Privacy Guidelines for British Columbia Public Libraries
3. Circulation
a) Only authorize employees & volunteers who need access
Libraries should limit employee and volunteer access
to personal information to only those who need access to the
particular type of information in order to perform their job functions.
Rooms, filing cabinets and databases containing personal information
should only be accessible to those employees or volunteers.
See "Security" for more information.
Box 3.1
Examples of restricting access on a need-to-know basis:
- Patron name, barcode, contact information → only employees or volunteers who check out materials, update personal information or place holds for patrons (e.g. Circulation and Reference staff).
- Patron borrowing history → only employees or volunteers who assist patrons to access this information (employees and volunteers should be discreet and avoid looking at the information themselves where possible).
- Home Service patron’s disability information, reading preferences, and borrowing history → only employees & volunteers who make selections for Home Service patrons & update their personal information.
- Employee timesheets → only employees or volunteers responsible for supervising employees & volunteers or payroll.
- Employee criminal record check reports → only employees or volunteers responsible for screening employees in this regard (e.g. Human Resources Director, Chief Librarian or Board members).

b) Computer screens
Employees and volunteers should take care when personal
information is visible on a computer screen. The
screen should not be visible to unauthorized persons, such as other
patrons or employees/volunteers, who do not need access to personal
information.

c) Receipts showing materials borrowed
Receipts provided to patrons showing what they have borrowed should not show personal
information. Member barcodes are unique identifiers and therefore
personal information.
If barcodes appear at all on the receipt, they should show only the last 4
digits (e.g. *********1423). In addition to protecting personal
information, this will allow patrons who use the receipts to keep track of
family library loans by individual member to continue doing so.
Box 3.2
Is blocking out barcode numbers on receipts really necessary?
- Many individuals are becoming more and more sensitive to protecting their personal information and may object to their barcodes appearing on receipts (retail store systems are being updated to blank out credit card numbers on receipts).
- While receipts are given directly to patrons, they may be lost or left out where others can access them.
- Someone may be able to access personal information about an individual, such as reading history, with the individual’s barcode.
- Where libraries do not have control over whether or not barcodes appear on receipts, they should ask their vendor to add this functionality.

d) Sharing information with friends or family
Libraries must not share a patron’s personal information
with the patron’s friends or family
members without her consent, unless authorized by FOIPPA (Act, s.
33) (see Box 3.3 below for examples).
Personal information about a patron should also not be
given out over the phone without the patron’s consent, even if the caller provides the patron’s
barcode number (the barcode is not enough to prove consent, as
the card may have been stolen).
Consent must be provided in writing, specifying to whom
the personal information may be disclosed and how it may be used (Act, s.
33.1(1)(b) & Reg., s. 6).
Box 3.3
Examples of when a library may disclose a patron’s personal information to the patron’s friend/family:
- To collect a debt owed by the individual the personal information is about,
- where the library believes there are "compelling circumstances - that affect anyone’s health or safety", or
- so that a person’s next of kin or friend can be contacted to let them know that the person is injured, ill or dead.
In all cases, only the minimum information needed should be disclosed.
See sections 33.1 and 33.2 of the Act for a complete list of exceptions.

e) Family or friends using another patron’s card
Libraries should not allow a patron’s family or friends
to sign out an item with the patron’s library card, unless the library has consent from the patron.
A patron must provide consent in writing, specifying to
whom the personal information may be disclosed and how it may be used
(Act, s. 33.1(1)(b) & Reg., s. 6). For example, a patron may give written
consent for her sister, Mary Ann, to pick up materials on her behalf,
solely for the purpose of delivering the materials to the patron. If
consent is given for ongoing pick-up of materials, a library may wish to
make a note on the patron’s file.
See "Sharing information with other family members"
above for more information.

