Patron Privacy Framework10th Annual NISO/BISG Forum

24 June 2016

Nettie Lagace, Associate Director of Programs, NISO @abugseye

Daniel Ayala, Director Information Security, ProQuest @buddhake

Michael Robinson, Head of Library Systems, University of Alaska - Anchorage@mikerobinson_ak

NISO as a “Switzerland”

A meeting place for libraries, vendors, publishers to discuss common issues and create consensus solutions

An Issue of Privacy

ALA code of ethics

Publishers/vendors who serve users are not librarians

Libraries are servers in the cloud and user interactions are managed by third parties

NISO & Patron Privacy Framework Intro

Can libraries and service providers develop valuable services that are based on user activity data, or improve existing services using activity data, in a way that simultaneously protects privacy?

NISO & Patron Privacy Framework Intro

Can we build a framework to protect patron privacy that is based on consensus that simultaneously recognizes the nuances with this issue?

NISO & Patron Privacy Framework Intro

Goal: Establish a consensus framework of principles that prescribe how information systems should respect the privacy of patron data

What we arrived on...OverviewPreamble1. Shared privacy responsibilities2. Transparency & facilitating privacy awareness3. Security4. Data collection and use5. Anonymization6. Options and informed consent7. Sharing data with others8. Notification of privacy policies and practices9. Supporting anonymous use10. Access to one's own user data11. Continuous improvement12. AccountabilityGlossary

So how does this tie to User Experience?

Security & Privacy User Experience

Balance of UX & Privacy

Suppliers (Publishers, Service Providers)

TrustBalance privacy and functionality

Metrics on usage

Operational info to keep the service “up”

Multiple customers: creators and users

Libraries

Balance of UX & Privacy

Metrics to fuel funding and buying decisions

Wide array of positions on data use

Assessment mandates

Fundamental privacy tenets as baseline

Expertise

Enablement of users to make informed decisions

Users

Balance of UX & Privacy

ControlPersonalisation and recommendations

Fast, easy, mobile, ubiquitous access

Informed control over own privacy and data

Consumer-like features expected

The Librarians

Both ends of the spectrum...

The Librarians

Both ends of the spectrum...

Legal & Ethical Obligation to Protect Reader Privacy

1st amendment (free inquiry), ALA policy, professional ethics

State laws on confidentiality of library records

The Librarians

Both ends of the spectrum...

Libraries Need to Embrace the Modern Web

E-content, personalization, user experience

Operational needs, business intelligence, educational assessment

The Librarians

Both ends of the spectrum...

False Dichotomies

Privacy is dead vs privacy at all costs

Abandoning ethics vs fettering competitiveness

UX Focus on the Framework

How do you define what gets collected automatically vs explicitly asked for?

PII/Sensitive InformationBrowser/Application Fingerprint

UX Focus on the Framework

How do you define what gets collected automatically vs explicitly asked for?

Persistent Cookies Tracking

Session Cookies Tracking

UX Focus on the Framework

How do you define what gets collected automatically vs explicitly asked for?

User BehaviourReader Behaviour(Free Inquiry)

UX Focus on the Framework

How do you define what gets collected automatically vs explicitly asked for?

US Privacy LawsEU Privacy Laws

UX Focus on the Framework

What does consent look like?

EU Right to be ForgottenFTC Fair Information Practises

Legal

UX Focus on the Framework

What does consent look like?

Notification via Terms of Service

Existing Consent Models are Broken

UX Focus on the Framework

What does consent look like?

Opt-In & Opt-OutNotification via Terms of Service

Existing Consent Models are Broken

UX Focus on the Framework

What does consent look like?

Data sharing disclosures

Existing Consent Models are Broken

UX Focus on the Framework

What does consent look like?

Consent via NagwareData sharing disclosures

Existing Consent Models are Broken

UX Focus on the Framework

What does consent look like?

CHOICENO REAL

Existing Consent Models are Broken

Security DRM

Privacy

vs. vs.

Strong ties between Privacy and Authentication

The tie touser experience

and the need for real

choices

What’s next for the community?

Consensus building / discussion of principles over the past 2 years

NISO Privacy PrinciplesPrivacy Guidelines from ALA Intellectual Freedom Committee & Digital Content Working GroupLITA Patron Privacy Interest GroupLibrary Digital Privacy Pledge

What’s next for the

community?

Now is the time for action

How do we put these principles into practice

Iterative process - implement, learn, change

Expectations & perspectives may change as practices develop

Let’s Get to

the How

The Next Step

Use the shared partnership amongst the vendors, libraries and users to create a shared ecosystem to build a model

Model language for RFP and Contract

Audit standards and responses

Mapping of principles to local and regional privacy laws

Share implementation best practices amongst libraries and suppliers

Encourage ALA Privacy Summit to move the topic forward

ResourcesNISO Consensus Framework to Support Patron Privacy in Digital Library and Information Systems - http://www.niso.org/topics/tl/patron_privacy/

ALA Code of Ethics - http://www.ala.org/advocacy/proethics/codeofethics/codeethics

ALA Office of Intellectual Freedom - https://chooseprivacyweek.org

ALA Library Privacy Guidelines for e-book Lending and Digital Content Vendors - http://www.ala.org/advocacy/library-privacy-guidelines-e-book-lending-and-digital-content-vendors

Library Digital Privacy Pledge - https://libraryfreedomproject.org/ourwork/digitalprivacypledge/

Stock Photography Source: Shutterstock and Stocksnap.io

Discussion, Ideas, Questions