Library Privacy Checklist Overview

This checklist is intended to help libraries of all capacities take practical steps to implement the principles that are laid out in the Library Privacy Guidelines.  It is an overview checklist that highlights general actions that are applicable across multiple guidelines.  There are also specific checklists that libraries can consult for each guideline.

Priority 1 are actions that hopefully all libraries can take to improve privacy practices. Priority 2 and Priority 3 actions may be more difficult for libraries to implement depending on their technical expertise, available resources, and organizational structure.

Priority 1 Actions

  1. Create a policy that addresses the collection of user information.  Such a policy should specify that the library is not collecting more user information than what it needs and that it is not keeping the personally identifiable information of users longer than what is necessary.
    1. Create a privacy policy that is understandable by a layperson.
    2. Make sure the privacy policy is posted in the library where the public can see it.
    3. Ensure that the privacy policy includes information about what information the library is tracking, why, and for how long the data is kept.
    4. Ensure that the privacy policy includes when user information can be shared and under what conditions.
  2. Destroy all paper records with user data, such as computer sign-in sheets.
  3. Ensure all existing security certificates for HTTPS/SSL are valid and create a procedure for revalidating them annually.
  4. Designate a Library Privacy Officer to handle requests for personally identifiable information of users from law enforcement officials and other third parties.

Priority 2 Actions

  1. Ensure there is a formal process in place to address breaches of user data directly under library control or maintained by third parties.  The library should notify affected users when they become aware of a breach.
  2. Encrypt all user data with secure algorithms in all network and application communications.
  3. Purge search history records regularly, ideally when the individual computer session ends.
  4. Purge circulation and interlibrary loan records when they are no longer needed for library operations.  Any user data that is kept for analysis should be anonymized or de-identified and have access restricted to authorized staff.
  5. Utilize HTTPS wherever possible.
  6. Ensure that the privacy policy is updated often and schedule regular times for its review.

Priority 3 Actions

  1. Publish and distribute flyers and/or web content for users that includes information on how to protect personally identifiable information and other data.
  2. Publish and distribute flyers and/or web content for users about available software and alternative browsers and plugins to protect their privacy online and can be used in the library.
  3. Publish and distribute flyers and/or web content about VPN services and/or Tor and users’ ability to use these systems on the library network.
  4. Test compliance with these standards through a trusted third party service or individual.

Resources