What data is collected and how libraries use such data—the topic of preceding chapters—is important. So, too, are the protections related to—and ultimate disposition of—data that is collected. This chapter focuses on data security and integrity and on the ultimate disposition of that data (data retention practices). To begin, the analyzed policies provide varying levels of detail regarding their libraries’ data integrity and security practices. ALA’s Privacy Tool Kit section “Developing or Revising a Library Privacy Policy” notes the following, and this verbiage appears in several of the library policies analyzed:
Data Integrity: The library needs to assure data integrity. Whenever personally identifiable information (PII) is collected, the library must take reasonable steps to ensure integrity, including using only reputable sources of data, providing library users access to their personal data, updating information regularly, destroying untimely data or converting it to anonymous form, and stripping PII from aggregated, summary data. The library staff is responsible for destroying information in confidential or privacy-protected records to ensure against unauthorized disclosure. Information that should be regularly purged or shredded includes PII on library resource use, material circulation history, security/surveillance tapes, and both paper and electronic use logs.1
The ALA guidance also includes recommendations regarding data security (including administrative measures):
Security: Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of data. Security measures should be integrated into the design, implementation, and day-to-day practices of the library’s entire operating environment as part of its continuing commitment to risk management. This should include the guarantee of a secure wireless network for patrons to use. These measures are intended to prevent corruption of data, block unknown or unauthorized access to library systems and information, and provide reasonable protection of private information in a library’s custody, even if stored offsite on servers or backup tapes.
Administrative Measures: The library needs to implement internal organizational measures that limit access to data while ensuring that individuals with access do not utilize the data for unauthorized purposes. The library must also prevent unauthorized access by using technical security measures like encrypting transmitted and stored data, limiting access by using passwords, and storing data on secure servers or computers inaccessible by modem or network. If libraries store PII on servers or backup tapes offsite, they must ensure that comparable measures to limit PII access are followed. Libraries should also develop routine schedules for shredding PII collected on paper.2
Discussion of data integrity and security practices did not appear to be a major focus for many policies. Several library policies directly and honestly note the challenges of safeguarding data. Southern Illinois University Morris Library’s policy notes, “Although no method can guarantee the complete security of data, we take steps to protect the privacy and accuracy of patron data.”3 The University of California San Diego Library’s policy notes,
To guard against unauthorized access, maintain data accuracy, and promote the correct use of information, we have implemented physical, electronic, and managerial procedures to safeguard and secure the information we collect online.
However, while we consider these measures reasonable, no guarantee can be given that they will always prevent or protect against invalid access or improper activity. For this reason, we avoid keeping information beyond the term of its primary use and, where possible, encrypt or delete data elements that might cause activities to be linked to individual users.4
The University of Chicago Library’s privacy policy notes, “While the Library makes a concerted effort to protect personal information, we cannot guarantee that your submissions to our website, any content residing on our servers, or any transmissions from our server will be completely secure.”5
In a different light, an ancillary document to the University of California Berkeley Library’s policy notes the possibility of unintentional observation of data:
Unavoidable Inspection. During the performance of their duties, personnel who operate and support electronic communications resources periodically need to monitor transmissions or observe certain transactional information to ensure the proper functioning and security of Library systems and services. On these and other occasions, systems personnel might observe personally identifiable information. Except as provided elsewhere in this Policy or by law, they are not permitted to seek out such information where not germane to the foregoing purposes, or disclose or otherwise use what they have observed.6
Numerous public library policies (much more frequently than academic library policies) reference the challenging security associated with Wi-Fi networks. For example, the St. Louis Public Library’s “Library Technology Acceptable Use Policy” notes,
Users should be aware that the Internet is not a secure medium and that third parties may be able to obtain information regarding users’ activities. . . .
Users should understand and acknowledge that Hotspots are unsecured, wireless networks and that any information being sent or received over the network could potentially be intercepted by another wireless user. Users are cautioned against transmitting their credit card information, passwords, and any other sensitive, personal information while using the wireless network.7
Other policies note care should be taken with configuration of personal devices, such as Las Vegas–Clark County Library District’s “Internet and Wireless Use Policy”:
Use of Personal Equipment
. . .
In light of security issues and the variety of equipment that can be used to access wireless networks, the District urges patrons to incorporate appropriate protections systems such as anti-virus, firewall software and updated patches when accessing the District’s wireless network. The District does not provide encryption services and does not guarantee privacy of data transmitted across its network.8
Often associated with the collection of data is the retention of data, as together they comprise the data life cycle. ALA’s Resolution on the Retention of Library Usage Records notes,
Dispose of library usage records containing personally identifiable information unless they are needed for the efficient and lawful operation of the library, including, but not limited to, data-related logs, digital records, vendor-collected data, and system backups. . . .
