Final Report of the Privacy Policies Working Group

Final Report of the Privacy Policies Working Group

The Privacy Policies Working Group (PPWG) was charged with the review of the current Library and related policies regarding Library use and Library records.  The results of the discussions of the group based upon the charge are as follows:

1.  Review the Library’s current policies regarding personal privacy in Library use and Library records.

The PPWG identified the policies listed below from general to specific agency with notes on currency and accuracy of each:

• Family Educational Rights and Privacy Act – FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) – http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• Health Insurance Portability and Accountability Act – HIPAA Privacy Rule (42 U.S.C. 299b-21-b-26) – http://www.hhs.gov/ocr/privacy/index.html
• Interlibrary Loan Code for the United States – Revised 2008 ALA/RUSA – http://www.ala.org/rusa/resources/guidelines/interlibrary
• Illinois Library Records Confidentiality Act (75 ILCS 70/) – http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=1004&ChapterID=16
• I-card Programs – http://www.icardnet.uillinois.edu/appPublicWebsite/dspindex.cfm  (2014 Board of Trustees approval – no stated privacy policy but quite separate from the purview of this committee)
• Campus Policy on Appropriate Use of Computer Technologies and Network Systems – http://cam.illinois.edu/viii/VIII-1.1.htm  (revised 2003)
• Vice-President for Academic Affairs/Web Privacy Notice – http://www.vpaa.uillinois.edu/policies/web_privacy.cfm  (2003 – Note that they are supposed to have a list of approved privacy policies.  The Library is not listed here and the HR policy which is listed has a bad link.)
• Security Camera Policy, Campus Administrative Manual (2009) – http://www.cam.illinois.edu/viii/VIII-1.5.htm
• Campus Policy on Photography/Talent Release Information – http://publicaffairs.illinois.edu/resources/release/index.html  (2006 – Note that this page includes links to the Talent Release Form, the Talent Release Form for Minors and a Location Release Form, the last of which is also available through Library Facilities.)
• Permission to Film in Campus Libraries – http://www.library.illinois.edu/administration/services/policies/permission_film.html  (Approved in 2006 by the Library Administrative Council)
• Circulation/Confidentiality – http://www.library.illinois.edu/circ/policies/Confidential.html (Modified 2010)
• Requests for Library Patron Information: Staff Guidelines (Reviewed by the University Librarian, 2/18/13)  – http://www.library.illinois.edu/administration/services/policies/patronrequest.html
• Ask a Librarian Privacy Policy – http://www.library.illinois.edu/askus/privacy.html  (2009)
• University Archives Website Privacy Notice – http://archives.library.illinois.edu/about-us/documents-and-policies/privacy-notice/  (2012 copyright)
• Rare Books and Manuscripts Library Privacy Notice – Currently under revision
• Scholarly Commons/Policies for Social Media – http://www.library.illinois.edu/sc/about_us/socialmedia_policies.html  (2013 – These are policies that should apply to all units as a basis for institutional use.
• Choose Privacy (2011 Libguide from the Undergraduate Library) – http://uiuc.libguides.com/content.php?pid=109716
• Third Party Privacy Notices– Most of our publishers and databases append their privacy policies to their websites for example:
  • EBSCO –  http://support.ebscohost.com/ehost/privacy.html
  • ProQuest Congressional – http://congressional.proquest.com/congressional/common/privacy?accountid=14553&groupid=95978
  • Scopus (Elsevier) – http://www.elsevier.com/legal/privacy-policy

2.  The group will update, reconcile and consolidate these policies.

The PPWG has reviewed the policies listed above and has consolidated them in the document “Privacy Policies – Appendix 1”.

Some of the specific library policies such as permission to film and circulation should be reaffirmed and the date noted on their respective pages.  We have not received a privacy policy from the Rare Books and Manuscripts Library since they are updating their current document.  Confidentiality is not treated in the same manner as the rest of the UL due to concerns regarding theft and damage to rare items.

3.  The group will identify gaps in current policy and practice regarding privacy and engage in the development of new policies, guidelines and best practices.

The most apparent area in which privacy policies should be developed relates to the capture of data in the area of reference services.  Personal identifying information rarely appears in the Desk Tracker software or as a result of chat reference.  However, rarity should not preclude the development of policies in this area.  Currently an Ask a Librarian Privacy Policy does exist.   We would suggest that the development of further policies related to reference services and software be developed through the Office of the AUL for User Services until the identity of a central reference unit evolves that could provide this support. Examples of current policies in this area at other institutions are available at http://www.lib.umich.edu/library-administration/reference-privacy-policyand http://uwdc.library.wisc.edu/about/privacy-policy.

Capture, retention and disposal of personally identifying information in the course of research, even for internal use, should be and is covered by approval of the Institutional Research Board.  We would remind all of our researchers who work in this area that this approval is necessary prior to engaging in user research.  Information related to the IRB process is available on the RPC page, but the dissemination of this information may not get to all of our researchers in the Library.  We can also include related information on this process as a link in the user-facing page.

A specific, written policy regarding the placement, use and retention of recordings related to security cameras in the Library should be developed as suggested in ALA documents in order to avoid “function creep”.  We suggest the AUL for User Services and the Assistant Dean for Facilities propose language to supplement the language in the Campus Administrative Manual for review by the Administrative Council.

A specific, written and publicly available privacy policy regarding the collection and retention of patron information for individuals using the Rare Books and Manuscripts Library should be developed and made publicly available.

A determination on the retention of chat transcripts needs to be made.

A statement on the retention of Web Analytics and related cookies needs to be developed.

In addition to those items that come under the charge of this group, we would note that good training of all of those employed by the University Library is essential in this area.

• Uniform procedures relating to the disposal of call slips need to be made explicit and shredders for these items should be placed in each point of circulation to enable immediate destruction of these records.  (Units should, of course, be mindful of the effect of noisy shredders on patrons.)
• Training at all levels on actions that an individual should take in the event of the appearance of security personnel requesting personal information about our patrons needs to be articulated in detail as found in Requests for Library Patron Information: Staff Guidelines (http://www.library.illinois.edu/administration/services/policies/patronrequest.html).

4.  This group will consider and make recommendations on the Library’s role in educating our users about the privacy and security of their library records.

The University Library Privacy Policy (attached here as Appendix 2) should be displayed prominently under Library policies and added as necessary to all other pages that might be applicable in this area.

Appendix 1 – Should be attached to the University Library Privacy Policy for display as part of Library policies.

Finally, a libguide entitled Choose Privacy! was developed by the Undergraduate Library for “Choose Privacy Week” in 2011.  We would suggest the development of a non-event-related guide for users that is available with links to both the University Library Privacy Policy and any staff pages.  This guide should be developed by a working group or a member of the Undergraduate Library faculty or staff.

The Working Group recommends that a small implementation group be developed to shepherd the development of further policies, provide necessary updates of Library policy, and assist in the development of access to these policies.  This group might consist of the AUL for User Services and two other individuals.