One step forward, many steps back

Below is a guest post from Becky Yoose, whom I am proud to count as a colleague, mentor, and friend.


Disclaimer – the following post represents the personal views of the author, and does not necessarily represent the views of her company, LDH Consulting Services.

Last June, the Santa Cruz Civil Grand Jury released a report about their investigation into Santa Cruz Public Library’s use of Gale Analytics on Demand to analyze patron data. The findings of the report included that SCPL did not properly inform patrons about the use of AoD, nor obtain consent from patrons to use their data in AoD, nor follow industry best practices – the list goes on. Overall the report found that SCPL’s use of AoD put patron privacy at risk. [1]

While the findings and recommendations from the civil grand jury report are not legally binding, the jury required the SCPL Director to respond to the report by September 23rd, 2019. The director’s response to the Santa Cruz Civil Grand Jury Report has been published and, well, it’s a hell of a mixed bag.

The response is divided into two sections: findings and recommendations. The recommendations section gives me some hope. SCPL created a new page about data privacy, posted their vendor assessment questionnaire, and even plan to do another round of privacy policy revisions after additional training. The recommendations to put in a more formal privacy program seem to be accepted, though from the response there is very little information about the “who, what, when, where, and how” of the implementation, including who exactly the new data privacy officer is for SCPL.

While these steps put SCPL on the right track in protecting patron privacy, the findings section tells a completely different story, and a troublesome one at that.

Overall, the director did not directly respond to the findings themselves, with the exception of a couple of findings. The major themes in the responses include:

  1. The state law ultimately permits use of AoD
  2. The state law doesn’t say anything about gaining consent or other matters
  3. Other libraries use AoD

Let’s break these three themes down.

The state law ultimately permits use of AoD

The director of SCPL uses this line to respond to the following findings:

  • The use of Gale Analytics on Demand by Santa Cruz Public Libraries was inconsistent with the library’s long-standing policy on Confidentiality of Library Records (policy 303, adopted February 2006; revised November 2010) and companion document, “Information We Keep About You.” (F1)
  • Santa Cruz Public Libraries did not adequately inform its patrons about the Library’s use of Gale Analytics on Demand or obtain their consent for this use. (F3)
  • Santa Cruz Public Libraries used Gale Analytics on Demand without adequately considering the patron privacy aspects of current California law. (F4)

What difference does it make if the grand jury concluded that use of AoD was ultimately allowed under current California law? That statement does not address the failures of the director’s library to make sure that the privacy policy reflected current practices, that patrons knew and understood how the library was using their data, and that there was a documented legal review of AoD before use. [2] The law might allow it, but that doesn’t necessarily mean that it makes it ok to do it. [3]

The state law doesn’t say anything about gaining consent or other matters

This response was used by the director in:

  • Santa Cruz Public Libraries did not adequately inform its patrons about the Library’s use of Gale Analytics on Demand or obtain their consent for this use. (F3)
  • Santa Cruz Public Libraries used Gale Analytics on Demand without adequately considering the patron privacy aspects of current California law. (F4)

This again is where compliance-only thinking by library administration is not in the best interest of patron privacy. Yes, legal regulations don’t cover everything, and they can’t—technology changes outpace technology regulations. The director is plainly stating that if the law doesn’t say anything, then they are not doing anything wrong.

Let’s rephrase the above—this is a library director who is saying that letting patrons know that the library is using patron data in an analytics program isn’t important, nor is getting patron consent for said use, because the law doesn’t force the library to do so.

The original report does state that there is no regulation around consent and notice; however, the report goes on to say “[a]bsent guidance from the law, California libraries can turn to best practices in the library community to guide them in their interactions with third-party vendors.” (pg. 7). The report then provides an entire section of best practices from the library field (pgs. 8-10). The director completely ignores the existence of these best practices in their response.

Other libraries use AoD

The director used this line in their response to F7 – “The use of Gale Analytics on Demand by Santa Cruz Public Libraries is inconsistent with best practices in the library community regarding patron privacy.”

This, dear readers, is where I introduce you to the cookie jar.

A white hand taking a cookie from a clear glass cookie jar. Source – https://commons.wikimedia.org/wiki/File:Cookie_jar.jpg. Licensed under Creative Commons Attribution-Share Alike 3.0 Unported license – https://creativecommons.org/licenses/by-sa/3.0/deed.en.

There’s an old phrase – “caught with your hand in the cookie jar”. This is usually used when someone is caught doing something wrong. In this instance, the F7 response’s focus on “others do it, so why can’t we?” ignores the industry best practices section in the original report. Yes, there are many hands in that jar, but that alone doesn’t mean having your hand in the jar along with the others makes it right. You can’t point at others who had their hands in the jar and say that, because they had their hands in the jar, you should have your hand in the jar, too.

Pointing at others not only tries to divert from the actual finding (being inconsistent with best practices), but insinuates that you shouldn’t be punished because others haven’t been punished for doing the same thing. The best practices say that you shouldn’t have your hand there in the first place.

Overall, whatever gains we had in the recommendations section are overshadowed by the findings section. A library director not only oversees library operations, but sets priorities and strategic goals for the library. The library director has an overwhelming influence on organizational values, including how the library serves its patrons and its communities. Having a library director respond to privacy concerns brought up by members of the community – members who could also be patrons of the library – with dismissals and compliance-only responses sends a message to the community and the library staff that the library does not prioritize patron privacy beyond doing the bare minimum.

Why would the findings responses overshadow what’s already been done based on the report recommendations? Again, the library director sets the priorities, including where resources are spent and empowering staff to meet patron and community needs. A library director like the one we find in the responses in the findings section is less likely to fully fund a privacy program or give the assigned data privacy officer agency within the library to develop, implement, and assess privacy practices at the library. Any effort will end up being short lived, choked by lack of resources and staff agency.

I worry that many other library directors will adopt this type of response strategy when dealing with their communities’ concerns about privacy practices. This type of messaging is damaging not only to library staff who strive to protect patron privacy at the library and to the trust that patrons have in the library to protect their privacy, but to librarianship on an ethical level. In response to F1, the SCPL library director quotes Article VII of the ALA Bill of Rights:

VII. All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information.

Given the responses in the findings section, the library director’s use of this quote could have been replaced by the stock quote you find in many commercial businesses—“We value your privacy.” Based on the responses in the findings section, the first quote is starting to ring as hollow as the second.

[1] A Twitter thread analyzing the report can be found at https://twitter.com/yo_bj/status/1143487843521556480

[2] There is no documentation in the report or response proving that the library performed such a legal review of AoD. It can be argued, then, that the civil grand jury did the legal review for them.

[3] For example, you can be in compliance with legal regulations and still have a privacy breach in the form of an ethics breach. The library profession has a few ethics codes, including codes of ethics from ALA and IFLA. Patrons also have rights in the library as outlined by those organizations, and those rights can be at odds with legal regulations.