By Emily Clasper
Librarians have long been champions of patron privacy, committed to protecting patron information as an essential element of free speech and access for all. In its 1939 Code of Ethics for Librarians, the American Library Association affirmed that “It is the librarian’s obligation to treat as confidential any private information obtained through contact with library patrons.” A 2002 Interpretation of the Library Bill of Rights further highlights the imperative that we, as library and information professionals, protect the Personally Identifiable Information (PII) entrusted to us by our users.
Although this idea has long been a cornerstone of our professional ethics and commitments, it is hard not to notice that the issue of patron privacy and the protection of user PII has recently become a hot issue in libraries. We’ve all seen the scary headlines about high-profile data breaches involving retailers and government agencies, and the threat of unseen hackers taking over user accounts and computer systems has taken on a daunting presence in our personal and professional lives. No longer a hypothetical threat, the danger of exposed PII and the very real consequences of that data falling into the wrong hands sent our privacy-conscious profession into panic mode.
As a result, a valuable conversation has opened up surrounding the proactive measures libraries can take to prevent and deal with threats to the privacy of patron information. We can now find many resources and guidelines to help us ensure patron PII and transaction information are secure, especially when it comes to measures for upgrading and securing digital accounts and transactions. Libraries across the country are making sure that patron records are protected by secure passwords, transactions are completed using HTTPS, and vendors are held accountable for their use of secure APIs to access patron information. All of these (and many other technology-oriented measures) are essential for libraries to implement in the name of protecting our patrons.
However, it is important for all of us to remember that the protection of PII must not be seen as solely a technology concern. Many recent conversations about this issue with colleagues from across the country have left me with the feeling that some in our profession are forgetting a critical element of this issue. It is not enough to secure your patrons’ PII as it relates to transmission and access via digital means. Library staff at all levels must be involved and committed to this effort, and must be supported by policy and training to ensure greater security of patron information.
Not long ago, a little article about a data breach situation at Coney Island Hospital caught my eye. The long and short of the matter was that a volunteer at the hospital was granted access to patient PII (including names, birthdates, and record numbers) without first being trained in handling this information by the hospital’s HR department. This was treated by the hospital as a very big deal, with several press releases following from the administration, and measures taken to ensure such access was never granted again.
This little news item got me to thinking about the access we give to our staff and volunteers to much more information than was cited in this case, and the policies and procedures we have in place to ensure that this information is handled correctly by our workers. Many library workers I have interacted with do not know with certainty when it is “OK” to give PII over the phone (how do you know that’s really the person they claim to be?) or do not realize that handing a book to someone may also mean giving them an old checkout receipt or “on hold” slip with another patron’s PII printed on it. Patron privacy is not only a technology issue; it is also in large part a customer service issue for all library staff to engage in.
On the day I read this article, I followed up by asking a number of colleagues a simple question: What training does your library give staff and volunteers before allowing them access to patron information? I won’t share the answers here, but think of how this is done in your library.
I am a great believer that the staff and volunteers who work in our libraries are the single most important resource we have to give to our communities. However, without the proper policies, training, and oversight, the amazing people of our library workforce can easily become a threat to the privacy of patron information. Making sure that this is not the case is an aspect of the issue we cannot afford to ignore. We must support our workers and their commitment to upholding the right to privacy by making sure our policies, procedures, and training all support our shared values in ensuring our communities’ right to privacy. Don’t hand the issue over to your computer techs and consider the issue finished. There is much more work to be done.
Emily Clasper, MLIS, PMP, has been at Suffolk Cooperative Library System since 2005. She has helped provide cooperative services and technical support to 54 public libraries. She is a certified Project Management Professional (PMP®), often coordinating large cooperative projects for the libraries in her consortium and offering her project planning and development skills to libraries seeking assistance in making great ideas come to life.