Why did I choose those three pieces of legislation? (CoE Convention, DP Directive, GDPR)

I recently undertook a thematic discourse analysis using three pieces of legislation:

–          The Council of Europe convention for the protection of individuals with regard to the automatic processing of personal data, 1981

–          The Data Protection Directive 1995

–          The General Data Protection Regulation 2016

When you are undertaking research for a PhD, you have to continually document what you are doing, and be able to explain precisely why you did what you did; why you chose the methodologies that you did etc etc.

So a key question that has to be answered is: Why did I choose those particular pieces of legislation.

Well, first of all, I wanted to see how things have progressed over a period of time and I therefore opted to pick not one but three pieces of legislation; and the three I picked are spread over the period 1981 and 2016.

What I also wanted, was to look at international legislation, on the basis that international commitments would inform national legislation; and would provide a degree of harmonisation across multiple countries.

I also wanted to go back to the 1980’s, if possible, and so the Council of Europe Convention was an obvious candidate.  (Greenleaf 2017) describes the Convention as “the world’s only legally binding treaty on data privacy”. It was the first binding international instrument to set standards for the protection of individuals’ personal data.

Meanwhile, I chose two pieces of European Union legislation, because “The EU’s data protection laws have long been regarded as a gold standard all over the world”  (European Data Protection Supervisor 2017).

The two pieces of EU legislation that I chose were the Data Protection Directive 1995 and the GDPR 2016. Other potential contenders were the e-privacy directive 2002/58/EC and the data retention directive 2006/24/EC but I didn’t choose either of those, firstly because it would have been impractical to study more than three pieces of legislation; and because the main pieces of EU legislation governing data protection were the Data Protection Directive and the GDPR which will replace it in May 2018. The (European Data Protection Supervisor 2017) says that the GDPR is “one of its (the EU’s) greatest achievements in recent years”.

There were other international initiatives which I considered, but didn’t pick them because either they didn’t have the status of binding legislation, but were “guidelines” or a set of principles (for example the OECD guidelines on the protection of privacy and transborder flows of personal data); or they weren’t focussed exclusively on data protection or privacy – I am thinking here of the Universal Declaration on Human Rights adopted by the United Nations, the Council of Europe’s Convention on Human Rights, and the EU’s Fundamental Charter on Human Rights which was given binding legal effect in December 2009.

I didn’t choose to look exclusively at UK legislation for several reasons. I wanted to see how things had progressed over a number of years, and the Data Protection Bill which will implement the GDPR  hasn’t been finalised,  but is still progressing through the Westminster Parliament. Otherwise, the Data Protection Acts of 1984 and 1998 would have been potential candidates for the discourse analysis. But I also wanted to look at EU legislation because of the degree of harmonisation it enables across member states. That will be all the more the case with the GDPR given the way Regulations have direct effect, and therefore the level of harmonisation will be far greater than with the Directive.

Another question is why I didn’t look at US legislation.  The USA doesn’t have a general piece of data protection law. Rather, it has industry specific legislation. In a library context, each state does have legislation protecting the privacy of library users (apart from Kentucky and Hawaii which have Attorney Generals’ opinions) (American Library Association n.d.), but most of the legislation doesn’t take account of ebooks etc. One exception being California’s Reader Privacy Act 2011 which extends the protection of library records to ebooks. Another point is that federal laws such as the USA Freedoms Act take precedence over the laws of the individual states.

While the European Commission had been called upon by the European Parliament as early as 1976 to prepare a proposal for a directive harmonising data protection laws (Rudgard 2012), this wasn’t achieved until 1995; whereas the Council of Europe Convention was passed in 1981. (Rudgard 2012)

References

AMERICAN LIBRARY ASSOCIATION, n.d. State privacy laws regarding library records.

EUROPEAN DATA PROTECTION SUPERVISOR, 2017. The history of the General Data Protection Regulation.

GREENLEAF, G., 2017. Data Protection Convention 108 Accession Eligibility: 80 Parties Now Possible. Privacy Laws & Business International Report, 148, pp. 12-16.

RUDGARD, S., 2012. Origins and historical context of data protection law. In: E. USTARAN, ed, European privacy law: law and practice for data protection professionals. IAPP, .

 

Advertisements

An analysis of the literature on privacy in higher education libraries

A literature survey looking specifically for academic articles on privacy in higher education identified 42 articles.  However, this was filtered down to 33 when on further examination we ruled out ones that may have been written by academics but weren’t about higher education libraries; or were about user’s physical security rather than about their data being held securely; or where they weren’t sufficiently focused on libraries; or on privacy.

