Library Policies & Procedures: Library Confidentiality Policy

Library Confidentiality Policy

Introduction

The right to privacy, as guaranteed by the United States Constitution, prohibits libraries from informing others of the status of checked out materials. In addition, this is a violation of Missouri and Federal law, as well as professional ethics asw outlined in the American Library Association Privacy Policy. Privacy is essential to the exercise of free speech, free thought, and free association. Murrell Library and Commons (“Murrell Library”) at Missouri Valley College upholds the right to privacy in support of open inquiry without having the subject of one’s interest examined or scrutinized by others. “When [library clients] recognize or fear that their privacy or confidentiality is compromised, true freedom of inquiry no longer exists.”[1]

Confidentiality exists when a library is in possession of personally identifiable information about users and keeps that information private on their behalf. Murrell Library’s privacy and confidentiality policies have deep roots not only in law but also in the ethics and practices of librarianship. These practices are based upon multiple sources, including the Library Bill of Rights, the Code of Ethics of the American Library Association, and the American Library Association’s Privacy: An Interpretation of the Library Bill of Rights, as well as the the Fair Information Practice Principles (FIPPs) from the Organization of Economic Cooperation and Development (OECD). Murrell Library and Commons also adheres to the Missouri statute on library privacy and the Family Educational Rights and Privacy Act (FERPA).[2]

Privacy and Confidentiality at Murrell Library and Commons

Students, faculty, staff, and community members using the services of Murrell Memorial Library will be accorded privacy safeguards. Library personnel collect and retain only information necessary to conduct library business and transactions for faculty, staff, students, and the community. The library will not share individual library data with third parties unless compelled to do so under the law, to comply with a court order (e.g., subpoena or warrant), or to receive assistance in retrieving library materials from patrons not cooperating with the library rules and regulations associated with the borrowing of materials from Murrell Library or received via interlibrary loan.

Murrell Library and Commons pledges that:

• All library employees (including student workers) are responsible for protecting records from inquiry, including course-required and reserve reading.
• All library employees assisting in investigations of plagiarism will protect the usage records of individual students.
• All library employees assisting faculty in the development of classroom instruction and procedures will work to meet educational goals without compromising student rights to privacy.
• All library employees providing reference/research consultations will consider such consultations confidential and will not share the identity of the user or the topic of inquiry beyond what is necessary to provide needed assistance in locating resources.
• Murrell Library will work with the Office of Information Technology and outside vendors to ensure that student, staff, and faculty information-seeking activity is kept confidential and well protected. Murrell Library personnel will review library procedures, contracts, licenses, and agreements to ensure privacy for all users of these services.

The Library Bill of Rights as adopted by the American Library Association provides an ethical framework for those who work in libraries. This includes not only professional and paraprofessional positions, but also student workers and vendors. All vendor contracts contain applicable confidentiality and privacy policies that protect personally identifiable information, including library records. Although the Articles of the Library Bill of Rights are unambiguous, additional statements and interpretations guide its’ use. According to Article III of the current Code of Ethics of the American Library Association (2008): “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired, or transmitted.”

The Library Bill of Rights states that: “All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information.”[3]

The Missouri statute on library privacy states that: “Notwithstanding the provisions of any other law to the contrary, no library, employee or agent of a library, or third party contracted by a library that receives, transmits, maintains, or stores library records shall release or disclose a library record or portion of a library record to any person or persons except:

1. In response to a written request of the person identified in that record, according to procedures and forms giving written consent as determined by the library;  or
2. In response to an order issued by a court of competent jurisdiction upon a finding that the disclosure of such record is necessary to protect the public safety or to prosecute a crime.”[4]

The Missouri statute applies to digital resources, e-books, and library material at “any library established . . . by any college or university, and any private library open to the public. . . .”[5] Because Murrell Library and Commons falls within this definition, the statute applies to Missouri Valley College. The statute uses the following definitions:

• “Digital resource or material,” any E-book, digital periodical, digital thesis, digital dissertation, digital report, application, website, database, or other data available in digital format from a library for display on a computer screen or handheld device;
• “E-book,” any book composed or converted to digital format for display on a computer screen or handheld device;
• “Library material,” any book, E-book, digital resource or material, document, film, record, art work, or other library property which a patron may use, borrow or request. . . .[6]

The statute further defines a “Library record” as being:

[A]ny document, record, or other method of storing information retained, received or generated by a library that identifies a person or persons as having requested, used, or borrowed library material, and all other records identifying the names of library users. The term “library record” does not include nonidentifying material that may be retained for the purpose of studying or evaluating the circulation of library material in general.[7]

The Family Educational Rights and Privacy Act (FERPA)[8] mandates privacy for student records at colleges and universities. The statute applies to all institutions, public or private, which receive federal funding, including Missouri Valley College. FERPA prohibits the release of student records without the express written consent of the student involved. Although FERPA does not specifically mention library records, many institutions (including Murrell Library and Commons) interpret the statute to include library records.

Murrell Library and Commons adheres to, and hereby adopts, the “Fair Information Practice Principles” (FIPPs) as outlined by the Organization of Economic Cooperation and Development (OECD). Although not statutes or regulations, the FIPPs have been adopted by many state and government agencies, as well as multiple businesses, foundations, and nonprofits. They were used in the previous policy on Library Confidentiality from Murrell Library and Commons. The most recent statement of the FIPPs (2013) outlines the following rights:

1. Collection Limitation Principle - There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle - Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose Specification Principle - The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use Limitation Principle - Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: a) with the consent of the data subject or b) by the authority of law.
5. Security Safeguards Principle - Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
6. Openness Principle - There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
7. Individual Participation Principle - An individual should have the right:
   1. To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to [them];
   2. To have communicated to [them] data relating to [them] within a reasonable time at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to [them];
   3. To be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
   4. To challenge data relating to [them] and, if the challenge is successful to have the data erased, rectified, completed or amended.
8. Accountability Principle - A data controller should be accountable for complying with measures which give effect to the principles stated above.[9]

Enforcement and Redress

Library users who have questions, concerns, or complaints about the library’s handling of their privacy and confidentiality rights should file written complaints with the Library Director. Murrell Library will respond in a timely manner and may conduct a privacy investigation or review of policy and procedures. Library records will not be made available to any agency of state, federal, or local government unless a subpoena, warrant, court order, or other investigatory document is issued by a court of competent jurisdiction that shows good cause and is in proper form. Only the Library Director or his/her designee is authorized to receive or comply with requests from law enforcement officers, and legal counsel for Missouri Valley College will be contacted before determining the proper response. Library staff, student assistants, and volunteers shall refer any law enforcement inquiries to the Library Director.