CILIP Privacy project - archive.cilip.org.uk · Web viewGiven the potential scale of the project...

Name of meeting: CILIP Board

Date of meeting: 21st November 2018

Report title: Privacy project final report

Contains confidential information:

Yes – transcripts of interviews in appendices. Participants have agreed to these being shared with CILIP Board and the privacy project’s Expert Advisory Group

Agenda item no: 14

Report by: CILIP Privacy Board

Purpose: A report with recommendations to CILIP board was one of the deliverables of the project

Recommendations: The report has three recommendations to be considered by CILIP Board

Compliance checks

Financial implications: The privacy project was set to function within its 2018 budget of £5,000 before budget re-forecast

Legal implications: There are none

Four nations: It covers all four nations

Equalities: No equalities issues have been identified

Byelaws:

Risk assessment:

Divergence of viewpoint with Ethics Review and Privacy project was considered high risk. This was reduced to low as Dawn Finch, Chair of ethics review is also a member of the privacy board.

Links to strategic priorities:Respondents to Shape the Future (a sector-wide consultation to identify priorities and objectives for our Action Plan 2016-2020) identified ‘Privacy’ among the top 10 priorities policy agendas for CILIP to address during the lifetime of the Action Plan.

Agenda item 14Board 18/5121st November 2018

REPORT COVERSHEET

CILIP Privacy Board

1

2018

CILIP Privacy project

Final report of the privacy boardAUGUST 2018

CILIP Privacy Board

This report is a commentary on all of the evidence gathered over the course of the project and provides a snapshot of privacy issues in the library, information and knowledge sector. This report also serves as a review of progress against the PID. The Report has three recommendations for CILIP Board

Contents

1. Executive summary

2. Context

3. Commentary on the evidence

4. Privacy definitions

5. Information professionals and user data

6. Privacy challenges

7. The role of the information professional

8. How can CILIP best help the profession

9. Implementation plan

10.Conclusion

11.Summary of recommendations

Appendices

Appendix 1 Interview transcripts

Appendix 2 Project Initiation Document

Appendix 3 Privacy Project – Report to the Ethics Committee

Appendix 4 Summary of findings

Appendix 5 Privacy project - Evidence collection - Key information

Appendix 6 List of evidence (not included in appendices)

1. Executive summary

2

CILIP Privacy Board

Whilst digital and the online world has contributed to the rise in people’s awareness of privacy issues, defining privacy solely in terms of “digital privacy” was not broad enough to encompass the privacy concerns of our profession

Surveillance which happens through the harvesting and tracking of personal data by social media websites and when the user accesses resources and information via third party vendors has been normalised

Surveillance also happens through compliance with the PREVENT strategy. This increases the potential for conflict with the professional demand for the confidentiality of the user

The evidence did not show the existence of a unified response to the problems raised by the privacy issues highlighted but the evidence does show a unified concern to be doing the “right” thing

Concern about the lack of knowledge on privacy issues, skills in how to address them and awareness about the importance of privacy issues attracted the most separate comments and this lack of knowledge was in relation to staff, users (pupils, members of the public), and employers

Almost all respondents to our survey and the people who attended the privacy workshops would like to see CILIP publish guidance on privacy

There is an appetite for some clear messages from CILIP which would support information professionals do what they possibly are already doing or attempting to do in the workplace

2. Context3

CILIP Privacy Board

1. The privacy project set out to enable a better understanding of what privacy means to our profession and how it can best be promoted by information professionals across all sectors.

2. The project had 2 foci: the information professional and the guidance they require to uphold the principle of privacy in their professional work and the user (or client) and how their right to privacy can be supported and promoted by information professionals in all sectors. User here encompasses citizen, learner, consumer patient, client and employee.

3. In this context, how can CILIP best support and advise information and library workers, managers and leaders so that they can:

Ensure that the privacy of the personal data of users is protected, and;

Support users and citizens in understanding the issues, trade-offs and risks concerning privacy and personal data to enable individuals to make informed and effective decisions about their data and effectively manage it in an online environment

4. The outputs of the project focus on practical actions. In the PID this was stated:

o The project should deliver recommendations and a policy position which CILIP can formally adopt;

5. The deliverables were:

o A report with recommendations to CILIP Board with a focus on practical actions to improve the profile of our professional community in relation to privacy and freedom of access to information

o Advice to the Ethics Review in regard to privacy and freedom of access to information relating to their own work reviewing CILIP’s Ethical principles and code of professional practice

o A user guide on privacy and freedom of access to information for information and library practitioners

o A policy statement and an Information Rights Charter are other possible deliverables of this project

6. Advice to the Ethics Review has already been achieved (see appendix 3)

7. A note on the deliverables Midway through the project it was decided that a stand-alone policy statement on privacy was not the best way for CILIP to support

4

CILIP Privacy Board

information professionals. It has been decided that this should be replaced by a top level statement on privacy which will act as an introduction to an Information Rights Charter.

8. Also to note: The introduction of a Your Membership and a General Election meant that some of CILIP staff who would have been involved with the privacy project from the outset, especially in the development of a communications plan for the deliverables, had other priorities. This means that the outlined implementation programme is a draft only.

3. Commentary on the evidence

9. There were three sources of evidence: A survey of CILIP membership, five privacy workshops and seven one-to-one interviews with experts/ leaders/ aspiring leaders from across the sector.

10.There was a low response rate to the privacy survey (241 and only 34 from the K&IM community). There was no noticeable divergence of views between the K&IM community and the rest of the survey respondents but the numbers that took part are possibly too low to say for sure there isn’t one.

4. Privacy definitions

11.People defined privacy in broader terms than data privacy and included the physical space, building design and how a building is used. Overheard private conversations in public places, written documents with sensitive information being left behind in public rooms were also mentioned here.

12.However, as one of the interviewees observed: “The digital agenda throws the privacy issue into stark relief and shines a light onto privacy which hasn’t had a light shone on it before”. The legal framework/s and policies around personal data also came up during discussions of what privacy means.

13.Societal change and not just the technical, digital aspect of that change, but the shift in values and what is considered “private” has also changed the privacy landscape. The “habitual sharing of personal material” is now the norm and this “growing culture of social media information sharing overshadows privacy issues.”

14.Difficulties in distinguishing between the different spheres you operate in as an individual (as employee, employer etc.) and the different roles you assume in each of those spheres was mentioned. Knowing that there is a difference between personal/

5

CILIP Privacy Board

private information and information that can be shared more openly but not always being able to distinguish where that line is.

15.When people tried to define privacy, technical issues invariably came up. The technical capacity and the decisions taken around how things are done and how systems operate (such as filtering, T&Cs, surveillance) were difficult to separate from people’s views about what privacy actually means to them.

16.“We do need to look at (privacy) in a much, much deeper way. I do think a lot of talk about it at the moment is quite surface. A lot of times when we talk about privacy we talk about it in terms of it being a right, which I think is important, but privacy is a word that means a lot of different things to different people. If it were just a “right” it would be straightforward”.

5. Information professionals and user data

17.How is your organisation involved in user data? was a question asked during the one- to-one interviews. In hindsight it would have been good to have concentrated a little more on this aspect. However, the focus of the project has been the landscape of privacy issues and what can be done about it rather than what library and information professionals are currently doing with user data in the workplace.

A selective snapshot of current involvement drawn from evidence collected during the project

18.“Lots of different departments collect information. I am a Group Director within my company so the very fact that they have put my role at that level ...this gives an indication of the importance of this to my company. I do talk to other departments. They might not have known how to tackle the problems but the will is there to tackle it”.

19.“We have data from 10,000 interviews from our last research project. IPSO Mori does the data collection the only data we hold ourselves is our database for advocacy purposes. We are not involved in data mining. We are currently making sure this is GDPR compliant”.

20.“I’m involved in recruitment so I see lots of information…lots of the information used in recruitment is used to create student records. We get medical information, age, passport information, etc. A lot of detail. The way in which librarians are ploughing into this is really serious and the way in which the systems are all joined up. Recently our university library added an entry and exit system based on your library card. The excuse was to save staff time but this tells you about student behaviours. I’m not comfortable with this and you see librarians piling into this as it provides another string to their bow”.

6. Privacy challenges6

CILIP Privacy Board

21.Questions around the major privacy issues faced by information professionals in the

workplace and for the information profession as a whole, produced the largest discussion and response in the workshops. Privacy issues covered those raised by and as a consequence of new technologies and also professional concerns around balancing freedom of access to information & resources and privacy. The capabilities of technology has polarised this issue.

22.Corporate and government surveillance figured large in people’s concerns. Surveillance also surfaced in the Member Network Forum (October 2017) and New Professionals day/ AGM workshop on “issues of the day” where the privacy issues of PREVENT and surveillance generally were the most mentioned topics.

23.There was no evidence to suggest that there is a unified response to the problems raised by these issues but the evidence does show a unified concern to be doing the “right” thing.

24.Word clouds from the survey showing similar levels of concern over social media, data protection, big data and government.

K&IM responses in survey (36)

All responses in survey (241)

7

CILIP Privacy Board

Balancing Freedom of access with privacy

25.The evidence for this aspect of the privacy debate was included as part of the project’s report to the Ethics Committee (see Appendix 3). To add here that this issue also surfaced in discussions about sharing data and equality of access issues (How do you protect academic data and support open access for example). One of the interviewees saw the problem as being one of channelling opinion down a “for” or “against” position. “The real challenge is to get away from this binary discussion.” What is needed is “some passion for the middle ground.”

Knowledge and skills of the professional and the user

26.Concern about the lack of knowledge on privacy issues, skills in how to address them and awareness about the importance of privacy issues attracted the most comment. There were 132 separate comments. The comments related to users, staff, pupils and employers.

Corporate and government surveillance in particular mention of GDPR and PREVENT

27.There were 60 separate mentions of surveillance under “issues important to the profession”. There were other comments collated under data security which could also be added to this topic. HE librarians and public librarians were the most likely to raise this as an issue but this is possibly just a reflection of the sectors who engaged most with the project.

