Kristin Briney and Becky Yoose co-wrote the forthcoming book Managing Data for Patron Privacy. The book will be published this summer by ALA. Below is an interview with the authors:

LH: Please briefly summarize Managing Data for Patron Privacy.

Kristin: Libraries cannot guarantee patron privacy if libraries do not actively keep patron data private and secured. A library can make a policy to not keep check out history, but a policy can’t do much to protect patron privacy if that library is not actually deleting checkout data in a timely manner. Our book, Managing Data for Patron Privacy, examines the practical side of privacy and many actions and choices that libraries should make to improve the privacy of patron data.

LH: Who will benefit from reading this book?

Kristin: This book will benefit anyone who works with or makes decisions about patron data. We provide a high-level overview of the patron data lifecycle and the privacy risks and mitigation strategies in working with patron data from start to end of the lifecycle. This high-level overview will be helpful for readers who want a better sense of how data privacy management factors into the daily operations of a library. Other readers can pick and choose from the various chapters if they wish to learn more about a specific topic that is relevant to their work, such as vendor relations and library assessment. 

LH: What sparked your interest in this topic?

Becky runs a library data privacy consulting service (LDH Consulting Services) and Kristin teaches and does research on data management and library privacy, so we both have an established interest in the topic. We worked together and with others to write A Practical Guide to Performing a Library User Data Risk Assessment in Library-Built Systems, which covers a small portion of what’s in the book. Knowing that we work well together, Kristin (who has previously written a book, Data Management for Researchers) lured Becky into a full book project because it sounded like a great idea in March 2020. Little did we know what roller coasters the last two years would be.

LH: How did you learn about managing data and patron privacy? 

Kristin: I’m actually a chemist-turned-science librarian with a specialty in the management of scientific research data. As I started to read more of the library literature, I became more concerned about our own data practices, especially as a lot of that data is patron data which needs to be cared for responsibly! So I started with the foundations of data management and have been learning from others – especially my collaborators on the Data Doubles research project, DLF’s Privacy and Ethics in Technology group, and the library privacy literature (both books and articles)  – about the ethics of library privacy.

Becky: I’ve been working with library data since my early days in Technical Services. As I made my journey from cataloger/developer to traditional systems library work, I learned more about how libraries work with all types of library data, including patron data. Eventually my work took me to the intersection of patron data and privacy – how can libraries stay true to their ethical obligation to protect patron privacy while libraries (and vendors) collect all types of patron data? A good portion of my education was on-the-job, from managing a local data warehouse at a large public library system to my current work focusing on responsible and ethical library data privacy practices at LDH Consulting Services. Another part of my education comes from the International Association of Privacy Professionals (IAPP) through certification and continuing education around industry standards and best practices in data privacy and security.

LH: In the summary for the book, the term “ethical management” is used. Will you describe that term? 

As a field, libraries often discuss the ethics of privacy in a conceptual way. Our book examines the practical side of privacy, specifically the management of patron data. The concepts of “privacy ethics” and “patron data management” meet in the middle with “ethical management” of patron data; that is, practical data management strategies built on ethical privacy principles. Libraries cannot have patron data management without privacy ethics if they want to actually preserve patron privacy.

LH: Why did you decide to include case studies?

Kristin: There are many concrete examples of data privacy concepts throughout the text, but we think that it’s really helpful for readers to see how those privacy concepts are applied to overarching library scenarios. For this reason, we created two case studies that are followed throughout the book: a public systems librarian cleaning up after a data breach and an academic librarian working on an analytics project using student data. Each chapter ends with these two case studies, showing how our fictitious librarians apply the concepts discussed in that chapter to their individual scenarios. As the librarians are in different settings with different contexts, they apply the same concepts in different ways, which is helpful to see. One more thing to note is that these scenarios are very loosely based on our own backgrounds and experiences as a public systems librarian (Becky) and an academic librarian (Kristin), giving insight and authority to how we approach the strategies discussed in the book.

LH: Will you share a practical example of ethical management of data in libraries?

“Data minimization” (i.e. don’t collect data unless you really need it) is a great example of a practical strategy for data management based in privacy ethics. Becky has a great expression that “data is like glitter.” Once you have glitter in your house, it spreads everywhere and is almost impossible to get rid of. We encourage everyone to think about patron data as glitter. This means critically evaluating the data we collect in our libraries, knowing that we have to responsibly protect the privacy of that data once we have it or else risk a huge mess or even a data breach.

LH: What is one practical tip readers will take away from this book that they can immediately apply?

Becky: Asking why you are collecting a piece of information can go a long way. A great place to start is the patron record. What types of patron data are you collecting in the record and why? Don’t stop at the first answer, either – treat it like a reference interview. You’ll quickly find that the chain of answers leads to an issue or problem that can be better addressed through other means, such as a review of existing procedures, or through meeting and building relationships with community partners.

Kristin: There is more covered under “personally identifiable information” (PII) (i.e. data that can be linked back to a specific person) than you might think. People tend to think of PII only as identifiers like name, library card number, or telephone number that clearly link to a single individual, but PII actually includes a lot more than that. PII includes demographic information and behavioral data, not to mention all of the little exhaust trails of data created when patrons use our digital systems. This means that libraries collect a huge amount of patron data, so determining what is actually identifiable patron data is a really important first step toward protecting the privacy of that data.