The 33 articles were then analysed based on key characteristics. The overwhelming majority were written about the USA:

Australia 1
China 1
Ghana 1
India 1
Malaysia 1
UK 3
USA 25

A range of research methods were used by the authors, but the overwhelming majority cited questionnaires or surveys:

Case study 1
Content analysis 3
Direct observation 1
Feedback sessions 1
Interviews 2
Questionnaire/Survey 13
Secret shopper expedition 1

A third of the articles had been written in the most recent three years

1993 2
1995 1
1996 1
1997 1
2001 1
2002 1
2004 2
2005 3
2007 3
2008 1
2010 2
2011 1
2012 1
2013 2
2014 1
2015 4
2016 3
2017 3

The journal articles appeared in a wide range of titles, although the most common one was the Journal of Academic Librarianship

2016 International Conference on Applied System Innovation (ICASI), 2016 1
ACRL Tenth National Conference 1
Asia Pacific Conference Library & Information Education & Practice 1
Aslib Proceedings 1
College & Research Libraries 2
Community & Junior College Libraries 1
Information Technology and Libraries 1
Journal of Academic Librarianship 5
Journal of Access Services 1
Journal of Information Science 1
Libraries in the digital age (LIDA) proceedings 1
Library & Information Science Research 2
Library issues: briefings for faculty and administrators 1
Library Management 1
Library Philosophy and Practice 1
Library Quarterly 1
Library Review 1
New Library World 1
Online Information Review 1
Privacy in the 21st century: issues for public, school and academic libraries (BOOK SECTION) 1
Reference Quarterly 1
Serials Librarian 1
Technical Services Quarterly 1
Other

 

4

 

Bibliography

ADAMS, H.R., BOCHER, R.F., GORDON, C.A. and BARRY-KESSLER, E., 2005. Privacy in the 21st century: Issues for public, school, and academic libraries. Libraries Unlimited, Inc.

CHANDLER, A. and WALLACE, M., 2016. Using Piwik Instead of Google Analytics at the Cornell University Library. The Serials Librarian, 71(3-4), pp. 173-179.

COOMBS, K.A., 2005. Protecting user privacy in the age of digital libraries. Computers in Libraries, 25(6),.

DAVIES, E., 1996. Data protection management in university libraries in the UK. Journal of Information Science, 23(1), pp. 39-58.

DAVIES, J.E., 1997. Managing information about people: data protection issues for academic library managers. Library Management, 18(1), pp. 42-52.

DETTLAFF, C., 2007. Protecting user privacy in the library. Community & Junior College Libraries, 13(4), pp. 7-8.

DICKSON, A. and HOLLEY, R.P., 2010. Social networking in academic libraries: the possibilities and the concerns. New Library World, 111(11/12), pp. 468-479.

ELLERN, G.(.D., HITCH, R. and STOFFAN, M.A., 2015. User Authentication in the Public Area of Academic Libraries in North Carolina. Information Technology and Libraries (Online), 34(2), pp. 103-132.

FIFAREK, A., 2002. Technology and privacy in the academic library. Online Information Review, 26(6), pp. 366-374.

FISTER, B., 2015. Big data or big brother? data, ethics, and academic libraries. Library Issues: Briefings for Faculty and Administrators, 35(4),.

FOUTY, K.G., 1993. Online patron records and privacy: Service vs. security. The Journal of Academic Librarianship, 19(5), pp. 289-293.

GAO, C., 2016. A study on strategies to improve the protection of personal information for university libraries users, Applied System Innovation (ICASI), 2016 International Conference on 2016, IEEE, pp. 1-3.

GREENLAND, K., 2013. Negotiating self-presentation, identity, ethics, readership and privacy in the LIS blogosphaere: a review of the literature. Australian Academic & Research Libraries, 44(4),.

HESS, A.N., LAPORTE-FIORI, R. and ENGWALL, K., 2015. Preserving patron privacy in the 21st century academic library. Journal of Academic Librarianship, 41(1), pp. 105-114.

JOHNS, S. and LAWSON, K., 2005. University undergraduate students and library-related privacy issues. Library & Information Science Research, 27(4), pp. 485-495.

JONES, K.M. and SALO, D., 2017. Learning Analytics and the Academic Library: Professional Ethics Commitments at a Crossroads. College & Research Libraries, , pp. crl17-1038.

MAGI, T.J., 2010. A content analysis of library vendor privacy policies: Do they meet our standards? College & Research Libraries, 71(3), pp. 254-272.

MAGI, T.J., 2007. The gap between theory and practice: a study of the prevalence and strength of patron confidentiality policies in public and academic libraries. Library & Information Research, 29, pp. 455-470.

MATHSON, S. and HANCKS, J., 2008. Privacy Please? A comparison between self-checkout and book checkout desk circulation rates for LGBT and other books. Journal of Access Services, 4(3-4), pp. 27-37.

NOLAN, C.W., 1993. The confidentiality of interlibrary loan records. Journal of Academic Librarianship, 19(2), pp. 81-86.