28.In discussion, surveillance meant two things to people: human intervention, specifically the PREVENT strategy (a particular concern of both HE and public library sector) and the social media harvesting and tracking inherent in technologies and systems. Who has access to the data and to what use that data is put are important issues for our sector but also - who gets to decide this?

29.It was notable that PREVENT was always seen as a threat to privacy and there was little or no acknowledgement of the safeguarding or welfare aspect of the strategy. The Board should be aware that CILIP is proposing to publish some guidelines on PREVENT and may wish to input into this.

30.Given the importance of this topic to participants in the project it is worthwhile publishing some of these comments to illustrate the views of those who participated.

31.These same comments also provide a good summary of the competing stakeholders; users, clients, researchers, organisations supplying services, third party suppliers, government departments and the police.

The surveillance issue in quotes from the evidence

32.“Balancing safeguarding duties and police demands with protecting citizen’s data”8

CILIP Privacy Board

“When asked for users’ reading info, it’s difficult to say “no”

“Third parties asking questions about users and Police wanting access to records”

“IT monitoring internet access”

“Our obligations to work with/co-operate with the Police and security services. Particularly, how we challenge them if we feel they are stepping outside of the legislation or we disagree with what is being asked of us”

“Possibility of surveillance of what users are reading. Pressure from information providers to share more user information”

“Unwarranted third party access to network usage records & CCTV”

“Government obsession with terrorism, social media concerns to maximise profits, industry's desire to know the utmost about the desires and habits of all its potential customers”

“Laws obliging staff to disclose private information about clients and users”

“Corporate and state surveillance including profiling”

“Balancing surveillance with individuals' rights”

“Tracking behaviour”

Data protection and use of data

33.What information to share and in what circumstances it is appropriate to share, and with whom, were common concerns and as with comments received around the PREVENT strategy, the competing and conflicting demands of different stakeholders came up. This conflict seemed especially the case in academic environments where the student’s right to privacy was weighed up against safeguarding responsibilities and other gatekeepers needing to know/ vulnerable groups/ parents.

Social media harvesting, Third party access, Commodification of data

34.In this context commodification means making personal data into a saleable product. The evidence shows concern not just over the increasing capabilities to harvest data but the growing interest organisations have in using that data to target products and services or selling it on to third parties for commercial gain.

35.“Tracking” was the term most commonly used to describe the particular privacy problem which arises from social media harvesting and through the use of databases provided by third party vendors. Due to the variety of ways people now access information this tracking goes deeper than just the recording of a user’s borrowing history and tracks actual use and online behaviour. The privacy intrusion appears disproportionate to what is required to provide a particular service.

9

CILIP Privacy Board

36.There was nothing in the evidence to suggest that there were any strategies or policies in place to manage this. The “newness” of the technical capabilities has not given our sector time nor opportunity to debate these issues.

37.One interviewee spoke of a library management system (in America) which allowed the librarian to see what the user was doing in situ (real time). “This is a complete departure from what we used to be doing in the analogue world….and relatively new”.

Data security

38.Data security and data protection were frequently spoken of together but data security emerged as an important and discrete issue with 23 separate mentions. Cyberattacks, malware, cyber security, hacking, leaks, online security identity theft, phishing, security of the cloud, were the terms used by people when referring to data security as an issue.

39.Some comments suggested privacy concerns around data security could be dealt with by having the right levels of permissions and access in place. The lack of control over information that is moved to the cloud was also mentioned and this particular problem also surfaced in the one to one interviews: “In the longer term we do not know how this information will be used and protected regardless of the terms and conditions we sign up to now”.

7. The role of the information professional

40.No clear role of the information professional emerged from the evidence but nowhere was there any evidence that upholding the value of privacy wasn’t important. People highlighted the issues and highlighted what could be done to help with the issues. We could imply then that participants in this project felt there was a role for information professionals esp. around user education and possibly educating employers and fellow colleagues. But what that education should entail and how far one should could go in this role did not surface.

41.There is an appetite for some clear messaging from CILIP which would support information professionals do what they possibly are already doing or attempting to do in the workplace.

42.In some sectors there are existing and well defined practices and procedures in place for information professionals to protect user privacy – in the health sector for example.

10

CILIP Privacy Board

43.All staff in the NHS go through training sessions on an annual basis on information governance (includes data protection and privacy), and there is a Caldecott guardian (data protection) at board level. Staff know to refer issues up through their line manager to the Caldecott guardian.

44.e-learning or face to face training is established practice. (NHS employs a million people) “I would expect health librarians to be more than just aware about this stuff” (health librarian)

45.The complexity of working alongside other professionals who have a different/ conflicting set of ethics also came out during the one to one interviews.

46.For example: “As an information professional I am clear about obligations around privacy. The privacy of readers is ingrained in me as a professional. But I find it challenging when, for instance, our marketing department talk about cross selling. Some staff come from a commercial background and will have different ethics. For me there are instances of a thick ethical black line [that isn’t necessarily shared by others]”.

47.GDPR was seen as the catalyst which will force the profession to look at things from a user perspective. The need to do this is seen as more pressing than it was in an analogue world where people’s privacy wasn’t such a complex problem.

48.In one interview, library leaders or those responsible for library services were seen to be the ones with a role to play in being more proactive and discerning over user data and the privacy arena in general.

49.For example, decisions around data and how it is captured should be driven by the business to help deliver a better service and not by an IT department.

50.“Library service leaders need the support to manage this. The beneficial purpose should be key in this. Commercial suppliers take the data and apply it for their own benefit. Library leaders should know this and ask the question can this be monetised for public benefit? This data will grow in the future and we should be looking at this issue now.”

8. How can CILIP best help the profession

51.In order to find out what people want and expect from CILIP we asked a general question at the end of our survey but we also had guided questions about an Information Rights Charter, a user guide on privacy and a CILIP policy statement.

11

CILIP Privacy Board

52.99% of respondents to the survey said it would be useful for CILIP to publish guidance for informational professionals on how to uphold privacy. The 1% who answered “no” thought circumstances too varied to produce meaningful guidance. We suggested five topics and invited respondents to tick all that applied. 91% selected GDPR (Which CILIP has now done!), 90% privacy and the law, 84% data sharing, 83% data security and 79% citizen enablement. (slightly lower for K&IM with 72%) Under “other” the most popular suggestion was around tracking, monitoring and harvesting information on users and allowing third party access to user data. Data security was the next most mentioned which had a strong showing in the important issues for the profession question.

53.Data archiving (advising citizens on managing data after death) also got a mention. This topic increasingly crops up in the literature and it is interesting that it got a mention here.

54.Almost all respondents to our survey (99%) and people attending the privacy workshops would like to see CILIP publish guidance on privacy. We asked whether it would be better to split the guidance for the different professional communities within the sector. 63% in our survey said “no” to this approach (66% of the K&IM community).

55.Other things people requested were briefings, definitions, training, advocacy, research and help with user education. And also that the issue be debated: “The most regrettable thing for the profession is that we don’t debate it”. CILIP should also be an organisation which leads by example.

56.There was also a plea for useful, how-to guides based on “real life practice”.

57.

A CILIP policy statement on privacy

58.The privacy workshops showed no outright call for a policy statement. For those who said “yes” to a policy statement the reasons given were that it would provide them with a robust starting point when dealing with problematic privacy issues. A statement would show “where we stand” and would support making changes for the better within their organisations. This could also offer some kind of protection for staff who are asked to provide information about their users to third parties.

12

Recommendation

In light of this evidence we recommend that CILIP produce privacy guidance which informs and supports the Information Rights Charter (see Recommendation in para 64 below) This guidance should not be sector specific and should be of practical use to information professionals.

CILIP Privacy Board

59.People who thought there would be no point to a written statement as “it wouldn’t change anything” said they would prefer CILIP to provide specific guidance on the law (GDPR) and toolkits which help on a practical level.

60.In the survey we asked what a CILIP policy statement might cover from a pre-selected list. The top three selected statements were how information professionals enable citizens to uphold their own privacy (62%), why information professionals uphold privacy (60%) and 60% selected privacy and data sharing. Surprisingly, given the number of comments received on surveillance and the PREVENT strategy, only 29% selected a statement on corporate and state surveillance.

61.On this same theme, 93% of people in the privacy survey thought CILIP should endorse relevant IFLA policy statements on privacy. ALA, Amnesty, BCS and ILO were some of the organisations listed as ones with policy statements CILIP should consider endorsing. For the full list see Appendix 4 Summary of findings).

An Information Rights Charter for CILIP

62.In the survey 88% thought an Information Rights Charter should also embrace freedom of access to information and data protection and 86% said “yes” to the question “Should institutions be invited to commit to upholding such an Information Rights Charter in all aspects of its work? Should institutions be invited to sign up to a charter received 115 responses. 78% of K&IM answered “yes” to this question. A higher percentage of public sector respondents (85%) said yes to this question.

63.Reasons against asking organisations to sign up were: Institutions should not need to commit to upholding the law; Institutions are too varied and will have their own policies; it would be too difficult to get public sector organisations to do this.

64.

13

Recommendation

We recommend that CILIP does not have a stand-alone policy statement on privacy but instead that CILIP develops a top level statement on privacy which acts as an introduction to an Information Rights Charter.

An Information Rights Charter will set out:

The rights and responsibilities of the profession to educate the citizen so that they understand the issues of privacy. Outcome: informed citizens.

The rights and responsibilities of citizens. Outcome: proactive and engaged citizens.

Rights and responsibilities of CILIP (what we are going to do as an organisation)

The Information Rights Charter will be supported by guidance for the profession (see para 57) and will be

CILIP Privacy Board

9. Implementation plan

65.In the PID, Phase 5, “Implementation” had the following elements: Implementation of recommendations, summative evaluation and review, future actions. Implementation was programmed to be completed by the end of 2018. If CILIP Board agrees our recommendation for an Information Rights Charter, we would work towards having a draft IRC framework to bring to an early board meeting in 2019.

