Review of Managing Data for Patron Privacy: Comprehensive Strategies for Libraries by Kristin Briney and Becky Yoose

Book Review

The most interesting part of Managing Data for Patron Privacy: Comprehensive Strategies for Libraries is how the book exposes tensions between the architecture of our library systems and the ethic of privacy that the information professions emphasize. Authors Kristin Briney and Becky Yoose use their book to offer practical consideration for managing personally identifiable information in libraries; the reality is that many of these systems do not place privacy at the center of their design which means their strategies must be reactive.

A framework which centers privacy does exist, and this book presents it as the basis for privacy impact assessments (Briney & Yoose 2022, pg. 35). The Privacy by Design framework was developed by Ann Cavoukian in the 1990s, and was implemented for the Ontario government in 2010 ( https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf ). Privacy by Design has since influenced other regulatory bodies, such as the European Union’s (EU) General Data Protection Regulation (GDPR) which currently contains a procedure for privacy impact assessments ( https://gdpr.eu/article-35-impact-assessment ). As the authors detail, while inventorying the major relevant regulations within the U.S., no unifying federal guidance on data privacy has been released. So, U.S. libraries, as one type of institution with a history of recording activities which can reveal personal information, find themselves contending with the societal consequences of a state that defers to an individual’s ability to protect any of the data they generate, even when utilizing state-sponsored resources. The individual’s choice means either creating personally identifiable data or locking themselves out of the vast majority of opportunities for upward mobility, personal health and safety, and many other benefits. Confidentiality and privacy as a part of librarianship, especially in the U.S., has developed in response to the role of the public sphere in contrast to market interests.

The codification of privacy as a library concern has been part of the information professions since at least the 1939 American Library Association’s (ALA) Code of Ethics. Privacy as a “guiding principle” for libraries is often traced to events of the 1970’s, in which the Federal Bureau of Investigation (FBI) requested records of patron usage of library materials (Varnum 2015). But it does not follow that librarians have a shared definition of what privacy means, particularly when much of the scholarly literature leaves the reader with a vague understanding of its definition (Cyrus & Baggett 2012). If we take the view that privacy is a social construction, we can expect there to be a need for periodic reassessments of how long-standing professional values apply to present societal needs. In the wake of the 2001 Patriot Act, the ALA’s more detailed 2002 interpretation of the Library Bill of Rights emphasizes the user’s right to inquire without monitoring or surveillance from others, and the 2008 version of the Bill further detailed internet search behaviors as part of this principle, by including transmitted information under the privacy umbrella (Harper & Oltmann 2017; Noh 2017). Consequently, the Library and Information Science (LIS) literature increasingly focused on the degree to which a library should take responsibility for patron data and behaviors while online (Varnum 2015).

Briney and Yoose’s book references the language of data management as a structure for categorizing the areas where privacy should be considered in libraries today. The stated goal of the book is not to resolve the differences between the ALA Bill of Rights and the political context of U.S. library systems, but “for libraries of all types to better manage their data” (Briney & Yoose 2022, pg. 5). It is about making methodical, incremental improvements by taking inventories, planning meetings, writing documents, and learning procedures. It is about building the vocabulary to provide a privacy ethic to other departments, third-party vendors, and within organizational culture. Chapters on data inventory, risk assessment, policy, security, vendor relations, and library assessment describe library privacy practice. Scenarios at the end of each chapter personify the guidance-heavy content, with ongoing storylines set in fictionalized public and academic libraries. The title’s “Comprehensive Strategies” focuses on managing personally identifiable information in libraries to mitigate risks of harm. The approach encourages development of a mental model of the optimum lifecycle for this type of data, often pushing back against “data exhaust” (Zuboff 2019) where details of activities are tracked and stored by default. These strategies are responding to the era in which American libraries now find themselves, with baked-in vendor relationships where the actual controls on patron data access reside. The book does not provide a vision for rebuilding systems to match library values but is instead a handbook for guiding the important daily work of patron privacy.

If privacy does involve some version of the “right to be left alone” (Warren & Brandeis 1890, cited by Briney & Yoose on pg. 4), then creating an equitable space for a person to be alone in is a necessary condition. This becomes a difficult, or even impossible, area for practical data management strategies to locate, which is a limitation of this book. As digital spaces intensify their abilities to house personal expression and access to vital resources, data creation becomes more necessary, not less. But from the point of view of data security, data creation is a liability, even a “toxic asset” (Scheier 2016) as Briney and Yoose repeatedly remind the reader. Their book stops short of offering a resolution for this tension and during their discussion of representing demographics as data points they write “there isn’t a right answer when privacy and representation conflict” though a “duty of care” still exists (Briney & Yoose 2022, pg. 55). In practice, this punts the question of data collection back to the person whose data is being collected and does not address inequity. For libraries to live up to being confidentiality and privacy leaders, data creation, sharing, and sovereignty can be no less important than data security, access, and preservation. This will involve shifting focus from the cost of data breaches as organizational liabilities, where this book starts the conversation, to the human cost of those affected. Librarianship will have to find new ways of addressing the politics of privacy in the systems it uses for the duty of care to be fulfilled.

The closing chapters of Managing Data for Patron Privacy offer the book’s best pathway forward: looking to each other. The privacy ethic in libraries is contingent on librarians finding and building resources with peers, so that “you are not alone” (Briney & Yoose 2022, pg. 156) becomes a true statement. Considering privacy through data management tasks can only get readers of this book so far. Training all library workers (Chapter 9) and building a sustainable culture of privacy (Chapter 10) by taking stock of the organization and choosing a particular area as a starting place puts the advice given earlier in the book on a path towards realization. As an incremental approach to rethinking where privacy fits into the data lifecycle, librarians are encouraged to take a cue from the book itself and pick a chapter to scope a privacy project to get started.

References

American Library Association. 2017. “Professional Ethics.” Tools, Publications & Resources. May 19, 2017. http://www.ala.org/tools/ethics .

American Library Association. 2017. “Privacy.” Advocacy, Legislation & Issues. September 25, 2017. http://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy .

Briney, Kristin, and Becky Yoose. 2022. Managing data for Patron Privacy: Comprehensive Strategies for Libraries . ALA Editions.

Cyrus, John W. W., and Mark P. Baggett. 2012. “Mobile Technology: Implications for Privacy and Librarianship.” The Reference Librarian 53(3): 284–296. https://doi.org/10.1080/02763877.2012.678765 .

Harper, Lindsey M., and Shannon M. Oltmann. 2017. “Big Data’s Impact on Privacy for Librarians and Information Professionals.” Bulletin of the Association for Information Science and Technology 43(4): 19–23. https://doi.org/10.1002/bul2.2017.1720430406 .

Noh, Younghee. 2017. “A critical literature analysis of library and user privacy.” International Journal of Knowledge Content Development and Technology 7(2): 53–83. https://doi.org/10.5865/IJKCT.2017.7.2.053 .

“Data Is a Toxic Asset - Schneier on Security.” 2016. Schneier.com. 2016. https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html .

Varnum, Ken. 2015. “Editorial Board Thoughts: Library Analytics and Patron Privacy.” Information Technology and Libraries 34(4): 2. https://doi.org/10.6017/ital.v34i4.9151 .

Warren, Samuel D., and Louis D. Brandeis. 1890. “The Right to Privacy.” Harvard Law Review 4(5): 193–220. https://doi.org/10.2307/1321160 .

Zuboff, Shoshana. 2019. The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power . New York: Public Affairs, Hatchette Book Group.