What can librarians do to protect user privacy

Listed below are a number of practical steps that library & information professionals can take in order to protect the privacy of their users.

I have been impressed by the way in which in Newcastle they have organised several cryptoparties, but much more than that, they have created a forum for people to discuss the issues involved and housed on the forum are a number of useful resources and documents.

Meanwhile CILIP Scotland has worked with Scottish PEN, and speakers from PEN have spoken at CILIPS events – see for example http://www.slideshare.net/CILIPScotland/surveillance-digital-security-and-privacy-in-libraries

Anyway, here are a number of suggestions of things librarians can do to help protect the privacy of their users (updated 26th February 2017):

1. Default search engine (on public access terminals, set the default search engine to one which respects privacy, such as Startpage, DuckDuckGo, or Oscobo)

2. Default browser (use a browser such as Firefox)

3. HTTPS (see https://letsencrypt.org/ for example)

4. Vendor management: when negotiating licence agreements, make sure that there are robust provisions covering privacy & confidentiality

5. Ad blocking software

6. Organise a cryptoparty

7. Develop a forum for discussion of privacy issues, sharing best practice, knowledge of tools (this could be a natural extension of a series of privacy training events/cryptoparties)

8. Create an area on the library website dedicated to privacy issues (a good example is that of San Jose Public Library, whose site lets you generate a custom privacy toolkit geared towards your own organisation’s online needs)

9. Include privacy within any digital literacy training offered to your users

10. Use software to automatically return library PCs to their native state when a user has finished with the machine

11. Carry out a cyber security risk management audit (see useful article by Caro and Markman 2016 on the topic)

12. Where data is housed in a data centre controlled by an external vendor, librarians should ensure they know where it is located, and what certifications the facility has (to ensure it meets industry best practice)

13. If you are getting rid of equipment such as a photocopier, remember patron privacy. Some copiers (and other types of office equipment) have hard drives capable of storing confidential personal information, and these need to be safely wiped and destroyed.

14. Do you undertake regular penetration testing (ethical hackers)/network security checks to mitigate the risk of data security breaches? Do this for both internal and external systems

15. Embedded content: check if your library is leaking catalog searches to Amazon: https://go-to-hellman.blogspot.co.uk/2016/12/how-to-check-if-your-library-is-leaking.html

16. Make sure you are using a secure form of authentication to connect with self-serve units, journals databases, ebook platforms etc. If, for example, you are using SIP2, is it encrypted, and if so, how? One example of a secure method for authentication would be OpenID

17. Have you signed up to the Library digital privacy pledge?

18. Use the NISO patron privacy framework to inform your actions.

19. Ensure that users’ print jobs can only be retrieved at the printer by using their own library card number.

20. Monitor security alerts from CERT and install software patches and software updates to defend against attacks

21. Use a full range of information security defences (firewall, intrusion detection system (IDS), intrusion protection system (IPS), web filtering, antivirus etc)

22. Put up posters to raise awareness of privacy issues. For example: https://chooseprivacyweek.org/wp-content/uploads/2013/05/CPWPrivacyPublicComputingTips.pdf

23. If the library’s websites use analytics software, ensure that you use something that is respectful of privacy like Piwik rather than Google Analytics
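
One way to carry out the embedded-content check in item 15, as an added example that is not from the original post or the linked article: this Python script lists the third-party hosts a catalog page makes the browser contact. Each such request can expose the search through the Referer header (subject to the referrer policy) or through the resource URL itself. The page URL, HTML and host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch a resource on page load.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "embed": "src", "link": "href"}
# <link> only triggers a fetch for some rel values (not e.g. rel="canonical").
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch"}

class ResourceCollector(HTMLParser):
    """Collects the URLs a browser would request while rendering the page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        url = attr_map.get(FETCHING_ATTRS.get(tag, ""))
        if not url:
            return
        rels = set((attr_map.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        self.urls.append(url)

def third_party_hosts(page_url, html):
    """Map each foreign host to the resources the page loads from it."""
    own_host = urlparse(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    found = {}
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)  # resolves relative and //host URLs
        host = urlparse(absolute).hostname
        if host and host != own_host:
            found.setdefault(host, []).append(absolute)
    return found

# Constructed sample: a catalog results page (all hosts are placeholders).
SAMPLE_URL = "https://catalog.example.org/search?q=divorce+law"
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://other.example.net/search">
<script src="//widgets.thirdparty.example/w.js"></script>
<img src="https://images.thirdparty.example/cover?isbn=0000000000">
"""

if __name__ == "__main__":
    print(third_party_hosts(SAMPLE_URL, SAMPLE_HTML))
```

Save a search results page from your own catalog and pass its address and HTML to `third_party_hosts`; resources injected later by JavaScript will not appear, so compare the result with the browser's network panel.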