This checklist is intended to help libraries and vendors of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines for Vendors.
Priority 1 actions are those that all libraries and vendors can take to improve privacy practices. Priority 2 and Priority 3 actions are in addition to Priority 1 and may be more difficult for libraries or vendors to implement depending on their technical expertise, available resources, and organizational structure.
Priority 1 Actions
- Educate and assist users in managing their privacy when using vendor products and services. Suggested courses of action include:
  - Recommending settings for personal accounts on vendor websites.
  - Explaining privacy settings and how to remove the application and any associated stored data.
  - Explaining how to contact the vendor for additional details or actions as needed.
  - Describing tradeoffs on features versus privacy.
- Establish privacy policies that are simple and easy to find.
- Hold regular staff training on privacy laws and library ethics.
- Review and follow cybersecurity standards published by organizations such as the National Institute of Standards and Technology on a regular schedule.
- Consult with legal counsel to ensure compliance with federal and state privacy laws.
- Vendors should encrypt all user data in transit and at rest.
- Only collect, process, retain, or disclose user data sufficient for a specific process or task.
- House all physical user data securely and limit access to only those who are authorized.
- Establish and refresh policies for how long to retain different types of data and detail what methods to use to securely and frequently destroy data that is no longer needed.
- Share library privacy practices with vendors during the purchasing process.
- Vendors should explain their procedures for handling a request from law enforcement and notify libraries when these requests are made.
- Inquire how a vendor handles data breaches and ensure there is a procedure for notifying users in case of a breach.
- Vendors should give notification to libraries if the company is sold, providing instructions on how users can delete their data.
Priority 2 Actions
- Conduct regular privacy audits.
- Remind users regularly to check their privacy permissions and give them an opportunity to modify settings or continue consent.
- Include privacy requirements during the bidding or purchasing process.
- Specify in all contracts and agreements with vendors that the library retains ownership of all user data.
- Include sections in contracts or agreements that include details on the aggregation, retention, and disclosure of user data.
- Libraries should expect vendors to follow library privacy, data retention, and security policies.
- Vendors should share data recovery, media recycling, and business continuity plans with libraries.
- Create procedures for identifying and producing user personally identifiable information upon request.
- Delete users’ personally identifiable information upon request, not just hide it from view.
- Vendor systems should default to allowing users to opt in to any data collection that is not essential to library operations.
- Libraries should gain a user’s explicit informed consent before utilizing any profiling or customer relationship management tools or non-aggregated data analytics software.
- Deidentify data used in analytics software by removing personally identifiable information.
Priority 3 Actions
- Libraries should include easily discoverable links to the privacy policies of the vendors they contract with on their website.
- Vendors should explain the entire user data lifecycle of their product or service, preferably during the sales process.
- Vendors should train sales representatives on how to answer privacy and security questions.
- If a vendor’s system integrates with an additional third party, the privacy and security policies in place should ensure confidentiality between the systems.
- Work with vendors to ensure personally identifiable library user data is deleted from the vendor’s systems when not renewing a service or product. Libraries should ask for third-party verification of deletion.
Additional Questions to Consider
- What are the local statutes regarding user information use?
- A user’s browsing, borrowing, downloads, notations, and group affiliations shall not be shared with any other parties without the specific written consent of the individual user.
- Does the language in the policy/contract/license specifically address other devices and do the terms extend to other devices as well (smartphone apps, tablet, etc.)?
- What is the retention policy of the institution/library, including proxy server collection of IP address access, and what is the retention policy of the vendor?
- Is the language of the policy consistent with the age of the product’s intended audience? For instance, can a minor user understand the policy?
- Does the language of the policy/contract/license specify that harvested user data should be destroyed and not retained in perpetuity by the vendor?
- In case of data breach, does the language specify that the vendor inform the library as soon as it is aware of the breach?
- Vendors must give libraries advance notice of any changes to the user privacy policies, with at least 30 days to respond.
- Agreements and contracts should be reviewed annually per their individual renewal/purchase date.