66.The recommendations we have made so far are for the following products: A top level statement on privacy which will include a definition of privacy for

CILIP An Information Rights Charter Privacy guidance which supports and informs the Information Rights Charter

67.The main work will be a scoping exercise to agree the content of an IRC which will include a top level statement on privacy. Privacy guidance which informs and supports the IRC will possibly take the longest time to complete.

68.Activities to achieve the recommended outputs:

CILIP staff discussion on a top level privacy statement Scoping of the content of an IRC for the sector, possibly through a roundtable

made up of the Expert Advisory group and others Survey of membership (targeting the K&IM community) on a draft IRC As well as the content of an IRC we also need to consider:

o What the IRC will look like o Who will be able to access ito How will it be promoted and embedded

Scoping of the supporting guidance. (The content, format and access issues of the guidance will be determined by the Information Rights Charter).

14

Recommendation

We recommend that CILIP does not have a stand-alone policy statement on privacy but instead that CILIP develops a top level statement on privacy which acts as an introduction to an Information Rights Charter.

An Information Rights Charter will set out:



Rights and responsibilities of CILIP (what we are going to do as an organisation)

The Information Rights Charter will be supported by guidance for the profession (see para 57) and will be

CILIP Privacy Board

69.

Future actions

70.The IRC would be a “living document” which will require a continuing oversight to include looking at any future advocacy opportunities around promoting a “sign up to CILIP’s Information Charter” exercise.

71.Who would be responsible for this oversight would require further discussion.

72.For reasons given earlier, a communications plan for the deliverables of the project was not developed at the start of the project. Now that we have a clearer idea of what the outputs will be if agreed, developing a comms plan will form part of the implementation plan.

10. Conclusion

73.Respondents to Shape the future (a sector wide consultation to identify priorities and objectives for our Action Plan 2016-2020) identified “Privacy” among the top 10 priority agenda for CILIP to address during the lifetime of the action plan. Privacy has been much in the spotlight over the past year and the approach of GDPR has increased interest and driven some of the focus around the topic.

74.It has been important to note this and to be aware that privacy is possibly regarded as a “fashionable” issue. We have attempted to navigate the heavily emotive language that such a situation carries with it especially in not assuming issues and opinions from the outset.

75.The response rate to the privacy survey was disappointing. We knew there would be a risk of this given the open ended questions (7 out of 17) but for the purposes of this project we needed to gather qualitative comments and for the reasons given earlier we did not want to pre-guess the most important issues by giving pre-selected choices. We did receive over 1,000 separate comments and the privacy related comments received via the Ethics review survey and workshops were also analysed.

76.The one to one interviews have been a worthwhile exercise and have provided us with a rich picture of the privacy issues and general landscape across the sector. The transcripts are given here as an appendix. Although only a small group of people

15

Recommendation

We recommend that the Privacy Board and Expert Advisory group continue in their current form to oversee the development of an IRC and supporting guidance.

CILIP Privacy Board

were interviewed they were from HE, a national library, public libraries, charity, health, corporate and commercial sector.

77.We are confident that the recommendations we make here have a good foundation through the comments, feedback and discussions we have facilitated.

Jacqueline MayResearch & foresight managerJuly 2018

11. Summary of recommendations

Recommendation (p. 12 para 64)

CILIP produce an Information Rights Charter to be informed by CILIP’s new ethical framework. This Charter would consist of a top level statement from CILIP. From this statement will come the Charter which will set out:



Rights and responsibilities of CILIP

Recommendation (p. 11 para 57)

CILIP produce privacy guidance which informs and supports the Information Rights Charter. This guidance should not be sector specific and should be of practical use to information professionals

Recommendation (p.13 para 69)

The Privacy Board and Expert Advisory Group continue in their

16

CILIP Privacy Board

current form to oversee the development of an IRC and supporting guidance.

Final report of the Privacy board: Appendices

Contents

Appendix 1 Interview transcripts

Appendix 2 Project Initiation Document

Appendix 3 Privacy Project – Report to the Ethics Committee

Appendix 4 Summary of findings

Appendix 5 Privacy project - Evidence collection - Key information

Appendix 6 List of evidence documents (available on request)

17

CILIP Privacy Board

Appendix 1: Interview transcripts

Interview 1 Large special collections library

What does digital privacy mean to you in relation to your work?

Privacy has always been an issue with the physical collection so on one level I would say digital privacy shouldn’t mean anything different at all BUT

Digital platforms incur surveillance - it is inherent in the way it works. Systems are of necessity collecting information in order to “work”, tracking content but also people’s behaviour. It shows behaviours. Looking at something for 2 minutes is very different from looking at something for 2 hours.

We need as an organisation to make people aware that sharing data is not just about what they have looked at. It is also how they interact with the resource/ tracking their behaviours.

Not concerned in terms of the law (GDPR will have obligations for organisations) but what data do we have on people with our existing systems and what data could we have?

GDPR is the context through which I’m looking at privacy

Does it mean anything different to you personally?

Yes, I would say that in my private life my level of distrust has gone up. I’m more paranoid in the digital world thinking about privacy settings etc. Librarianship is a trusted profession so we need to go that extra mile in order to retain that trust.

18

CILIP Privacy Board

What role does your organisation play in enabling users of your services to understand and protect their privacy?

GDPR will force us to look at things from a user perspective. Working on old systems (and some of our processes still are old and do not have the capacity to capture data in the same way as in digital environment) But new systems, BYOD interfacing with our digital systems individuals need to be aware of what they are taking away with them along with the new digital systems. (pushing resources out to people) the fact that they are tracked. As an organisation we need a root and branch review. We are not Google or Amazon we are publically funded so do not have the same capabilities of those systems but we will have more capabilities as we go on. Being open and transparent about what we have the capacity to do, what we have decided to do and not to do. And what you will do with what you have decided to collect. (why would we ever want this information?)

We need to look at it from the users point of view as in the analogue world people’s privacy wasn’t so much of a problem (less complicated to protect).

What are the most significant privacy challenges you face in your role?

Tracking behaviour. We are harvesting web sites - only what is openly available (UK based) no proprietary websites (Facebook, Twitter etc.) Question asked about text/ data mining. People want to access this information/ resources remotely for research purposes etc. There is a pressure towards open access.

Tension is between this push towards open access and the Right to be forgotten.

There will be information here people do not wish others to see. Past misdemeanours etc. If we open up this resource to text data mining there are a whole lot more things we need to ask ourselves.

Balance between the research community and the people whose information is contained in the archive, who could be disadvantaged.

Although this is information in the public domain it is much easier to locate and access in the digital world than in the analogue. Open access and new technology increases these potential conflicts.

As custodians we cannot alter or change the “record”. It cannot “be forgotten” because it has happened.

So, there are shades of grey. Things are not absolutely good or absolutely bad. This is demonstrated in the publishing of archives. In the analogue world as a repository you can keep some items back if you feel some individuals living would be harmed/ disadvantaged by their release. But in a digital world whilst it is the same issue it is on a massive scale. It may be unworkable to “keep some items back” for privacy/ data protection reasons.

Are you confident that as an informational professional you have the tools available to protect the privacy of your users?

19

CILIP Privacy Board

One worry/ concern is about problems that arise when we try to find new ways to diversify funding. As an organisation we are constantly looking to diversify our funding. People who use our building are readers and non-readers - all sorts of different people here for different reasons- As an informational professional I am clear about obligations around privacy when using the collection or seeking information. The privacy of readers is ingrained in me as a professional. But I find it challenging when for instance, our marketing department talk about cross selling. My immediate reaction is ‘NO’ you cannot use info about use of the collections to do that/ merge together and link data/ mash up/ and personalisation for that particular purpose. Some staff come from a commercial background and may have different professional ethics. Not understand the sensitivity around using collections. For me there are instances of a thick ethical black line.

On a personal level I don’t see any need for cross selling (say between my information needs and my shopping behaviour) and I don’t think you can dismiss such concerns as being merely generational. For example, researchers are often asked to be more open/ share their research more widely but they are in a competitive environment (I mean before they formally publish). They need a competitive advantage over their rivals. It is naive not to recognise the fact that there is a competitive advantage at play here.

What role do professional ethics play in protecting privacy?

Individual privacy isn’t an absolute. There will always be the greater public good to consider (legal obligations etc.). The problem is knowing where to draw that line. Privacy versus access to information. Right to access always has to be balanced with an individual’s right to privacy.

If we know that under certain circumstances we would share/ give data away the ethical responsibility on us becomes one of telling our users under what circumstances we would do that. Being open and transparent is the heart of it. Principle becomes “thou shalt be honest about circumstances under which you might give data” (and also when you will not e.g. reasons such as cross selling).

Is there anything else you would like to say about the topic of privacy that hasn’t already been said?

For CILIP the approach should be that as a profession we have an obligation to inform and educate. Need a policy telling people about when/ what/ where/ how etc. As a public organisation we cannot say we will never share data. There is no point having grand gestures if you can’t stand by it.

Interview 2 Corporate

What does privacy in the digital world mean to you in relation to your work?

My work is around data and not digital these are two separate things but they are often used as if they were the same thing. I am assuming you are using data but in the digital fashion? For me I deal with end customer information so have to take on board custodial

20

CILIP Privacy Board

duty very seriously. Not just from a legal perspective but so as not to abuse the trust that people have placed in us in giving us access to that information.

It is one of 5 principles that we use in our information strategy.

What does it mean to you personally?

I am not convinced that any industry or trade has genuinely taken the privacy rights of the individual seriously up to this time. People seem quite happy to intrude upon a person’s life because it is on a computer (analogy used...helping yourself to things in somebody’s bag).

They feel it’s “fair game” you’ve given it to one person...so you lose control of it. Everything is recorded today..it is different from the past.

How do you think others in your organisation are involved in user data?

Lots of different departments collect information. I am a Group Director within my company so the very fact that they have put my role at that level ...this gives an indication of the importance of this to my company. I do talk to other departments. They might not have known how to tackle the problems but the will is there to tackle it.

