WHAT YOU DON’T KNOW CAN HURT YOU: PRIVACY AUDITS

Rachel Gordon

Mercer University School of Law

What is Privacy? In a library (physical or virtual), the right to

privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others.

– ALA, An Interpretation of the Library Bill of Rights

Privacy and Confidentiality Confidentiality exists when a library is in

possession of personally identifiable information about users and keeps that information private on their behalf.

– ALA, An Interpretation of the Library Bill of Rights

Personally Identifiable Information

Generally includes any information that can identify a specific individual

Name Address Phone/Fax number

Social security number

Driver’s license number

Bar or Student ID Number

Email addressMother’s maiden

nameSpouse information

Financial information Medical information Education information

Birth date IP address Signature

What Laws Govern Library Privacy? Federal

1st AmendmentVideo Privacy Protection ActFreedom of Information Act (FOIA)Family Educational Rights and Privacy Act

(FERPA) State

Library privacy statutesRecords retention/destruction statutes

Georgia Library Privacy Statute

Georgia Business Records Statutes

O.C.G.A. § 10-11-2. Time period for retention of business records

O.C.G.A. § 10-15-2. Disposal of business records containing personal information

Privacy Audit

What is it? Whose responsibility is it? What is the end product?

What is a Privacy Audit?

Ensure goals supported by practices Protect from liability Process, not a one-time event

Whose Responsibility?

End Products

Privacy policy Document retention policy Staff training

Preliminary Steps1. Evaluate existing policies and procedures

2. Compile definitions, including what is considered PII

3. Identify a process/department to audit

Data Collected

Protected?

Secure?Test

Destroy

Privacy Audit Cycle

Concluding Steps

Establish ownership Address issues

○ Process Improvement ○ Training

Repeat periodically

Auditing for PII

Patron records Transaction logs Notices for overdue items and fines ILL and document delivery records Visitor registers Reference logs Public terminals

Data Collection Considerations

Why is data being collected? Who is collecting? Who else has access? How stored? For how long? How will data be destroyed?

Developing a Privacy Policy State that privacy and 1st Amendment rights

are protected Specifically discuss patron use info related to

books, multimedia resources, and the internet State that general statistical data may be

compiled, but that PII is not included Offer an opt-in for contact unrelated to library

activities Mention vendors Have it reviewed by legal counsel

Record Retention Policies

Is there a state statute? Minimum time to retain

Audit Results

Existing privacy policy Electronic security Issues in practice

Instances of borrowing history revealedPapers not secured/shreddedProcesses needed updating

Audit Results – Electronic Info Patron circulation data well protected

ILS set to only keep current check outs and unpaid fine information

Staff not clearing patron data from circulation computer monitor

Scanned files need to be manually deleted

Official Requests

Law Enforcement FOIA Open Records Act

Social Security Numbers

Do not use! Check old records Redact or destroy

Informal Patron Requests Who has Weinstein

on Evidence checked out?

Would jury instructions for child molestation be civil or criminal?

Reference Questions

How do I find information on whether I have to tell my boss that I’m HIV positive?

Holds Balance patron privacy with need to

know who receives item Wrap hold items to cover titles if stored

on an open shelf

Routing Slips

Routing slips reveal one or more patron names linked to an item

Opt in

Law Enforcement Requests

Separate policy Easy reference University-wide

THERESA CHMARA, PRIVACY AND CONFIDENTIALITY ISSUES: A GUIDE FOR LIBRARIES AND THEIR LAWYERS (2009).

Audit Results – Training

10-15 student assistants each semester with a completely new staff every 2 years

Students are the main circulation desk contacts

Training issues/reinforcement Reminder sign posted next to the

circulation computer

Audit Results – Paper Problems

MANY issuesInadvertent prints from the circulation

computerCopies of checksOld student info with social security

numbersGraded student work left by former

employeesStaff info page on a bulletin boardPrint copies of sent overdue notices

Inadvertent Printing

Payment Records

Copies of checks

Overdue and Fine Notices

Rachel Gordon123 Some StreetMacon, GA 31204

Public Internet Terminals

Components of a Good Privacy Policy

Notice of rights & applicable laws Choice & consent Access & updating Data integrity and security Data aggregation Required disclosures

Related Issues

Internet security Identity theft Social engineering