The American Library Association urges members of the library community to advocate that records retention laws and regulations limit retention of library usage records containing personally identifiable information to the time needed for efficient operation of the library.9
The Privacy Tool Kit’s section “Developing or Revising a Library Privacy Policy” notes,
Data Retention: It is the responsibility of library staff to destroy information in confidential or privacy-protected records in order to safeguard data from unauthorized disclosure. Information that should be regularly purged or shredded includes PII on library resource use, material circulation history, and security/surveillance tapes and logs. If this data is maintained off-site, library administrators must ensure that appropriate data retention policies and procedures are employed.10
Some of the analyzed policies provided broad, generalized references to length of data retention, with phrasings such as “regularly remove,” as opposed to something more specific, such as “each week.” Some policies provide additional, more detailed retention information on one or more particular data types. Examples of broad, generalized data retention references follow (and note some of the policies below provide more specific retention details later in their policies):
In all cases involving personally identifiable information, it is our policy to . . . avoid retaining records not needed for the fulfillment of the mission of the library.
. . .
Our goal is to collect and retain only the information we need to provide library-related services.
. . .
Data Integrity: We take reasonable steps to assure data integrity, including . . . destroying untimely data or converting it to anonymous form.
Data Retention: We regularly review and purge personally identifiable information once it is no longer needed to manage library services. Information that is regularly reviewed for purging includes, but is not limited to, personally identifiable information on library resource use, material circulation history, and security/surveillance tapes and logs.
. . .
The IU Libraries follow University policy for the retention of data. . . .
Data about which users were connected to which machine is collected, in accordance with University policy, and kept for a limited time with very limited access by staff.
. . .
We regularly remove cookies, web history, cached files, and other use records from library computers and networks.11
How long will you keep data about the use of Library services?
It depends on the data and how we are using it. Some data will be kept indefinitely, other data is stored and used for shorter periods. We only keep data as long as it is useful for the services we provide.12
Identifiable information may be retained, in some cases indefinitely, when doing so serves an institutional purpose.13
Where it is necessary for the Library to identify users, it is our goal to gather only the minimum information necessary and to retain that information for only as long as it is needed to complete a particular transaction.
. . .
Site Security
We avoid keeping information beyond the term of its primary use and, where possible, encrypt or delete data elements that might cause activities to be linked to individual users.14
The Library will make all practicable efforts to retain records containing patron-identifiable information only to the extent necessary to preserve Library or public property or to fulfill another core library function.15
Library records containing personally identifiable information will be disposed of unless needed for efficient operation of the library, public records retention requirements, system backups, or other reasons related to effectively managing library resources or providing services.16
In accordance with NRS 239, the District will not retain any records pertaining to a patron’s use of library resources longer than necessary to provide appropriate stewardship of those resources.
. . .
Data Retention: The District protects personally identifiable information from unauthorized disclosure once it is no longer needed to manage library services. Information that should be regularly purged or shredded includes personally identifiable information on library resource use, material circulation history, and security/surveillance tapes and logs.17
ALA’s “Library Privacy Checklist—Overview” (as well as the checklists associated with specific systems) provides additional retention guidance on particular data types, for example, circulation transaction data: “Purge circulation and interlibrary loan records when they are no longer needed for library operations. Any patron data that is kept for analysis should be anonymized or de-identified and have access restricted to authorized staff.”18
Indeed, across the analyzed policies, one of the most frequent retention-related references to a specific data type is circulation data. In many but not all instances, it’s noted that upon the return of an item to the library, the information tying the patron to that item is erased. Many policies note exceptions related to instances in which a fine or fee is accrued or in which a user has opted for the system to maintain a list of past items checked out. Library policies can provide more time frame–specific information on one or more data types, such as
The Library seeks to protect user privacy by purging borrowing records as soon as possible. In general, the link connecting a patron with a borrowed item is broken once the item is returned. The exception is when a bill for the item is generated. In that case, the information on who borrowed the item is retained indefinitely in our system.19
To safeguard patron information once a book is returned to the library the link between a patron and the item checked out is deleted. The only exception to this deletion is for books with fines or those books regarded as “lost” on a patronʼs account.20
The Library purges from its system all circulation records 30 days after a circulation transaction has closed and the items have been returned.21
When a borrower returns materials to the library, if no fines or fees are assessed, information about the materials checked out is deleted from the library’s online records twice monthly.22
The records of most circulation borrowing transactions are expunged and overwritten immediately upon return to the libraries of the loaned items and thereafter are reflected only as anonymized statistics descriptive of overall borrowing patterns.23
Morris Library maintains records of circulation transactions only until the borrowed items are returned. Fines accrued for lost or overdue books are kept for record keeping purposes and only until the patronʼs record is purged. The library does not maintain histories of patronsʼ previously borrowed items.24
The Library will not track identifiable patron search history and will keep no record of such. The exceptions to this are:
1. In circumstances where format of material requires extensive time to verify the return of all relevant borrowed items (ie: a box containing dozens of documents etc). After full verification the patron data will not be kept except in the cases of rare and valuable materials where usage data may be kept indefinitely.25
WHEN YOU CHECK OUT PRINT MATERIALS:
. . .
