Maintaining Confidentiality – It’s Everyone’s Business

Eileen M. Palmer

President, New Jersey Library Association

Executive Director, Libraries of Middlesex Automation Consortium

May 2014

Upload: empalmer

Post on 14-Jun-2015

Page 2: Maintaining confidentiality

Privacy vs. Confidentiality

• These words are often used interchangeably but mean different things

• Privacy is about people

– In a library, the right to privacy is the right to open inquiry without being examined or scrutinized by others.

– But libraries are public places. We can and do try to protect the privacy of inquiry. But we also have people and (sometimes) cameras. We cannot protect against all observation.

Page 3: Maintaining confidentiality

Privacy vs. Confidentiality

• Confidentiality is about data

– Extension of privacy

– Identifiable data

– “Privacy” notices abound -- but they are really about confidentiality (or lack of it). (ex. doctors, grocery stores, credit card companies and, yes, libraries).

• The law says library users have the legal protection of confidentiality regarding identifiable data about how they use the library.

Page 4: Maintaining confidentiality

How Private Should Patrons Expect the Library to be?

• Physical

– Public building where people tend to expect to be left alone

• Virtual

– Visitors may come and go with an expectation that no record exists of their visit

• Do we have a responsibility to set expectations for our users – both physical and virtual?

Page 5: Maintaining confidentiality

Elements of a Patron Disclosure Policy

• What you collect, why you collect it and how long you retain it.

• What is protected by law. What rules the library must follow for disclosure.

• When (and under what circumstances) you will disclose data and to whom you will disclose it.

• How data is protected and secured.

• 3rd party vendors.

Page 6: Maintaining confidentiality

Confidentiality Statutes

• New Jersey Library Confidentiality Law

– Library records which contain the names or other personally identifying details regarding the users of libraries are confidential and shall not be disclosed except in the following circumstances:

• a. The records are necessary for the proper operation of the library;

• b. Disclosure is requested by the user; or

• c. Disclosure is required pursuant to a subpoena issued by a court or court order.

• Delaware – exception to public records law

– Any records of a public library which contain the identity of a user and the books, documents, films, recordings or other property of the library which a patron has used.

Page 7: Maintaining confidentiality

Confidentiality Statutes

• Maryland

(a) In general. -- Unless otherwise provided by law, a custodian shall deny inspection of a public record, as provided in this section.

< … >

(e) Circulation records, or other item, collection, or grouping of information about an individual. --

(1) Subject to the provisions of paragraph (2) of this subsection, a custodian shall prohibit inspection, use, or disclosure of a circulation record of a public library or other item, collection, or grouping of information about an individual that:

(i) is maintained by a library;

(ii) contains an individual's name or the identifying number, symbol, or other identifying particular assigned to the individual; and

(iii) identifies the use a patron makes of that library's materials, services, or facilities.

(2) A custodian shall permit inspection, use, or disclosure of a circulation record of a public library only in connection with the library's ordinary business and only for the purposes for which the record was created.

Page 8: Maintaining confidentiality

Issues

• What’s a record?

• When can we disclose confidential information?

– Law enforcement

– Public

– Media

– Vendors

• What is our responsibility

– Board

– Director

– Staff

Page 9: Maintaining confidentiality

Responsibilities

• Get legal counsel

• Put policy in place

• Assure that procedures are in place and that training is provided for staff

• BE CONSISTENT! Follow policy when/if the need arises

• Compliance with the law is about more than what you do when the police knock at your door!

• How often in the last year have you discussed with staff what it means to have access to confidential data?

Page 10: Maintaining confidentiality
Page 11: Maintaining confidentiality

Know what records you collect

• Circulation

• In-house use of materials

• Computer workstations

• Hold requests

• ILL requests

• Database logins

• Website use

Page 12: Maintaining confidentiality

How do you safeguard data?

• Protecting patron confidentiality is about more than knowing what to do when the police come to the door.

• Do you treat confidential data as confidential?