What role does your organisation play in enabling users of your services to understand and protect their own privacy?

Internal staff are working on an education programme specific to their job role ..what our obligations are. Part of that is making very clear with our customers what their rights and responsibilities are. If we are concerned our customers are in a more vulnerable position, we have a team of staff who are able to take more time with them.


Legacy systems. IT systems are built to last 10 years + data protection has been in place but not necessarily (given) the most stringent (attention). Working with older systems where privacy was not even thought about. We are trying to retrofit our current understanding of privacy to something that was created before that understanding.

What would you say are the top privacy challenges for the information profession?

GDPR

Information is an asset and we need to treat it as such - at the moment we treat it as a commodity. If people understood what an asset their information was and if companies understood that information is an asset we wouldn’t be in this situation in the first place.

Are you confident that as an information professional you have the tools available to protect the privacy of your users?

I do and part of my role is to make sure we are. We are currently undertaking a large programme to make sure that we can do this. Not that we weren’t looking at this before

21

CILIP Privacy Board

GDPR but GDPR is the main driver for this - but I am using GDPR as an opportunity and a lot of organisations are not seeing this.


For me it’s definitely something that I find important. Professionally yes but also personally. You put yourself into people’s shoes. Would you want your own data to be treated in that way? You always have to think of unintended consequences. Intended consequences are easy to think about, unintended consequences are the hardest.

At some point in time you will make a mistake and it is the speed with which you act which is important.

How do you think we as a society should balance privacy with freedom of access to information? (Are they connected?)

Incredibly tricky balance and not convinced we will get it right. For me it is about purpose. For instance, if the purpose of what we are doing is ethical and moral and people who we are using the information about are comfortable about how we are using the information and we are open and transparent then that is a comfortable position to be in.

Benefit to society...? For eg. Apps. I am part of an app group which allows the app to see where my phone is I chose to let the app do this. The purpose of the app is to provide real time info to other drivers about traffic jams (when you slow down...) it can then alert other drivers.

Can switch it on and off.

What are your thoughts on recent government legislation?

Makes me very uncomfortable. Some of the legislation that has come from US makes me very uncomfortable also. Whilst I totally understand the concerns around the internet and there is a dark side to it that we need to address, the underlying tenant of collaborating and connecting are I think an incredible opportunity for people as a whole - resource to be utilized properly can and has led to amazing things.

The Charter (snooper’s charter) infringes upon that. If we were in the position of perhaps 50 years ago when we implicitly trusted our politicians, then that might be the case but as a society we question and challenge. Today we go to the doctor to confirm what we’ve googled.

The internet has given us different sources of information “Fake news” might have complicated things (not as easy as that but nothing important ever is).


22

CILIP Privacy Board

I want to stress the whole opportunity versus challenge side of it. Current legislation - this isn’t the end game. As information professionals we need to make sure we are building agility and flexibility into our thinking so that we can constantly evolve.

And for CILIP - what should we be doing?

All of those things + really keen that we have some kind of “sheep dip” training course for information professionals.

Like Prince 2...a week long course, accredited. Understand the world that you are playing in. Not doing the Prince 2 it’s teaching you about the issues of project management.

Training session - a fundamental part should be privacy.

Interview 3 Health


Wasn’t sure what I thought about it – chatted to colleagues, googled etc. Not sure I have ever had very passionate ideas about this. Too easy to think about privacy as only a digital issue - which has made a difference - but there are other issues to think about in regards to privacy.

In regards to my work I’m working in the NHS which has a very strong tradition of privacy. The confidentiality between patient and clinician and the patient record on the one hand, the need for clinical staff to share information across teams in a structured way and the pressure on the NHS to become paperless (become digital).

Digital and privacy are central themes across the NHS so the setting in which I’m working - privacy is a very live issue and within libraries we are often seen as advisory we are the go to people around copyright, FOI, data protection so as a profession we need to understand this stuff and be able to advise on it impartially.

It doesn’t arise as an issue, either weekly, monthly etc this is due in part to the setting we’re in anyway and partly we are dealing with information professions and it is not discussed as it’s part of everyday life. It is embedded in the way the NHS functions. Eg if a library finds a set of patient notes in library (much is still on paper) it is dealt with very seriously.

The way in which we access IT systems in the NHS is very heavily regulated one of the issues for librarians is sometimes over regulated as librarians have problems accessing the internet...white lists have to be opened up by IT department.

Public health has broad issues, housing, homelessness, international comparisons, disposal of the dead.


Yes, very much so I think there are multiple layers here. Not just about digital. One doesn’t always know quite where one stands unless you give it some thought. I think there are two

23

CILIP Privacy Board

issues going on in Western and British society here. It’s interesting looking online that privacy is very much a western concept. Not even a word in other cultures which use the word “privacy”.

1. Digital agenda which throws privacy issue into stark relief and shines a light onto privacy which hasn’t had a light shone on it before

2. Societal change. Older generation kept themselves to themselves (didn’t wash your dirty linen in public and all those phrases...careful who you talk to (war) wanting to hide who you were. I think 50’s 60’ and 70’s began to see a revolution (we called it a sexual revolution) what that does to privacy - it changes the dynamic. People are no longer hiding/ keeping things private. What was private then is not private now and I think social media has accelerated this. Enabled us to share what we’re doing every moment of the day...and opinions. Where you are, what you’re thinking easily picked up (google/ Facebook) we are more open to telling people things.

This makes the conversation about privacy more difficult for a younger generation. They are by comparison less private.

Yes, it’s about being free from public attention and there’s the whole public/ secrecy issue but one aspect of privacy is being secluded and being apart from the world.

Privacy has been compromised in the open plan. Hasn’t necessarily been good for productivity not necessarily led to wider collaboration.

Home working however does have downsides. Society where more and more people are working from home, through a digital interface without ever seeing anyone from the outside world.

Part of the definition of privacy is being in private on your own or with somebody. It is beyond the digital. When I withhold information it’s privacy, when you withhold information it’s secrecy.

Connection between privacy and freedom of access to information

Yes, the tension is visible in the NHS. The relationship is intensely private between clinician and patient but that clinician will have to share in order to get diagnosis, tests, care etc. family members. A mix between what society accepts and what individual’s concerns are - what the profession thinks is the right thing to do and that balance shifts over time. What you could be shot for in 1943 is different now.


The NHS is very clear about its statutory and mandatory responsibilities through training. All staff in the NHS goes through training sessions on an annual basis on information governance (includes data protection and privacy), we have a Caldecott guardian (data protection) at board level. Refer issues up through line manager to the Caldecott guardian.

24

CILIP Privacy Board

e-learning or face to face. (NHS employs a million people) I would expect health librarians to be more than just aware about this stuff.

Public sector is probably hotter on this. Private sector possibly more bothered by secrecy and competitive advantage.

What are the most significant privacy challenges for the profession?

I think keeping up with the pace of change is the absolute challenge because we’ve already recognised privacy is tied up with the digital and the pace of change is fast.

Societal change and keeping up with the legal framework. The traditional skills of knowing where to look and giving impartial advice in an impartial and trusted setting are still core and crucial in what librarians do but it’s a fast moving world.


Yes...tram like lines drawn about the way we do things because of the setting I work in.


When you look at the PKSB - at its heart is our ethics. I’m not alone in this...Although I know it’s there and although I’ve been very active, I possibly won’t be able to quote anything from it. Nothing in it would surprise me but I think the visibility isn’t there. Few people would say there was anything wrong with the code but I think it needs to be surfaced a lot more.

Is there a conflict between employer’s code and our ethical code?

I think there would be great synergies between the health professions code and CILIPs

I think there is a tension. If you are in a university it is about being open about information, sharing it but actually what the universities want to do is share information. And so their systems are very open. Public libraries (similar).

The NHS isn’t in the teaching and research business (has an interest in research but its primary purpose is patient care and safety. The NHS is cautious and closed about information because it doesn’t want information shared because it is private.


I think it’s a contract between individuals in a society setting between them and their employer them and their family and friends, them and their government and I think where the line is shifts over time and my view is that it is not just about digital and it changes over a generation.

I asked here: Do you think then that the ethical principles need to have that malleability or is that “dangerous”?

25

CILIP Privacy Board

Malleable is a strong word. I think review is essential, flexibility where it seems appropriate but I think more than anything greater visibility within the profession.


No..I need to go away and look!

Interview 4 Third Sector, charity

What does online digital privacy mean to you in your work?

The interest in privacy of data is data for beneficial purposes. What we consider is our private data, what our private data shared can help society with. This is not a binary conversation between those who want privacy at all costs and those who do not want privacy at any cost.

I have seen what high levels of trust there is in librarians. Librarians are very well placed to help us to navigate this very complicated world.

Why? The role of the public librarian has changed dramatically. A whole range of things used to be run by librarians are not being run by librarians any longer. Librarians were making the link between information data and what should be made available to people before.

Librarians have an ability to negotiate complexity. They also operate in safe spaces. There are very few safe spaces left and libraries are that. They have a remarkably high level of trust from people. Moving into this area has a high level of risk for librarians. But if they don’t do it the role of the professional librarian’s role is diminished.

One of the 21st century roles for librarians. They are comfortable with topics such as censorship. Decades of controversy over digital information, what you can watch online, what’s recorded about what you see and what you watch online etc. I would be hard pressed to think of another group who are as widespread, located in safe spaces and has a history of dealing with complex issues and a professional ethos which is broadly public spirited and public orientated.

How is your organisation involved in user data?

We have data from 10,000 interviews from our last research project. IPSO Mori does the data collection the only data we hold ourselves is our database for advocacy purposes. We are not involved in data mining. We are currently making sure this is GDPR compliant.

What are the most significant challenges you face in your role?

In terms of public policy, the most significant challenge is the privacy paradox. We might know quite a lot about how our data is used but we do not do much about it. We do not set

26

CILIP Privacy Board

our privacy settings at a high level we rather trust in good judgement in public/ private organisations so the privacy paradox is as a result of us living in the past.

