Physical access includes access to servers, computers, mobile devices, paper documents, and the spaces that contain all of those physical items. Electronic access includes user access levels in various systems and applications for both staff and vendors. Physical items that contain or have access to user data should be secured in locked areas and use passwords. For digital files, practice the “principle of least privilege,” providing staff access to the least amount of user data that is necessary to perform specific tasks.



Perform a self-evaluation to determine if you have the appropriate level of access to a library application or system that handles user data. Remember, everyone should be restricted to the lowest level of user data absolutely necessary for one to do their job. Some examples include integrated library systems, vendor products, social media accounts, Google Drive folders, etc.

*If you are a supervisor or someone at your library with control over staff accounts, perform this same evaluation for all applications or systems to determine if each individual has the appropriate access levels. 


Perform an annual audit of access levels for staff for both electronic and physical access to user data. Use the Privacy Audit Field Guide for assistance in this process.

  • Deactivate accounts of staff no longer working at the library.
  • Change user permissions for staff who changed positions or gained/lost job responsibilities. 
  • Look at which vendors have user accounts and if they still need access to the system.