Vendor Audits

Users trust the library to protect and secure their data, including when the library works with vendors or third parties to provide services and resources. How can libraries ensure that vendor data practices don’t betray that trust? By employing data privacy and security audits, libraries can verify that vendors are following contractual terms and other legal obligations, as well as complying with specific data privacy and security standards and practices. These audits, conducted either by an independent third party or self-reported by the vendor, can identify potential risks to user privacy, such as unnecessary data collection or disclosure, and potential weaknesses in security practices, such as how the vendor controls access to user data within its organization.

Keep in mind

  • APIs (application programming interfaces) and any LTI (Learning Tools Interoperability) integrations should be evaluated for privacy risk. If they integrate with course management software and individual students’ accounts, then those vendors potentially have access to users’ data.
  • Apps that allow access to vendor resources should also be evaluated for privacy risk.
  • Review vendor products for any additional “freebie” services or products not covered under existing contracts. For example, a vendor might provide access to another product at no cost in addition to the paid resources or services. A free product collects, stores, and shares data just as a paid product does, but without the privacy protections provided in the paid product’s contract.

Transparency is important! How can you inform library users of vendor privacy policies? View the links below.