Once you return an item, and you do not owe a fine on the item, your checkout of the item is anonymized and the item cannot be traced back to you.26
Items that have been returned are automatically erased from a patron’s record, unless they have opted to save their checkout history.27
The library does not maintain records of items that individuals have borrowed and returned in the past, except when there are unresolved issues with those items.28
Circulation records and other records identifying the names of library users with specific materials are retained while the materials are charged to a patron and when materials are returned until of no further administrative value. The current ILS system retains patron information on items until the item is checked out to another patron.
If an item is returned damaged and the fees are not paid, the library will retain the record until the matter is resolved.29
At the moment that library material is returned to the library, the link between the customer and the material is broken—the Libraryʼs system does not retain information on what materials were taken out by whom the moment the item is returned.30
The Library does not maintain a history of what a library user has previously checked out once books and materials have been returned on time. When fines accrue on a user’s account, the Library does maintain records of items that have been borrowed but returned after the due date, or are still outstanding on the user’s record.31
Personal data is privatized, i.e. made anonymous, in the Library’s computer system so that log files cannot identify personal checkout history beyond 60 days.32
District records that link a patron’s identity to the use of library materials will be expunged upon the return in good standing of loaned materials to the District.33
The library does not keep a record of your reading history beyond operational requirements. Once you return an item it is removed from your account.34
Information on materials received through Interlibrary Loan (ILL) are [sic] kept for one year.35
The Athenaeum tracks interlibrary loaned items currently being borrowed and generates a paper record with patron information. After a period of six months, once the materials are returned to the owning library and all appropriate fines and/or fees are paid by the borrower, the paper trail record is destroyed.36
Raw log files are normally maintained for 90 days for security purposes. . . . For some sites, an aggregated abstract of the data is prepared each night that anonymizes session data so that searches cannot be linked to specific IP addresses or network IDs.37
Data gathered about each session varies according to the method of connection to the resource. The resulting logs contain information necessary for analyzing the use of resources, troubleshooting problems and improving services.
Log data is also used to distribute resource costs among Harvard libraries and faculties. These logs remain intact for approximately one fiscal year.38
The University of Texas Libraries keeps the minimum number of records necessary to maintain operations. For example, when a user logs off a library computer, the library does not retain information that connects the user to activities performed during the session.39
Retention of Information Collected through This Web Site
In general, the Internet services logs of the University Libraries, comprising electronic files or automated logs created to monitor access and use of Agency services provided through this Web site, are retained for 60 business days and then destroyed. Occasionally, logs are retained longer for troubleshooting purposes. Information concerning these records retention and disposition schedules may be obtained through the Internet privacy policy contact listed in this policy.40
Cookies, web history, and cached files are removed when a user closes a browser or logs off a machine.41
We remove cookies, web history, cached files, or other computer and Internet use records and other software code that is placed on our public computers or networks after each use.42
Public Access Computers
The Warrenville Public Library District attempts to maintain strict security on public access computers to prevent any personal information from being retained after a workstation has been rebooted.43
Once a search has been conducted, the software does not retain a copy of the search, and any records of the search will not exist.
. . .
The reservation management program retains patron identification information for only the current day’s transactions. After the end of the business day, session information and statistical summary information can be generated; but patron identifying information is unavailable.
Printouts from the library’s public internet workstations are managed with an automated print management program. The program confirms print requests and alerts patrons and staff of print charges accrued. After a pending print job is released by staff for print out no record of the job remains.
The security on the workstations wipes out the cache and/or history files each time a new computer session is started.
. . .
The search history of each PAC [catalog only station] is automatically erased every twenty-four hours.44
When a computer session is ended, all information about that session is ordinarily deleted. At the end of the business day, all computer use and reservation records are normally erased.45
To use one of our public computers, you log on using your library card number. We do not keep a record of your activities during your session, such as browsing history, cookies, bookmarks, or downloads. The session data is automatically deleted from the computer after you log out. We do, however, keep a record of the fact that you logged on to that computer.46
In accordance with this law [Florida Statutes Chapter 257.261], computer sign-in sheets are shredded as soon as all customers listed have been served or at the end of the day, whichever occurs first.
. . .
A library branch may choose to keep a daily log of guest pass distribution. . . . Sign-in sheets are to be shredded as soon as they are full or at the end of each day, whichever occurs first.47
The library does not keep a record of your activities on any public computer or laptop. Any record of browsing history and activities are [sic] removed when you log out.