We used to trust banks, saw them as a benevolent institution just keeping our money safe…but banks have a huge amount of information about us and whilst we were treating them as a friend, they were treating us very commercially as a customer. We are going through the same thing now – the private sector knows far more about us than the public sector.

This information is fine grained and subtle information on which they make huge commercial decisions. Could be to our benefit but we need a better conversation. Public librarians are best placed to do this - are they willing to do it? CILIP should perhaps find out.

25 -30 million car number plates are scanned every single day and the tracking ability is enormous. Most will accept this but we should know what is done with the data, how long it is kept etc.

Main point of the state is to keep us safe but I rather dislike the idea that every single journey has been recorded and is on a database.

Data sharing for public benefit is another issue. But there is little data sharing really due to different systems. But as we move to more consolidated systems data becomes highly vulnerable.

(NHS data banks are kept in a physically secure place). If we are not careful though we will hamstring collecting data for public benefit and we will be unconcerned about the data collection for our private benefit.

This is why we need a conversation. We are the commodity.

What are the main privacy challenges for the information profession?

Real challenge is to get away from this binary discussion. A lot of people try to make it binary - you are either for data privacy or you are for a free for all…this is unreasonable. What we are missing is a strong public interest voice which is able confidently to deal with the degree of uncertainty, deal with the debate and not be afraid to be attacked by both sides, because it would be…zealots who want none of our data shared and the other side.

The prize is to be trusted by the public. Once you are trusted by the public the balancing interests of an intelligent, evidence based voice will be able to counter the binary push which is very dangerous…pushed into that camp or that camp we will lose the really significant public interest about sharing things. This won’t be a one-off intervention but a recasting of the public librarian for 21st century.

27

CILIP Privacy Board

Educating the user/ what we collect ourselves/ should librarians be more proactive to say this is what we want from system is this a role for us as well?

Professional librarians might find this a bit more tricky. Where I see that role absolutely being with is with the library leaders. In the past librarians would be looking at this but now it’s those who are responsible for library services (IT).

We are on the road to ruin when the IT department starts to run the business. IT departments are often embedded in a local authority. IT should reflect the business. So the data and how it’s captured should be driven by the business. A Professional Association can unpick that knot in any particular situation. There are some general rules about how we do this. (Single Digital Presence (SCL and the BL?)…collecting data becomes very important and it can help to deliver a better service.

Library service leaders need the support to manage this.

What the beneficial purpose is should be key in this. Commercial suppliers take the data and apply it for their own benefit. Library leaders should know this and ask the question can this be monetised for public benefit? This data will grow in the future and we should be looking at this issue now.


I think it is critical. For both the professional librarian and the library leader. For example – to be able to say: “I have to work within a code of ethics, if I do what you ask of me I will break that code.” This gives a high degree of protection to an individual facing a serious dilemma. A professional association should enable an individual to say “no” and have the full weight of the professional association behind them. The individual is saying “No” not on a personal level but on a professional level.

Ethics should not be an add. It is the only thing that protects a profession from just being blown in the wind of managerial, policy and political demand. In the context of a local library service an individual can say “I have a duty to report this to my professional body”.

Ethics protect the privileges that a profession has.

How do you think we as a society should balance privacy with freedom of access to information?

You can’t make the decision between privacy and non-privacy you have to make the decision between public benefit and private data. I can see the public benefit of having my private data shared anonymously. This will be a constant discussion. (now and into the future) If it isn’t you get back to the dangers of taking a binary position. The collection of data has a huge significance for everyone. How long is it kept, can I see what you keep, can I see the rules that govern it?

Unless you have a set of principles you can’t really get in on this debate and that’s what’s missing at the moment.

28

CILIP Privacy Board

Research has shown that people trust the voluntary sector to hold data but the voluntary sector probably hold data in the least secure form.

This is a modern issue and will be an issue for decades to come. We don’t have the language yet to make the distinctions we need to make or the passion for the middle ground - any passion is at either side of the argument. If you hold the middle ground you are excluded from the debate.

The ability to store data is growing exponentially, (so to) the ability to analyse that data but for what purpose (in the future) we have no idea. But it could be of incredible value to us. Need public oversight and public interest. If everything is recorded and private space no longer exists what happens?

Interview 5 Independent consultant for industry


I do competitive intelligence for a pharma company. In one sense it has a strong resonance. Compliance issues, data privacy and how those things are managed and the security of information, what gets exchanged is exceptionally well regulated within that industry. I don’t tend to deal with a lot of user data not something that’s particularly relevant for my particular work. Less on my radar for my job.


The social media accounts that I have sent up is through my company I haven’t set up personal account. I have a LinkedIn account that’s me. Don’t tend to use Twitter for anything personal. Think trust is the main issue in this area. My levels of trust aren’t very high.


Trust is the biggest issue. There’s a chain that goes with digital delivery you are always touching more than one person and one supplier and it’s very difficult to say that in any situation you will be the sole owner of that data and will be the only person who will touch that information. This is an issue for all organisations. But I think specifically for information professionals the issue is around trust and ethics, of how you deal with data, you ensure you have the right knowledge in that area I think if you are doing that kind of role and if you are touching that data every day people would expect you to have that knowledge. But this is a challenge, it’s a complex area.


I work with clients and I have access to their internal systems. I have to sit through all of their compliance training. It’s important that I am signed up to those. My understanding is that the user would have more trust even though it isn’t a legal guideline. It’s important that I can say I do business ethically they do have a role but I don’t think they are the

29

CILIP Privacy Board

answer; I don’t think they are the solution. That’s something I’d also expect if I was dealing with somebody in a public library or an academic library that they would have been through some kind of compliance training.


It does play a role from my own perspective. I belong to CILIP; I belong to the Association of Independent Information Professionals and the Society of Competitive Intelligent Professionals the last two have very clearly defined ethical guidelines; particularly the Association of Independent Information Professionals, around how we should deal with our clients, how we should behave with the information they provide us and how information we give them should be given. Competitive intelligence is more to do with finding competitive information so ..don’t go rifling through people’s bins etc. You must act within the law and legally. But for me it’s very important for me to say to my clients- that I can show them the ethical guidelines and say I have signed up to those. I can say these show how I operate as a business so the user will have much greater confidence in me and they can see that they are very specific things but again they are guidelines not a legal obligation.

It is very important that I can sign up to these and be able to say that I do business ethically and incredibly important to me that I am behaving in the best way that I can. I do think they have a role but I don’t think they are the answer or the solution but it feels very comfortable signing up to them.

Privacy and freedom of access to information

I wouldn’t like to see a situation where information becomes more closed as I think there is a huge social, economic and environmental benefit of having access/ freedom of access to information, access to good quality information helps everybody. But I am aware of where it becomes dangerous - where people are taking that information and not being very clear about what they are going to do with it.

Example is fitness trackers. This is real time information which is incredibly valuable real world evidence but can also be hugely manipulated. The same person who takes the data can send it to an insurance agent. When passing on information to somebody else they are perhaps less scrupulous or they have a different reason for having that information.


Think it would be a very useful route for CILIP to take - that you have been through a bit more training / learning on a specific topic or issue such as privacy (vulnerable groups) or learning around the new ethical framework. To be able to say I am signed up to CILIP and the code but I have also improved my knowledge/ gained this bit of extra learning (a certificate?) which specifically relates to the work I do. This would increase people’s trust in the profession.

Pilot interview Membership organisation30

CILIP Privacy Board


Twofold - Member’s privacy and being aware of what they are signing up to. What data we are keeping and how we are using that data.

Wider sense – we need to be the voice of authority, know about regulations. It is important that the profession itself are champions of privacy.


The same ideas but personally your data is something that is important. How you are using social media etc. I understand about it but probably don’t do enough about it. Important to me to understand it although I don’t feel I know about all aspects of how data is used.

Personalisation – Tend to think it a good thing - You sometimes know about the downsides but chose not to do much about it.


Twofold

Sharing user data and we also collect data

Features at conferences online etc. In a previous role as a public librarian enabling users was probably getting more important all the time. It is a role for us but it is down to knowledge and skills. Have to educate the user to take responsibility for their own privacy?

Is there anything you would like to see your organisation doing to enable their users understand and protect their privacy?

In a CILIP sense not really. Important to ensure users understand about their privacy. In a public library there was always more the organisation could do but not always possible. Helping the users in a very quick way/ staff resources stretched and doesn’t allow the time to go into privacy issues.


Striking a balance. Top level reasons why personal data might be collected by the state (terrorism) and at a lower level might have a perfectly reasonable reason for collecting that information. How people interact with services etc.

There are issues to do with you in your role as an information professional, as an individual, and with our users coming in to use our services. We as professionals have to balance the needs between these groups there is no set way of advising what the right way is of doing this. It is hard as an info professional to argue against the “nothing to hide” fallacy - hard to challenge this. Easy to be painted pro terrorism. So, how we coherently make the case for privacy based on our ethics and knowledge is important.

31

CILIP Privacy Board


Yes, I feel confident in that I know the steps involved in protecting data. We have a risk register (what do we do if a lap top is stolen etc.) third party/ cloud we do a risk assessment but there will always be a risk. So we have the knowledge and tools but we need to keep on top of things as things change.


I think they do play a role. It allows the profession to have a standpoint. Every privacy challenge probably requires a different answer. Ethics provide a backbone to it all...a starting point upon which to build a case. Ethics can be useful for building training.

It is hard to define ethics in a changing world. Need to be malleable.

Should there be a formal statement?

Yes, there should be an attempt to do this. Danger is that it might be too woolly. But if we don’t - this would be missing a trick.

Public library usually a copyright challenge.

As a professional I went to the books not the management. Not professional staff necessarily on the front line.

A disconnect about what people knew and making policy after the fact. Often the IT dept. have far too much power over what’s happening...the basis on which they collect data might be different to any policy a library or the profession might have.

Volunteers are often on the front line delivering computer skills not necessarily going to be teaching the user about privacy.


