Personal Information and the Public Library: Compliance with Fair Information Practice Principles / Les renseignements personnels dans les bibliothèques publiques : le respect des principes d'équité dans les pratiques de collecte de renseignements
Libraries collect personal information from users and link that information to internal library records. Although they fiercely protect the privacy of their patrons, libraries cannot ensure that personal information will remain confidential. Patrons must therefore have sufficient information to make informed decisions about release of personal data. Privacy notices are the accepted mechanism for providing this information. Our study demonstrates, however, that Ontario public libraries rarely provide notice to patrons regarding information collection and use. Smaller libraries and those without MLS-trained staff are less likely to provide notice, suggesting that resources and/or staff training may contribute to this lack. We suggest that national or provincial organizations may want to support libraries in the development of privacy policies.
Les bibliothèques recueillent des renseignements personnels sur leurs usagers et relient ces renseignements à leur fiche client. Bien qu'elles protègent rigoureusement la vie privée de leurs usagers, les bibliothèques ne sont pas nécessairement en mesure d'assurer la confidentialité des renseignements personnels qui leur sont fournis. Les usagers doivent donc être en possession de suffisamment d'information pour prendre des décisions éclairées concernant les renseignements qu'ils fournissent. La distribution d'avis concernant la confidentialité est la façon acceptée de fournir cette information. Notre étude démontre cependant que les bibliothèques publiques ontariennes fournissent rarement à leur clientèle des avis concernant la collecte et l'utilisation des renseignements [End Page 1] personnels. Dans les bibliothèques de taille modeste et celles ne disposant pas de personnel titulaire d'une formation (maîtrise) en sciences de l'information, il est encore moins probable que cet avis soit donné, cette lacune étant probablement liée aux ressources dont elles disposent et à la formation de leur personnel. Nous suggérons que les organisations nationales ou provinciales étudient la possibilité de soutenir les bibliothèques dans le développement de politiques concernant la vie privée.
public libraries, privacy policies, staff development
bibliothèques publiques, politiques de confidentialité, développement du personnel
Public libraries today collect and hold many types of personal data, including membership files, records of resources used (loans or electronic publications consulted), interlibrary loan requests, lists of requests for information, reading histories, records of online searches, email and Internet searches, web pages visited, and other digital activities (Fifarek 2002; Sturges et al. 2003). Even a librarian acting on a user's behalf may create a data trail that could potentially identify the patron, particularly in the case of activities involving electronic resources or services such as virtual reference (Fifarek 2002; Neuhaus, Van Fleet, and Wallace 2003). Some of these data, most notably circulation records, are necessary for the business of the library, and libraries also use personal data for other administrative purposes, including fundraising and program planning (Estabrook 1996; Nicholson 2003). Although the utility and even necessity of these data is obvious, the collection and storage of personal information raises privacy risks for patrons, since records of users' activities and reading histories hold clear interest for law enforcement agencies and other groups, including journalists, students, parents, fundraisers, marketing professionals, civil litigants, and politicians (Krug 2006).
These risks are of concern to libraries and librarians, who have long been advocates for the confidentiality of patron information (American Library Association 2004). Indeed, a recent international study of library association codes of ethics indicates that the protection of patron privacy and confidentiality was among the principles most commonly identified (in more than 70% of the codes of ethics studied; Shachaf 2005), and librarians have mounted challenges (some successful) to law enforcement access to library records (Airoldi 2006). Despite this strong commitment [End Page 2] to patron confidentiality, there are some circumstances under which libraries share the patron information they collect. Personal information is shared among library personnel and between libraries for a variety of administrative purposes, and it could be inadvertently released, such as when a computer screen is legible by other patrons, telephone messages are left for patrons that others can access, or information about overdue books is sent on unsealed postcards (Magi 2007). Patron information may also be shared in response to information requests from family, friends, and co-workers (Magi 2007).
Of greatest concern, however, is access by law enforcement officials. Libraries in both Canada and the United States are subject to regulations that require compliance with valid subpoenas or other legal documents requesting personal information regarding library patrons (Bowers 2006), and this mechanism has been used on at least some occasions to access patron records (American Library Association 2005; Magi 2007). These concerns have become especially prominent in the years since 9/11, since Section 215 of the US Patriot act (passed in 2001) allows the government to obtain access to the library records of patrons without their consent or knowledge (Ramasastry, 2006).
