[Web4lib] Library Website Privacy Policies

Adams, Jason JAdams at washoecounty.us
Sat Apr 2 17:21:18 EDT 2011 

It seems that a general policy should be simply stated, but the actual
explicit process used to provide privacy should be a public record that
is changeable and updated and available on demand.


I believe that's where they were coming from when they "pared down
considerably" (in their own words) our privacy policy and suggested a
FAQ section that could "be changed with changing technologies, without
changing the policy."

 

If you provide a policy that is perceived as an obligation to your
public / patrons then the less you say without trying to rewrite the law
may provide the least amount of institutional liability.

 

And I believe this, too, is why they believe the privacy policy should
"be succinct."

However, with both of the above points being said, it is my
understanding (per the Federal Trade Commission and the Electronic
Frontier Foundation - and even ALA) that a website privacy policy should
describe what we do with the data we collect from our visitors.  Is it
not standard practice to have a website privacy policy that does so?
Cannot we still do this and have a privacy policy that doesn't need
updates and revisions for the next several years?  The ALA's privacy
policy is 8-years old tomorrow, and it still stands as relevant as it
did in 2003 (cf. http://www.ala.org/ala/home/privacystatement.cfm).

 

In addition, I don't believe statements like the following would either
create a greater liability for our library or a greater obligation to
our patrons:

 

"Personally identifying information that you provide by emails or web
forms will be used only for such purposes as are described at the point
of collection..."

 

"Email sent to the Library is not necessarily secure against
interception."

 

"The Library will not ask for and does not use sensitive information
such as social security numbers or credit card numbers, and it is
advisable not to send such sensitive information by email."

 

"The Library uses cookies to enable customization of individual visits
on the Library website... Refusing or disabling cooies may result in an
inability to access some library services..."

 

"The [Library] may track the usage of the Library website and other
services accessed through Library services. The [Library] uses this
information as anonymous aggregate data to determine the number of
visitors to different sections of our site and services..."

 

"...The vendors of some of [the Library's electronic databases] provide
statistical information to the Library."

 

"Server logs and statistical summaries are reviewed by [the Library] to
determine how individual electronic services are used in order to
improve website content, better manage network traffic, and troubleshoot
server problems."

 

"The [Library] also offers a wireless network... Please be aware that
data accessed and sent over the [Library's] wireless network is not
encrypted."

 

"The [Library] website contains links to external websites and
databases... The Library cannot be responsible for user privacy when
visiting outside websites or the privacy practices of other sites which
may differ from the practices described in this policy."

 

Once again, is it not standard practice to include such statements in a
privacy policy?  The EFF says, "...a privacy policy should accurately
and completely disclose the privacy practices of the site"
(http://www.eff.org/wp/osp).  The FTC says, "...notice of some or all of
the following have been recognized as essential to ensuring that
consumers are properly informed before divulging personal information:
identification of the entity collecting the data... the uses to which
the data will be put... potential recipients of the data; the nature of
the data collected and the means by which it is collected... whether the
provision of the requested data is voluntary or required, and the
consequences of a refusal to provide the requested information; and the
steps taken by the data collector to ensure the confidentiality,
integrity and quality of the data"
(http://www.ftc.gov/reports/privacy3/fairinfo.shtm).

 

What are your thoughts?  Has anyone had experience putting together a
privacy policy for their library's website?  If so, did you work with a
team or alone, and what steps did you take to get final approval before
posting it to the site?

Thanks, Robert, for your reply, and thanks in advance to any other
replies I might receive.

Sincerely,

Jason Adams, Library Assistant II






From: Robert Balliot [mailto:rballiot at gmail.com] 
Sent: Friday, April 01, 2011 7:50 PM
To: Adams, Jason
Cc: web4lib at webjunction.org
Subject: Re: [Web4lib] Library Website Privacy Policies

 

 

This is an interesting problem.  The way that I understand the law is
that States can offer more constitutional protections than the Federal
government, but not less.  So, you have the Nevada law which reads:

 

Nevada Chapter 239 Public Records
<http://www.leg.state.nv.us/Division/Legal/LawLibrary/NRS/NRS-239.html#N
RS239Sec013> :

 

NRS 239.013  Confidentiality of records of library which identify user
with property used.  Any records of a public library or other library
which contain the identity of a user and the books, documents, films,
recordings or other property of the library which were used are
confidential and not public books or records within the meaning of NRS
239.010
<http://www.leg.state.nv.us/Division/Legal/LawLibrary/NRS/NRS-239.html#N
RS239Sec010> . Such records may be disclosed only in response to an
order issued by a court upon a finding that the disclosure of such
records is necessary to protect the public safety or to prosecute a
crime.   (Added to NRS by 1981, 182)

 

That seems like a pretty strong case for privacy in Nevada. In my mind,
those confidential records would include anything being done on a
library computer.  But, the Children's Internet Protection Act (based on
the power of withholding funds) and the various iterations of the
Patriot Act and FISA end up modifying Constitutional protections by
changing the historic parameters of probable cause and somewhat
redefining due process through National Security Letters.  I imagine
that there may be some case law at this point that has tested the
provisions of the Patriot Act that a qualified attorney could
definitively apply to both Nevada law and Federal law.

 

The ALA code of ethics only has the power of a well-reasoned
authoritative suggestion.  But, I think your policy would need to
balance what you *can do* with liability.  If you provide a policy that
is perceived as an obligation to your public / patrons then the less you
say without trying to rewrite the law may provide the least amount of
institutional liability.  On the other hand, a well-informed public is a
good thing for society and a fundamental goal of libraries.  It seems
that a general policy should be simply stated, but the actual explicit
process used to provide privacy should be a public record that is
changeable and updated and available on demand.

 

I don't really think that libraries in general can guarantee protection
of the privacy of computerized records. There are too many access points
and rarely any measures in place to encrypt active records and
forensically wipe old records. Even though you may want to protect
privacy and aspire to do so, it may be a greater disservice to the
public to convince them that you can.  

 

R. Balliot

http://oceanstatelibrarian.com <http://oceanstatelibrarian.com/> 



 

On Fri, Apr 1, 2011 at 7:59 PM, Adams, Jason <JAdams at washoecounty.us>
wrote:

Our Web Team put together a nice 2-page privacy policy -- very similar
to what you see on most library websites.  When our Policy Review Team
revised it, our privacy policy was reduced to two sentences sandwiched
between a statement from the ALA Code of Ethics ("We protect each
library user's right to privacy...") and a statement about the PATRIOT
Act ("The Library System complies with the law as it relates to the
U.S.A. P.A.T.R.I.O.T. Act...").

It's my understanding that it is "proper" standard practice for website
privacy policies to detail a website's information-gathering practices,
including a description of why we collect data, what we collect, and
what we do with it.  I've seen this mentioned by the Electronic Frontier
Foundation, Federal Trade Commission, and the American Library
Association (in their document "Guidelines For Developing a Library
Privacy Policy").

What are your suggestions for helping our less web-savvy library system
decision-makers to understand the importance of a more descriptive
privacy policy for our library website?  Any links to related articles,
other library privacy policies, and statements by the EFF, FTC, ALA,
library lawyers, etc. would also be helpful.

Thanks in advance for your replies!

Jason Adams, Library Assistant II



_______________________________________________
Web4lib mailing list
Web4lib at webjunction.org
http://lists.webjunction.org/web4lib/

More information about the Web4lib mailing list