A Practical Guide to Privacy in Libraries

Facet Publishing, UK


Privacy is a core value of librarianship, and yet as a concept it is difficult to define and in practice a challenge to uphold. This groundbreaking new book considers how privacy issues can arise in a library context and what library and information professionals can do to protect the privacy of their users. A Practical Guide to Privacy in Libraries features a wide range of practical examples of such issues, providing insights and practical steps which readers can follow. In-depth case studies and scenarios support the examples laid out in the book, while examples of data breaches which have occurred in a library setting, and the lessons we can learn from them, are also included. The book also covers the main legislation governing data protection – GDPR – which will be particularly relevant to European librarians, and international librarians offering services to EU citizens.

The book provides a range of tools through which libraries can communicate how they handle the personal data of their users whilst ensuring that they are following best practice with their privacy policy statements, their privacy audits and data protection impact assessments. Privacy is not the same thing as data protection, and the book outlines the differences between these two concepts. Nevertheless, the book has been written with the requirements of data protection law very much in mind.

Written in a highly practical manner, this book is essential reading for library and information professionals who need to understand and support privacy in the library setting and a useful reference for students and researchers in the field who need to understand this topic in practice.  

Disclaimer
List of tables, figures and checklists
List of abbreviations
Table of Legislation
List of cases

1 Setting the scene

1.1 Examples of how privacy issues arose in the 19th and 20th centuries
1.1.1 Browne issue system
1.1.2 Cards used to sign out a book
1.1.3 Library Awareness Program
1.1.4 Publishing lists of borrowers with overdue books
1.1.5 Names of people requesting German language books turned over to the authorities
1.1.6 Library patron numbers used for several purposes
1.1.7 Russian revolutionary emigrés use of the British Museum Library
1.2 Why are the risks to library user privacy so much bigger in the 21st century than before?
1.3 Why is the privacy of library users important?
1.3.1 The chilling Effect
1.3.2 Nothing to hide
1.3.3 The functional relationship of privacy with other values
1.3.4 Protecting library user privacy is not merely an issue of data protection
1.3.5 The different types of privacy
1.4 The types of personal data collected by libraries
1.5 The privacy of the library as a public space

2 How privacy is regulated in the United Kingdom

2.1 Legislation
2.1.1 Data protection
2.1.2 Human rights
2.1.3 Surveillance
2.1.4 Terrorism
2.1.5 Voyeurism
2.2 Contracts
2.2.1 Third countries where there is no adequacy decision
2.3 Guidelines
2.4 Standards
2.5 Ethical/professional values
2.5.1 Professional ethics
2.5.2 Michael Gorman’s eight enduring values of librarianship
2.6 Case law
2.6.1 Breach of confidence
2.6.2 English legal cases on privacy
2.6.3 American legal cases on privacy in bookshops and libraries

3 Practical examples of privacy issues arising in a library context

3.1 Self-service holds
3.2 Receipts from self-service machines
3.3 Refgrunt (Librarians venting publicly about interactions with patrons)
3.3.1 Risk of being dooced
3.4 Online databases and personalisation
3.4.1 The filter bubble
3.5 Telephone notification
3.6 Co-location
3.7 How long do you retain loan history data?
3.7.1 E-book circulation data
3.7.2 Anonymising data so it is still available for statistical purposes
3.8 Letting commercial interests into libraries
3.9 Use of CCTV in libraries
3.9.1 Why it is important to balance both privacy and security considerations
3.9.2 Can libraries be too intrusive in their use of CCTV cameras?
3.9.3 Cameras used to solve the disappearance of ancient books
3.10 Fingerprinting as a form of ID for use of library system
3.11 Use of "enrichment" on the library catalogue
3.12 Insecure software
3.13 Use of web analytics tools on library sites
3.14 Use of cloud computing services to store personal data
3.14.1 Potential risks/threats
3.14.2 Protections
3.15 Offshoring & outsourcing
3.16 Zines, libraries and privacy issues
3.17 Books on Prescription
3.18 Implications of GDPR for archiving information about living individuals
3.19 Volunteer run libraries
3.19.1 Building a relationship of trust with the user
3.19.2 Volunteers and sensitive personal data
3.19.3 Disclosure & Barring Service (DBS) checks (formerly CRB checks)
3.19.4 Data protection training
3.20 Copyright declaration forms

4 Case studies

4.1 Case Study 1: CASSIE – Computer Access Software Solution
4.2 Case study 2: Library participation in learner analytics programs
4.2.1 The data that can be captured and fed into a learning management system
4.2.2 What protections are there in place to protect user privacy?
4.2.3 Learning analytics and professional ethics
4.3 Case study 3: Rollout of a shared library management system
4.3.1 WHELF shared LMS project
4.3.2 Case study 4: Single digital presence for public libraries in England
4.3.3 Case study 5: Single library management system for all public libraries in Ireland
4.3.4 Case Study 6: Introduction of National Entitlement Cards in Scotland

