OLA Guidelines on Identify Theft
Libraries collect and store personal data about our users, volunteers, donors and staff. We have legal and ethical responsibilities to protect that data. The OLA Legislative Committee developed these guidelines to address state and federal law concerning ID Theft. We used several resources including this excellent guide from the State of Oregon - Protecting Your Personal Information - A Business Guide.
State and federal law mandate that libraries have reasonable safeguards to ensure the safety of personal information. Many libraries will be included in the plans developed by their city, university or county. Others such as independent library districts need to address the issue independently. Even if covered by a larger entity, libraries have some unique issues and concerns with personal information. Consequently, OLA recommends reviewing your policies and procedures.
Preventing identity theft in the library is different from protecting patron privacy. They relate, but libraries need to take steps to protect our users' personal information from theft. The American Library Association provides valuable advice on patron privacy and every library should have such a policy in place.
Personal information means an individual’s name, address, date of birth, photograph, fingerprint, biometric data, driver license number, identification card number or any other unique personal identifier or number. (HB 2371)
In the library, personal information includes circulation records and Internet use, including database use. It includes surveillance media and other physical accounting of an individual’s presence in the library. With the advent of more virtual services, personal information can appear in records of reference transactions such as e-mail, instant messaging and chat.
OLA suggests that all libraries address our responsibilities in regards to the personal information of our users, our staff members and our volunteers.
Policies and Procedures
All libraries should have a policy in place to protect our data.
Even if your city, university, school, county, etc. has a policy, libraries have some unique issues. You should make sure these issues are addressed in either a library policy or the broader institutional one.
Any policy should contain:
Here are two policies as examples– one where the library is part of a city and the other as a separate district.
Baker County Library District
Procedures describe how to execute the policy. Library issues revolve around ID
data collection, its use, storage and de-accession. They should address the following:
These procedures follow best practices identified from a variety of sources.
Best Practices and Responses
Everyone who works in a library needs to be concerned about identity theft, understand the library’s perspective on privacy, and know how to respond when there’s data breach or a request for personal ID information.
Staff training and periodic reviews of policy and procedures will help your library protect sensitive data.
Staff training session components
How to respond to a breach:
1. Communicate to appropriate staff.
a. Those detecting a breach in security should inform the library administration first.
b. Law enforcement should be informed after library administration has assessed the situation.
c. A current list of emergency contacts with the appropriate hierarchy should be revised regularly.
2. Coordinate the response.
a. Notify patrons whose records were possibly compromised. Include what information was compromised and how the library is responding.
b. Notify institution and governing bodies (e.g. Library board).
c. Inform library staff appropriately including volunteers.
d. Be prepared to respond to the media and an anxious public.
3. After the response, review the breach and take appropriate actions to resolve security issues.
Responding to requests for personal information:
OLA recommends that what personal information is shared with law enforcement and others should be limited. While library patron requests are exempt from public disclosure, this does not prevent a local library or jurisdiction from sharing them with law enforcement. In 1995, the Oregon Attorney General offered a Letter of Advice describing in more detail the issue of exemption. It is worth reviewing when drafting your library's policy.
There are situations that arise that can be challenging for library staff to address, especially if the request will benefit the library or it involves the police.
At times, your friends group may ask for a list of library card holders because they want to mail out thank-yous to all library users. OLA suggests that your policy restrict internal use again to protect the user's privacy and identity. A best practice would be having an opt-in for patrons; you would ask the patron, when registering, if they want to share their personal ID with the Friends group or other library entity.
Law Enforcement Requests
Every library should have a policy in place that describes how to interact with law enforcement requests for personal information. OLA suggests the following as best practices or guidelines:
Here are some situations that provide good training scenarios for staff: