Welcome back to our series on information fiduciaries and libraries! We introduced the concept of information fiduciaries in Part One. In this series entry, we will focus on libraries as possible information fiduciaries.
A Question of Interest
Jack M. Belkin, who popularized the information fiduciary concept in 2014, expanded the traditionary fiduciary concept to a trusted party managing personal data on behalf of another. In the context of the library, what would be considered the best interest of the person? In the 10th edition of the Intellectual Freedom Manual, we have one possible interpretation of “best interest” in the way of privacy and confidentiality:
“In brief, libraries and library workers must act as information fiduciaries, assuring that in every circumstance the library user’s information is protected from misuse and unauthorized disclosure, and ensuring that the library itself does not misuse or exploit the library user’s information.”
On the surface, this appears straightforward enough. However, how a library defines “misuse or exploit” leads to a question about how libraries interpret “best interest” in the fiduciary relationship. Some organizations might interpret “best interest” in ways that others would consider exploitative. Such is the case with academic institutions and learning analytics as described in “A matter of trust: Higher education institutions as information fiduciaries in an age of educational data mining and learning analytics.” Jones, Rubel, and LeClere describe how current learning analytics initiatives violate not only student privacy but also student trust in the institution. At the same time, the institution is acting in the perceived best interest of both students and the institution.
Like academic institutions, libraries are under immense pressure to engage in data practices at the expense of patron privacy. A key component of fiduciary relationships is acting in the best interest of the represented person. While it might be in the best interest for libraries to extensively collect patron data for operations, marketing, and analysis, this level of collection and data processing would violate the best interest of their patrons’ privacy. Libraries committing to an information fiduciary relationship with their patrons must scrutinize their data privacy practices and recalibrate these practices to center on patron privacy interests.
A Question of Ownership
It becomes clear while evaluating practices and interests that the relationship between libraries, patrons, and third parties complicates matters not only in competing best interests but also in matters of data ownership. Personal data is collected in several ways. Sometimes the data collection is direct – an example is when a patron gives the library personal data to obtain a library card. Other times libraries collect personal data generated from a patron’s library resources and services use, even though the patron might not be aware of this data generation and collection. Patrons also directly give personal data to vendors when signing up for accounts and generate data when they use vendor services and resources, possibly unaware of such generation and collection happening on the vendor’s end. On top of all of this, libraries directly give vendors patron personal data. So, who owns what data?
Another component of a fiduciary relationship is the concept of management of valuable assets, particularly in sensitive matters. As demonstrated in the previous paragraph, data ownership can easily be contested if there is no clear sense as to who owns what data. Libraries can (and should!) use vendor contracts to state that the library and its patrons own the data collected by the vendor, defining some clearer ownership roles. Once again, however, technology and data practices can throw this clarity back to uncertainty, particularly with data aggregation and analytics practices by vendors and fourth parties, sometimes in the interests of the customers (libraries and patrons) and sometimes in the interest of the vendor which conflict with patron/library interests. As Jones, Thomson, and Arnold argue in “Questions of Data Ownership on Campus,” adopting an information fiduciary role can help navigate the issue of determining who owns what through focusing on shared ownership and asset management in the best interest of the patron. Even when libraries and third parties claim ownership over patron data collected through patron use of resources and services, any collection or processing of this data must center around the patrons’ best interests with regards to patron privacy.
We would be amiss, though, if we didn’t address a potential issue of treating data as an asset, even in a fiduciary role. In Kerry and Morris Jr.’s “Why data ownership is the wrong approach to protecting privacy,” commodifying data provides little protection for user privacy. Treating data as property reinforces current practices of placing market interests over individual interests. Placing the onus of data privacy management on the individual when there’s evidence that notice and consent currently fail to protect data privacy. Instead of focusing primarily on data ownership and transactional relationships, Kerry and Morris Jr. argue for federal regulation that falls in line with information fiduciary’s emphasis on acting in the interest of the individual. Nonetheless, the concept of data as property or an asset for individuals to manage and organizations to commodify has socioeconomic implications, including perpetuating harms created by the privacy violations embedded in societal systems and institutions, including the library.
Personal Data as a Collection…
We’ve only started to explore the concept of libraries as information fiduciaries. The last two posts focused on personal data collected and generated through a patron’s library use. What happens, then, when personal data is *part* of a collection? This often happens in special collections, archives, and institutional repositories that collect research data, to name a few places. What type of information fiduciary relationship exists between the people in the collection and the library or archive that hosts that collection, if any? Stay tuned for the next installment of the series!
Becky Yoose is the founder of and Library Data Privacy Consultant for LDH Consulting Services, helping libraries and vendors navigate the intersection of library data and privacy. Becky received her MA-LIS from University of Wisconsin – Madison in 2008, and has been a Certified Information Privacy Professional/United States (CIPP/US) with the International Association of Privacy Professionals since 2018. You can find her online at yobj.net and @yo_bj on Twitter.