f) History of what a patron borrowed
Libraries should not keep a history of what materials a
patron has borrowed, except
where the individual consents. Once an item has been safely returned,
reference to it should be removed from the patron’s record.
For some patrons, having a record of what they have
borrowed (or searched for) is a valuable reference. However, borrowing
history can also disclose sensitive personal information about an
individual, such as certain personal preferences and health concerns. If
libraries wish to offer this service, it should be available on an
"opt-in" basis (i.e. must be expressly requested – see Box 2.6). Patrons
should also be able to stop recording their borrowing history (and to
purge the old record).
Box 3.4
What about existing systems that do not allow any flexibility?
- Some libraries’ computer systems do not provide the ability to choose whether a patron’s reading history is recorded, nor to turn it off or purge the previously recorded information.
- This should be disclosed to patrons through the library’s privacy policies.
- Any new system should offer patrons the ability to make choices with respect to any recording of their reading histories.
i) Parent’s access to child’s borrowing history
Libraries sometimes have policies allowing parents or
guardians to view the borrowing history of their children
under a certain age. Where there is such a policy, it should
set the age at under 12 years.
If a child under 12 years old objects to her parent
accessing information about her borrowing history (or any other personal
information), or if a child is over 12, the parent or guardian’s request
should be referred to the library’s FOI/Privacy Officer. This can
be a complex area and the FOI/Privacy Officer is in the best position to
determine what access is appropriate.
See "Personal information access & correction" for
more information.
ii) Home Service patrons’ borrowing history
Home service is one example of where it may be necessary to keep track of what patrons
have borrowed in order to avoid
selecting resources the patron has already borrowed.
See "Registration: Home Service", and "Home Service"
below, for more information.

g) History of who borrowed an item
A patron’s personal information should only be recorded
in association with a borrowed item
until the record is no longer necessary. For example, if a record of the
last borrower is necessary to ensure that resources are returned undamaged
and library employees or volunteers are able to check the condition of
books as they are checked in, the record of the last borrower’s personal
information should be removed at that time.
If a library’s current system is not able to purge
personal information right away, this should be communicated in the
library’s privacy policies. Appropriate privacy protection measures should
be included in any new system.
See "Miscellaneous: Library system changes" for more
information.

h) Books on hold
Some libraries display books on hold
in common areas for patrons to pick up. This potentially
allows other individuals to access the materials and identify patrons’
reading choices. Where it is not feasible to offer this service without
leaving the books in common areas, steps should be taken to protect the
patron’s privacy.
Box 3.5
Steps to protect patron privacy for books on hold in common areas:
- Individuals should be advised before they place an item on hold that it will be available for pick up in a common area,
- a minimum of personal information should appear on the outside of the book to identify who the material is for, and
- the spine of the book or other resource should be covered (e.g. paper folded around spine with patron’s first initial and last name secured with elastic band).

i) Home Service
Patrons receiving Home Service
usually provide more personal information than is collected
from other patrons. This often includes information regarding what the
patron needs to accommodate her disability, reading preferences, and
reading history. Only employees and volunteers who work directly in the
Home Service program and who need access to the home service patron
information should have access to it.
See "Security" and "Registration: Home Service" for
more information.

j) Paper book cards
Some libraries use paper book cards to
keep track of borrowed materials. Book cards listing each patron who has
borrowed the material disclose patrons’
personal selections to others who may see the card later. Where no other
system for recording circulation materials is feasible, patrons should be
given the option, on an individual basis, of having their reading
selections recorded privately.
Box 3.6
Privacy enhancing ideas for libraries that use paper book cards:
- Keep paper book cards at the Circulation Desk and have employees or volunteers write the patron’s name.
- Low-tech automation: Use a simple database or spreadsheet to record the patrons’ names beside the ISBN, call number and/or title of the resources out on loan.

k) Patron cards held by library
Libraries that keep patron cards
in the library should not allow patrons to find their
own cards from among those of other patrons (Act, s. 33). Instead,
employees or volunteers with authority to access personal
information of patrons should give the cards out. If the employee or
volunteer does not know the patron, she should ask to see
identification to make sure that the card is being given to the
right person.

