[Web4lib] Library Website Privacy Policies

Edward Spodick lbspodic at ust.hk
Thu Apr 7 00:38:39 EDT 2011


If interested, you can also check the Hong Kong Office of the Privacy Commissioner for Personal Data (http://www.pcpd.org.hk/). By law, web sites here are supposed to have a "Personal Privacy Statement" and a "Personal Information Collection Statement" for compliance.  Not all do, but most do.

Ours are at: http://library.ust.hk/privacy.html

This strictly governs the use of and release of personally identifying information.  Other privacy issues could be included, or handled separately.

-Edward


At 12:58 PM -0700 4/6/11, Adams, Jason wrote:
>Robert, thank you for your knowledge and this information.  I will include this in my "privacy policy" report.
>
>I've seen that many public libraries use a similar privacy policy to our initial draft (NYPL, Queens, Multnomah, Seattle, Sonoma County, and even the ALA).  But I've also seen very short privacy policies (e.g. Spokane County Library District: "Spokane County Library District does not use personal information provided by online customers for purposes other than those stated and does not make such information available to other organizations").  This is similar to what we've decided to do; however, as you've pointed out, we cannot say that "we do not make such information available to other organizations."  We do use Google Analytics, and we have third-party vendors (online databases) who DO gather use-statistics.  So, even a generic one or two-sentence policy is still not completely accurate.
>
>I don't believe our original intent was to have an all-inclusive policy, but we did want to follow "best practices" as outlined by the Federal Trade Commission (http://www.ftc.gov/reports/privacy3/fairinfo.shtm) and the Electronic Frontier Foundation (http://www.eff.org/files/eff-ospbp-whitepaper.pdf).  And one thing we never got to was COPPA (http://www.coppa.org/ via the FTC).
>
>On the one hand, it seems proper to let the public know the why-what-hows of collecting their data, and on the other hand, it seems like we're safest with a simple (and hopefully accurate) one or two-sentence statement.
>
>Jason Adams, Library Assistant II
>
>
>
>
>-----Original Message-----
>From: Robert Balliot [mailto:rballiot at gmail.com]
>Sent: Sunday, April 03, 2011 6:33 AM
>To: Adams, Jason
>Cc: web4lib at webjunction.org
>Subject: Re: [Web4lib] Library Website Privacy Policies
>
>Jason:
>
>Washoe County and Washoe County Library use Google Analytics.
>
>So, everything being done on your website up to a point is being
>aggregated / analysed by a third party and is contained in their
>massive database - which can be used to draw inferences about the
>identity of the user (including IP address and location).  Google is a
>private company  not bound by the same privacy rules as a government
>entity.  Even though your policy may state that the Library is
>tracking usage - usage is also being tracked by Google.   Google could
>receive a National Security Letter and the library and Washoe County
>would not know that usage is being tracked.
>
>Washoe County Library does not use https for the Sirsi/Dynix Login:
>
>http://library.washoecounty.us/uhtbin/cgisirsi/0/RN/0/1/1168/X/
>
>So, the Pin / Library card information is being sent unencrypted over
>the web and Google Analytics is aggregating the IP address along with
>the before and after web history, key words, landing page, type of
>browser used, screen resolution and other data about the patrons.
>Keystroke logging software / hardware in any Internet cafe, school
>computer or on any compromised system would reveal Pins and logins.
>
>I have not seen your two page description, but if the intent of the
>description is to be inclusive - then it would be misleading not to
>include all relevant information about privacy. If the intent is to be
>inclusive, then the document would need to be changed many times to
>reflect the latest laws, technological changes, and other factors
>affecting library privacy.  That would require much more than two
>pages.
>
>
>R. Balliot
>http://oceanstatelibrarian.com
>
>
>
>
>
>
>On Sat, Apr 2, 2011 at 5:21 PM, Adams, Jason <JAdams at washoecounty.us> wrote:
>>
>> It seems that a general policy should be simply stated, but the actual explicit process used to provide privacy should be a public record that is changeable and updated and available on demand.
>>
>>
>> "The [Library] may track the usage of the Library website and other services accessed through Library services. The [Library] uses this information as anonymous aggregate data to determine the number of visitors to different sections of our site and services..."
>>
>> "...The vendors of some of [the Library's electronic databases] provide statistical information to the Library."
>>
>> "Server logs and statistical summaries are reviewed by [the Library] to determine how individual electronic services are used in order to improve website content, better manage network traffic, and troubleshoot server problems."
>>
>> "The [Library] also offers a wireless network... Please be aware that data accessed and sent over the [Library's] wireless network is not encrypted."
>>
