General Patron Privacy Concerns

Key Topics

Password and login help

In order to protect patrons’ privacy, policies limiting how much staff can do with patron passwords are necessary. In our work, library staff said they spend a significant amount of time helping patrons with their passwords–creating new ones, recovering forgotten ones, and explaining to patrons why they can’t write down or remember a password for the patron.

Mobile devices (patron owned)

Most patrons now own a smartphone, tablet, and/or e-reader, and they may be able to access various library services through their own devices. That said, troubleshooting these problems for patrons can be difficult; there many different operating systems and models of device and library staff are unlikely to be familiar with all of them. Staff may also not want to personally handle these devices because of liability issues. Patrons may get frustrated with staff trying to walk them through an issue, or they may ask staff to fix the problem for them. In our research, many library staff indicated that it would be helpful if there were clear guidelines on how much help they can and should give patrons.

Mobile devices (library owned)

Some libraries loan mobile phones, tablets, Wifi hotspots, or laptops to patrons. Patrons may not know what happens when a checked-out device gets checked back in with the library. Library staff should be transparent about what process is in place, if any, to delete patron data before the device is checked out by another patron, and provide patrons with best practices to prevent personal information from being stored on these devices.

Library wifi 

For many people, public libraries are one of the few places that provide free access to WiFi. However, with all public WiFi, there are risks to users’ privacy. Steps should be taken to both reduce these risks and to inform patrons of any risks associated with public WiFi. 

Social media

Social media is now used by most American adults, and people may share a lot of private information via Facebook, Instagram, Twitter, and other social media platforms. There are ways to reduce privacy risks associated with social media, and it is important to both explain these risks to patrons and also show them how to change their privacy settings. 

Recommended Actions

Recommended Action: Decide on a policy of how much support staff can provide when helping patrons with password management. For example, can staff type in the password? Or is this something that needs to be done by the patron? In our research, several library staff recommended having patrons enter passwords in most situations because that empowered them and reinforced to them that it was something they were capable of doing, but there may be times when exceptions need to be made. This is something that should be discussed and decided upon so that staff have clear guidelines for what to do in these patron interactions.

Recommended Action: Staff members should limit their handling of patrons’ devices. Our research has shown that many library systems prohibit staff from touching devices; in practice, however, it is sometimes necessary for staff to handle patrons’ smartphones and other devices, such as when a patron has mobility limitations. When handling a patron’s device, recommended guidelines include keeping within sight of the patron when handling their device, making sure patrons are in charge of agreeing to terms or accepting cookies, or making sure that patrons are always the ones holding their device.

Recommended Action: Provide patrons with clear guidelines on how to create strong and memorable passwords, and how to reset passwords. Remind patrons that passwords should not be shared with anyone, even library staff. See this SDSF resource for passwords.

Recommended Action: Check with your library’s IT person/department regarding the security settings of the wireless network. Communicate any risks of using the WiFi with patrons. Consider adding a warning to a landing page. 

Recommended Action: Provide information to patrons on how to adjust their privacy settings on social media. See these SDSF resources on changing Facebook settings and “Who can see my social media posts?“.

Recommended Action: Library staff should strive for transparency in communicating library practices concerning patron privacy and confidentiality parameters.

Recommended Action: Develop a mobile device borrowing policy. This policy can communicate the following to patrons:

• Who can borrow a mobile device
• How long a device can be checked out for 
• Where the device can be used
• What accessories are provided when a device is borrowed (ex. chargers)
• Any associated fines or fees for devices returned late or damaged
• What to do if the patron notices damage
• What patrons can and cannot do with the devices
• What happens to the patron’s personal data that are stored in the devices

As devices are constantly changing, policies will have to adapt. Therefore, policies should include a disclaimer about the library’s right to change or modify the policy.

Examples of Library Policy

“Library staff will help you use the computers to find the information you need. Library staff and volunteers also will help you learn to use search tools on the Internet computers, although they cannot provide extensive one-on-one instruction.” –Multnomah County Public Library (Oregon)

All devices are the responsibility of the owner. Library staff is not allowed to configure patron’s equipment, nor can they provide more than general assistance in getting connected to the internet.” —Nocona Public Library (Texas)

“The wireless connection provides less security than wired networks; users should exercise caution when transmitting credit card numbers or other sensitive information. Users are urged to protect their computers with firewall software and data encryption.” –Acton Memorial Library (Massachusetts)

“The Library’s WiFi does not provide a secure connection.  Patrons use the Library’s wireless Internet access at their own risk. The Library encourages patrons to use virus protection, a personal firewall, and other measures to protect personal information from disclosure. Patrons using their portable computing devices are solely responsible for protecting their personal information and assume all risks of an invasion of privacy or disclosure of personal information that may occur when using the Library’s WiFi.” –Boulder Junction Public Library (Wisconsin)

Users should also be aware that another wireless user may be able to view or change files on any wireless user’s computer. The Library recommends that users install and use virus protection software, firewall software, and security patches or upgrades to identify and eliminate viruses in any data, files, or programs they obtain from external computers or networks, and to protect their computers from intrusion. –Monterey Public Library (California)

“SFPL champions the protection of personal privacy. SFPL will keep confidential all such information that it purposefully or inadvertently collects or maintains to the fullest extent permitted by federal state and local law, including the California Public Records Act, the San Francisco Sunshine Ordinance, and the USA PATRIOT Act.

• The Internet is not a secure medium. Email is not necessarily secure against interception.
• The Library does not monitor an individual’s use of the Internet. Computer search stations are programmed to delete the history of a user’s Internet session once the session is ended. The Computer Booking history is deleted every day.
• Internet computers are provided with privacy screens for your privacy. In accessing various Internet sites, please be conscious of others in your vicinity, particularly children.
• SFPL does not provide information about patrons’ library records, use of other SFPL materials, or use of the Internet to law enforcement officials without an appropriate court order. However, law enforcement officers may take action on their own if they observe illegal activity in plain view. Internet users are reminded that illegal use of the Internet is prohibited by State and Federal laws, and by SFPL policy.” –San Francisco Public Library (California)

“The Library uses an online computer reservation program that allows the public to reserve a computer in order to access the Library’s catalog, the Internet and other resources. The Library’s public computer search stations are programmed to delete the history of a library user’s Internet session and all searches once an individual session is completed. Booking history is deleted every day.” –San Francisco Public Library (California)

“Enhancements to the Library’s online catalog system that offer greater functionality and customized features that may impact user confidentiality will be activated by the Library only if such enhancements are optional to the user. Use of enhancements is governed by privacy statements and terms and conditions of the vendor.” –San Francisco Public Library (California)

“The Library reserves the right to modify the Mobile Device policy and Mobile Device Borrower Agreement at any time. Blocking software is not available on mobile devices and the library cannot be held responsible for any content viewed. By checking out a mobile device, the patron agrees they will not engage in illegal activities, they are solely responsible for the mobile device, and they are eighteen years or older. The library is not responsible for loss or damage to patron’s data for any reason while the patron uses a library mobile device.”  –Eastern Monroe Public Library (Pennsylvania) 

The Internet offers access to a wealth of material that is personally, professionally and culturally enriching to individuals of all ages. However, it also enables access to some material that may be offensive, disturbing, illegal, inaccurate or incomplete. Users are encouraged to evaluate the validity and appropriateness of information accessed via the Internet. –Multnomah County Library