l) Unreturned materials
Libraries use a variety of methods to collect unreturned
materials. Libraries may disclose
personal information without consent for the purpose of
collecting a debt owed to them (Act, s. 33.1(1)(i)). However, disclosure
should be limited to personal information that is reasonably necessary to
collect the debt.
i) Automatic overdue notification
Libraries should let patrons know if they use automatic
overdue notices
that are not private, such as automatic telephone messages and
postcards. An appropriate place for such a notice may be the
library’s privacy policies.
ii) Retention of information
Personal information about patrons who have not returned
materials should be kept only as long
as is necessary, such as when it is necessary to enforce library rules or
to collect on a debt.
For example, there are legal limits on how long an
organization may take legal action to recover on a debt. And, the
Library Act (s. 47(c)) allows libraries to exclude an individual in
certain circumstances. It may therefore be reasonable to keep personal
information until the library is no longer able to collect on the debt or
for as long as the library is able to exclude the individual under the
Library Act.
See "Records retention & disposal" for more
information.
iii) Children
If a child has not returned a borrowed item, the library may disclose the child’s personal information in order to
collect the debt (Act, s. 33.1(1)(i)). Where a parent or guardian has
agreed to be responsible for materials borrowed by the child, her personal
information may also be disclosed for this purpose. In either case,
disclosure should be limited to what is reasonably necessary to collect
the debt.
Box 3.7
Example → Maber’s mother signed his library card application,
agreeing to be responsible for what he borrows. The library may call
her to ask for the overdue book to be returned. In doing so, the
library may describe the unreturned book to Maber’s mother. If the
book is still not returned and the library has not been able to
collect the fine owing, it may give a collection agency personal
information about Maber’s mother that is reasonably necessary to
collect the debt.
iv) Collection agencies
v) Communication with other libraries
A library may ask other libraries
for personal information about a patron for the purpose of collecting a
debt owed by that individual as a result of not returning a library
resource (ss. 27(1)(b) & 33.1(1)(i)).
Personal information collected and/or disclosed should be
limited to what is reasonably necessary to collect the debt owing. This is
normally limited to information needed to locate the individual.
Libraries should not share "black lists" or share patron personal information in a general way (e.g. not specific
to a debt) during meetings or discussions.
See "Collection agencies" (above) and "Disclosure of
personal information: Other libraries" for more information.

m) Faxing or emailing personal information
Library employees and volunteers should take care when faxing
or emailing personal information. Sensitive personal information, such as financial or health information,
should not be faxed or emailed unless it must be received immediately and
faxing or emailing is the only way to do so. Even where the personal
information is not sensitive, cautionary steps should be taken to ensure
that the information only reaches the intended recipient. If faxing
personal information is an ongoing, routine or an integral part of the
library’s operations, encryption or other secure transmission techniques
should be used.
Box 3.8
TIPS for faxing or emailing personal information:
- Fax machines that send or receive personal information should be in secure areas.
- When sending personal information by fax, use a cover sheet with the name of the recipient and the number of pages.
- Include a confidentiality clause on the fax cover sheet or in the email. Check that the number dialled or the email address used is correct prior to sending the personal information.
- Once a fax is sent, check the confirmation report to ensure that it was sent to the intended number.
- If it is necessary to fax or email sensitive personal information, call ahead to confirm the fax number or email address and the appropriate person to receive the fax/email. Ask the person to wait for the fax/email and call to confirm when she has received it.
See the Office of the Information & Privacy Commissioner’s Guidelines on "Faxing and Emailing Personal Information" for more information.

n) RFID (Radio Frequency Identification)
Libraries wishing to explore implementing RFID technology
should carefully examine the privacy implications of this technology.
Privacy requirements should be incorporated into any Request for Quotation
(RFQ) or Request for Proposal (RFP) concerning potential RFID technology.
Additionally, a Privacy Impact Assessment (PIA) should be conducted early in the design phase and completed
prior to the implementation of RFID technology in the library system.
See the Office of the Information and Privacy
Commissioner of Ontario’s "Guidelines for Using RFID
Tags in Ontario Public Libraries" for
information in the context of privacy protection in that province. Also
see "Policies & procedures: Privacy Impact Assessment (PIA)" in these
Guidelines for more information.