Privacy Guidelines for British Columbia Public Libraries
6. Reference Questions
Public libraries provide a valuable service in helping
individuals to find information. This is
accomplished in a variety of ways, including in person in the library, by
email, through the library’s own website, or through a third party service
provider. Questions are also sometimes referred to other libraries or
resources.
a) In person
Often questions are answered without library employees or
volunteers writing down any personal information. If personal information is written down, the library should remove and destroy the personal
information or destroy the whole record as soon as is practicable.
Many libraries keep track of questions for follow up, in
case they are asked again, or to compile statistical information. Personal
information should be removed whenever possible. For example, write the
individual’s name on the top of the paper; tear that part of the paper off
and shred it once the question is answered.
Box 6.1
Patrons borrowing expensive reference materials:
- Some libraries allow patrons to borrow expensive reference materials for a short period of time if the patron leaves something of value, such as their keys or a piece of identification (such as a Driver’s License).
- Where possible, it is preferable from a privacy perspective not to use ID or anything else with personal information.
- If there are no other reasons (legal or otherwise) why an ID card should not be kept while the item is borrowed, and a library chooses to keep an ID card, extra care should be taken to ensure that the card is secure.
See also "Registration: Collecting personal information: Best practices re patron ID".

b) Electronically
i) Emailed to library
Questions emailed to the library include an email address, which may be
personal information (e.g. if it is an individual’s personal email
address). An individual’s personal information should not be kept once a
question has been answered, unless necessary for a specific purpose.
Examples of where it may be necessary include the following: further
related questions are anticipated from the individual, there are specific
legal reasons to keep it, or the information has been used in a decision
that affects the individual (in which case, it must be kept for at least
one year).
Box 6.2
QUICK TIPS:
- Cut & paste emailed questions into a spreadsheet, word processing document or database, without the personal information.
- If you include the answers as well, you could have the beginning of a FAQ resource.
ii) On-line to the library through its own website
Libraries using the internet to answer reference
questions sometimes do so through a form on their website that emails directly to the library,
or in real time (chat-type system).
Whether communicating by email or in real-time, libraries
should limit the personal information requested to only what is needed to
provide the service. They must also state why the information is being
collected, what authorizes the library to collect the information, and how
to contact someone who can help individuals if they have questions regarding the
collection (Act, s. 26). Also, individuals should be warned if the
connection is not secure (e.g. not encrypted).
Libraries using a real-time method of communicating with
individuals over the internet must consider the details of how the system
works to ensure that the personal information collected is protected. A
Privacy Impact Assessment (PIA) should be conducted to examine the privacy effects of an
existing system or to ensure that any future system is in compliance with
FOIPPA.
See "Policies & procedures: Privacy Impact Assessment
(PIA)" for more information.
iii) On-line through an outside service provider
If individuals are simply referred to the website of an
organization outside the library for
help with reference questions, the library should clearly indicate this
and recommend that the individual read the service’s privacy policies.
When a library contracts with an outside organization to
provide services on its behalf, the library is responsible for how
personal information is treated by the organization because it is still
under the library’s "control" (Act, s. 3(1)).
The details of a reference system offered by an outside
provider on behalf of the library must be examined to thoroughly consider
the privacy implications. A Privacy Impact Assessment (PIA) should be conducted to examine the privacy effects of an existing system
or to ensure that any future system is in compliance with FOIPPA
before it is implemented.
See "On-line Services: Outside Databases", "On-line
Services: On-line reference questions", "Outside Services Providers:
Services provided on behalf of the library" and "Policies & Procedures:
Privacy Impact Assessments" for more information.

c) Questions referred to other libraries or resources
Occasionally, a library has to consult with another
library or an outside organization to answer
a question. Libraries should not forward the individual’s personal
information with the question. Most libraries seek out the information on
behalf of the individual and then provide it directly to them. This is the
best practice.
If it is not
practicable to ask on the individual’s behalf without disclosing her
personal information, the library should provide the individual with the
other organization’s contact information so she can ask directly. If this
is not possible or desirable, the library should follow the guidelines set
out for Interlibrary Loans in Box 9.2 (in the next section).