Pratt Institute Libraries Commitment to Privacy

Data ethics refers to the frameworks and principles that determine how organizations (such as schools and libraries) manage the data that they collect. These guidelines are founded on the basis that organizations are responsible for the privacy and security of their users’ data, and owe their users transparency and personal accountability for the use of said data.

In 2015, the National Information Standards Organization (NISO) published the The NISO Consensus Principles on Users’ Digital Privacy in Library, Publisher, and Software-Provider Systems (NISO Privacy Principles).

The NISO Privacy Principles set the standards for ethical data gathering, storage, and usage for  libraries, systems providers, and publishers. These principles are observed by organizations such as the American Library Association (ALA) and the International Federation of Library Associations and Institutions (IFLA).

1. Shared Privacy Responsibilities
   • “Anyone with access to library data and activity should accept responsibility for safeguarding user privacy and data security and should have training in related standards and best practices.”
2. Transparency and Facilitating Privacy Awareness
   • “Systems should be designed in a way that facilitate understanding of policies through the use of simplified management of options.”
3. Security
   • “The most current security best practices should be used as the baseline to protect data.”
4. Data Collection and Use
   • “The potential benefit to the user, the library, content-, or software-provider derived from the collection and use of users’ personal data must be balanced against the impact of that collection and use on users and their right to privacy.”
5. Anonymization
   • “That portion of library user data that includes personally identifiable information should be retained in that form only as long as absolutely necessary for operational purposes.”
6. Options and Informed Consent
   • “When personal data are not required to provide services as described in “Data Collection and Use”, libraries and content- and software-providers should offer library users options as to how much personal information is collected from them and how it may be used.”
7. Sharing Data with Others
   • “User activity data to be shared should be anonymized and aggregated to a level that minimizes privacy risks to individual users, unless the user has opted-in to a service.”
8. Notification of Privacy Policies and Practices
   • “[P]rivacy policies should be made easily available and understandable to users.”
9. Supporting Anonymous Use
   • “Libraries and content- and software-providers must recognize the right of library users to be anonymous, should they so choose, and users should be provided appropriate affordances.”
10. Access to One’s Own User Data
    • “Users should have the right to access their own personal information or activity data.”
11. Continuous Improvement
    • “Libraries, content-, and software-providers should continuously assess and strive to improve user privacy as threats, technology, legal frameworks, business practices and user expectations of privacy evolve.”
12. Accountability
    • “Libraries, content-, and software-providers should establish a culture of accountability in which data collection, security, use, sharing, and disposal practices and policies are reviewed and reported on a periodic basis.”

The ALA’s Library Bill of Rights states that privacy and confidentiality are essential to the freedoms of association, inquiry, speech, and thought. In the time since its initial publication in 1939, the Library Bill of Rights has been regularly updated to ensure its continued reflection of the current state of the library institution.

In addition to amending the Library Bill of Rights, the ALA has also published a supplemental Interpretation of the Library Bill of Rights. This interpretation states:

“Libraries have a responsibility to inform users about policies and practices governing the collection, security, and retention of personally identifiable information and library use data. Additionally, users should have the choice to opt-in to any data collection that is not essential to library operations and the opportunity to opt-out again at any future time. All nonessential data collection should be turned off by default. In all areas of librarianship, best practice leaves users in control of as many choices as possible regarding their privacy. This includes decisions about the selection of, access to, and use of information. Information about options available to users should be prominently displayed, accessible, and understandable for a general audience.”