– If you don’t, no one else will

• Do you have an employee policy on handling confidential data?

• Policies on backups, data handling and retention?

• What about 3rd party vendors?

Page 13: Maintaining confidentiality

What information do you keep and how long do you keep it?

• Integrated Library System

– Log files

– Access

– Borrowing history

• PC Reservation System

• Calendaring / Program Registration System

• Paper records (Reference, holds, meeting rooms, etc.)

• Website

• Privacy Audit

Page 14: Maintaining confidentiality

3rd Party Vendors

• Patron data in the cloud?

• Vendors with access to patron data?

– SIP connections?

– Access

• Overdrive, Freading/Freegal, EventKeeper, etc. with more to come.

• Amazon / Kindle

Page 15: Maintaining confidentiality

Vendor Negotiations

• Know what your vendor’s privacy policy is.

• Insert language protecting your patrons’ confidentiality as much as possible.

– Vendors’ willingness to include such language varies.

– Making this issue part of your negotiation may result in contract language that is favorable.

• Have your own data handling/confidentiality agreement that vendors must sign.

• Make your patrons aware of when they are creating data with a third party vendor that you do not control

Page 16: Maintaining confidentiality

Elements of a Data Confidentiality Agreement

• What data is to be covered

• Prohibition on unauthorized use or disclosure

• Adherence to industry standard safeguards

• Return or destruction of data

• Maintenance and/or security of data

• Reports of unauthorized disclosure or misuse of data

• Subcontractors or agents

• Terms and Termination

Page 17: Maintaining confidentiality

What Happens When Someone Asks for Library Records?

• Is it a record?

• Is the record protected?

• Do you have a policy and procedures?

• Who is asking? Does one of the exceptions apply?

– Staff from other libraries (ILL, Consortia)

– Law Enforcement

– Media

– Parents

Page 18: Maintaining confidentiality

How Do You Handle:

• Access to children’s records

– Parental signature?

• Picking up holds

• Providing a mailing list to the Friends

• Is my daughter at the library?

• Request from Board Member or Municipal Official

Page 19: Maintaining confidentiality

Common Questions

• My library destroys records, is that OK?

• What if I see someone break the law?

• Can I tell another staff member what his/her child has out?

• What if I see someone do something illegal on the computer?

Page 20: Maintaining confidentiality

What Would You Do? What Would Your Staff Do?

• Police have just arrested a juvenile in town. The only ID the kid has is a library card. The police call and ask you to look up who he is. Can you?

• A reporter stops by on a Saturday afternoon and wants to interview someone who attended the library-sponsored lecture on protecting civil liberties. You have a list of attendees. Do you share?

• The mayor calls and wants the library to prepare a set of mailing labels so he can send his newsletter to library users (he was responsible for the new library after all!). Should you?

Page 21: Maintaining confidentiality

Sample Policies

• San Francisco Public Library Privacy Policy

– http://sfpl.org/pdf/about/administration/privacypolicyfaq.pdf

• ALA Privacy Resources

– http://www.ala.org/advocacy/privacyconfidentiality/privacy/privacyconfidentiality

• Princeton Public Library Privacy Policy

– http://princetonlibrary.org/privacy

• Overdrive Privacy Policy

– http://www.overdrive.com/privacypolicy.aspx

• NC State University Policy for Staff

– http://policies.ncsu.edu/rule/rul-02-61-02

Page 22: Maintaining confidentiality

Resources

• Privacy and Confidentiality Issues: A Guide for Libraries and Their Lawyers, ALA 2009

• NJLA

– http://www.njla.org/content/njla-statement-confidentiality-library-records-and-e-content

– http://www.njla.org/content/njla-statement-privacy-0

– http://www.njla.org/content/njla-statement-national-security-letters-nsls

– http://www.njla.org/content/suggested-procedures-implementing-policy-confidentiality-library-records

• NJSL Library Laws

– http://www.njstatelib.org/LDB/Library_Law/lwstlibr.php#256

Page 23: Maintaining confidentiality

Questions?