All personally identifiable information is purged immediately upon the end of your public computer reservation. An anonymous log is created that includes only the computer terminal number, reservation time, and duration of the session. These anonymous reservation statistics remain in the system for two months.
All connected devices you borrow from the library (e.g. tablets, eReaders) have their history manually cleared by library staff immediately after you return the device.48
User Privacy
Any patron may request to have their chat, email, or text transcript deleted by contacting the Libraries’ Learning and Research Services department.50
In the case of email reference questions, we retain any personal information provided by the patron, such as name, email, phone number, until the question is resolved.51
The Library treats reference questions, regardless of format of transmission (in person, via telephone, fax, email or online) confidentially. Identifying information related to these questions is purged on a minimum of two weeks.52
Video Surveillance: . . . Recorded images are saved for a period of eight weeks, at which point the storage medium is re-recorded.53
Recordings from the WPLS video security system are stored digitally on restricted hardware at the Main Office and retained up to a minimum of 28 days. . . . Video records of incidents can be retained and reviewed as long as considered necessary by the Executive Director.54
Length of time recorded images are retained varies based on the storage capacity of the system hard drive.55
No video will be stored for more than the rolling window when the system overwrites the oldest video while recording the present.
. . .
The Library will retain specific footage of an incident until no longer needed. Video files will be reviewed annually by the Executive Director and the Director of Facilities and Security to decide whether to continue to retain or to dispose.56
Recorded information from security cameras is retained for one month, unless an incident occurs that requires holding the tape longer. . . .
Recorded information that is subpoenaed will be retained for one year.57
Recordings from security cameras are stored no longer than 10 days, unless an incident occurs that requires holding the entire recording or a portion of the recording longer.58
When a customer record is inactive for four (4) years and carries no outstanding debt (financial or in borrowed materials), the record is deleted from the Library’s computer system and is not archived.59
Library Cards and Circulation Records
To receive a library card, library users are required to provide identifying information such as name, birth date and mailing address. This identifying information is retained as long as the library user continues to use the library card.60
Cardholder accounts will be purged after 5 years of inactivity unless there are billed item fees on the account. All accounts, including delinquent accounts with billed item or collection referral fees, will be purged after 7 years of inactivity. Libraries follow the Florida Department of State’s General Records Schedule for Public Libraries when reviewing records eligible for purging.61
For most cardholders, your account remains in the system as long as it is active. An account becomes inactive when it hasn’t been used in three years and there are no outstanding fines or fees attached. At that point, it is deleted from our system. A few card types, such as non-resident cards, expire sooner—see our Registration Policy for details.62
The Library Is Bound by Records Retention Rules
What this means: A record of your usage and content will likely exist.
All designated Metro government social media accounts shall follow archive guidelines set forth by the Public Records Commission.63
Think before you post. You are legally liable for everything you post. Remember that the internet never forgets. Everything you post may be visible to the world even after you attempt to delete it.
The content of the Library’s social media is subject to public record laws, including the Missouri Sunshine laws. Relevant record retention schedules apply to social media content. Content must be managed, stored, and retrieved to comply with open records laws and e-discovery laws and policies.64
Moderators will maintain an archive containing all social media posts and comments in accordance with the State of Florida’s General Records Schedule GS15 for Public Libraries.65
Several library policies make reference to—and in some cases provide a link for—a different, higher-level record retention schedule or policy, such as a university schedule or a county government schedule.
Library patron records are retained in accordance with the state record retention requirements established by the Office of the Public Records Administrator of the Connecticut State Library.66
The Library’s Billing Department retains all paper and electronic documents pertaining to and relevant for the collection of overdue fines, replacement charges, damaged-book fines/charges, and associated processing fees, according to the University of California Records Disposition Schedules Manual.67
The Libraries retain Individual Information associated with Business Transactions for a period of time mandated by state or federal tax laws, and consistent with the University’s data retention schedule.68
At all times PII is to be secured in accordance with University policies and for limited time periods defined by record retention schedules.
. . .
Records containing PII which are scheduled for destruction shall be disposed of in accordance with University information security procedures.69
The Cherokee Regional Library System shall follow the Local Government Records Retention Schedules for Local Government Paper and Electronic Records as set forth by the Georgia Secretary of State’s Division of Archives and History.70
Records Retention
In order to meet the administrative, legal, fiscal, and archival requirements of the State of Michigan, the Genesee District Library will manage its records in accordance with the General Schedule #17 (GS #17) developed for Michigan public libraries.71
The library strives to collect the least amount of personally identifiable information we can. We avoid creating unnecessary records. We keep your information as long as required by the City of San José’s Records Retention Schedule.72