Yes...they are always going to be connected but how you balance that will have to be thought about.

Public library – can get challenges when security agency asks what someone has been looking at organisations not always aware of what they can give out.


Talked about at conferences as being a challenge...personal thought is that it is overly reactive but I am not as much of a cynic to say they have done this for other reasons...perhaps an ill thought out way to respond to the terrorist threat.

Pretty useless anyway in response to terrorist threat...encryption

Should we be teaching encryption to users?32

CILIP Privacy Board

(Scottish PEN)

Have been doing workshops on this. I’m not worried on the ethical points (using TOR etc.) problems is that the library wouldn’t be able to use an encrypted browser. We can say to users that you can’t do it here but you can use it yourself...the tools aren’t illegal so that isn’t the issue.


No

Ends

Appendix 2

PROJECT INITIATION DOCUMENT

CILIP Privacy Project

Project Initiation Document

August 2017

1. Context

1.1 CILIP agreed to include in its schedule of Policy Inquiries for 2017/18 an inquiry into the role of library and information professionals in Privacy.

1.2 It has further been agreed that an element of this project will include collaboration with the Carnegie UK Trust, as well as the CILIP Ethics Committee (to coincide with the review of the Ethical Principles and Code of Professional Practice).

2. Purpose

Privacy and confidentiality have always been fundamental to CILIP’s Code of Ethics. However, the concept and practice of online data privacy are undergoing rapid change and challenge from both the private sector and the state at all levels.

In this context, how can CILIP best support and advise information and library workers, managers and leaders so that they can:

33

CILIP Privacy Board

Ensure that the privacy of the personal data of users is protected, and;

Support users and citizens in understanding the issues, trade-offs and risks concerning privacy and personal data to enable individuals to make informed and effective decisions about their data and effectively manage it in an online environment

This project will acknowledge the different aspects of the “individual” - the individual as citizen, consumer, employee, parent/ carer and, within a commercial setting, client.

The project will look both at the role of CILIP members in teaching, informing and facilitating individuals to exercise their rights and also CILIP members in ensuring a compliant and ethically sound approach to the management of information within both companies, third sector and the public sector. Freedom of access to information is looked at in its relationship to privacy issues rather than a separate topic.

3. Design principles

3.1 We propose the following ‘design principles’ which should inform both the inquiry itself and the development of any outputs from it:

The project must be undertaken with due consideration to the scope of CILIP’s Royal Charter, our commitment to the public good and to our 2020 goal to ‘put library and information skills and professional values at the heart of a democratic, equal and prosperous society’;

The project must be closely aligned with the review of the CILIP Ethical Principles and Code of Professional Practice;

The outputs of the project must focus on practical actions;

The project should deliver recommendations and a policy position which CILIP can formally adopt;

The project should be conducted openly, transparently and in such a way that avoids undue influence from any one campaign or lobby group or perspective.

An Equalities audit of the project should be undertaken.

34

CILIP Privacy Board

4. Scope

The scope of the project must cover the full range of industry sectors (public, private and 3rd sector) represented across CILIP membership;

Focus will be on the UK but will be informed by international principles and examples

Specifically, the outputs of the project should recognise and reflect the role of information professionals in commercial and security contexts as well as publicly-funded library services;

Consideration of freedom of access to information will be limited to those areas where it impacts on privacy

The project will not have a special focus on the new GDPR (General Data Protection Regulations) which comes into force May 2018. None of the deliverables of the project relate specifically to GDPR and UK legislation to implement it generally or to its implementation in information and library services specifically. Although it is recognised that the GDPR does provide an important background context for the project as a whole

Similarly, Right to be forgotten will provide an important background context for the project as a whole but will not be a specific focus of the project or of its deliverables

5. Deliverables

5.1 A report with recommendations to CILIP Board with a focus on practical actions to improve the profile of our professional community in relation to privacy and freedom of access to information

5.2 Advice to the Ethics Review in regard to privacy and freedom of access to information relating to their own work reviewing CILIP’s Ethical principles and code of professional practice

5.3 A user guide on privacy and freedom of access to information for information and library practitioners

5.4 A policy statement and an Information Rights Charter are other possible deliverables of this project

35

CILIP Privacy Board

6. Methodology

6.1 The proposed project is challenging. There is no defined role of librarians and information professionals in supporting privacy and a relatively poor articulation of the interaction between the professional ethics of the individual and those of the institution in which they work. Hence while a professional may be ethically committed to promoting the privacy of their users, the institution in which they work may not.

6.2 The proposed methodology is designed to develop a logical sequence from first principles to a clear articulation of this role, and subsequently to a series of actions and recommendations which will help to embed these principles into policy and practice.

6.3 A diagram of the proposed methodology for the inquiry is shown overleaf but the main components are:

A discussion document setting out some of the key issues that need to be addressed in the inquiry

Discussions with key individuals and sector bodies based on the issues raised in the discussion document

A formal survey of CILIP members and other interested individuals plus key organisations on potential actions to mitigate any problems

A draft a set of proposals to take to wider examination and consultation

Initial report synthesising evidence for internal verification

Report with recommendations to CILIP Board

An implementation programme, summative evaluation and review

Outline of future actions

7. Connection to CILIP strategic priorities

7.1 Respondents to Shape the Future (a sector-wide consultation to identify priorities and objectives for our Action Plan 2016-2020) identified ‘Privacy’ among the top 10 priorities policy agendas for CILIP to address during the lifetime of the Action Plan.

36

CILIP Privacy Board

7.2 The scope of the proposed inquiry and the proposed outputs encompass 4 of CILIP’s 5 strategic priorities:

Advocacy Workforce development Standards and innovation Member services

7.3 The implementation of a Policy project into Privacy is also aligned and will feed into the review of the CILIP Ethical Principles and Code of Professional Practice, already confirmed for 2017.

37

Hypothesis:Define the core subject of the inquiry, including the definition of scope

and terms

Analysis:Research the current

state of the profession in relation to Privacy and Freedom of Access to Information (including

evidence from practitioners)

“Landscape Report”

Synthesis:Deliver a CILIP Policy

Statement on the role of library and information

professionals in relation to Privacy and Freedom of Access to Information

Specific analysis of whether both

public and commercial

information can be covered within scope

IMPLEMENTATONDEFINITION & LEARNING

CILIP

ETHICS

INDIVIDUALS

INSTITUTIONS

POTENTIAL OUTPUTS

Engagement with Carnegie

UK Trust & incorporation of lessons learned

from public attitudes research

What do we expect CILIP to do in order to promote & reinforce outcomes?How should outcomes be reflected in revised Ethical Principles?

How do we expect individuals to reflect outcomes in their values & practice?How do we expect institutions to reflect outcomes in policy & practice?

PUBLIC

How should the outcomes be communicated with the public?

Policy StatementLobbying & advocacyTraining & eventsContent

Revised Ethical PrinciplesConfidential channel for practitioners

Guide for PractitionersCommitment to Ethical Principles

Information Rights Charter/ PledgeGuidance for Institutions

Information Rights CharterMedia relationsPublic information

CILIP Privacy Board

38

CILIP Privacy Board8. Timeline for implementation

8.1 The proposed project is a large-scale investigation, with several dependencies (notably, the relationship with parallel processes undertaken by the Carnegie UK Trust and the CILIP Ethics Review).

8.2 It is now proposed the inquiry will last for a year including a short period for the

recommendations, implementation and outcomes.

8.3 A detailed proposed Gantt chart for the project is shown overleaf.

9. Project team

9.1 The project will be overseen and managed by the following personnel/ stakeholders:

9.2Role Description Personnel

Project Chair Accountable for the overall outcome of the project, including reviewing and deciding on the recommendations of the Project Board.

Martyn Wade

Project Board Project Assurance Martyn Wade (Project Chair)Dawn Finch (Chair of Ethics Committee)Nick Poole (Chief Executive Officer)Guy Daines (Head of Policy)Jacqueline May (Policy Officer)

Project Manager Accountable for management of the project according to the Project Plan (as set out in the Project Initiation Document)

Jacqueline May (Policy Unit)

Project Team Accountable for the provision of additional support and capacity in the implementation of the project plan

Mark Taylor (Comms)Cat Cooper (Comms)Chris Bacon (IT)Bose Dada (Finance)Lisa Goldsmith (IT/ Data)

Advisory Group Expert practitioners will Ian Clarke (TBC) Stephen Wyber 39

CILIP Privacy Board(External) provide an expert view

and act as critical friends during the inquiry. Input will be provided remotely

Paul Pedley (TBC)Louise Cooke (TBC)David McMenemy (TBC)Douglas White (TBC)Aude Charillon (TBC)

(TBC) Dion Lyndsay (TBC)Ruth Carlyle (TBC)Denise Carter (TBC)

10. Project resources10.1No specific budget has been allocated to the policy project for FY2017.

10.2All project-related activities in 2017 will therefore be conducted using existing staffing capacity and resources.

10.3Any implementation of the outcomes of the project (and the development of the possible outputs) will need to be costed separately, and included in budgetary discussions for 2018, before confirmation.

11. Change management

11.1Given the potential scale of the project it is highly subject to ‘scope creep’. It is therefore proposed to adopt a formal change management methodology whereby once the scope is signed off, further changes in scope or deliverables will only be accepted once their resourcing implications have been considered and accounted for.

12. Risk management

12.1Specific risks associated with the project will be managed in the context of CILIP’s overall Risk Book.