OLTMANN, S.M., 2017. Intellectual Freedom in Academic Libraries: Surveying Deans about Its Significance. College & Research Libraries, 78(6), pp. 741.

OSAE OTOPAH, F. and DADZIE, P., 2013. Personal information management practices of students and its implications for library services, Aslib Proceedings 2013, Emerald Group Publishing Limited, pp. 143-160.

RONI, N.A.M., NAPIAH, M.K.M. and HASSAN, B., 2011. Impact of ICT on privacy and personal data protection in two Malaysian academic libraries. Asia Pacific Conference Library & Information Education & Practice, .

RUBEL, A., 2014. Libraries, electronic resources, and privacy: the case for positive intellectual freedom. Library Quarterly, 84(2), pp. 183-208.

RUBEL, A., 2012. A framework for analyzing electronic resources, privacy and intellectual freedom.

RUBEL, A. and ZHANG, M., 2015. Four facets of privacy and intellectual freedom in licensing contracts for electronic journals. College & Research Libraries, , pp. 30-30 pages.

SHULER, J., 2004. Privacy and academic libraries: widening the frame of discussion. Journal of Academic Librarianship, .

SUTLIEFF, L. and CHELIN, J., 2010. `An absolute prerequisite’: The importance of user privacy and trust in maintaining academic freedom at the library. Journal of Librarianship and Information Science, 42(3), pp. 163-177.

SUTTON, L., 2001. Advocacy for intellectual freedom in an academic library. ACRL Tenth National Conference, (15-18),.

VOELLER, S., 2007. Privacy Policy Assessment for the Livingston Lord Library at Minnesota State University Moorhead.

WILKES, A.W. and GRANT, S.M., 1995. Confidentiality policies and procedures of the reference departments in Texas academic libraries. RQ, 34(4), pp. 473-485.

YUVARAJ, M., 2016. Perception of cloud computing in developing countries. Library Review, 65(1/2), pp. 33-51.

ZAUGG, H., MCKEEN, Q., HILL, B. and BLACK, B., 2017. Conducting and using an academic library data inventory. Technical services quarterly, 34(1), pp. 1-12.

 

 

Academic articles on library privacy in higher education

Bibliography

ADAMS, H.R., 2005. Privacy in the 21st century: issues for public, school, and academic libraries. Libraries Unlimited.

AMOAH, G.B., 2016. Assessment Of Library User Security In Sam Jonah Library, University Of Cape Coast.

BOWERS, S.L., 2006. Privacy and Library Records. Journal of Academic Librarianship, 32(4), pp. 377-383.

BOWRON, C.R. and WEBER, J.E., 2017. Implementing the READ Scale at the Austin Peay State University Library. The Journal of Academic Librarianship, 43(6), pp. 518-525.

CARLSON, S., 2004. To use that library computer, please identify yourself. Chronicle of Higher Education, 50(42),.

CHANDLER, A. and WALLACE, M., 2016. Using Piwik Instead of Google Analytics at the Cornell University Library. The Serials Librarian, 71(3-4), pp. 173-179.

COOMBS, K.A., 2004. Walking a tightrope: Academic libraries and privacy. The Journal of academic librarianship, 30(6), pp. 493-498.

DAVIES, E., 1997. Data protection management in university libraries in the UK. Journal of Information Science, 23(1), pp. 39-58.

DETTLAFF, C., 2007. Protecting user privacy in the library. Community & Junior College Libraries, 13(4), pp. 7-8.

ELLERN, G.(.D., HITCH, R. and STOFFAN, M.A., 2015. User Authentication in the Public Area of Academic Libraries in North Carolina. Information Technology and Libraries (Online), 34(2), pp. 103-132.

ERIC DAVIES, J., 1997. Managing information about people: data protection issues for academic library managers. Library Management, 18(1), pp. 42-52.

FIFAREK, A., 2002. Technology and privacy in the academic library. Online Information Review, 26(6), pp. 366-374.

FISTER, B., 2015. Big data or big brother? data, ethics, and academic libraries. Library Issues: Briefings for Faculty and Administrators, 35(4),.

FOUTY, K.G., 1993. Online patron records and privacy: Service vs. security. The Journal of Academic Librarianship, 19(5), pp. 289-293.

FYFE, T.M. and PAYNE, G.W., 2009. Undergraduate medical education: Redefining the role of the librarian, Positioning the Profession: the Tenth International Congress on Medical Librarianship 2009, pp. 1-9.

GREENLAND, K., 2013. Negotiating self-presentation, identity, ethics, readership and privacy in the LIS blogosphaere: a review of the literature. Australian Academic & Research Libraries, 44(4),.

HASMAN, L., 2012. Librarian-facilitated problem-based learning course in a school of dental medicine. Medical reference services quarterly, 31(3), pp. 336-341.

