Main Nav

Colleagues,

 

Our college librarian wants to implement a library privacy policy which covers the use of library computers. I believe it’s directly contradictory to most institutions’ AUPs (we have an old one, but I’ve been looking at others to re-write ours).

 

Here’s the proposed text of the library privacy policy (highlights by me):

 

In accordance with common standards of privacy, the Code of Ethics of the American Library Association, and the California Government Code (Sections 6267 and 6254), we recognize that the library records of Menlo College students, faculty, staff, and other library patrons are confidential.  These records include, but are not limited to, circulation records, interlibrary loan records, and information stored by patrons on the Library's computers.  The same standards of confidentiality also apply to the questions asked by library patrons at the reference desk or elsewhere, the advice and assistance provided by library staff, and any other information related to the resources or equipment used by particular library patrons.

 

Confidential information will be used and shared by the Bowman Library staff only to the extent necessary for the proper functioning and administration of the Library.  It will not be made available otherwise except as specifically required by law.  No confidential information will be provided to outside agencies, including law enforcement agencies, unless the College first establishes that the relevant warrant, process, order, or subpoena is in the proper form and that there is a showing of good cause for its issuance.

 

Most AUPs I’ve seen specifically indicate that there should be NO expectation of privacy when using campus computing resources, and some I’ve seen (including this one from University of Florida) indicate that the institution may *proactively* refer suspected violations of the law to the authorities.

 

Do any of your institutions have a library privacy policy similar to this, and how does it work with your AUP?

 

Thanks for your input!

 

Rae

 

***********

Raechelle Clemmons

Chief Information Officer

Menlo College

Direct: 650-543-3889

Cell: 650-575-7698

www.menlo.edu/it

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

This is common here; Michigan state law provides for privacy of library of records.  We just state that laws have to be followed:

Authorized Users must comply with all federal, comply with all federal, Michigan, and other applicable laws; all generally applicable University rules and policies; and all applicable contracts and licenses.

And that privacy is not guaranteed:

.  Privacy - Technological methods must not be used to infringe upon privacy.  However, Authorized Users must recognize that Resources are public and subject to the Freedom of Information Act, the Communications Assistance for Law enforcement Act, other federal, state and local statutes and regulations, and exceptions established by the University as ​permitted by law.  Authorized Users utilize such Resources at their own risk.

Theresa

On Thursday, December 1, 2011, Raechelle Clemmons <rclemmons@menlo.edu> wrote:
> Colleagues,
>
>  
>
> Our college librarian wants to implement a library privacy policy which covers the use of library computers. I believe it’s directly contradictory to most institutions’ AUPs (we have an old one, but I’ve been looking at others to re-write ours).
>
>  
>
> Here’s the proposed text of the library privacy policy (highlights by me):
>
>  
>
> In accordance with common standards of privacy, the Code of Ethics of the American Library Association, and the California Government Code (Sections 6267 and 6254), we recognize that the library records of Menlo College students, faculty, staff, and other library patrons are confidential.  These records include, but are not limited to, circulation records, interlibrary loan records, and information stored by patrons on the Library's computers.  The same standards of confidentiality also apply to the questions asked by library patrons at the reference desk or elsewhere, the advice and assistance provided by library staff, and any other information related to the resources or equipment used by particular library patrons.
>
>  
>
> Confidential information will be used and shared by the Bowman Library staff only to the extent necessary for the proper functioning and administration of the Library.  It will not be made available otherwise except as specifically required by law.  No confidential information will be provided to outside agencies, including law enforcement agencies, unless the College first establishes that the relevant warrant, process, order, or subpoena is in the proper form and that there is a showing of good cause for its issuance.
>
>  
>
> Most AUPs I’ve seen specifically indicate that there should be NO expectation of privacy when using campus computing resources, and some I’ve seen (including this one from University of Florida) indicate that the institution may *proactively* refer suspected violations of the law to the authorities.
>
>  
>
> Do any of your institutions have a library privacy policy similar to this, and how does it work with your AUP?
>
>  
>
> Thanks for your input!
>
>  
>
> Rae
>
>  
>
> ***********
>
> Raechelle Clemmons
>
> Chief Information Officer
>
> Menlo College
>
> Direct: 650-543-3889
>
> Cell: 650-575-7698
>
> www.menlo.edu/it
>
>  
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

