Collection is one of the most crucial stages in terms of protecting user privacy. It is where you figure out what is collected as an institution and why it is collected. Data that is not collected cannot be leaked or breached.
Turn off settings that collect or store user data that the library does not need.
What user data is collected at your library? The following list includes some common places user data is collected. Where else are you collecting user data at your library?
- Integrated library system
- Computer reservation system
- Library instruction data
- Data analytics software
- Your work email account
- Reference or information desk chat logs
Data FOMO [Fear of Missing Out] is a thing! User data should only be collected if it has a specific operational need.
Review a user record to determine why data is being collected. Choose one piece of PII from the record and ask a co-worker (or yourself) why it’s being collected. After asking, “Why?” the first time, ask it again. Do this five times or until you can no longer answer why.
Data point from user record
Why is this information collected?
Example + Action
- Person 1 - Why do we have gender data in the user record?
- Person 2 - It's part of the user registration process.
- Person 1 - Okay, why is it part of the user registration process?
- Person 2 - data being "passively" imported from school system/db by default.
- Person 1 - Why is it being passively imported from the school system?
- Person 2 - This is the way it's always been setup. We take everything into the record that the school collects?
- Person 1 - Why are we taking everything in?
- Person 2 - That is how the technology is currently configured.
- Person 1 - Why do we have to have the technology configured in a way that collects all user data from the student record?
- Person 2 - I don't know that it has to be setup that way. Let's talk with campus IT and see if we can change the setup so we collect less user data in the library record.
Put this into action with the "Privacy Audits Field Guide"