Creating a Privacy Policy from the Ground Up

Privacy policies are easy to ignore, but when done right, creating one can be a positive experience. In early 2017, several of the staff members at my library started having informal conversations about privacy in our digital platforms, largely a result of the release of ALA Library Privacy Checklists. After several months of talking, it became clear that we needed to get a formal group together to create a privacy policy. This would ensure that we were having conversations with everyone in the library, including our patrons, about privacy. This led to the creation of a Patron Privacy Task Force, which just wrapped up about six months of work. I co-chaired the group with the Head of Reference Services at one the libraries, and we had representatives from all library departments. The final result was just as we had hoped: a thorough and open process producing a clear and accurate policy we have provided to our patrons.

Because many libraries are working on similar projects, I wanted to describe our process and the lessons learned. While ultimately I am pleased with what we produced, I had to restrict the scope due to time and interest from the group, and there are some important takeaways from that.

Planning

When we started the project, construction in the library and changes in staffing were disrupting normal functions. We knew it was important to restrict the project to the time necessary to complete finite deliverables. Rather than creating a new committee, we felt it would be helpful focus effort on learning about privacy, and bringing that knowledge back to departments and standing committees as an embedded value. We had a member from every department across the libraries (which ended up being ten people) and intentionally included a mix of department heads, librarians, and paraprofessional staff. Varying perspectives across departments and functions helped create good discussions and ensured that we would be less likely to miss something important.

Nevertheless, such a large group can be unwieldy, and adding yet another set of meetings can be a challenge for already overburdened schedules. For that reason, my co-chair and I spent a lot of time preplanning all the meetings and creating a   specific project plan that would be flexible to adapt to our needs, which we needed to do in the end. Our plan had our work starting in early August and ending in December with the goal to have: 1) a complete policy, 2) internal best practices documentation, and 3) an outreach plan. As it turned out, we did not complete all the internal documentation, but the policy and outreach plan were complete on time, and the policy went out to the public at the same time as when we reported on the work of the committee to all library staff in mid-January 2018.

One of the most useful aspects of our project was treating it as a professional development opportunity with a number of reading assignments to complete before the kickoff meeting and throughout the work period (I have included some of the resources we used below). We also ensured from time to time we returned to theoretical, or guiding, principles of our work when it felt like we were feeling too bogged down with minutia. The plan ended up starting with research, followed by reading, writing, and practical research, more theory, and a final push with completing the draft of the policy and working on documentation.

Conducting the Privacy Audit

After spending some time talking through the project and figuring out some mechanics, we moved into the privacy audit stage. This requires examining every system and practice the library uses in a systematic manner and determining whether this falls in line with best practices. The ALA Privacy Checklists help with the latter part, but we also relied on Karen Coyle’s Library Privacy Audit spreadsheets. The first step was to brainstorm all the systems we used in our daily work and how we used them, and then divide those up by department. We mapped the systems we used into the spreadsheets, with some additional systems added. For that reason, multiple departments who use the same system in different ways reviewed some systems, and other systems that were unique to a department were reviewed just by that one. We then used the checklists to verify that we had covered the essentials in our audits and to raise additional issues that the spreadsheets did not cover.

This was not always the most straightforward process for people unused to looking carefully at systems, but for that reason it was a useful process. By dividing the work up between departments, it meant that everyone in the library had a better chance to learn about how their work affected patron privacy and ask questions about the processes of other departments as patron information moves across the library. For example, when a patron requests that the library purchase a book, this is recorded in one system and leaves a trail through email as it goes between systems. After the request is placed, that information stays in various systems to ensure the patron gets the book after it arrives. As public and technical services talked through that process, it was easier to identify which pieces of it were important to good service and which created informational residue.

Compiling the audit results into a useful format was a challenge, and this is an area of this project that did not meet my initial hopes. My original plan was to create a flexible best practices manual that would record all the results of the audit and how closely they met the standards set by the checklists. In practice, that was way too complicated, and we ended up just focusing on the “Priority 1” actions, which are those that any library can meet no matter their technical abilities. In fact, many of our practices are much better than that, but breaking the work down into smaller steps was a much more feasible approach. Ultimately, the co-chairs took the research done by all the task force members and created a list of practices for each checklist that indicated where we met best practices and where we needed to do more work. We asked all departments to complete the project identified for each checklist by one year out, and to consider including “Priority 2” level projects in departmental goals for the following fiscal year.

Writing the Policy

The process for writing the policy itself was different from the audit, in that the first draft came entirely from the co-chairs and then went out the group for editing. This was to create a unified tone and help identify all the gaps in knowledge that the task force members could complete with their research. Writing the policy started with the ALA Privacy Policy Creation Toolkit, and in particular the “Sections to Include in a Privacy Policy.” I literally copied those sections into a blank document to start the writing process, though some of them were renamed or reorganized in the final version.

After writing the rough draft, I listed all the sections where I was missing important information, and relied on the task force to fill in those sections. This was a fascinating process as we tried to explain technical processes that each of us understood in a way the whole group could understand and explain to a patron. Explaining the way the scanners could accidentally store a patron’s email address was an example of something that took multiple attempts to get right in the policy. The difficulty I had in writing was useful in itself, however. Each time I felt embarrassed or confused about describing one of our practices told me that this practice needed to change. I hope when we go back to revise the policy, the difficult sections will be easier to write because the practices will be better.

Outreach and Next Steps

One of the important privacy tasks in the checklists is the need for education and outreach to staff and patrons. The process of writing the policy in the task force took care of a lot of staff education, but this will need to be an ongoing process. For that reason, we recommended that the task force reconvene to check on the progress of privacy improvements in 9-10 months after the adoption of the policy, but not necessarily with the exact same members. As we work through fixing our practices this will be a great opportunity to have additional conversations with library staff and include more detail.

No matter how many checklists or guidelines we consult, we will not be able to cover all scenarios. For that reason, we asked people to keep the following guiding principles in mind when making decisions about data collection that could affect patron privacy.

  • Is it necessary to collect this information?
  • Could I tell who an individual was even if there was no name attached?
  • If I need to collect this information, what is the data I can remove to obscure personal information?

To tell patrons about the policy we wrote a blog post and posted it on the library website. Obviously, this will not reach everyone, but at least will catch our most active users–we know from usability testing that people do look at our blog post headlines! Meanwhile, a set of recommended outreach practices included creating guides for how to turn on privacy features in browsers especially for specific vendor platforms with potentially problematic practices, partnering with our campus IT department on information security awareness, and presenting on privacy issues in research and teaching at a faculty professional development event.

Conclusion

As someone who enjoys writing policies and looking for ways to improve processes, this kind of project will always appeal to me. However, many members of the task force told me that it was a useful exercise to improve their own knowledge and keep up to date with how the privacy conversation has changed even in the last few years. Because this is such a constantly shifting topic, this will require active management to keep our policy accurate and our practices in line with changes in technology. The good news is that this was a grassroots effort that can be started up again with relatively little effort as long as someone cares to do so, which I suspect will now always be the case at my library.

Selected Resources the Task Force Used

Other library policies

 

Leave a Reply

Your email address will not be published. Required fields are marked *