Currently these risks are:

Risk Mitigation Likelihood/Impact

Risk Level Risk Direction

Scope creep All changes in scope to be assessed separately, including resource implications

2/2 Medium

ResourcesThe limited resources will 2/3 High

40

CILIP Privacy Boardneed managing carefully. No commitments can be made without identifying the funding source. Costings will be needed for 2018 budget discussions

Divergence of viewpoint with Ethics Review and Privacy project

Commonality of some members of Ethics Review and Privacy project should help allay this

2/3 High

(Note Levels of likelihood/Impact: 1=low; 2= medium; 3 = high; 4=Extreme)

Communications – A communications Plan will be developed to optimise profile and engagement with the project

41

CILIP Privacy Board

Appendix 3Privacy Project – Report to the Ethics CommitteeAbout this document: This document collates and analyses the evidence collected during the privacy project which particularly relates to what CILIP members think about how privacy is reflected in Ethical Principle number 8 and the Professional Code of Professional Practice. The Privacy Board makes three main recommendations and this report represents one of four outputs of the privacy project. Please see the accompanying two documents for a summary of the privacy survey results and some key information about the evidence gathering phase of the project which includes the numbers of participants.

Summary of recommendations

Ethical Principle 8 and the Code of Professional Practice (or whatever replaces it) should:

Be extended to include

Data and data content

Specific reference to children and vulnerable adults

Be re-written to be

More direct in its language and purpose

More proactive in its language and purpose

Focused on informed consent

Reflect

The responsibility of the profession to educate and inform citizens of their rights in regard to their own data and of the value of their own data

The responsibility of the profession to take due care in the information/ data they do collect on their clients and users, the content they create, and the duty they have to be transparent about the decisions they make on the collection and use of that data

Introduction

1. Ethics and values are at the core of CILIP’s PKSB and privacy is mentioned specifically in CILIP’s Ethical Principles and Code of Professional Practice for library and information professionals. Namely:

2. Ethical principles

Number 8: Respect for confidentiality and privacy in dealing with information users.

3. Code of Professional practice

42

https://www.cilip.org.uk/about/ethics/code-professional-practice

https://www.cilip.org.uk/about/ethics/ethical-principles

CILIP Privacy BoardSection B: Responsibilities to information and its users Number 4: Protect the confidentiality of all matters relating to information users, including their enquiries, any services to be provided, and any aspects of the users' personal circumstances or business.,

4. Section D: Responsibilities to society Number 4: Strive to achieve an appropriate balance within the law between demands from information users, the need to respect confidentiality, the terms of their employment, the public good and the responsibilities outlined in this Code.

What’s the problem?

5. Evidence suggests that without the right to privacy the right to freedom of access to information and freedom of expression is unlikely to be fully exercised. Information professionals have long held an ethical commitment in principle and practice to freedom of access to information and freedom of expression and privacy.

Key issues identified at the beginning of the privacy project:

6. The digital world has changed the nature of how we access information and resources including government services and this has impacted upon an individual’s privacy

7. Information professionals have to a degree been excluded from the design and implementation of new technologies, systems and processes which collect and store personal information. This means that the levels of privacy we can offer users has changed without a corresponding shift in how we as a profession manage this change

8. Our consultation discussion paper asked the question:

Are the existing Ethical Principles and Code of Professional Practice an adequate summation of a professional approach to privacy? How could it be improved?

Key messages from the evidence

9. This report will confirm much of what has already been gathered by the ethics review. That CILIP should focus on and advocate for informed consent.

10.CILIP needs to extend the Principle on privacy to include data and content. It’s not just about the users of the information, it needs to cover the subject’s information –not necessarily the same thing.

11.Ethical Principle 8 and the Code of Professional Practice (Section B and D) should be re-written to be more direct and proactive with a focus on informed consent. This should be facilitated through educating citizens to understand their rights and the value of their own data. Delivering this education should be part of the responsibility of the profession.

43

CILIP Privacy Board12.The Ethical Principle and Code should have more explanatory material and guidance

that stresses the importance of informed consent and the need to educate all clients/ users. This includes individuals generally and specific groups, especially children and vulnerable adults.

13.Library and information professionals should take due care in the information/ data they do collect on their clients/ users, in the content they create and a duty to be transparent about the decisions made on how this data is used.

The Evidence

14.As well as specific questions asked at the privacy workshops and in the survey about how privacy was represented in Ethical Principle 8 and the Code of Professional Practice, a question about the privacy challenges faced by information professionals and the sector as a whole generated some relevant comments.

15.Nobody attending the workshops, responding to the privacy survey or during the one –to-one interviews said that the existing Ethical Principle and Professional Code of Conduct were totally unfit for purpose. In the privacy survey 74% of respondents think that Ethical Principle number 8 adequately covers professional concerns around privacy and 83% think that the Code of Professional Practice adequately covers the responsibilities of an information professional in relation to privacy.

16.There were, however, sixty comments on Ethical Principle number 8 and forty-one comments on the Code of Professional Conduct which have contributed to the evidence.

17.Most suggestions for change were for a tightening up of the wording to reflect the growing importance of privacy issues and the addition of specific words and phrases that properly reflect the online digital world. Comments in the privacy survey also suggested additions to the Ethical Principles and Professional Code of Conduct in order to better reflect the more complex information landscape in which information professionals now operate.

18.There were also comments about the limitations of any set of ethical principles and the fact that there has to be room to make a professional judgement call.

Ethical Principle 8

Wording of the ethical principle

19.“Respect” in the phrase “respect for” was really not liked across the workshops and in the privacy survey. People thought it was meaningless and too passive. “Respect for” needs to be more clearly defined in the current climate.

20.This statement really only says that you have noted the need for ethical behaviour, it does not say what you should or should not be doing. It should not just be about respecting privacy but about understanding and applying the principle.

44

CILIP Privacy Board21.“Dealing with” is too vague. Privacy and confidentiality were flagged up as being

connected but not necessarily identical concepts.

22.“Information users” was too narrow as there are potential privacy concerns for far more people than just service users.

Additions to the ethical principle

23.Data and digital including data protection and data security were the most commonly requested additions to the Ethical Principle.

24.There should be a referencing of the relevant legislation, in particular GDPR. And the principle should not just cover users of information - it should also cover the subject’s information which is not the same thing.

25.It would be worth explicitly referencing upholding data protection legislation for our customers, which would encompass both privacy and the individual’s rights as a data subject.

26.A general comment from the ethics survey refers to the Ethical Principles in general and makes a similar point made by some people commenting on the Code: The Ethical Principles should confirm a boundary between confidentiality and privacy of users and the confidentiality of material they are trying to access.

27.There is no reference to our professional role as educators, ensuring users have the skills required to ensure their privacy, or any information about what happens when things go wrong. The relationship between us (information professionals) as employees and our employers was also raised The focus is on users – nothing on employers. Censorship/ net neutrality were also mentioned as topics for inclusion.

The Code of Professional Practice

Wording and particular phrases of the Code of Professional Practice

28.The phrase “Public good” is not clear or adequately defined. The term:..is widely abused by government to undermine, ignore or override the privacy interests of individuals. One person suggested “public interest” as an alternative to “public good”.

29.The phrase “Appropriate balance” was also not liked: We either stand for the rights of our users or we do not. The phrase also does not reflect the fact that the profession should be upholding core ethical principles of confidentiality when faced with “unethical” access to private information.

30.“Where legally possible” was a suggested caveat to the phrase “Responsibilities to information and its users”.

45

CILIP Privacy Board31.More allowance within the wording for discretion, and an acknowledgement of

sharing work- related information and sharing information with those who should be able to access it was a recurrent theme.

32.Legal requirements and the prevailing legislation, in particular GDPR and the Data Protection Act, came up as candidates for the Code (as well as for Ethical Principle 8 see above).

Additions to the Code of Professional Practice

33.An expansion to include a wider group than service “users” and expansion beyond the individual. An individual’s rights as a data subject should be added.

34.A distinction should be made between personal and non-personal confidential information. The comments about this distinction related to sharing information and data within an organisation “confidentiality within a service space.” The comment We have a responsibility to raise concerns about procedures and data handling across multiple systems reflects the fact that technology provides the impetus for many of the recurring privacy issues.

35.The balance between data protection and freedom of information should be reflected and there should an “amplification” of issues associated with clash of ethics and the law.

36.Another area for expansion highlighted was in the provision of more guidance such as illustrative case studies and scenarios and there should be a reference to an arbitration code or means of redress when things go wrong.

37.A general comment about the code being “too soft for today’s world” and a need for clarity, particularly in regards to electronic information, perhaps sums up comments received under this section.

Freedom of access to information and privacy

38.The PID for the Privacy project specified that our advice to the Ethics review was in regard to privacy and freedom of access to information.

39.The sharing and re-use of information, equality of access, FOI, and government legislation were all mentioned in responses to this topic. Also the competing push and pull forces which have to be negotiated by information professionals.

40.Technology and digital practices such as profiling, filtering, student learning analytics and allowing third party access to data have all been mentioned as raising privacy concerns.

46

CILIP Privacy Board41.(the code) doesn’t provide guidance as to how to mitigate needs of individual vs

needs of organisations vs demands of suppliers/ providers and any applicable legal frameworks. What has priority ethics or the law? Individual vs corporate?

42.For example: how the push for more open access can disadvantage some communities as locating information digitally (data mining) becomes easier and could impinge upon the confidentiality of certain groups of people whose interests can be protected more easily within an analogue collection. The balance between these two forces is particularly felt amongst the research community, national collections and archives.

43.No solutions as to how this balance could/ should be reflected in the ethical principles or code of professional practice were proposed by the participants in this project. Reading through the comments the most a code could offer would be a recognition of this dynamic and the acknowledgement of the right of an information professional to demonstrate discretion and judgement in a way that tries to respect the competing information needs of the different users.

44.The use of case studies and scenarios were requested as a means of illustrating these “dilemmas”.

45.Whilst the majority of comments around commodification of data and commercial use of data were negative there were some comments which reflected an opposing view (in particular within a public library environment) namely that some allowance should be made for using user data.

46.I'd like to see Libraries being more free and entrepreneurial about how we use our incredibly rich datasets to improve the offer for our customers, develop marketing strategies to appeal to more people, and maybe even output headlines of this data to publishers in search of marketing help

47.In the one to one interviews we conducted the fact that individual privacy isn’t an absolute came up when discussing ethics.

48.If we know that under certain circumstances we would share give data away the ethical responsibility on us becomes one of telling our users under what circumstances we would do that.