HESS, A.N., LAPORTE-FIORI, R. and ENGWALL, K., 2015. Preserving patron privacy in the 21st century academic library. Journal of Academic Librarianship, 41(1), pp. 105-114.

IFENTHALER, D. and TRACEY, M.W., 2016. Exploring the relationship of ethics and privacy in learning analytics and design: implications for the field of educational technology. Educational Technology Research and Development, 64(5), pp. 877-880.

JASCHIK, S., 1993. Putting student theses in libraries violates privacy law. Chronicle of Higher Education, 40(2), pp. pA32-pA32.

JOHNS, S. and LAWSON, K., 2005. University undergraduate students and library-related privacy issues. Library & Information Science Research, 27(4), pp. 485-495.

JONES, K.M. and SALO, D., 2017. Learning Analytics and the Academic Library: Professional Ethics Commitments at a Crossroads. College & Research Libraries, , pp. crl17-1038.

MAGI, T.J., 2010. A content analysis of library vendor privacy policies: Do they meet our standards? College & Research Libraries, 71(3), pp. 254-272.

MAGI, T.J., 2007. The gap between theory and practice: a study of the prevalence and strength of patron confidentiality policies in public and academic libraries. Library & Information Research, 29, pp. 455-470.

MATHSON, S. and HANCKS, J., 2008. Privacy Please? A comparison between self-checkout and book checkout desk circulation rates for LGBT and other books. Journal of Access Services, 4(3-4), pp. 27-37.

NOLAN, C.W., 1993. The confidentiality of interlibrary loan records. Journal of Academic Librarianship, 19(2), pp. 81-86.

OLTMANN, S.M., 2017. Intellectual freedom in academic libraries: surveying deans about its significance.

PROIA, A.A., 2013. A new approach to digital reader privacy; state regulations and their protection of digital book data. Indiana Law Journal, 88(4),.

RAFIQUE, G.M., 2017. Personal Information Sharing Behavior of University Students via Online Social Networks. Library Philosophy & Practice, , pp. 1-24.

RONI, N.A.M., NAPIAH, M.K.M. and HASSAN, B., 2011. Impact of ICT on privacy and personal data protection in two Malaysian academic libraries. Asia Pacific Conference Library & Information Education & Practice, .

RUBEL, A., 2014. Libraries, electronic resources, and privacy: the case for positive intellectual freedom. Library Quarterly, 84(2), pp. 183-208.

RUBEL, A., 2012. A framework for analyzing electronic resources, privacy and intellectual freedom.

RUBEL, A. and ZHANG, M., 2015. Four facets of privacy and intellectual freedom in licensing contracts for electronic journals. College & Research Libraries, , pp. 30-30 pages.

SHULER, J., 2004. Privacy and academic libraries: widening the frame of discussion. Journal of Academic Librarianship, .

SUTLIEFF, L. and CHELIN, J., 2010. `An absolute prerequisite’: The importance of user privacy and trust in maintaining academic freedom at the library. Journal of Librarianship and Information Science, 42(3), pp. 163-177.

SUTTON, L., 2001. Advocacy for intellectual freedom in an academic library. ACRL Tenth National Conference, (15-18),.

ZAUGG, H., MCKEEN, Q., HILL, B. and BLACK, B., 2017. Conducting and using an academic library data inventory. Technical services quarterly, 34(1), pp. 1-12.

 

Text of talk for @infolawcentre 17 Nov 2017

Children & digital rights – privacy in libraries: talk for IALS conference

The library’s role is to provide access to material and to do so whilst at the same time ensuring absolute confidentiality and anonymity.

Why does the privacy of children matter?

Carrie Gardner (quoted in (Adams 2002)) says “Often, if people do not think their information requests and information-gathering activities are going to be kept private, they won’t ask for the information. They would rather suffer the consequences of not knowing”.

At the tween stage (a youngster between 10 and 12 years of age considered too old to be a child and too young to be a teenager) they are just finding their way. They are just at the cusp of recognizing who they are and learning about the world. They need privacy as a form of freedom to develop as a person.

Then as teenagers, as part of their process of development they may well be looking for materials on sensitive topics (Tough topics for teens http://lauraperenic.blogspot.co.uk/2016/03/tough-topics-bookmarks-and-poster.html )

If children were to look for material about these topics by going online and accessing electronic resources such as ebooks or ejournals, the question arises as to who could potentially access that information, for how long it is kept, and for how long it can be linked back to an identifiable individual.

If a library user accesses an ebook from home, their personal data is processed by the library; by the e-book vendor; and by the e-reader software company. The e-book vendor may use third party cookies, and whilst they may claim that these cookies don’t contain any personally identifiable information and can only be used to identify machines rather than individuals, the reality is that device fingerprinting can be used to fully or partially identify individual users.

