• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!



Page history last edited by PBworks 18 years, 1 month ago


Privacy Audit

January 2006

Compiled by Stephen Sarazin


Explanation and purpose:


The purpose of this audit is to take a very basic inventory of privacy issues (specifically customer privacy) for our organization and to make suggestions and plans toward addressing any vulnerabilities that exist. This is based on ALA guidelines for the practice.



We have reviewed information about federal law and state law as regards privacy. We have also reviewed the ALA Policy on Confidentiality (ALA Code of Ethics 54.15 pt. 3) and our own policy.


Questions and answers:


What information do we collect and retain from patrons?


The Circulation Department collects the following information from patrons upon getting a library card; name, mailing address, email address, date of birth, and demographics. This information is retained in the database as long as the patron has an active account. We no longer collect or retain the Social Security Number. Data is held for three years after the last use of the library card.

We send out three overdue notices to patrons. The notices contain the patron’s name, mailing address and the overdue items checked out on the account. When looking at the patron’s account you are able to access the items checked out to them and any items placed on hold. The items are deleted from the patron’s account upon the return of the items. We do not collect overdue fines, but collect for damaged items, lost items, interlibrary loan costs, and collection agency fees. When sending patrons to collection agency, the following information is given; name, mailing address, library card account, date of birth, and lost items on patron’s account.


The Childrens Services Department collects the following information: For summer reading registration only the name of the child is mandatory. None of it is recorded in the ILS. We do not require that a child have a library card to participate. Honestly, we don’t have to track names, we could just count and ask them to fill out an optional questionnaire/survey for other info. We also request: last school attended, grade level in the fall, address & phone number. I’m considering changing “last school attended” to “where did you hear about the program.” Neither address nor phone is necessary, but phone number helps us contact people if they lose their contract. We also had a liability waiver form for parents to sign if the kids took place in the Jubilee Days Parade which included only names of child & guardian. All this information is retained in hard copy for a year at the most before being shredded.


Who has access to patron data internally?


Only staff have access. However, this includes staff at all institutions in the WYLD system because of the shared database and state-wide card privileges.


How is data secured?


Data that is kept in the database is available only by password to authorized staff at member institutions.


What patron information do we pass on to other entities?


The only patron information we pass on to other entities is the data we pass on to the collection agency for delinquent accounts. Information passed on to the collection agency includes: Patron name, address, date of birth, phone number. This is done through a form on their web site that utilizes Secure Socket Layer (SSL) encryption. The collection agency first contacts patrons by mail before calling them as needed. All payments are received by the library, not the agency, and the library informs the agency of payments. When an account is closed (all payments made) the agency completely purges all record of the patron from their database. There are usually 4-5 patrons per month who are referred to the agency. Generally, it is not more than a couple months before the patron returns the items or pays the fees, and that record is cleared.


Are circulation records deleted from a patron's file once an item is returned?


The items on the patron’s account are removed after the patron has returned the items. There is not a list of items that the patron has checked out. The record does remain in some form on the state’s backup disks until they are purged. These are purged every eight weeks.


The only exception to this


Does the library computer system require users to log-in to use the computer to surf the Internet?




Does the library computer system personalize desktop terminals to the personal settings of the user?




Do the e-mail features the library uses subject the patron to vulnerability?


This is a question worth futher pursuit. We do send out emails to patrons about their records (overdues, holds etc.) . If we have an incorrect or shared email address, this could create issues.


Does the system keep web-server logs of patron Internet activities?


Web site logs are kept for security purposes, but are purged periodically, in keeping with this state policy on web site privacy:



Tasks completed:


  • We have purged all Social Security Numbers from the database for our patrons, due to privacy and identity theft concerns.
  • The board has reviewed and is revising the privacy policy.
  • A privacy officer has been appointed- Stephen Sarazin.


Things to be done:


  • We have incident reports and problem patron records going back for years. We also have some correspondence from patrons. Does that type of material fall within the privacy guidelines? If so, how should we handle it? Does it also fall under the state’s public records law?
  • once the computer at the children’s ref desk is on anyone (staff or patron) could sit down and use it –yes, we’ve had patrons sit down at the librarian’s desk and proceed to work. Perhaps we should be more cautious about having Workflows up since it’s not a restricted area?



Continue to gather more detailed information. Specifically, investigate these areas more deeply:

  • Collection of patron information when registering for programs
  • WYLD office information retention and sharing


Educate staff about privacy issues through:

  • Emails about the issue
  • Formal training
  • One-on-one work with key staff (Circ desk employees etc.)

Notes: We especially need to educate staff regarding picking up holds and inquiries about what is on a minor’s card by someone who is not the card holder. In Wyoming patron information can be revealed to someone who is a custodial parent/guardian of a minor.


Negotiate for proper and secure logging practices and procedures in contracts


Inform users through library privacy policy


The privacy policy is on the web site and in other publicly accessible places. Perhaps it should be physically posted throughout the library. This audit will be posted on the site and within the physical library once it is complete.


Create a bookmark, handed out with each new card, that explains privacy policy to patrons, thereby having a written referral sheet for staff. We would need to create a script for staff to share with every new card issued, and it would contain info about privacy and the many other responsibilities that come with owning a library card. (this would educate staff, too)


Having a warning about the un-privacy of information submitted over the internet appended to the internet use policy that we have posted around terminals.


Make sure patrons receive a notice when they sign up for cards regarding the sharing of information with the collection agency.


Continue to embellish and update the data in this report and make it available to stakeholders. Reports will at least be made annually on this issue


Determine & implement desired practices

  • Notify users whenever personally identifiable information will be stored on the system
  • Remove data from dormant accounts
  • Pay attention to system security
  • Set limits on length of time data is stored


Circulation is presently reviewing the length of time that paper card applications are kept. We are keeping application cards in the card application drawer for the last three years. Library cards expire in the computer on a yearly basis. The expiration date is done on a yearly basis to keep up with patron’s current address information.

  • Create aggregate statistics rather than tracking individual transactions
  • Advise users of limits to library privacy protection when using remote sites.




Should we tell patrons to change the default “PIN” for their library card? How much of a privacy issue is this? Most patrons have no idea what their PIN is and if it weren’t “WYLD,” most of them wouldn’t use remote access.




This is an issue of great importance to the library and there will need to be an ongoing process to assess and update information and practices.

Comments (0)

You don't have permission to comment on this page.