49.Another interviewee stressed that the issue was whether the purpose to which the information would be used was ethical and had the agreement of the data subject as to whether this was problematic.

50.And there was a general comment about the lack of visibility of CILIP’s ethics. “Few people would say there was anything wrong with the Code but I think it needs to be surfaced more”.

Key privacy issues highlighted which helped to inform the Privacy Board’s recommendations to the Ethics Committee

47

CILIP Privacy Board51.Some of the key privacy issues for our members were the same issues our members

wished to see reflected in the Principles and Code. These were; third party suppliers, commodification, Prevent, government and corporate surveillance generally, data protection and the use of data, and social media harvesting.

An Information Rights Charter

52.The things which people said they would expect to see in an Information Rights Charter had similarities to the topics which came up when discussing/ responding to questions specifically about the Ethical Principle and Code of Professional Conduct. This suggests that these topics should somehow also be reflected in any new code or set of ethical principles.

Citizens, users/ data subject, client’s rights

When and how to challenge requests front third parties

Right to be forgotten

Freedom of information

Protection of an individual’s right to privacy

Data protection

Cyber security

Data sharing/ between organisations

Responsibilities/ role of information professionals

Legal/ the law

Redress/ where to go when things go wrong

NB: Information Rights Charter

53.One of the privacy project’s recommendations to CILIP Board will be an Information Rights Charter for the sector. We will recommend that this Charter has a short overarching statement of what we stand for as a leading organisation. Below this will sit an Information Rights Charter which sets out the responsibilities of the profession and the rights of citizens. Guidance to include individual citizens and specific groups, will be integrated into this one unifying document.

54.Please also see two additional short papers:

Evidence collection key information

Summary of findings

55.The complete evidence relevant to this part of the privacy project is available as a separate document on request.

48

CILIP Privacy Board

CILIP Privacy BoardApril, 2018

Appendix 4

Summary of findingsThis document provides a summary of quantitative results from the privacy survey. Major privacy issues in the workplace and privacy issues faced by the information profession as a whole have also been collated here from three sources of evidence: Privacy workshops, one-to-one interviews and the privacy survey. For a summary of all the questions asked during the project please see the accompanying document: Evidence – key information.

Privacy survey

Number of respondents

241

Who responded?

81% librarians

13% information manager

4% knowledge manager

1% data scientist

0.50% data manager

Other (Archivist, Academic Librarian, Academic, Community Librarian (Local Authority), Consultant, Compliance Manager, Information Officer, Information Governance Manager, Information Professional, Library assistant, Librarian and learning technologist, Library

49

CILIP Privacy BoardOutreach Officer, Service manager, LRC Assistant and IT Advisor, Learning Centre Manager, LIS academic, LMS supplier project manager and chartered librarian, Library studies student, Learning Technologies and Libraries Manager, Library Supervisor, Long retired librarian, Manager, Records manager, Retired librarian, Research data librarian, Retired Librarian AND Information manager, Retired)

Demographics (sector, age, gender, ethnicity)

Sector Respondents reflected the make up of our membership with the highest number from the HE sector (31%) followed by public librarians (19%) school librarians (12%) Health care 8% government and the armed forces (7%) and FE (6%).The other sectors, industry (commercial services), law, prisons, industry etc. all came in at under 5% for each.

Age Highest number of responses (34%) 55 -59, 24% 40 -49 and 4% 20-29

Gender 70% female, 25% male, 5% prefer not to say.

Sexuality 77% heterosexual/ straight, Gay man/ woman 4%, Bi 2%, 15% prefer not to say and 2% prefer to self-describe.

Ethnicity A similar pattern to other CILIP surveys 84% white British other ethnic groups hardly registering. A fairly high proportion (5%) preferring not to say.

What respondents said

Ethical Principles and Code of Professional Conduct

74% think that Ethical Principle no. 8 adequately covers professional concerns around privacy and 83% think that the Code of Professional Practice adequately covers the responsibilities of an information professional in relation to privacy.

There were however 60 comments on the Ethical Principle and 41 comments on the Code of Professional conduct. (See report to the Ethics Committee).

Policy statements

When asked what policy statements would help to provide a better understanding and positive attitude to upholding the principle of privacy. Six choices were listed.

69% General statement on how information professionals uphold privacy.

69% Statement on the relationship of freedom of access to information and privacy

62% Statement on how IP enable citizens to uphold their own privacy.

60% Why information professionals uphold privacy.

60% Statement on privacy and data sharing.

29% Statement on corporate and state surveillance.

11 comments under “other”.

50

CILIP Privacy BoardEndorsing relevant policy statements of other organisations

93% thought CILIP should consider endorsing relevant IFLA policy statements.

Other organisation statements CILIP should think about endorsing

ALA, Amnesty, ARA, BCS, ICO, ILO, Liberty, UN Declaration, UNESCO, Chartered Institute of Quality, other library associations

Major privacy issues in your work (Survey, workshops and interviews)

GDPR and data protection

Corporate and government surveillance

Knowledge and skills (Staff and the user)

Use and security of data

Major privacy issues facing the information profession (Survey, workshops and interviews)

Balancing freedom of access with privacy

Knowledge and skills (Staff and the user)

Corporate and government surveillance

Data security

Data protection

Social media harvesting

Third party access

Commodification of data

Volume of data

GDPR & legislation generally

What could CILIP do to help with these issues identified?

99% of respondents to the survey thought it would be useful for CILIP to publish guidance for information professionals on how to uphold privacy. 91% choose GDPR as an area such guidance should cover.90% chose privacy and the law. 84% Data sharing 83% data security 79% choosing citizen enablement.

The 24 “other” comments have been collated into the main topics listed below under What other things CILIP should be doing.

We asked whether it would be better to split guidance on privacy for different professional communities within the sector 63% said “no” to this.

51

CILIP Privacy BoardInformation Rights Charter

88% thought an Information Rights Charter should go beyond privacy and also embrace freedom of access to information and data protection and 86% said “yes” to the question “should institutions be invited to commit to upholding such an Information Rights Charter in all aspects of its work?

Reasons against asking organisations to sign up

Institutions should not need to commit to upholding the law

Institutions are too varied and will have their own policies

Too difficult to get public sector organisations to do this

We asked what they would expect to find in an Information Rights Charter

Citizens, users/ data subject, client’s rights

When and how to challenge requests from third parties

Right to be forgotten

Freedom of information

Protection of an individual’s right to privacy

Data protection

Cyber security

Data sharing/ between organisations

Responsibilities/ role of information professionals

Principles

Legal/ the law

Redress when things go wrong

Words and phrases such as clear explanation, comprehensive, practical, factual accuracy came up when describing what should be included.

What other things CILIP should be doing (Survey)

Briefings and guidelines

Training and citizen enablement

Advocacy/ awareness raising

Research

52

CILIP Privacy Board Partnerships

Start a debate

CILIP’s own practices

Appendix 5Privacy project - Evidence collection - Key information This document outlines the sources of evidence, dates of collection, number of participants and other key information about the data collection

Privacy Survey

The privacy survey went out to 9,286 people - all CILIP members who have opted in to do surveys. News about the survey and a link went out in the weekly news (reach 7,307 people) and a link to the survey was also sent out on LIS-PUB-LIS.

One to one interviews

As part of the evidence gathering phase of the project we also held 5 one-to-one interviews with experts, leaders/ aspiring leaders from across the sector. (This group was made up by a librarian, an information manager, a health librarian, an academic and a chief executive of a charity)

Privacy workshops

9 October, 2017 Cardiff11 October, 2017 (Member network forum)14 November North Wales 21 November Glasgow13 December Newcastle City Library

95 information professionals attended five privacy workshops. A further group of people attended the ethics review only workshops which asked questions/ raised privacy issues and we have included the evidence from those sessions in our report to the Ethics Committee.

53

CILIP Privacy BoardQuestions asked over the course of the privacy project

Privacy survey

Do you think this Ethical Principle (no. 8) adequately covers professional concerns around privacy?

Do you think these provisions of the Code of Professional Practice adequately cover the responsibilities of an information professional in relation to privacy?

What policy statements would help to provide a better understanding and positive attitude to upholding the principle of privacy? (options given)

Would it be helpful for CILIP to consider endorsing relevant IFLA policy statements?

Are there any other organisation statements which you think CILIP should think about endorsing?

What do you think are the major privacy issues facing you in your work?

What do you think are the major privacy issues facing the information profession?

What could CILIP do to help with these issues you have identified?

Would it be useful for CILIP to publish guidance for information professionals on how to uphold privacy?

If yes which areas should it cover? (tick all that apply)

Do you think it would be better to split guidance on privacy for different communities: data professionals, information managers, knowledge managers, librarians etc.?

Should an Information Rights Charter go beyond privacy and embrace freedom of access to information, data protection etc.?

What would you expect to find in an Information Rights Charter?

54

CILIP Privacy Board Should institutions be invited to commit to upholding such an Information Rights

Charter in all aspects of its work? What other things should CILIP be doing in regards to privacy?

One to one interviews








How do you think others in your organisation are involved in user data?



Privacy workshops

What do we understand by Privacy?

What are the privacy challenges you face in your work?

What do you think are the major Privacy issues facingthe Information Profession?

Information on provisions relating to Privacy in the EthicalPrinciples & Code of Professional Practice

What would you change about CILIP’s Ethical Principles and Professional Code of Practice as they relate to privacy?

Does CILIP need a policy statement on privacy? If yes, namethe top three things which should be in one

55

CILIP Privacy Board

Appendix 6

List of other evidence available but not included here in the appendices

Privacy survey all quantitative data Privacy survey all free text comments Flipchart write ups from privacy workshops Privacy mentions in Ethics workshops Privacy tagged comments from Ethics survey

56

CILIP Privacy project - archive.cilip.org.uk · Web viewGiven the potential scale of the project...

Documents

Transcript of CILIP Privacy project - archive.cilip.org.uk · Web viewGiven the potential scale of the project...