A group of unviersity libraries in the United States have signed up to a new Statement on Patron Privacy and Database Access. With library resources often now accessed through third-party servers rather than on the bookshelves, it offers a set of principles for how libraries can nonetheless continue to defend the privacy of their users.

The Statement addresses issues which are high on the agenda not only in the United States but worldwide. As we approach the 20th anniversary of IFLA's own Intellectual Freedom Statement, it provides important food for thought. 

IFLA has interviewed Mimi Calter, Deupty University Librarian at Stanford, and Chair of IFLA's Academic and Research Libraries Section, to find out more about the thinking behind the Statement, and what it says.



Mimi Calter - photo by Wayne Verderkuil1. In a few words, what does the Statement on Patron Privacy and Database Access say?

The Statement on Patron Privacy and Database Access grows out of general principles of protection of patron privacy that libraries have long espoused, with a focus on use of licensed databases and data services.  Libraries are trusted providers of these services, and value that role.  We commit to maintaining the same standards of privacy for our customers using databases that we have long maintained for users of physical materials. 


2. What prompted you and others to produce the Statement now?

We produced the statement now because we’ve seen a growing number of demands for data from the library, by the provider, “on behalf of the patron,” but without the patron’s knowledge or control.  In some cases, this demand has been direct, through contracts incorporating data use clauses that allow for broad capture and open-ended use of patron data and patron activity, or that are subject to change without notice.  More concerning, we’ve seen examples of existing accounts, that were created under acceptable data use policies or under no data use policy at all, being migrated to new platforms, with different data reuse terms, without notice.  We are committed to being attentive to these policies, and recognize that we must sometimes walk away from services that cannot meet our needs regarding privacy protection. 


3. For you, and the other people behind the statement, when is it acceptable for students’ data to be collected and used?

We think it is only appropriate that students’ (or other users’) data be collected and used when the individual user affirmatively permits such use.  Some users will certainly choose to share their personal data to establish accounts, to customize their experiences, to be able to save searches and the like.  But they should be making an informed choice when they to do so. 


4. What efforts do you take within the library to protect personal data that you hold?

I can only speak for our practices at Stanford, but our first concern is to minimize the amount of personal data that we hold for individual patrons.  We anonymize circulation records and interlibrary loan files once materials are returned, for example.  Where we do have patron data in our care, we treat it as higher-risk data, which is subject to stricter security treatment. 


5. What costs may there be to stricter privacy controls?

The biggest tension we see is between privacy and personalization.  We know that users value a more personalized experience, and with good reason.  As noted above we know that some users will make the choice to provide more personal data in order to achieve that.  As long as the choice is made with an understanding of the risks and with intention, it’s acceptable.  


6. What level of awareness is there among students about risks to their privacy?

Students tend to have a very general interest in protecting their own privacy.  At Stanford, I get questions about our privacy policies that I see as a clear demonstration of student concern.  That said, I don’t believe that most students have a full understanding of the terms of database contracts and the management of rights that are negotiated there.  They trust the libraries to protect their interests, and we are stepping up to that responsibility. 


7. What impact do you hope the Statement will have?

First and foremost, we hope that the statement will help clarify our concerns and interests for database providers.  By stating clearly that we require privacy for our patrons, we hope to see an end to the more egregious types of data use clauses in our database contracts, like those that are subject to change without notice.  Where we do see such clauses, we know that we will be able to point to the statement, and the support it has from our colleagues, as a reason for finding those terms unacceptable.  At Stanford, we’ve already had several vendor interactions that have been impacted by the statement. 

I’ve also been pleased that the statement has led to conversations with colleagues involved with developing privacy standards.  We’ve opened a dialogue with the team developing RA21 and I’ve been pleased to learn more about the FIM4L project. 


8. Do you think similar statements could be helpful elsewhere in the world?

First of all, I would welcome anyone who wishes to sign on to this statement to do so.  We’ve created a form for anyone who wishes to join to submit their details.  But yes, I do think that it would be beneficial for others to come forward with similar statements of principles.  It all adds to our global dialog.