Other US federal data mining programs such as the Terrorism Information Awareness Program, the Computer-Assisted Passenger Prescreening System II no-fly-list database, and the proposed Terrorism Information and Prevention System may lead to the covert use of library records for surveillance. Although these legal regimes are focused in the United States, library patrons in Canada are not immune to privacy concerns, including those engendered by a vulnerability to the reach of US policies. Legal scholars in Canada, for example, believe that agencies such as the FBI could gain access to Canadian library records held on US servers by third-party vendors through application of the Patriot Act (Geist and Homsi 2004). In addition, Canada has itself considered weakening privacy protection for library records. For example, the Federal Justice Department has contemplated requiring all Internet service providers—including libraries—to keep records of people's Web activities and emails so law enforcement agencies could use that information when investigating crimes (Gillespie 2003; Ross and Caidi 2005).
Since libraries cannot guarantee confidentiality of personal information, what other measures should they take to protect patron privacy? Fair Information Practice principles (FIPs), first articulated in a 1973 report [End Page 3] issued by the US Department of Health, Education and Welfare entitled Records, Computers and the Rights of Citizens (1973), offer guidelines in this respect. FIPs identify five core principles of privacy protection:
1. Notice/awareness: consumers should be given notice of information practices before any personal information is collected.
2. Choice/consent: individuals should have the ability to allow or restrict the use of personal information.
3. Awareness/participation: individuals must be able to access, correct, or verify their personal information on record.
4. Integrity/security: the entity collecting the personal information must ensure that records are secure and accurate.
5. Enforcement/redress: principles must be enforceable by self-regulation or legislation.
Primary among these principles is the requirement for notice/awareness. According to FIPs, individuals have a right to know if their personal information is being collected, how it will be used, and with whom it will be shared. Only with this knowledge are patrons able to make informed decisions about the release of their personal information.
• How this information is used by the library.
• How long the information is retained.
• Who has access to patron information.
• How the library responds to court orders requesting access to patron information.
Thus, the ALA suggests that libraries should incorporate this information into privacy policies made available to patrons, thereby providing full notice to patrons regarding their information practices prior to collecting personal information.
Although the Canadian Library Association (CLA) does not require compliance with FIPs, libraries in Canada are typically required to conform to provincial or territorial legislation that governs practices regarding personal information. Generally, these provincial laws require municipal institutions, including public libraries, to protect the privacy of an individual's personal information that exists in institutional records. The practice in Ontario is typical of that in all Canadian provinces. In Ontario, the Municipal Freedom of Information and Privacy Protection Act (MFIPPA) governs records held by public bodies, including the province's public libraries. The MFIPPA stipulates a privacy protection scheme that the government must follow to protect an individual's right to privacy. The scheme includes rules regarding the collection, use, disclosure, and disposal of personal information in the institution's custody and control. In the context of public libraries, personal information includes "information on a patron's borrowing habits, as well as information related to one's computer use, including sign-up sheets and information on any Internet use" (Information and Privacy Commissioner of Ontario 2002). Under MFIPPA, public libraries must provide individuals with the following information regarding the collection and use of personal information:
• The legal authority for the collection (in Ontario, libraries may gather personal information for administrative purposes under the authority of the Public Libraries Act).
• The principal purpose or purposes for which the personal information is intended to be used. [End Page 5]
• The title, business address, and business telephone number of an officer or employee of the institution who can answer the individual's questions about the collection.
The legislation requires that these details be disclosed prior to the collection of any personal information.
The notice required under MFIPPA includes some of the information identified in FIPs and specifically details regarding information use. There is no requirement, however, to provide details regarding other information practices, including what information is collected, how long it is retained, who has access to the information, or how the library responds to subpoenas. Thus, like many privacy laws that incorporate elements of FIPs, MFIPPA's requirements regarding notice/awareness fall short of the ideal recommended by many privacy advocates (Chander, Gelman, and Radinn 2008). Of particular relevance in the context of public libraries, this notice does not reach the standard of the more comprehensive disclosure suggested by the ALA and endorsed by the CLA. At the same time, it includes some elements not required under the ALA guidelines, including identification of the legal authority for collection and identification of a contact person for further information.
