Library privacy and the privacy audit

DESCRIPTION

Presentation from the 2014 Southeastern Chapter of the American Association of Law Libraries conference in Knoxville, TN on privacy audits in law libraries.

WHAT YOU DON’T KNOW CAN HURT YOU: PRIVACY AUDITS

Rachel Gordon

Mercer University School of Law

What is Privacy?

In a library (physical or virtual), the right to privacy is the right to open inquiry without having the subject of one’s interest examined or scrutinized by others.

– ALA, An Interpretation of the Library Bill of Rights

Privacy and Confidentiality

Confidentiality exists when a library is in possession of personally identifiable information about users and keeps that information private on their behalf.

– ALA, An Interpretation of the Library Bill of Rights

Personally Identifiable Information

Generally includes any information that can identify a specific individual

Name
Address
Phone/Fax number
Social security number
Driver’s license number
Bar or Student ID Number
Email address
Mother’s maiden name
Spouse information
Financial information
Medical information
Education information
Birth date
IP address
Signature

What Laws Govern Library Privacy?

Federal
○ 1st Amendment
○ Video Privacy Protection Act
○ Freedom of Information Act (FOIA)
○ Family Educational Rights and Privacy Act (FERPA)

State
○ Library privacy statutes
○ Records retention/destruction statutes

Georgia Library Privacy Statute

Georgia Business Records Statutes

O.C.G.A. § 10-11-2. Time period for retention of business records

O.C.G.A. § 10-15-2. Disposal of business records containing personal information

Privacy Audit

What is it?
Whose responsibility is it?
What is the end product?

What is a Privacy Audit?

Ensure goals supported by practices
Protect from liability
Process, not a one-time event

Whose Responsibility?

End Products

Privacy policy
Document retention policy
Staff training

Preliminary Steps

1. Evaluate existing policies and procedures
2. Compile definitions, including what is considered PII
3. Identify a process/department to audit

Privacy Audit Cycle

[Cycle diagram; labels: Data Collected, Protected?, Secure?, Test, Destroy]

Concluding Steps

Establish ownership
Address issues
○ Process Improvement
○ Training
Repeat periodically

Auditing for PII

Patron records
Transaction logs
Notices for overdue items and fines
ILL and document delivery records
Visitor registers
Reference logs
Public terminals

Data Collection Considerations

Why is data being collected?
Who is collecting?
Who else has access?
How stored?
For how long?
How will data be destroyed?

Developing a Privacy Policy

State that privacy and 1st Amendment rights are protected
Specifically discuss patron use info related to books, multimedia resources, and the internet
State that general statistical data may be compiled, but that PII is not included
Offer an opt-in for contact unrelated to library activities
Mention vendors
Have it reviewed by legal counsel

Record Retention Policies

Is there a state statute?
Minimum time to retain

Audit Results

Existing privacy policy
Electronic security
Issues in practice
○ Instances of borrowing history revealed
○ Papers not secured/shredded
○ Processes needed updating

Audit Results – Electronic Info

Patron circulation data well protected

ILS set to only keep current check outs and unpaid fine information

Staff not clearing patron data from circulation computer monitor

Scanned files need to be manually deleted

Official Requests

Law Enforcement
FOIA
Open Records Act

Social Security Numbers

Do not use!
Check old records
Redact or destroy

Informal Patron Requests

Who has Weinstein on Evidence checked out?

Would jury instructions for child molestation be civil or criminal?

Reference Questions

How do I find information on whether I have to tell my boss that I’m HIV positive?

Holds

Balance patron privacy with need to know who receives item
Wrap hold items to cover titles if stored on an open shelf

Routing Slips

Routing slips reveal one or more patron names linked to an item

Opt in

Law Enforcement Requests

Separate policy
Easy reference
University-wide

THERESA CHMARA, PRIVACY AND CONFIDENTIALITY ISSUES: A GUIDE FOR LIBRARIES AND THEIR LAWYERS (2009).

Audit Results – Training

10-15 student assistants each semester with a completely new staff every 2 years

Students are the main circulation desk contacts

Training issues/reinforcement
Reminder sign posted next to the circulation computer

Audit Results – Paper Problems

MANY issues
Inadvertent prints from the circulation computer
Copies of checks
Old student info with social security numbers
Graded student work left by former employees
Staff info page on a bulletin board
Print copies of sent overdue notices

Inadvertent Printing

Payment Records

Copies of checks

Overdue and Fine Notices

Rachel Gordon
123 Some Street
Macon, GA 31204

Public Internet Terminals

Components of a Good Privacy Policy

Notice of rights & applicable laws
Choice & consent
Access & updating
Data integrity and security
Data aggregation
Required disclosures

Related Issues

Internet security
Identity theft
Social engineering
