Patron Privacy and Access Policies

Introduction to Patron Privacy in Libraries

Responsibilities of Libraries

• The library profession has a long-standing ethic of facilitating, not monitoring, access to information.
• It is essential that libraries maintain an updated, publicly available privacy policy that states what data is being collected, with whom it is shared, and how long it is kept.
• Everyone who provides governance, administration, or service in libraries, including volunteers, has a responsibility to maintain an environment respectful and protective of the privacy of all users.
• Libraries should not monitor, track, or profile an individual’s library use beyond operational needs.
• Data collected for analytical use should be limited to anonymous or aggregated data and not tied to individuals’ personal data.

Civil Practice Law Section 4509, Library Records

• Libraries in New York State are guided by Civil Practice Law Section 4509, Library Records.
  • All patron activity in a library and records from library use is confidential and protected by law.
  • Libraries are responsible for ensuring that patron personally identifiable information and library usage are not shared with any person or business outside of the agreements between the library and the patron.
    • Actions that are considered against this law include: Sharing data with Friends groups, uploading a contact list to a third party such as MailChimp, or using patron data for anything other than performing normal circulation activities (unless otherwise agreed to between the patron and library).

Patron Opt-In vs. Opt-Out

• While libraries are barred from using patron data for mailing lists or other communications outside of overdue notices, a library can certainly create an "opt-in" option on their library registration card to include the patron on a mailing list or other service.
  • Adding a line such as "Please check here if you would like to be included in library communication" is permissible. Staff would then take the information from the registration card and follow local policy to handle the data appropriately.
• This practice should not be an "opt-out" option by default.
  • "users should have the choice to opt-in to any data collection that is not essential to library operations and the opportunity to "opt-out" again at any future time."
  • All nonessential data collection should be turned off by default.
  • In all areas of librarianship, best practice leaves users in control of as many choices as possible regarding their privacy. This includes decisions about the selection of, access to, and use of information. Information about options available to users should be prominently displayed, accessible, and understandable for a general audience." Source: ALA, Privacy: An Interpretation of the Library Bill of Rights.
  • The American Library Association goes on to say that users should have the right to give "explicit consent."
    • "Explicit consent means that users are given an option to agree or disagree with the collection of their data. The user must be informed in a specific and unambiguous manner regarding how their data will be collected, used, and/or shared. Users should be given the choice before choosing to access a service rather than have to opt-out later. Libraries should ensure their online services do not default to opt-out. Opt-out requires action from the user to remove themselves from data collection. This does not allow a user to learn about the specific details of how their data will be utilized." Source: Privacy and Confidentiality Q&A

Systems Access and Confidentiality of Library Records Policy

The Systems Access and Confidentiality of Library Records Policy aims to establish practices for maintaining the information security of the Personally Identifiable Information (PII) collected and stored by libraries and the OWWL Library System. This policy shall apply to all individuals authorized to access the System Information Systems as necessary for their job functions.