Patron privacy is one of those topics that touches every aspect of a library's operations, and for good reason. After all, from library card sign-ups to public access computer usage to reference desk inquiries, your patrons share a lot of information with you. Here are a few starting points to consider when tackling this sprawling issue.
Perhaps the most obvious place to start is with the sorts of information you collect from your patrons when they sign up for your services.
First, consider the kinds of personal information that you're collecting. Do you need all of it? What information do you need in order to provide your services? What details can you do without? If you can, try to reduce the amount of information that you hold on each of your patrons and store only the information you need.
Second, ensure that your database systems are secure. Make sure your systems use encrypted connections to keep prying eyes out. Require your staff computers to use full disk encryption to protect any data stored on them in case they get lost or stolen. Limit access to patron data to only those who absolutely need it. Also, you may want to require your employees to use multi-factor authentication when logging in to your systems, or to use a VPN when they're connecting to your internal systems while working remotely.
Also, consider training your employees on proper data handling procedures. TechSoup offers a KnowBe4 Cyber Security and Compliance Training bundle that includes discounted setup and KnowBe4 training subscriptions. In this training, your staff will learn how to spot phishing and ransomware attacks to protect your data from bad actors.
For additional information, see our prior blog post on physical device security.
Malware attacks often exploit newly discovered security holes in the software you use. To help prevent this, install security patches on all your systems — whether they're public-access or staff devices — as soon as they're available.
This applies to things like operating systems (Windows, macOS), sure, but it also applies to things like productivity software, web browsers, and your antivirus software. It's a minor inconvenience, but it could prevent major headaches later.
Your public access computers and equipment can inadvertently store a lot of information about your patrons. For example, if one of your patrons forgets to log out of their Gmail account, the next person who visits gmail.com might end up accessing a complete stranger's email.
There are a few things you can do to prevent this, though. Shared PC Mode on Windows 10 or 11 provides options for how a shared computer should retain data on the last person to use it. macOS also allows you to set up a guest user account that can automatically clear out any saved data about the previous user upon logout. This means that the next person who uses the computer will not be able to see what the prior user did.
Alternatively, a product like Reboot Restore Rx Pro, available through TechSoup, can automatically reset your computers to a default state on a scheduled basis. This can help limit the amount of personal information that gets stored to a public access device.
In addition, you should consider the security of your copiers and printers.
"Wait, what?"
I know. But modern printers and copiers are basically self-contained computers that spit out documents. Many of them come with robust networking capabilities, and many of them also store a record of prior print or copy jobs. This blog post from TechSoup's Jim Lynch goes over the risks in more detail, along with what you can do about it.
As libraries continue to evolve into serving as broader community resources, you may find that your patrons take care of a lot of personal business at your branches. For example, they may use your Internet connectivity for things like telehealth appointments or remote job interviews.
If your facilities allow for it, consider setting up private spaces for these sorts of tasks, like phone booths or small meeting rooms, that are available on an ad hoc basis.
When you're looking to sign up for a service provided by a third-party vendor, take a close look at how that vendor handles client data. To help with this, the Library Freedom Project offers some free resources, such as its Vendor Privacy Audit checklist and Vendor Privacy Scorecard.
Any one blog post like this is going to be incomplete, and indeed, this blog post covers just a few things to consider. The takeaway is that you need to evaluate your entire operation to look for ways that patron privacy can be compromised — from your back office to your checkout desk to your reference department to your public access equipment.
A good place to start is the Pacific Library Partnership's Data Privacy Best Practices Toolkit for Libraries. This free resource covers a wide range of topics related to patron privacy and offers guidance for things you can do to protect your patrons from prying eyes and ears.