Despite the acknowledged importance and value of patron notice, many libraries lack this most basic of privacy protection mechanisms. Studies indicate that fewer than half of libraries have privacy policies in place (Murray 2003; Sturges et al, 2003; Magi, 2007); thus, it appears that the majority of libraries do not provide patrons with details regarding their information practices. This lack cannot be defended on the basis that patrons already understand the information practices of libraries, since research demonstrates that patrons hold demonstrably inaccurate assumptions regarding the privacy protection offered by public libraries (Sturges et al. 2003).
This leads to an important question: why would libraries not use these most basic of privacy mechanisms? There has been no direct research on this question, but some preliminary hypotheses can be advanced. Perhaps the lack of policies is a result of a lack of enforcement—that is, libraries may not have privacy policies because, in the jurisdictions that have been studied and—unlike commercial entities that collect personal information—they are not required to have these policies. Alternatively, [End Page 6] limited resources may contribute to the lack of policies. Although there has been no direct research on this issue with respect to public libraries, there are some suggestions in the literature that the development of privacy policies may indeed be linked to institutional resources. Among Vermont public libraries, those with larger numbers of personnel (presumably larger libraries) are more likely to have privacy policies (Magi 2007). Even among large and well-funded organizations such as Fortune 500 companies in the United States, larger organizations (the Fortune 100) are more likely than their smaller counterparts to have privacy policies (Schwaig, Kane, and Storey 2006). One study of privacy policies among municipal websites selected the largest municipalities on the assumption that they would be most likely to have developed privacy policies (Beldad, De Jong, and Steehouder 2009). Finally, the development of privacy policies may be linked to professional training in that staff who hold a Master's of Library and Information Science (MLS) may be more aware of privacy issues and/or professional ethics and thus be more likely to support the development of privacy policies. Magi (2007) demonstrated that among Vermont libraries those with directors holding a master's degree in library science are more likely to have privacy policies.
The studies to date paint a consistent picture: public libraries, perhaps especially those that are smaller and without MLS-trained staff, are typically remiss in providing notice to patrons regarding information practices. None of the previous research, however, has examined the practices of Canadian libraries with respect to patron notice. Furthermore, none of the research has taken place in a jurisdiction where a regulatory mechanism requires libraries to provide such notice, and there has been little exploration, in these studies, of the factors related to the presence (or absence) of privacy policies or notice.
The research reported in this paper focuses on the question of whether Ontario public libraries provide notice to their patrons about the collection and use of personal information.
RQ1: Do public libraries in Ontario conform to their legal obligations under MFIPPA regarding notice/awareness by providing (1) the legal authority that entitles them to collect personal information, (2) the purpose of the data collection, and (3) a contact person?
RQ2: Do public libraries in Ontario provide the public with privacy policies or other documents explaining their information practices, as suggested by the ALA guidelines, including:
RQ3: What factors are correlated with the provision of notice as per MFIPPA and/or privacy policies? [End Page 8]
The data were collected from a sample of Ontario public libraries selected from the Ontario Public Library Directory maintained by Ontario Library Services North and the Southern Ontario Library Services. The sample consists of 77 libraries selected at random from the directory, representing 22% of the 312 libraries included in the directory as it existed in January 2008.
Our goal was to assemble from these libraries the information that would, with reasonable effort, be available to a patron regarding the collection and use of their personal information. In particular, we were seeking the following:
1. Any membership application form.
2. Any privacy or confidentiality notice intended for patrons.
3. Any board policies (available to patrons) pertaining to patron privacy or confidentiality.
Data collection proceeded on two fronts. First, library websites (if present) were examined to identify any membership application forms, patron privacy notices, and/or board policies regarding patron privacy. Relevant documents available on the website were added to the data set for that library. The second aspect of data collection involved telephone calls to each library to request the relevant documents. One investigator and/or the research assistant attempted a minimum of four times to contact each library. Upon learning the nature of the requested information, we were typically directed to the chief executive officer of the library, although in a very small number of cases another individual within the organization was identified as having specific responsibility for privacy issues, and in those cases we were directed to this individual. Those libraries with one or more of the relevant forms were asked to send them by mail, email, or fax. Reminder contacts by phone or email were sent to libraries to encourage submission of relevant documents. Up to three such reminder contacts were made to encourage submission.
