
IFC Privacy Subcommittee (Intellectual Freedom Committee)


Online Doc DRAFT - Library Privacy Guidelines for E-book Lending and Digital Content Vendors

by Deborah Caldwell-Stone (staff) on Tue, Jun 16, 2015 at 09:45 am

Library Privacy Guidelines for E-book Lending and Digital Content Vendors

[Proposed draft guidelines for adoption by the ALA Intellectual Freedom Committee, the Digital Content Working Group, and other ALA bodies.]

Introduction

Protecting user privacy and confidentiality has long been an integral part of the intellectual freedom mission of libraries. The right to free inquiry as assured by the First Amendment depends upon the ability to read and access information free from scrutiny by the government or other third parties.  In their provision of services to library users, librarians have an ethical obligation, expressed in the ALA Code of Ethics, to preserve users' right to privacy and to prevent any unauthorized use of personally identifiable information.  Librarians and libraries may also have a legal obligation to protect library users' data from unauthorized disclosure.

Libraries enter into licenses or agreements with commercial vendors in order to provide library users access to digital information, including e-books, journals, and databases.  Access to these resources is most often provided via networks and the internet.  In the course of providing these services, most e-book and digital content vendors collect and use library patrons' personally identifiable information and use data for a variety of reasons, including digital rights management, consumer analytics, and user personalization.  Libraries and vendors must work together to ensure that the contracts and licenses governing the provision and use of digital information reflect library ethics, policies, and legal obligations concerning user privacy and confidentiality.

These guidelines are issued to provide vendors with information about appropriate data management and security practices in respect to library patrons' personally identifiable information and data about their use of digital content.

Agreements, Ownership of User Data, and Legal Requirements

Agreements between libraries and vendors should address appropriate restrictions on the use, aggregation, retention, and dissemination of users' personally identifiable information, particularly information about minors.  Agreements between libraries and vendors should also specify that libraries retain ownership of all data and that the vendor agrees to observe the library's privacy policies and data retention and security policies. 

Vendors are strongly encouraged to implement the principles of privacy by design, i.e. products and services should have privacy concerns “built in, not bolted on.”  In addition, agreements between libraries and vendors should reflect and incorporate restrictions on the potential dissemination and use of library patrons' records and data imposed by local, state, and federal law. 

Clear Privacy Policies

Library users should be notified about vendor privacy policies when accessing a product or service.  The privacy policies should be made easily available and understandable to users.  Safeguarding user privacy requires that individuals know what personally identifiable information is gathered about them, how long it is stored, who has access to it and under what conditions, and how it is used.  There should be a way to actively notify ongoing users of any changes to the vendor's privacy policies.

User Consent

The vendor should give users options as to how much personally identifiable information is collected from them and how it may be used.  Users should be able to access content anonymously, and have a choice about whether or not to opt-in to features and services that require the collection of personal information.  Users should also have the ability to opt-out if they later change their minds.

Access to Personal Data 

Users should have the right to access their own personal information and contest its accuracy.  Verifying accuracy helps ensure that vendor services that rely on personally identifiable information can function properly.   Guidance on how the user can access their personal data should be clear and easy to find.

Access to personal information should be restricted to the user and should conform to the applicable state laws addressing the confidentiality of library records as well as other applicable local, state, and federal law.

Data Integrity and Security

Whenever personally identifiable information is collected, the vendor must take reasonable steps to ensure integrity and security, including compliance with applicable statutory requirements.

Security: Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of data.  Security measures should be integrated into the design, implementation, and day-to-day practices of the vendor's entire operating environment as part of its continuing commitment to risk management.  The vendor should seek compliance with published cybersecurity standards from organizations such as the National Institute of Standards and Technology (NIST).

Encryption: The use of data encryption helps enhance privacy protection.  All online transactions between client applications (web browsers, mobile apps, etc.) and server applications should be encrypted in transit, e.g. with TLS.  In addition, any personally identifiable information and user data housed by the vendor off site (cloud-based infrastructure, tape backups, etc.) should use encrypted storage, with the encryption keys managed separately from the stored data.

Anonymization: Data used for customer analytics and other types of analysis should be anonymized by removing or encrypting personally identifiable information.  Note that encrypting (or otherwise pseudonymizing) an identifier rather than removing it leaves the data re-identifiable by whoever holds the key, so the key must be kept outside the analytics environment.  While data anonymization is a good practice, it is not foolproof (re-identification analysis has been used to identify individuals from anonymized data sets); therefore access should still be restricted.

Retention: Personally identifiable information should not be retained in perpetuity.  The vendor should establish policies for how long to retain different types of data and methods for securely destroying data that is no longer needed.  For example, accounts that are expired or inactive for a certain amount of time should be purged.  Retention policies should also cover archival copies and backups.

Data Sharing:  It has become common practice for businesses to share data including personally identifiable information with cloud providers, third-party middleware vendors, and other business associates.  However, most state statutes on the confidentiality of library records do not permit release of library patrons' personally identifiable information or data about their use of library resources and services without user consent or a court order. In addition, ALA policy forbids sharing of library patron information with third parties absent a court order.

Government Requests: The vendor should develop and implement procedures for dealing with government and law enforcement requests for library patrons' personally identifiable information and use data. The vendor should consider a government or law enforcement request only if it is issued by a court of competent jurisdiction that shows good cause and is in proper form.  The vendor should inform and consult with the library when it believes it is obligated to release library patrons' information, unless prevented from doing so by the operation of law.  The vendor should also inform users through its privacy policies about the legal conditions under which it might be required to release personally identifiable information.

Company Sale, Merger, or Bankruptcy: In the event that the vendor is sold to another company, merges with another company, or is dissolved through bankruptcy, all personally identifiable information should be securely destroyed, or libraries and their end users must be notified and given the opportunity to request that their data be securely destroyed.

User Devices

Privacy protections for library patrons' personally identifiable information and use data should extend to the user's device, including the web browser or any applications provided by the vendor.  Communications between the user's device and the vendor's services that contain personally identifiable information and use data should be encrypted.  If the vendor wishes to employ personalization technology such as web browser cookies on its website or allow third-party web tracking, it should inform the user and provide the user the opportunity to opt-in before initiating these features for the user. If a vendor-provided application stores personally identifiable information or use data on the user's device, it should be encrypted.  The user should be able to remove a vendor-provided application and delete any data stored on the device.

Audit and Notification

Vendors should establish and maintain effective mechanisms to enforce their privacy policies.  They should conduct regular privacy audits to ensure that all operations and services comply with these policies.  The results of these audits should be made available upon request to libraries that are customers or potential customers.  A vendor that suffers a breach of its privacy policies through inadvertent dissemination or data theft must notify the affected libraries and users about this urgent matter as soon as the vendor is aware of the data breach.


File IFCPrivacyAgendaAC2015Final

by Deborah Caldwell-Stone (staff) on Tue, Jun 16, 2015 at 09:12 am

PDF File, 13.28 KB

File ebook_vendors_privacy2015-06-15-REVISED-3Numbered

by Deborah Caldwell-Stone (staff) on Tue, Jun 16, 2015 at 09:12 am

PDF File, 113.16 KB

Event IFC Privacy Subcommittee Meeting, 2015 ALA Annual Conference, San Francisco, CA

by Deborah Caldwell-Stone (staff) on Tue, Jun 16, 2015 at 09:08 am

The IFC Privacy Subcommittee will meet on Sunday, June 28, 2015 from 8:30 a.m. – 10:00 a.m.  in Room 220,  Moscone Convention Center South, 747 Howard Street, San Francisco, California during the ALA Annual Conference.  The agenda and draft guidelines document are attached. 

The main item on the agenda is the approval of the final draft of the "Library Privacy Guidelines for E-book Lending and Digital Content Vendors."  The subcommittee invites and welcomes comments and suggestions concerning the proposed guidelines.   Comments can be posted to the documents here in Connect  or emailed to Deborah Caldwell-Stone, staff liaison, at dstone@ala.org.


Online Doc Draft 2 - Best Privacy Practices for Ebook and Digital Content Vendors

by Deborah Caldwell-Stone (staff) on Wed, Jan 21, 2015 at 09:56 am

DRAFT  v2 - Best Privacy Practices for Ebook and Digital Content Vendors

Most ebook and digital content vendors collect and use personally identifiable information for a variety of reasons, including digital rights management, consumer analytics, and user personalization.  Libraries and vendors must work together to ensure that contracts and licenses reflect library policies and legal obligations concerning user privacy and confidentiality.  Agreements should address appropriate restrictions on the use, aggregation, retention, dissemination, and sale of personally identifiable information, particularly information about minors.  Vendor products and services should have privacy concerns “built in, not bolted on.”

Clear Privacy Policies

It is critical that vendor privacy policies be made easily available and understandable to users when accessing their product or service.  Safeguarding user privacy requires that individuals know what personally identifiable information is gathered about them, how long it is stored, who has access to it and under what conditions, and how it is used.  There should be a way to notify ongoing users of any changes to the vendor's privacy policies.

User Consent

The vendor should give users options as to how much personally identifiable information is collected from them and how it may be used.  Users should be able to access content anonymously, and should be able to opt in to or opt out of features and services that require the collection of personal information.

Access to Personal Data 

Users should have the right to access and verify the accuracy of their own personal information.  Verifying accuracy helps ensure that vendor services that rely on personally identifiable information can function properly.  Users should be able to delete their own personal information if they no longer wish to use the vendor’s products or services which depend on such information.  Guidance on how the user can access their personal data should be clear and easy to find.

Access to personal information should be restricted to the user.  Right to access should also address instances in which age may be a factor.  The Children's Online Privacy Protection Act of 1998 (COPPA) provides for "a parent's ability to review, make changes to, or have deleted the child's personal information."

Data Integrity & Security

Whenever personally identifiable information is collected, the vendor must take reasonable steps to ensure integrity and security, including compliance with applicable legal requirements such as COPPA for minors and the Family Educational Rights and Privacy Act (FERPA) for students.

Security: Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of data.  Security measures should be integrated into the design, implementation, and day-to-day practices of the vendor's entire operating environment as part of its continuing commitment to risk management.  The vendor should seek compliance with published cybersecurity standards from organizations such as the National Institute of Standards and Technology (NIST).

Encryption: The use of data encryption helps enhance privacy protection.  All online transactions between client applications (web browsers, mobile apps, etc.) and server applications should be encrypted.  In addition, any personally identifiable information housed by the vendor off site (cloud-based infrastructure, tape backups, etc.) should use encrypted storage.

Anonymization: Data used for customer analytics and other types of analysis should be anonymized by removing or encrypting personally identifiable information.  While data anonymization is a good practice, it is not foolproof (reidentification analysis has been used to identify individuals from anonymized data sets); therefore access should still be restricted.
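The Anonymization paragraphs in both drafts on this page (the June 2015 draft above and this Draft v2) call for removing or encrypting personally identifiable information before data is used for analytics, and warn that re-identification is possible. The following Python is an added example, not code from ALA, the subcommittee, or any vendor. It works on constructed lending events and assumes a card-number layout (a fixed institutional prefix followed by a 5-digit sequential suffix) that is itself an assumption. It shows why an unkeyed hash of a card number is not anonymization (the whole card-number space can be enumerated in well under a second), why a keyed pseudonym (HMAC) keeps events linkable for analytics yet is not recoverable without the key, and why the key holder can still reverse it, which is the reason the guidelines say access to the resulting data must still be restricted. It also coarsens quasi-identifiers (ZIP code, checkout date) that the paragraph does not mention but which are a common route to re-identification.

```python
"""Pseudonymize e-book lending events for analytics, and show why an
unkeyed hash of a library card number is not anonymization.

Added example with constructed data; not a vendor's real schema."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample events (no real patrons). Assumed layout: card numbers
# share an institutional prefix followed by a 5-digit sequential suffix.
CARD_PREFIX = "21234000"
SUFFIX_LEN = 5
SAMPLE_EVENTS = [
    {"card_number": CARD_PREFIX + "04711", "email": "patron1@example.org",
     "title_id": "isbn:9780140449136", "zip": "94103", "checked_out": "2015-06-01"},
    {"card_number": CARD_PREFIX + "04711", "email": "patron1@example.org",
     "title_id": "isbn:9780451524935", "zip": "94103", "checked_out": "2015-06-09"},
    {"card_number": CARD_PREFIX + "31337", "email": "patron2@example.org",
     "title_id": "isbn:9780140449136", "zip": "94110", "checked_out": "2015-06-02"},
]

# Fields that identify a patron on their own and are dropped outright.
DIRECT_IDENTIFIERS = {"card_number", "email"}


def naive_hash(card_number: str) -> str:
    """Unkeyed SHA-256. Deterministic and public, so it only hides the value
    from someone who cannot enumerate the (small) input space."""
    return hashlib.sha256(card_number.encode()).hexdigest()


def pseudonym(card_number: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Still linkable across events, so
    per-patron analytics work, but not invertible without the key, which
    must be held outside the analytics environment."""
    return hmac.new(key, card_number.encode(), hashlib.sha256).hexdigest()


def anonymize_event(event: dict, key: bytes) -> dict:
    """Drop direct identifiers, replace the card number with a keyed
    pseudonym, and coarsen quasi-identifiers (ZIP, date) that could
    otherwise single out a patron when joined with outside data."""
    out = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
    out["patron"] = pseudonym(event["card_number"], key)
    out["zip"] = event["zip"][:3] + "xx"          # ZIP3 only
    out["checked_out"] = event["checked_out"][:7]  # YYYY-MM only
    return out


def anonymize_log(events, key: bytes):
    return [anonymize_event(e, key) for e in events]


def reidentify(digest: str, prefix: str, suffix_len: int,
               key: Optional[bytes] = None) -> Optional[str]:
    """Re-identification by enumeration: try every card number with the
    known prefix. Recovers a naive_hash() value; recovers a pseudonym()
    value only if the caller also has the key."""
    for n in range(10 ** suffix_len):
        candidate = f"{prefix}{n:0{suffix_len}d}"
        guess = naive_hash(candidate) if key is None else pseudonym(candidate, key)
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per run; in practice lives in a KMS/HSM
    victim = SAMPLE_EVENTS[0]["card_number"]
    print("naive hash recovered:", reidentify(naive_hash(victim), CARD_PREFIX, SUFFIX_LEN))
    print("keyed pseudonym, no key:", reidentify(pseudonym(victim, key), CARD_PREFIX, SUFFIX_LEN))
    print("keyed pseudonym, with key:", reidentify(pseudonym(victim, key), CARD_PREFIX, SUFFIX_LEN, key))
    for rec in anonymize_log(SAMPLE_EVENTS, key):
        print(rec)
```

Run stand-alone, the first lookup prints the victim's card number, the second prints None, and the third prints the card number again: the pseudonym is only as private as the key. Rotating the key per reporting period also bounds how long events remain linkable, which ties this to the drafts' retention guidance.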

Retention: Personally identifiable information should not be retained in perpetuity.  The vendor should establish policies for how long to retain different types of data and methods for securely destroying data that is no longer needed.  For example, accounts that are expired or inactive for a certain amount of time should be purged.  Retention policies should also cover archival copies and backups.

Data Sharing: If a vendor shares or sells personally identifiable information to other parties, it should be clearly described in the licensing agreements with libraries and in the privacy policies published for end users.  It has become common practice for businesses to share data including personally identifiable information with cloud providers, third-party middleware vendors, and other business associates.  The vendor should develop procedures to carefully vet and monitor these associates to ensure they are in compliance with the vendor's privacy policies.

Government Requests: The vendor should develop and implement procedures for dealing with government and law enforcement requests for personally identifiable information.  The vendor should only consider a government or law enforcement request if it is issued by a court of competent jurisdiction that shows good cause and is in proper form.  The vendor should inform users through their privacy policies about the legal conditions under which they might be required to release personally identifiable information.

Company Sale, Merger, or Bankruptcy: In the event that the vendor is sold to another company, merges with another company, or is dissolved through bankruptcy, all personally identifiable information should be securely destroyed, or libraries and their end users must be notified and given the opportunity to request that their data be securely destroyed.

User Devices

Privacy protections for personally identifiable information should extend to the user's device, including the web browser or any applications provided by the vendor.  Communications between the user's device and the vendor's services that contain personally identifiable information should be encrypted.  If the vendor's website employs personalization technology such as web browser cookies or allows third-party web tracking, it should inform the user and give them the chance to opt-in or opt-out.  If a vendor-provided application stores personally identifiable information on the user's device, it should be encrypted.  The user should be able to remove a vendor-provided application and delete any data it stored on the device.

Audit & Notification

A vendor that develops privacy policies needs to establish and maintain an effective mechanism to enforce them.  It should conduct regular privacy audits to ensure that all operations and services comply with these policies.  The results of these audits should be made available upon request to libraries that are customers or potential customers.  A vendor that suffers a breach of its privacy policies through inadvertent dissemination or data theft should notify the affected libraries and users in a timely manner.


File ebook_vendors_privacy_v2

by Deborah Caldwell-Stone (staff) on Wed, Jan 21, 2015 at 09:52 am

PDF File, 22.6 KB

File IFCPrivacyAgendaMW2015

by Deborah Caldwell-Stone (staff) on Wed, Jan 21, 2015 at 09:52 am

PDF File, 15.03 KB

File PrivacySubComProceedingsMW14

by Deborah Caldwell-Stone (staff) on Mon, Jun 23, 2014 at 07:44 pm

PDF File, 14.63 KB

File PrivacyAgendaAC2014

by Deborah Caldwell-Stone (staff) on Mon, Jun 23, 2014 at 07:43 pm

PDF File, 14.23 KB

File PrivacySubAgendaMW12Final

by Deborah Caldwell-Stone (staff) on Mon, Jun 11, 2012 at 11:16 am

PDF File, 7.51 KB


The charge of the IFC Privacy Subcommittee is to monitor ongoing privacy developments in technology (in cooperation with the Library & Information Technology Association), politics and legislation (in cooperation with the Committee on Legislation), and social trends; to identify needs and resources for librarians and library users; to propose action to IFC on resolutions, policies, and guidelines as well as on educational, informational, promotional and other projects; and to collaborate with other organizations (e.g., LITA and COL).