5 Cybersecurity

5.1 Least-privilege model
5.2 Offering training on cyber-security and related topics
5.3 Protecting personal data
5.4 Bring your own device (BYOD)
5.4.1 Plan for security incidents where devices are lost, stolen or compromised
5.4.2 Network architecture design
5.4.3 Network separation
5.4.5 BYOD policies
5.4.6 Ensure the BYOD policy is workable

6 Personal data breaches

6.1 Personal data breach response plan
6.1.1 Implementing the five-step plan
6.1.2 Testing the personal data breach response plan
6.2 Communications strategy
6.2.1 Documenting personal data breaches
6.2.2 Notification of a personal data breach to the supervisory authority (GDPR Article 33)
6.2.2 Communication of a personal data breach to the data subject (GDPR Article 34)
6.3 Payment card data
6.4 Library examples of personal data breaches
6.4.1 Leaked emails reveal what a politician borrowed from the library
6.4.2 Newspaper publishes details of books borrowed by famous writer
6.4.3 Inadvertent data breach relating to a library user
6.4.4 Data breach at university library
6.4.5 Failed attempt to obtain library customer data
6.4.6 Social security numbers in library books
6.4.7 Lost USB stick containing sensitive data accessed in a library
6.4.8 Reviews and ratings on library website
6.4.9 Librarian sues Equifax over data breach
6.5 Causes of data breaches

7 Access to and sharing of user data

7.1 Responding to requests for patron records
7.1.1 What records are you being asked to share?
7.2 Examples of where library user data was accessed by third parties
7.2.1 London Bridge terrorist
7.2.2 Murder of Jo Cox MP
7.3 Potential risks in releasing datasets for open data initiatives

8 Privacy policy statements

8.1 What the privacy policy notice should cover
8.2 Children and the age of consent
8.3 Cookie policy
8.3.1 Types of cookie
8.3.1 Background
8.4 How is personal data being used by the library?
8.5 The purpose of a library privacy policy
8.6 RFID privacy policy
8.7 Privacy policies and public access terminals in libraries
8.8 Examples of library privacy policy notices
8.9 Third party access
8.10 Payment card details
8.11 How are privacy policies communicated to users?

9 Data protection & privacy audits

9.1 Why carry out a data protection audit?
9.2 Know your data
9.2.1 Sensitive personal data
9.3 Deletion of data
9.3.1 Hidden data
9.4 Conducting a library privacy audit
9.4.1 Preparing for the audit
9.4.2 The audit process

10 Data protection impact assessments

10.1 What the data protection impact assessment must contain
10.2 Impact on privacy
10.3 Steps involved in a data protection impact assessment
10.4 Examples of where DPIAs would be used in libraries

11 Privacy issues and vendors

11.1 Vendors and data breaches
11.2 Working with library vendors to maximise privacy
11.2.1 Points to consider before purchasing technology or content from external providers
11.2.2 Identifying security vulnerabilities in products you already have 
11.3 Vendor privacy policies
11.3.1 Due diligence
11.3.2 The ideal scenario
11.4 Measuring the cybersecurity of vendors

12 Practical steps to protect the privacy of library users
12.1 Twenty-six practical steps to protect your users’ privacy

13 The right to be forgotten
13.1 Right of oblivion

14 Conclusion

14.1 Intellectual privacy
14.2 The freedom to read anonymously
14.3 Potential for information about reading habits to be misused
14.4 Where do libraries fit into the defence of privacy?
14.4.1 The role of information professionals
14.4.2 Legal and ethical responsibility
14.4.3 Privacy training and awareness
14.4.4 Becoming more privacy-conscious
14.4.5 Improving things for the future
14.4.6 Give library users control over how their personal data is used

15 Further reading, toolkits and other resources 

15.1 Books and reports on privacy in libraries
15.2 Checklists
15.3 Web links
15.4 Toolkits
15.5 Tools

Works cited and further reading
Glossary of terms

Paul Pedley

Paul Pedley is a leading expert in information law. He is a Visiting Lecturer at City University, responsible for the Information Law and Policy Module; he has been a member of LACA, the Libraries and Archives Copyright Alliance since 1998; and is the author of Digital Copyright and Copyright Compliance: Practical Steps to Stay Within the Law, and editor of Managing Digital Rights. He regularly runs training courses on copyright and other legal issues.

"The book's 13 main chapters are divided into brief, cogent subsections, and a detailed table of contents makes it easy to find materials on the topics addressed and to get the specific guidance offered at the point of need. Though aimed to meet the needs of librarians working in the UK, the book treats North American examples and principles thoroughly, making it useful for audiences in the US and Canada ... This is a book for working administrators and for collections supporting library and information science or curricula addressing privacy issues."