In America under section 215 of the PATRIOT Act, the authorities could gain access to that sort of information, whilst imposing a gagging order on the library to ensure that no-one was even aware that they had asked for the information. The American Library Association is dedicated to ending ongoing mass surveillance, which continues despite important reforms made by the USA FREEDOM Act of 2015 which replaced the PATRIOT Act.

And in the UK a similar situation pertains under the Investigatory Powers Act 2016.

People often think that the only way the law enforcement authorities would be able to access such information is where they serve a warrant. But there are a number of routes through which such information could be requested, and they don’t all need a warrant.

In what ways does privacy play out in a library context?

One example relates to circulation records.

A couple of years ago there were reports of the leaking of the school library borrowing history of author Huraki Murakami (McCurry 2015). This yet again raised the issue of privacy (Finch 2015).

Another example would be requests for assistance to find information on sensitive issues. (Catherine) Beyers found herself responding to requests by teachers and parents for information on sensitive issues related to specific students she served. This aspect of her work included “helping teachers locate materials for children about suicide, having a parent in jail, or loving with a disabled sibling” (Adams 2002).

(Ferguson, Thornley et al. 2016) bring together a number of ethical scenarios. One was about privacy versus potential harm to individuals. A school librarian noticed that a child had been reading about sex abuse. The librarian normally regards what children are reading as ‘off limits’ and does not inform teaching staff. A child reading about sex abuse, however, raised alarms. The outcome was that ‘the person with pastoral responsibility for that individual child was alerted.’ In this case, therefore, ‘confidentiality would not be the predominant factor’ although the interviewee added that this was ‘obviously challengeable.

In another case study (Ferguson 2016), a library manager helped save the life of a suicidal client.

Such cases test the limits of LIS professionals’ commitment to protection of client confidentiality, where there is potential harm to that client.

Use of fingerprints as ID instead of a library card

Many school libraries across the UK have implemented technology enabling pupils to take out books by scanning their thumb prints instead of using a card. Such systems are intended to replace library cards and save time and money in managing the libraries. However, the use of electronic fingerprinting systems in this way to manage loans of library books has raised a number of privacy concerns.

In 2006 the Department for Education and Skills and the Information Commissioner said parents could not prevent schools from taking their children’s fingerprints.

Thankfully, the Protection of Freedoms Act 2012 now provides stronger protections. Chapter 2 deals with the protection of biometric information of children in schools. It says that “if, at any time, the child (a) refuses to participate in, or continue to participate in, anything that involves the processing of the child’s biometric information, or (b) otherwise objects to the processing of that information, the relevant authority must ensure that the information is not processed, irrespective of any consent given by a parent of the child.

What has my child looked at online or checked out?

This raises issues of intellectual freedom of young people, childrens’ rights to privacy, responsibility, and freedom to use library materials.

Could – or indeed should – a parent have access to data about what their child has been looking at online?

When faced with the parent-child relationship, to whom is the library responsible? The child possessing a library card is the cardholder of record. However, in many libraries the parent has traditionally been asked to sign as the financially responsible party to try to control losses and recover the cost of lost books.

(Hildebrand 1991 p3) says “Honoring privacy is a concrete expression of respect for another person. We need to start out with a belief that it is desirable for adults in our society to allow children to experience privacy and respect”.

(Symons, Harmon 1995 p13) While a surface acceptance of user’s rights to privacy may be easy, implementation of this right throughout library operations and in the face of pressure is, in fact, difficult. Library employees end up on the grounds of privacy and confidentiality explaining to parents that although they may be billed for their children’s lost books, they are not entitled to a list of everything their children have checked out.

Issues around filtering and monitoring of content

(Wyatt 2006) Librarians are often reluctant to monitor patrons’ Internet access. Monitoring seems to be in direct conflict with the librarian’s ethical duty to honor a patron’s privacy (Skaggs 2002 p851).

At least one parent has sued a public library for allowing her child to access pornography on the Internet. In the American case Kathleen R. v. City of Livermore 104 Cal.Rptr.2d 772 (2001), a minor boy accessed pornography through the Internet and distributed it to his friends. His mother sued the library claiming that “the government had a constitutional duty to protect her minor son from the offensive material found on the Internet” (Kendall 2003 p221).

Although the public library has not been found legally liable for failure to monitor children’s unfiltered access, the question remains whether the librarian should play the role of a monitor? If parents do not see the public library as a safe place for their children, they will not allow them to go there.

By never encountering inappropriate content, individuals do not develop the ability to decipher for themselves which content might be appropriate or not. Given the unreliability of filtering software, this is an essential skill in today’s world. We also need to take account of other measures to achieve child protection that may have a less restrictive impact on information access: e.g. situating public access terminals apart from areas designated for use by minors; and providing user education, support and training (Cooke, Spacey et al. 2014).