--
Theresa Rowe
Chief Information Officer
Oakland University
 
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Library records are protected in many if not most states by law so those portions seem fine. The computer issue probably may not be a library issue if the thrust is what a patron stores on a computer in a library. Indeed, many libraries have processes that don't permit storage of materials. Identification and investigation to determine individual ownership is often impossible. Records of who uses computer are protected by law. Have you asked what is the intent of the computer reference?  Is it to protect staff from having to police use? Is it somehow directed at threats raised by SOPA or is it in response to an institutional issue?  Unfortunately this is in no measure a simple question.   The AUP and other laws govern behaviors and expected conduct. An expectation of protection of privacy rights doesn't need to conflict with the AUP.

Best,
John

On Thursday, December 1, 2011, Raechelle Clemmons <rclemmons@menlo.edu> wrote:
> Colleagues,
>
>  
>
> Our college librarian wants to implement a library privacy policy which covers the use of library computers. I believe it’s directly contradictory to most institutions’ AUPs (we have an old one, but I’ve been looking at others to re-write ours).
>
>  
>
> Here’s the proposed text of the library privacy policy (highlights by me):
>
>  
>
> In accordance with common standards of privacy, the Code of Ethics of the American Library Association, and the California Government Code (Sections 6267 and 6254), we recognize that the library records of Menlo College students, faculty, staff, and other library patrons are confidential.  These records include, but are not limited to, circulation records, interlibrary loan records, and information stored by patrons on the Library's computers.  The same standards of confidentiality also apply to the questions asked by library patrons at the reference desk or elsewhere, the advice and assistance provided by library staff, and any other information related to the resources or equipment used by particular library patrons.
>
>  
>
> Confidential information will be used and shared by the Bowman Library staff only to the extent necessary for the proper functioning and administration of the Library.  It will not be made available otherwise except as specifically required by law.  No confidential information will be provided to outside agencies, including law enforcement agencies, unless the College first establishes that the relevant warrant, process, order, or subpoena is in the proper form and that there is a showing of good cause for its issuance.
>
>  
>
> Most AUPs I’ve seen specifically indicate that there should be NO expectation of privacy when using campus computing resources, and some I’ve seen (including this one from University of Florida) indicate that the institution may *proactively* refer suspected violations of the law to the authorities.
>
>  
>
> Do any of your institutions have a library privacy policy similar to this, and how does it work with your AUP?
>
>  
>
> Thanks for your input!
>
>  
>
> Rae
>
>  
>
> ***********
>
> Raechelle Clemmons
>
> Chief Information Officer
>
> Menlo College
>
> Direct: 650-543-3889
>
> Cell: 650-575-7698
>
> www.menlo.edu/it
>
>  
>
> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

--
==
John G. Jaffe
Director of Integrated Information Systems/CIO
Sweet Briar College          VOICE: 434 381 6139
Sweet Briar, VA 24595      FAX: 434 381 6173
E-MAIL: jgjaffe@sbc.edu
Twitter: http://twitter.com/sbclibrary

 Please consider the environment before printing

“My brethren, by the bowels of Christ, I beseech you, bethink you that you may be mistaken."  Oliver Cromwell - 1599-1658

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Message from alfred.essa@gmail.com

Rae,

I wouldn't go so far as to say that most Information Technology AUPs set no expectation of privacy. The University of Florida AUP policy that you cite is very interesting. At first reading it seems heavy-handed. But my takeaway after a more careful reading is that they are informing the community that a) they routinely monitor network traffic and other systems as normal part of IT operations and b) as a public institution they are subject to Florida Public Records Law, which means that any communication could be subject to public disclosure. 