>> "The [Library] website contains links to external websites and databases... The Library cannot be responsible for user privacy when visiting outside websites or the privacy practices of other sites which may differ from the practices described in this policy."
>>
>> What are your thoughts?  Has anyone had experience putting together a privacy policy for their library's website?  If so, did you work with a team or alone, and what steps did you take to get final approval before posting it to the site?
>>
>> Thanks, Robert, for your reply, and thanks in advance to any other replies I might receive.
>>
>> Sincerely,
>>
>>
>> From: Robert Balliot [mailto:rballiot at gmail.com]
>> Sent: Friday, April 01, 2011 7:50 PM
>> To: Adams, Jason
>> Cc: web4lib at webjunction.org
>> Subject: Re: [Web4lib] Library Website Privacy Policies
>>
>>
>>
>>
>>
>> This is an interesting problem.  The way that I understand the law is that States can offer more constitutional protections than the Federal government, but not less.  So, you have the Nevada law which reads:
>>
>>
>>
>> Nevada Chapter 239 Public Records:
>>
>>
>>
>> NRS 239.013  Confidentiality of records of library which identify user with property used.  Any records of a public library or other library which contain the identity of a user and the books, documents, films, recordings or other property of the library which were used are confidential and not public books or records within the meaning of NRS 239.010. Such records may be disclosed only in response to an order issued by a court upon a finding that the disclosure of such records is necessary to protect the public safety or to prosecute a crime.   (Added to NRS by 1981, 182)
>>
>>
>>
>> That seems like a pretty strong case for privacy in Nevada. In my mind, those confidential records would include anything being done on a library computer.  But, the Children's Internet Protection Act (based on the power of withholding funds) and the various iterations of the Patriot Act and FISA end up modifying Constitutional protections by changing the historic parameters of probable cause and somewhat redefining due process through National Security Letters.  I imagine that there may be some case law at this point that has tested the provisions of the Patriot Act that a qualified attorney could definitively apply to both Nevada law and Federal law.
>>
>>
>>
>> The ALA code of ethics only has the power of a well-reasoned authoritative suggestion.  But, I think your policy would need to balance what you *can do* with liability.  If you provide a policy that is perceived as an obligation to your public / patrons then the less you say without trying to rewrite the law may provide the least amount of institutional liability.  On the other hand, a well-informed public is a good thing for society and a fundamental goal of libraries.  It seems that a general policy should be simply stated, but the actual explicit process used to provide privacy should be a public record that is changeable and updated and available on demand.
>>
>>
>>
>> I don't really think that libraries in general can guarantee protection of the privacy of computerized records. There are too many access points and rarely any measures in place to encrypt active records and forensically wipe old records. Even though you may want to protect privacy and aspire to do so, it may be a greater disservice to the public to convince them that you can.
>>
>>
>>
>> R. Balliot
>>
>> http://oceanstatelibrarian.com
>>
>>
>>
>> On Fri, Apr 1, 2011 at 7:59 PM, Adams, Jason <JAdams at washoecounty.us> wrote:
>>
>> Our Web Team put together a nice 2-page privacy policy -- very similar
>> to what you see on most library websites.  When our Policy Review Team
>> revised it, our privacy policy was reduced to two sentences sandwiched
>> between a statement from the ALA Code of Ethics ("We protect each
>> library user's right to privacy...") and a statement about the PATRIOT
>> Act ("The Library System complies with the law as it relates to the
>> U.S.A. P.A.T.R.I.O.T. Act...").
>>
>> It's my understanding that it is "proper" standard practice for website
>> privacy policies to detail a website's information-gathering practices,
>> including a description of why we collect data, what we collect, and
>> what we do with it.  I've seen this mentioned by the Electronic Frontier
>> Foundation, Federal Trade Commission, and the American Library
>> Association (in their document "Guidelines For Developing a Library
>> Privacy Policy").
>>
>> What are your suggestions for helping our less web-savvy library system
>> decision-makers to understand the importance of a more descriptive
>> privacy policy for our library website?  Any links to related articles,
>> other library privacy policies, and statements by the EFF, FTC, ALA,
>> library lawyers, etc. would also be helpful.
>>
>> Thanks in advance for your replies!
>>
>> Jason Adams, Library Assistant II
>>
>>
>>
>> _______________________________________________
>> Web4lib mailing list
>> Web4lib at webjunction.org
>> http://lists.webjunction.org/web4lib/
>>
>>
>>
>> Jason Adams, Library Assistant II
>
>
>


-- 
Edward F Spodick, IT and Services Infrastructure Manager
Hong Kong University of Science & Technology Library
lbspodic at ust.hk  tel:852-2358-6743 fax:852-2358-1043