At times it seems as though there is an unhealthy desire to monitor childrens internet activities. In August 2017 the BBC reported on a French company offering “invisible PC spy software”. The company was criticised after it said its product could be used “to find out if your son is gay”. It listed a number of clues that might cause a parent to suspect that their son might be gay. One of which was being more interested in reading and theatre than in football. BBC News Online story from 23 August 2017(BBC News Online 2017)

Many libraries use filtering software. Indeed, in America, the Children’s Internet Protection Act requires public and school libraries to have a policy of Internet safety for children. CIPA’s amendments specifically require protection that “blocks or filters” access to visual depictions that are obscene or harmful to minors. If libraries fail to comply, they will not receive federal funding through the E-rate program, which provides a bulk of the federal funding for library Internet connectivity.

(Ledbetter, Heiss et al. 2010 p187) draw attention to the issues around the expectations regarding children’s privacy change throughout the course of child development, and privacy invasions may occur frequently within parent-child relationships. (Petronio 1994) notes that the college years are a time when parental expectations of their children’s privacy can be particularly unclear. Although undergraduates view their college years as a time of increasing independence, ‘‘parents may contradict these expectations by invading the children’s privacy boundaries’’ when the child returns home or when away at college (Petronio 1994 p244). Therefore, parental invasive behaviors ‘‘may send a message to college-aged children that indicates the reluctance of parents to let go’’ (p. 245).

‘‘When I am using the computer, they come behind me and read over my shoulder for a few minutes;’’ ‘‘My dad reads the instant messages I write.’’

‘‘My mom would sometimes try to read my online blog.’’

Likewise, computer-based defences consisted of concealing online conversations such as changing passwords, deleting emails, or closing open windows when a parent enters the room.

Children do want to hide things from parents. It may seem like a contradition in terms, but children may well seek out the privacy that a library can offer as a public space.

Personalization & providing a tailored service

(Adams 2002) While the privacy of students and underage patrons must be protected, Pat Scales, cautions against carrying protection too far. “My primary concern regarding privacy issues as it relates to children and young adults is that we cannot allow privacy to interfere with ‘best practice.’

“This is especially true with reader guidance issues. For example, I feel that it is important that I know what a child likes to read in order to lead him/her to another book they will like. I’m not going to reveal my knowledge to another person, but that child may need my guidance. I don’t believe that we should force guidance on a child, but we cannot totally serve their needs if there is complete privacy.”

Fisk (2016) says adolescents are more likely to value privacy from their parents and other local adults moreso than they are the somewhat more distant-seeming but ever-present threat of corporate surveillance.

In conclusion, libraries face a number of ethical challenges in their work, and that is true of their work with children just as it is for other age groups. Issues such as:

  • What has my child checked out
  • Situations where children consult material on difficult or controversial topics
  • Use of fingerprinting as a form of ID instead of a library card in school libraries, and
  • The use of filtering and monitoring of internet activity
  • Personalization & providing a tailored service

These all pose challenges for a child’s privacy and confidentiality.

 

REFERENCES

ADAMS, H.R., 2002. Privacy and confidentiality: now more than ever, youngsters need to keep their library use under wraps. American Libraries, 33(10), pp. 44-48.

BBC NEWS ONLINE, 2017. French firm offered spyware to “find out if your son is gay”. BBC News Online, .

CONGER, S., PRATT, J.H. and LOCH, K.D., 2013. Personal information privacy and emerging technologies. Information Systems Journal, 23(5), pp. 401-417.

COOKE, L., SPACEY, R., MUIR, A. and CREASER, C., 2014. Filtering access to the internet in public libraries: an ethical dilemma? Globethics.net, pp. 179-190.

FERGUSON, S., THORNLEY, C. and GIBB, F., 2016. Beyond codes of ethics: how library and information professionals navigate ethical dilemmas in a complex and dynamic information environment. International Journal of Information Management, 36(4), pp. 543-556.

FINCH, D., 2015. Privacy and the young reader. Dawn Finch’s blog, .

FISK, N., 2016. The limits of parental consent in an algorithmic world. LSE Media Policy Project Blog, .

HILDEBRAND, J., 1991. Is privacy reserved for adults: children’s rights at the public library. School Library Journal, .

KENDALL, J., 2003. LIBRARY INTERNET ACCESS POLICY. J.Juv.L., 24, pp. 218-273.

LEDBETTER, A.M., HEISS, S., SIBAL, K., LEV, E., BATTLE-FISHER, M. and SHUBERT, N., 2010. Parental invasive and children’s defensive behaviors at home and away at college: mediated communication and privacy boundary management. Communication Studies, 61(2), pp. 184-204.

MCCURRY, J., 2015, 12. Librarians in uproar after borrowing record of Haruki Murakami is leaked. The Guardian.

MCKINNEY, K.D., 1998. Space, body, and mind: Parental perceptions of children’s privacy needs. Journal of Family Issues, 19(1), pp. 75-100.

