Reporting user data can take many forms, from internal dashboards for staff (such as checkouts and gate counts) to publishing library data as Open Data. Libraries should be cautious in how and what data they report as it can be a way to inadvertently share a user’s PII.
What to watch out for
- Giving access to unmodified user data to all staff.
- Publishing raw user data to public sources.
- Sharing of user data with marketers and resellers, including user data collected by vendors.
- Being a “good citizen” while helping with law enforcement requests - giving more information than requested under a warrant or subpoena, or even giving information to law enforcement without one.
How to protect user privacy
- Offer aggregated data through dashboards and canned reports.
- Create policies and procedures surrounding publishing data to external audiences, including privacy risk audits of data sets marked for publication.
- School and academic libraries should consult with legal counsel around the Family Educational Rights and Privacy Act (FERPA) educational record disclosure policies.
- Does the library have a law enforcement request procedure? If not, or if the policy has not been updated for a while, here are a few resources from ALA to start the process:
- How to Respond to Law Enforcement Requests for Library Records and User Information: Suggested Guidelines
- Law Enforcement Inquiries