Follow the Paper Trail

Libraries are palaces of paper. We hold vast quantities of information on the pages lining our shelves. We also hold vast quantities of users’ Personally Identifiable Information (PII) in binders, desk drawers, and filing cabinets. A paper hunt in any library may turn up book requests spanning 30 years, volunteer forms from teens who now have teenagers of their own, library card applications, program sign-in logs, and pieces of scratch paper with user barcodes and search queries. Paper is still one of the most common ways that a user’s privacy can be violated and their information shared without consent.

Exercise

Go on a paper scavenger hunt:

Collect any piece of paper you can find that has PII.
Write down the type of document you find, where it is located, what PII it contains, if it is in a secured location, and its retention policy.
Use the three sections on the following pages to help in your assessment.

Document Type

Location

Secured (Y/N)

PII (Personally Identifiable Information)

Retention Policy

Now shred any document that has passed its lifespan and secure any documents with user PII that you plan to keep.

information collected

A library should only collect the information needed for business operations. No information should be collected because you think it might be needed one day. This is especially true for PII. Review all the pieces of PII you are collecting from users. Ask yourself, “Why am I collecting it?” Then ask yourself, “Could I still perform my task without this piece of information?” If the answer is yes, then you don’t need it! Take this opportunity to update your documents to collect the least amount of PII possible.

Library card applications often contain the most PII. Review what information you’re collecting and determine what you can remove. Your library shouldn’t need to collect identification numbers (detangle from student IDs if at all possible), gender, Social Security numbers, or exact birth dates.

storage

Where did you find the document? Was it sitting on a desk or in a drawer where a user could access it? Was it stored in a binder in the office space where a volunteer, student worker, or unauthorized staff could take a quick peek? When people hand over their PII, they trust us to keep it safe. If you have documents that contain a user’s PII, it needs to be secured in a place where only authorized staff can access it. Find a desk drawer or office where sensitive information can be stored. Where possible, store information in a space secured with a lock unless it needs to be accessed.

retention

In your search, did you find documents that have outlived their usefulness? If your library does not already have a retention policy, now is a great time to create it! Your governing body may already have one that you can look to for guidance. It’s rare that you will have a document containing a user’s PII that needs to be kept in perpetuity. Everything has a lifespan, and it’s important to regularly discard documents. Anything that contains users’ PII must be shredded. Have a shredding party! If your library is unable to acquire shredders, there are services across the country that can shred for you.