PARKE, R.D. and SAWIN, D.B., 1979. Children’s privacy in the home: Developmental, ecological, and child-rearing determinants. Environment and Behavior, 11(1), pp. 87-104.

PETRONIO, S., 1994. Privacy binds in family interactions: The case of parental privacy invasion. The dark side of interpersonal communication, , pp. 241-257.

PETRONIO, S. and ALTMAN, I., 2002. Boundaries of privacy.

RATZAN, J.S., 2004. CIPA and the roles of public librarians, a textual analysis. Public Libraries, 43(5), pp. 285-290.

ROWAN, D., 2002. Little brother’s fingerprints all over the library. The Times, .

SKAGGS, J.A., 2002. Burning the Library to Roast the Pig-Online Pornography and Internet Filtering in the Free Public Library. Brook.L.Rev., 68, pp. 809.

SYMONS, A.K. and HARMON, C., 1995. Protecting the Right To Read: A How-To-Do-It Manual for School and Public Librarians. ERIC.

WYATT, A.M., 2006. Do librarians have an ethical duty to monitor patrons’ internet usage in the public library? Journal of Information Ethics, , pp. 70-79.

 

Floridi, Groups & Privacy

One aspect of my research is to consider information privacy from the perspective of entities.

The discourse analysis that I have been undertaking has helped confirm my view that we cannot really understand information privacy by focussing exclusively on the individual. That instead we need to look at a number of different levels – the individual, the group, the company/institution, and society as a whole; and more than that we need to consider all of the stakeholders. And that this includes entities that have a data protection role or function

When I started my research in February, I had been looking at Luciano Floridi’s theory of ontological friction; and then a few months later I went back to his works and started to look at what he had written about groups. The most substantial item on group privacy is at https://www.stiftung-nv.de/sites/default/files/group-privacy-2017-authors-draft-manuscript.pdf

Today I was re-reading a number of articles by Floridi, and what struck me was that he makes numerous statements which help to justify looking at the group & institutional perspective. And that one can’t really understand Floridi’s thinking on groups without also taking on board his thoughts on digital ICTs and their revolutionary nature.

Where he says that the current ethical approach is too anthropocentric and nominalist, I would add that that is also true of data protection legislation such as the General Data Protection Regulation which also focusses heavily on the individual.

The GDPR isn’t exclusively focussed on the individual, though. Article 80 looks at the representation of data subjects, and even though it doesn’t use the words “collective action”, that is what the article deals with; although one must also mention that this is one of the many derogations in the legislation and that therefore there won’t be a consistent approach across all member states.

But coming back to Floridi, these are some of the statements I am thinking of as far as justifying the need to think beyond the individual:

To be clear, I agree with all of the statements below:

·         Floridi argues for an interpretation of privacy in terms of a protection of the information that constitutes an individual – both in terms of a single person and in terms of a group

·         He believes that groups may have a right to privacy

·         He thinks that the current ethical approach is too anthropocentric (only natural persons count) and nominalist (only the single individual person counts)

·         The infosphere denotes the information environment which is constituted by informational entities

·         “The very concept of democracy takes something away from the individual to emphasise the centrality of the “multiagent” system”

·         Agents need not be persons, they could for example be organizations

·         He acknowledges that digital ICTs treat most people not as individuals but as members of specific groups

·         “the information flow requires some friction in order to keep firm the distinction between the multiagent system (the society) and the identity of the agents (the individuals) constituting it”.

 

There are a number of areas where I don’t agree with Floridi’s views on privacy.

In The 4th Revolution (chapter 4), Floridi says that it is common to distinguish four types of privacy, and that these are all “freedoms from”:

  • physical privacy
  • mental privacy
  • decisional privacy
  • informational privacy

There are a number of ways in which I differ from Floridi’s analysis. Firstly, he classifies the four privacy types as all being “freedoms from”, whereas there are indeed a number of different privacy types and they are not all “freedoms from”. There are also a number of privacy types which are “freedoms to”…

Secondly, I would categorise “decisional privacy” not as a freedom from, but as a freedom to.

Thirdly, I prefer the privacy typology of Koops et al who put forward nine privacy types, where informational privacy overlays all the others.

Certainly Floridi sees informational privacy as being the most important of them all, and that is true also of Koops et al. And I would agree with them both on that.

I find that there are times where Floridi uses analogies that they are more confusing than helpful. The one that I had particular difficulty with was the analogy of information privacy in terms of “my” as in “my body” rather than “my car”, and of thinking of someone using my personal data as being like an organ being ripped from my body. The whole point about information is that it has as a key characteristic its non-rivalrous nature. And therefore, when someone takes my data, it doesn’t mean that I no longer have it. He speaks elsewhere about cloning, and that is more akin to what happens in practice.

