Library Privacy Checklist 3: E-book Lending and Digital Content Vendors

Library Privacy Checklist 3: E-book Lending and Digital Content Vendors

This checklist is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines for E-book Lending and Digital Content Vendors. 

Priority 1 are actions that hopefully all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions may be more difficult for libraries to implement depending on their technical expertise, available resources, and organizational structure.

Priority 1 Actions

1. Provide links to vendor privacy policies and terms of service pages for users when appropriate, e.g. from the library’s own privacy policy page or from a library web page about the vendor’s product or service.
2. Work with vendors to configure services to use the opt-in method whenever possible for features that involve the collection of personal information.
3. Develop a strategy to assist patrons in managing their privacy when using vendor products and services. The strategy could include in-person reference, handouts, web guides, classes, or other programming.  Topics covered could include:
   1. Settings for personal accounts on vendor websites.
   2. Vendor applications on personal devices including any privacy settings and how to remove the application and any associated stored data.
4. Notify staff and patrons of any data breaches and assist patrons in mitigating the impact (changing passwords, uninstalling applications, etc).

Priority 2 Actions

1. Add privacy considerations to the library’s selection criteria for new purchases or the renewal of existing purchases. These considerations should include the vendor:
   1. Notifying users of their privacy policies at the point of access and restricting the collection of patron data to clearly stated operational purposes.
   2. Seeking patron consent for data collection by using the opt-in method whenever possible for features that involve the collection of personal information.
   3. Providing a method for patrons to access, review, correct and delete their personal data.
   4. Encrypting connections using SSL/HTTPS to provide secure access to digital content.
   5. Allowing users to uninstall vendor applications and delete associated stored data from personal devices.
2. Review all new license agreements regarding the use, aggregation, retention, security, and dissemination of patron data.  Before purchasing a new product or service the library should ensure that the license agreement:
   1. Complies with all applicable local, state, and federal laws regarding the confidentiality of library records.
   2. Conforms to the library’s privacy, data retention, and data security policies.
   3. Stipulates that the library retains ownership of all patron data.
   4. Includes a protocol for responding to government and law enforcement requests for patron data.
   5. States the vendor’s responsibilities to notify the library and affected patrons in the event of a data breach.

Priority 3 Actions

1. Review existing licence agreements using the privacy concerns outlined above for new agreements.
   1. Work with vendors to change language of license agreements when possible to address concerns.
   2. Consider not renewing contracts with vendors that are unable to provide these assurances in the license agreement.
2. Review vendors’ data governance plan that addresses patron consent, data security, encryption, anonymization, retention, dissemination/data sharing, and destruction.  If the vendor does not have a plan, ask them to create one.
3. Request that vendors conduct regular privacy audits and make audit results available to the library for review.  Make the results of the review one of the criteria for renewal.

Resources

• ALA. “Encryption And Patron Privacy.”  American Library Association, 2016,
• Cavoukian, Ann.  “Privacy By Design: The 7 Foundational Principles; Implementation And Mapping Of Fair Information Practices.”  Internet Architecture Board, 2011.
• Department of Computer Engineering, Boğaziçi University.  “Guide to Data Protection Auditing.”  Data Protection.
• Hoffman-Andrews, Jacob.  “What Every Librarian Needs To Know About HTTPS.”  Electronic Frontier Foundation, 6 May 2015.
• International Association of Privacy Professionals.  “Security Breach Response Plan Toolkit.”  IAPP Resource Center, 2016.
• Internet Security Research Group.  Let’s Encrypt [https certificate registry].
• Perera, Charith, McCormick, Ciaran, Bandara, Arosha K., Price, Blaine A., and Bashar Nuseibeh.  “Privacy-By-Design Framework For Assessing Internet Of Things Applications And Platforms.”  IoT 2016, 7-9 Nov. 2016, Stuttgart, Germany.
• Riffat, Muzamil.  “Privacy Audit - Methodology and Related Considerations.”  ISACA Journal, vol. 1, 2014.
• Chmara, T. (2012). Privacy and E-Books. Knowledge Quest, 40(3), 62-65.

Additional Questions to Consider

• What are the local statutes regarding patron/user information use?
• Does the vendor’s privacy policy jive with the library’s privacy policy?
• Is the vendor’s privacy policy explicit on the product portal?
• Can the vendor’s privacy policy be shared with the library to publicize for its users?
• User’s browsing, borrowing, downloads, notations, group affiliations shall not be shared with any other parties without the specific written consent of the individual user.
• Does the language in the policy/contract/license specifically address other devices and do the terms extend to other devices as well (smartphone apps, tablet, etc.)?
• What is the retention policy of the institution/library, including proxy server collection of IP address access, and what is the retention policy of the vendor?
• Is the language of the policy consistent with the age of the product’s intended audience, can the minor user for instance understand the policy?
• Does the language of the policy/contract/license specify that harvested user data should be destroyed and not retained in perpetuity by the vendor?   
• In case of data breach, does the language specify that the vendor inform the library as soon as it is aware of the breach?
• How should the library respond in terms of user privacy when a data breach is identified?
• Vendor must give libraries advance notice of any changes to the user privacy policies, at least 30 days to respond.
• Agreements and contracts should be reviewed annually per their individual renewal/ purchase date.