Writing Your Privacy Policy
There are several key areas to include in any privacy policy. There is no need to reinvent the wheel! The Library Freedom Institute has created a template for any library to use when crafting their policy (https://bit.ly/LFIprivacytemp). Review the template. What phrases or sections resonate with your library’s practices? What language can you use in your policy? All library policies should be reviewed and approved by the governing board and legal counsel before being implemented.
Check out these library privacy policies for other wording suggestions.
Exercise
Complete each section in this exercise to start drafting your privacy policy.
Privacy Statement - Your Right to Privacy
This is the section where you can tell users why privacy matters to libraries. Write details about your commitment to privacy values and ethics. Include links to applicable local, state, and federal laws.
What information do we collect?
Users have the right to know every type of information that is collected by the library. Include any and all personally identifiable information (PII) and non-personally identifiable information you might collect. This section should also include information collected as part of any kind of analytics program. Including a link to third-party vendors’ privacy policies is helpful here. Be sure to include information that may be collected through email, chat services, RFID, or any reference interactions.
This is a good section to include your retention policies. Let users know how long you keep any information, including their borrowing history. If you have a written retention policy, provide the link.
Who has access to my information?
Remind users that their information is confidential, but also tell them who has access to it at your library. This is a good place to discuss policies around one user getting access to another user’s information (e.g. a parent asking for their child’s records).
How do we protect the privacy of students and minors?
Many libraries serve users that may have specific privacy rights under local, state, and federal law. If you serve students or minors, be sure to address how your library protects their privacy.
Our website and public computers
This might feel like the most complicated section if you’re unfamiliar with technology. If possible, seek out help from the Information Technology department to fill out the details in each of these sections.
- HTTPS
Let users know what HTTPS is (it’s a protocol that uses a certificate to encrypt your network traffic) and that your library employs it on your website.
  - Does your library lack a secure website? Get a free SSL certificate with Let’s Encrypt.
- Cookies
Explain what cookies are (see the commonly used term section in this guide) and let users know what cookies your site uses. This section is likely to mostly be teaching users about cookies.
- Data and Network Security
Let users know that you are actively working to prevent their data from getting into the wrong hands. You don’t need to go into elaborate detail here, but avoid using phrases found in the red flag section like, “we may protect your data” or “reasonable measures.”
- Public Computers and Connected Devices
If your library offers WiFi access, device checkout, or public computers, here is where you can tell users what protections are in place. Let users know how long you keep a log of their computer usage (hopefully not more than 24 hours) and what happens to their data when they log out of a computer or return a device.
Third-party vendors
Most library users think anything they access from the library’s website is part of the library. They don’t have knowledge of the vast third-party vendor network. In this section give a summary of the types of information that may be collected, used, and shared by these vendors. Provide a link to an easy-to-read and regularly updated page that has links to all of the third-party vendor privacy policies. Also, include what the library’s expectations are for vendors. This information may be included in the contracts or requests for purchase.
Surveillance
Many libraries employ some form of surveillance. Be upfront and honest with your users. Include details on security cameras and any body-worn cameras (including retention policies and who has access to the footage), facial recognition software, and smart speakers.
Law enforcement requests
Detail the procedures in place when a request from law enforcement comes in to access a user’s records. Include information about any training staff has undergone.
Congratulations!
You’ve just completed the first draft of your library privacy policy. Put your answers to these questions into one document and include the section headings.
Your library may also want to include a transparency report as part of its privacy policy. A report would provide the number of requests made, what agencies requested information, and how many requests were fulfilled. Check out Google’s Transparency Report for an example: https://bit.ly/GooTransparency