Floridi believes that digital ICT’s have a revolutionary impact, and that “ICT’s are more redrawing than erasing the boundaries of informational privacy”, which I would agree with. He also believes that they can increase or decrease informational privacy; and that you can’t  have the possibility of them increasing privacy without also have the possibility that they can decrease privacy; and again I would agree. While digital ICTs both empower and disempower people, we don’t really get a detailed discussion of the balance or imbalance between the two. In The Fourth Revolution he gives examples of how digital ICTs can empower people, but for me the examples given are not compelling or wholly convincing. One example relates to reputation management companies. Whereas, for me there are a number of problems with reputation management. Firstly, it isn’t a one-off exercise. As soon as a search engine like Google changes its algorithm, this could undo the previous efforts of a reputation management company. And, secondly, it doesn’t empower everyone equally, although I recognise that these companies have a large number of customers. Many people would not be able to afford the services of a reputation management company.

 

 

 

 

 

Privacy : a glossary of terms

Anonymisation Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.
Blagging Knowingly or recklessly obtaining or disclosing personal data or information without the consent of the data controller.
Cipher-suite A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol.
Cryptoparty A CryptoParty is simply a collection of people who come together with a common goal of helping each other safeguard their digital privacy and security.
Cybersecurity User-centred, primary concern is keeping personally identifiable information (PII) private. Source: Measuring vendor cybersecurity presented by  Chris Markman at Internet Librarian International 2016 session D203 Tuesday October 18th 2016.
Datafication Datafication model presented in Mai’s 2016 paper, wherein new personal information is deduced by employing predictive analytics on already-gathered data.
Dataveillance Monitoring and evaluation
Digital footprint Trail or body of data that exists as a result of actions and communications online that can in some way be traced back to an individual.
Digital literacy The set of skills necessary to navigate, access and contribute to the new information environment
Doxed Having your real personal information (e.g. name, address, phone number) discovered and revealed on the Internet, destroying anonymity
Encryption Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.
Enrichment Where a catalogue or database contains cover images (for books and journals etc)
Evercookies Evercookie is a JavaScript-based application which produces zombie cookies in a web browser that are intentionally difficult to delete.
IMSI Catcher (or Stingray) An IMSI-catcher is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users. Essentially a “fake” mobile tower acting between the target mobile phone and the service provider’s real towers, it is considered a man-in-the-middle (MITM) attack.  (Wikipedia definition as at 6 July 2016)
Loveint: Practice of spying on people you like
Onboarding Combining our online personas with our offline selves (building psychological profiles)
Panopticism A social theory named after the Panopticon, originally developed by French philosopher Michel Foucault in his book, Discipline and Punish. (role of Jeremy Bentham)
Sniffing A packet sniffer is a utility that has been used since the original release of Ethernet. Packet sniffing allows individuals to capture data as it is transmitted over a network. Packet sniffer programs are used by network professionals to diagnose network issues, and by malicious users to capture unencrypted data, like passwords and usernames.
Teleological The philosophical study of nature by attempting to describe things in terms of their apparent purpose
Third party An entity that is involved in some way in an interaction that is primarily between two other entities
Tracking As users browse the web, their browsing behavior may be observed and aggregated by thirdparty websites (“trackers”) that they don’t visit directly. (from Tracking excavator: uncovering tracking in the web’s past  https://trackingexcavator.cs.washington.edu)

Some conclusions from a discourse analysis

We found that undertaking a discourse analysis is a valuable way of testing a theoretical framework and model; and that this would be the case whether or not you conclude that they are robust and withstand the rigours of the discourse analysis process, because it will either vindicate your framework and model in whole or in part; or else it will give an indication of what they should contain.

It is likely that you will see your research project from a different perspective; that it will make you question the validity and the comprehensiveness of the concepts that you have identified; and whether or not minor or major changes are required.

In our case, the discourse analysis led us to add separate categories for values, rights and freedoms; safeguards and protections; and necessity and proportionality; although one could argue that necessity and proportionality should be treated as a subset of safeguards and protections.

The coding process is very subjective, but we found that undertaking a discourse analysis across several texts can help to overcome some of the problems because you can monitor trends across the different texts; and where the texts are spread across a long time period, it is possible to see how things have changed from a temporal perspective.

We chose to undertake a thematic discourse analysis in order to test both our theoretical framework and model. We conclude that It is impossible to entirely set aside any previous thoughts about how to approach the analysis, but it is nevertheless still feasible to learn lessons from the approach.

We found ourselves creating new themes that weren’t in our theoretical framework and model; and even where there were commonalities between the original framework & model, and the groupings of categories that emerged during the exercise, they proved useful because they helped clarify our thinking on those themes, and we had used different ways of expressing similar concepts. It was only by undertaking the discourse analysis that we broadened out the “entities” category to encompass data protection roles and functions.