Conducting a Privacy Audit
An Educational Service of the American Library Association Office for Information Technology Policy
Prepared by Leslie Harris & Associates - www.lharris.com in conjunction with OITP staff - www.ala.org/oitp
------------------------------------------------------------
The audit process begins by evaluating an organization's existing policies and procedures for legality and for consistency with the organization's mission and image. Once policies have been reviewed (or established), the data the organization collects can be categorized according to the degree of protection each category requires. The audit assesses the sensitivity of that information, the security risks it carries, and how the public perceives its collection. For each type of data it examines whether the data is necessary at all, how it is collected, and what notice and choices are given to the individuals the data identifies. Mapping how data flows through the organization, from collection through access, storage, and disposal, reveals where protection is needed, both electronic and physical.
The audit itself must be managed so that it does not increase risk (the inventory of sensitive records it produces is itself a sensitive document and needs the same protection), and its recommendations must be acted on promptly once risks are revealed.
Below is an outline of tasks for conducting a privacy audit:
Review legal context
-- Federal law
-- State law
-- Local ordinances
Review current library policies
-- ALA Policy on Confidentiality (ALA Code of Ethics 54.15 pt. 3)
-- Institution's policy
-- Library privacy policy
Conduct assessment of library systems data
-- Library records, including circulation records, patron registration, circulation transaction logs, and overdue, billing and payment records
-- Determine whether policies adequately restrict access to records and logs that reveal what a patron borrowed, so that only library staff with a legitimate need can see them
-- Determine whether to delete circulation records from a patron's file once an item is returned
-- Decide whether to delete patron registration records after the borrower's privileges expire
-- Examine library system transaction logs
Assess institutional network
-- Restrict access to server logs to library staff who have a legitimate need to consult them
Examine Internet access to determine how exposed library patron records are via the World Wide Web
-- Does the system require users to log in to use a computer to surf the Internet?
-- Does the system personalize desktop terminals to the personal settings of the user?
-- Do the e-mail features expose the patron?
-- Does the system keep web-server logs of patron Internet activities?
Assess remote systems
-- Inter-library loan partners
-- Database vendors
Define system rules
-- What data will be retained
-- How user data stored on the system is protected from unauthorized use
-- Who has access to the data
-- How long the data is retained
Determine & implement desired practices
-- Notify users whenever personally identifiable information will be stored on the system
-- Remove data from dormant accounts
-- Pay attention to system security
-- Set limits on the length of time data is stored
-- Create aggregate statistics rather than tracking individual transactions
-- Advise users of the limits of library privacy protection when using remote sites
-- Negotiate for proper and secure logging practices and procedures in contracts
Designate a privacy officer
Educate staff
Inform users through the library privacy policy
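The system rules and desired practices in the outline above (delete circulation records once an item is returned, remove data from dormant accounts, set limits on how long data is stored, keep aggregate statistics rather than individual transactions, and decide what to do with web-server logs) only protect patrons if something actually enforces them on a schedule. The script below is an added example and is not part of the ALA tutorial: it runs one retention and minimization pass over a mock library system held in Python's bundled sqlite3. The schema, the retention limits (LOAN_HISTORY_DAYS, WEB_LOG_DAYS, DORMANT_DAYS) and every sample row are constructed here for illustration; a real library would point the same logic at its own system and take the limits from its written policy.

```python
"""Retention and data-minimization pass over a mock library system.

Added example for the ALA privacy-audit tutorial, not ALA code. The schema,
policy constants and sample rows are all constructed here so it runs offline.
"""
import sqlite3
from datetime import date, timedelta

# Hypothetical retention limits in days; the tutorial asks you to set limits,
# it does not prescribe values.
LOAN_HISTORY_DAYS = 30   # returned loans are purged this long after return
WEB_LOG_DAYS = 7         # raw web-server log rows are purged after this
DORMANT_DAYS = 365       # registrations are deleted this long after expiry

SCHEMA = """
CREATE TABLE patron(id INTEGER PRIMARY KEY, name TEXT, expires TEXT);
CREATE TABLE loan(id INTEGER PRIMARY KEY, patron_id INTEGER, item_id INTEGER,
                  checked_out TEXT, returned TEXT);
CREATE TABLE item_stats(item_id INTEGER PRIMARY KEY, loans INTEGER NOT NULL);
CREATE TABLE web_log(day TEXT, ip TEXT, url TEXT);
CREATE TABLE web_stats(day TEXT, url TEXT, hits INTEGER, PRIMARY KEY (day, url));
"""


def days_ago(today, n):
    """ISO date string n days before today; ISO strings compare correctly as text."""
    return (today - timedelta(days=n)).isoformat()


def seed(conn, today):
    """Constructed sample data covering each retention case."""
    d = lambda n: days_ago(today, n)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patron VALUES (?,?,?)", [
        (1, "Ann", d(61)),    # expired recently: keep
        (2, "Bob", d(400)),   # long expired, nothing outstanding: delete
        (3, "Cy",  d(400)),   # long expired but still holds an item: keep
        (4, "Dee", d(-300)),  # active
    ])
    conn.executemany("INSERT INTO loan VALUES (?,?,?,?,?)", [
        (1, 1, 10, d(40), d(35)),    # returned, older than LOAN_HISTORY_DAYS
        (2, 1, 10, d(10), d(5)),     # returned recently
        (3, 3, 11, d(3), None),      # still out
        (4, 4, 12, d(20), d(15)),    # returned recently
        (5, 2, 11, d(400), d(395)),  # returned long ago
    ])
    conn.executemany("INSERT INTO web_log VALUES (?,?,?)", [
        (d(1), "10.0.0.5", "/catalog"), (d(1), "10.0.0.6", "/catalog"),
        (d(1), "10.0.0.5", "/account"),
        (d(10), "10.0.0.7", "/catalog"), (d(10), "10.0.0.7", "/catalog"),
    ])


def apply_retention(conn, today):
    """Apply the policy and report how many rows each step touched."""
    cur = conn.cursor()
    # 1. Count each returned loan against its item, then drop the patron link:
    #    the aggregate says how often an item circulates without a reading history.
    for item_id, n in cur.execute(
            "SELECT item_id, COUNT(*) FROM loan WHERE returned IS NOT NULL "
            "AND patron_id IS NOT NULL GROUP BY item_id").fetchall():
        cur.execute("INSERT OR IGNORE INTO item_stats VALUES (?, 0)", (item_id,))
        cur.execute("UPDATE item_stats SET loans = loans + ? WHERE item_id = ?", (n, item_id))
    unlinked = cur.execute("UPDATE loan SET patron_id = NULL "
                           "WHERE returned IS NOT NULL AND patron_id IS NOT NULL").rowcount
    # 2. Purge returned loan rows beyond the retention limit; the counts survive.
    purged_loans = cur.execute("DELETE FROM loan WHERE returned IS NOT NULL AND returned < ?",
                               (days_ago(today, LOAN_HISTORY_DAYS),)).rowcount
    # 3. Delete dormant registrations, but never one that still has an item out
    #    (after step 1 only open loans still carry a patron_id).
    deleted_patrons = cur.execute(
        "DELETE FROM patron WHERE expires < ? "
        "AND id NOT IN (SELECT patron_id FROM loan WHERE patron_id IS NOT NULL)",
        (days_ago(today, DORMANT_DAYS),)).rowcount
    # 4. Roll raw web-server log rows past the limit up to hits per day and URL
    #    (usage statistics, no client addresses), then delete the raw rows.
    cutoff = days_ago(today, WEB_LOG_DAYS)
    for day, url, hits in cur.execute(
            "SELECT day, url, COUNT(*) FROM web_log WHERE day < ? GROUP BY day, url",
            (cutoff,)).fetchall():
        cur.execute("INSERT OR IGNORE INTO web_stats VALUES (?, ?, 0)", (day, url))
        cur.execute("UPDATE web_stats SET hits = hits + ? WHERE day = ? AND url = ?",
                    (hits, day, url))
    purged_web = cur.execute("DELETE FROM web_log WHERE day < ?", (cutoff,)).rowcount
    conn.commit()
    return {"unlinked_loans": unlinked, "purged_loans": purged_loans,
            "deleted_patrons": deleted_patrons, "purged_web_rows": purged_web}


def run_demo(today=date(2024, 1, 31)):
    """Seed the mock system, run the pass twice (the second must be a no-op)."""
    conn = sqlite3.connect(":memory:")
    seed(conn, today)
    first = apply_retention(conn, today)
    second = apply_retention(conn, today)
    stats = dict(conn.execute("SELECT item_id, loans FROM item_stats ORDER BY item_id"))
    web_hits = conn.execute("SELECT SUM(hits) FROM web_stats").fetchone()[0]
    patrons = [r[0] for r in conn.execute("SELECT id FROM patron ORDER BY id")]
    return first, second, stats, web_hits, patrons


if __name__ == "__main__":
    print(run_demo())
```

Two design points matter in practice. The pass is idempotent: each step aggregates only the rows it is about to unlink or delete, so running it nightly never double-counts, and the counts it keeps (loans per item, hits per day and URL) answer the reporting questions without a patron's reading or browsing history. Step 3 also refuses to delete a registration with an item still out, which is where the outline's overdue, billing and payment records would otherwise lose their owner; a real policy has to say explicitly what happens to those.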
-----------------------------------------------------
Further information:
Enright, Keith P. [2001]. "Privacy Audit Checklist." http://cyber.law.harvard.edu/clinical/privacyaudit.html
Flaherty, David H. 1998. "How To Do A Privacy And Freedom Of Information Act Site Visit." David H. Flaherty. http://www.pco.org.hk/english/infocentre/files/flaherty-2.doc
Jerskey, Pamela, Ivy Dodge, Sanford Sherizen. [1998]. "The Privacy Audit: a Primer." http://www.bc.edu/bc_org/fvp/ia/pri/intro.html
-----------------------------------------------------
Copyright 2002, American Library Association, Office for Information Technology Policy
Disclaimer
This Online Privacy Tutorial is a service of the American Library Association. The content of this tutorial is primarily the work of Leslie Harris & Associates in Washington, DC. The views expressed in these messages are not necessarily the views of ALA or Leslie Harris & Associates. This tutorial is for information only and will not necessarily provide answers to concerns that arise in any particular situation. This service is not legal advice and does not include many of the technical details arising under certain laws. If you are seeking legal advice to address specific privacy issues, you should consult an attorney licensed to practice in your state.