A total of 76 libraries were reached in this manner. Only one library could not be contacted. Of those libraries that were contacted, two indicated that they had documents but did not send them. Thus, 74 libraries contributed to the final data set, representing a response rate of 96%. [End Page 9]
Data from the Ontario Library Survey (2007) were used to divide libraries into groups according to size and whether they had MLS-trained staff. Operating budget was used as a proxy for library size, and responding libraries were divided into small (25 libraries, budgets up to $64,200), medium (24 libraries, budgets between $64,201 and $400,000), and large (25 libraries, budgets over $400,000) according to their 2006 operating budget. Libraries were also divided into two groups according to whether, in 2006, they had professional librarians on staff: 39 libraries (52.7%) had at least one staff person with MLS training, while 35 libraries (47.3%) did not.
Do public libraries in Ontario conform to their legal obligations under MFIPPA regarding notice/awareness by providing (1) the legal authority that entitles them to collect personal information (2) the purpose of the data collection, and (3) a contact person?
One of our primary questions was whether public libraries in Ontario conform to the requirements of MFIPPA with respect to notice to patrons regarding the collection and use of patron information.
Of the three requirements laid out in MFIPPA, notices are mostly likely to meet the second: among the 14 instances of notice, 13 (93% of those providing notice) indicate the legal authority for collection in the notice they provide to patrons. Ten of the notices (71.4%) indicate how the personal information will be used, and still fewer provide the name of a contact person for privacy-related inquiries or concerns (4 notices, or 28.6%). Only three libraries (21.4% of those providing notice) meet all three MFIPPA requirements. Thus, of the 74 libraries included in the [End Page 10] sample, only 4% (95% confidence interval e4.49%, 0% to 8.5%) meet the applicable regulatory requirement for patron notice.
Do public libraries in Ontario provide the public with privacy policies or other documents explaining their information practices, as suggested by the ALA guidelines, including:
• Identification of personal information collected /protected
• Disclosure of use
• Response to subpoenas?
The data presented to this point indicate that the vast majority of Ontario public libraries fail to meet regulatory requirements for notice regarding the collection and use of that personal information. A number of libraries, however, have policies or notices available to patrons that address privacy and confidentiality. These documents do not meet the requirements for notice as per MFIPPA, but they do provide patrons with some information regarding the collection and use of their personal information. Among the sample, 26 libraries (35.1%) provided a board policy available to patrons, 10 libraries (13.5%) provided a policy intended for patrons, and 32 libraries (43.2%; 95% confidence interval ±11.3%, 32% to 54.5%) provided one or both of these documents. Apparently libraries are less likely to attend to regulatory requirements than to general principles (endorsed by professional library associations) for the provision of notice to patrons.
What factors are correlated with the provision of notice as per MFIPPA and/or privacy policies?
We also expected that those public libraries that comply with MFIPPA regulations will be more likely also to have a privacy notice as per the ALA recommendations. There is in fact a significant relationship between these two forms of notice (χ2 = 5.62, p < .05). Libraries with one form of notice are more likely to have the second form: among libraries without MFIPPA notice, only 36.7% have a patron or board policy, whereas among those libraries with MFIPPA notice, 71.4% have a patron or board policy.
Libraries have real issues regarding the privacy and confidentiality of the personal information of their patrons, and these issues will only grow as digitization of library services increases. Despite an admirable and longstanding commitment to patron privacy and confidentiality, libraries cannot protect their patrons from all possible authorized and unauthorized access to their personal information. Given this situation, it is incumbent upon libraries to provide their patrons with notice regarding the collection and use of their personal information, thereby complying with regulatory frameworks (e.g., MFIPPA in Ontario) and Fair Information Practice principles.
Our data show that the majority of public libraries in Ontario fail to provide notice as required by the relevant regulatory framework; moreover, most libraries that attempt to provide notice do so ineffectively. Ontario public libraries are somewhat more likely to have privacy policies available to patrons that provide at least some of the information suggested under Fair Information Practice principles as crucial aspects of notice. Overall, fewer than half of the libraries studied offer any form of notice [End Page 13] to their patrons regarding the collection and use of personal information. In this respect, practice among Ontario libraries is entirely consistent with that observed in other jurisdictions, despite a commitment among libraries to the protection of patron confidentiality (Magi 2008). In an era in which the confidentiality of patron records cannot be assured, libraries are not typically enacting this most basic of mechanisms that would allow patrons to make informed decisions about the release of their personal information (Johnson 2000).
Room 240, North Campus Building
University of Western Ontario
London, ON N6C 5B7