must be able to authenticate users while keeping user activities confidential. Some institutions require a user logon for all computer access, potentially creating a record of all online activity, even catalog browsing. Libraries that provide materials over web sites controlled by the library must determine the appropriate use of any data describing user activity logged or gathered by the Web server software.
Internet Access in Libraries
This is an area of great concern because libraries have limited influence over the privacy practices of World Wide Web sites on the public access Internet. The threats to patron privacy take many forms, including:
- User tracking by remote sites
  This is ameliorated by the fact that library computer connections are usually shared by many patrons, so it is unlikely that specific individuals will be identified. However, data is being gathered, and patrons need to be aware of that.
- Users giving out personal information online
  Users may voluntarily reveal personal information to take advantage of personalization features of web sites, to subscribe to services, to participate in interactive communications, and to purchase items online.
- Logs or caches of user activity, in online form or as backups
  Unless steps are taken by the library, subsequent users at a library computer may be able to see some traces of activity of previous users.
- Screen view privacy
  Patrons have a reasonable right to access information privately while in the library. Computer screens may be readily visible to other patrons.
Libraries should inform patrons of the potential for loss of privacy with Internet use and encourage safe Internet use practices.
Library Support for Patron Privacy
While libraries have historically supported patron privacy, substantial anecdotal evidence suggests that our user community is not aware of this strong stance. And as libraries have moved into the internet world, providing extensive, quality internet access through the library's website or portal, few libraries have adopted the practice of communicating with their users through a link from their web pages to the library's policies on privacy.
Access to Remote Resources Provided by Library
Libraries increasingly contract for information resources that are stored remotely and are under the control of a vendor. Care must be taken to include patron privacy measures in the license between the library and the vendor. Vendors may be reluctant to forgo the gathering of marketing and usage data, but libraries may need to insist on patron privacy measures.
New features are being developed that allow users to personalize their use of remote information, to e-mail retrieved items to themselves, or to purchase items like article reprints. These features necessarily link the activity to the individual user, and create a record of the use. Great care must be taken to provide confidentiality in this environment where the library has the ability to do so, or care must be taken to inform users of privacy implications of such use where the library does not have the necessary control.
Library Employee Privacy
In addition to their obligation to their users, libraries must be aware of employee privacy as well. Monitoring of employee activities for "quality control" may be an invasion of employee privacy if it is not made known as a policy. As employees begin to use online communication to interact with patrons, the patron's privacy is also at risk. The policies and practices of parent institutions may also come into play. The best course here is for libraries and their parent institutions to have a written policy that says what privacy the employee and patrons can realistically expect.
Conclusions
The effort to protect patron privacy should be clearly supported by ALA policy. The document, Access to Electronic Information, Services, and Networks: An Interpretation of the Library Bill of Rights (Adopted June 28, 1989, by the ALA Council; amended June 30, 2004. [ISBN 8389-7351-5]), contains strong statements on the end goals of confidential use of library information resources and intellectual freedom in the current environment. ALA policy statements on the confidentiality of library records focus on circulation data. ALA may wish to revise these statements to include a wider range of data. Of particular concern is the pervasive gathering of "marketing information" or tracking online usage by third parties.
Libraries have some influence over the technical products and services that are marketed primarily to libraries (library automation systems, some content vendors focused on libraries). Carefully written license agreements and contracts are important tools in ensuring that patron privacy is protected by the products and services we buy.
Libraries should take a proactive role in communicating their privacy commitment to their user communities through policy statements on library websites as well as through other traditional communication channels.
Libraries must be especially diligent in all areas where they use and control technology-based information systems. Because libraries have stronger user privacy concerns than many other institutions, our needs will often not be met by software as it is configured "out of the box."
Libraries have an important role in educating the public about privacy, especially where the libraries provide access to technology. Public education and library policies can empower users even in the open access Internet. ALA should consider creating model privacy policies, instructional materials, and privacy "best practices" documents for libraries.
Librarians, as individuals and through their library associations, can influence public policy on privacy. State laws on the confidentiality of library records may need to be extended to cover new technologies, or revised to be technology neutral. Librarians can participate in the creation of standards and new technologies that take privacy considerations into account. Librarians can advocate the importance of privacy through standards bodies and ad hoc groups that allow public participation and comment.
Recommendations
In reviewing the conclusions of the Task Force Study, three recommendations emerge which we submit for ALA Council review and possible action. These are:
- That ALA revise its policy statements related to Policy on Confidentiality of Library Records (rev. 1986) and Policy Concerning Confidentiality of Personally Identifiable Information about Library Users (1991) in order to specifically and appropriately incorporate internet privacy.
- That ALA develop model privacy policies, instructional materials, and privacy "best practices" documents for libraries.
- That ALA urge that all libraries adopt a privacy statement on web pages and post privacy policies in the library which cover the issues of privacy in internet use as accessed through the library's services.
Task Force on Privacy and Confidentiality in the Electronic Environment
- Flo Wilson (LITA), Chair
- Therese Bigelow (ALSC)
- Karen Coyle (LITA)
- Rebecca Felkner (LITA, ex officio)
- William Fietzer (ALCTS)
- Tom Klingler (LITA)
- Tamara Miller (LITA)
- Jacqueline Mundell (LITA, ex officio)
- Karen Schneider (PLA)
- Craig Summerhill (LITA)
- Claudette Tennant (ALA)
- Sylvia Turchyn (IFC)
- Christie Vernon (Legislation)
- E. Paige Weston (RUSA)
- Rick Weingarten (OITP)