I interpret that as: "Hey. Don't assume that any of your messages or documents are private. In the event the Florida Public Records Law is asserted, we might need to disclose those records." I don't see anywhere (I could be wrong) where University of Florida is asserting that they will "pro-actively" refer "suspicious" behavior to law authorities.  That would be troubling indeed if that were the case. But I don't think that's the case.

I believe the Stanford University IT AUP (http://adminguide.stanford.edu/62.pdf) does a nice job in stating specific ground rules (checks and balances) if an intervention is required. Here is an excerpt:

"Corrective Action — If system administrators have persuasive evidence of misuse of computing
resources, and if that evidence points to the computing activities or the computer files of an
individual, they should pursue one or more of the following steps, as appropriate to protect other
users, networks and the computer system"

Stanford U then goes on to state a number of steps that must be followed. For example: 

"Provide notification of the investigation to the Universityʹs Information Security Officer or
designate, as well as the userʹs instructor, department or division chair, or supervisor."

Stanford is a private university and U Florida is a public university. They are governed by different laws and, therefore, set different levels of privacy protection. I think both documents are well written in that they make clear that by using their computing resources I don't have absolute privacy. Nonetheless, I can expect a *reasonable* degree of privacy.  The boundaries of reasonableness are nicely specified in Stanford's case by explicitly describing the policies they will follow in the event of corrective action.

Alfred Essa


This falls under the Privacy section of our Policy on the Ethical Use of Computers:

http://groups.wfu.edu/CIT/ethical_use_policy.html

Associate Provost for Technology & Information Systems
Wake Forest University


Ø  Library records are protected in many if not most states by law…

 

Previous messages have covered this topic pretty well.  I would only add the following thoughts. 

 

1.       The ethos that your book reading habits are private is a strongly held and core belief in the library community, with almost the same kind of privacy expectation as you might have with your doctor, your lawyer, or  your minister or priest.  I don’t know if the legislation that supports this core belief about library privacy is always as strong as the legislation about you lawyer, etc., but privacy legislation about your library records is certainly common.

2.       As a part of this ethos, library circulation systems typically do not retain any history of which books you have checked out other than the books you currently have checked out.  As soon as you return a book to the library, all record of the fact you checked it out is gone.  So the capabilities for data mining or law enforcement investigations are inherently very limited, irrespective of whether there are privacy protections in law and irrespective of what AUP your institution might have in place for its library.  This is to be contrasted with the practices of the online booksellers who keep records of everything forever and mine the data to death.  I don’t know what the practices are in this regard for vendors of virtual E-book collections that allow E-books to be checked out and then checked back in.

 

Jerry

 

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

 

 

Thanks Jerry.Perhaps I should clarify...I'm not concerned with the privacy related to what books you have checked out or have read/are reading (I understand the legal rights here), only the piece that extends that same level of privacy to anything you might do/store on a computer you use in the library. I can think of all sorts of behavior that we wouldn't want to extend privacy to (harassing another student or employee, trying to hack campus systems, and the usual array of illegal activities). The language used in the brief policy and our librarian's interpretation of it when asked is that any computer hardware/software use while in the library is part of the library record and covered by the library privacy policy. That's where I'm questioning how other schools deal with this. 

Thanks!

Rae

**********
Sent from my iPhone
(please excuse typos)

If Cornell's information is of help, it is offered here:  http://www.library.cornell.edu/privacy

As you can see, it integrates IT institutional policy with state confidentiality rules and departmental (CUL) policy and ethics.  

As a matter of process, the staff did consult with me in the framing of this work, and it is put together nicely, I think.  

Thanks, Tracy


Close
Close


Annual Conference
September 29–October 2
View Proceedings

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.