Volume 6 Number 2
It's 2004: Do You Know Where Your Patron Data Is?
by Michael Matis, University at Albany
Since the passage of the USA PATRIOT Act, a great deal of attention has been paid to the possibility of increased surveillance of library records. Library associations around the country are calling for the repeal of sections of the PATRIOT Act that relate to library records. However, libraries do not need to wait for legislative action to take active steps to protect the privacy of their patron records. They can review their data collection practices to assure themselves that data associated with personally identifiable information (PII) will be stored only as long as it serves a legitimate business purpose. The method used to conduct this survey is a
A privacy audit is a systematic review of the data-collection practices of an organization to determine if the practices are consistent with the privacy policies of the organization. It helps to ascertain what the life-cycle of patron data should be, i.e., how data with PII about patrons is collected, how it is used, how long it is stored, and when it should be deleted.
A privacy audit does not mandate the disposal of records. Rather, it is an opportunity for a library to have a structured conversation about when and how library records are stored in furtherance of the library's business needs. It is an opportunity for librarians to discuss the role of data in the library.
Some may think they do not need to do a privacy audit because they already de-link circulation records when items are returned. However, are they aware of whether their vendor backs up the circulation data? And what about all the other areas where data is collected? Computer sign-in sheets? Email reference questions? Web server logs? Increasingly, libraries offer digital services that generate transactional data by default. Conducting an audit allows a library to discover just how much data it is collecting and to set retention policies consistent with the mission of the library.
Others may think they do not need to conduct an audit because they destroy any data as soon as any transactions concerning the data are concluded. However, destroying data links is a draconian measure because it removes a valuable source of data about trends among library users. It is possible to "scrub" data such as circulation records and email requests of PII and restructure it to capture some of the demographic data that the records contain. To learn more about this process of "bibliomining," see the article by Scott Nicholson.
To learn more about how to plan for a privacy audit, consult the ALA privacy toolkit.
IT organizations have learned that doing an audit for one purpose can yield unexpected benefits in another area. Prior to the year 2000, many organizations were very concerned about the "Y2K" problem and took active steps to prevent any disruptions to their operations by doing a thorough audit of their IT systems. Firms that took the Y2K issue seriously and did a thorough audit realized an unexpected benefit: with a few adjustments, they had a good blueprint for a disaster recovery plan. Perhaps librarians should rethink their perceptions of the USA PATRIOT Act. Instead of seeing it only as a threat, it is more helpful to see it as an opportunity to start evaluating their data collection practices and, in the process, discover new ways of utilizing data without compromising patrons' privacy interests.
(Editor's note: Michael will be presenting on the topic of library privacy audits at SUNYLA 2004 in Cortland.)