In theory librarians are committed to protecting user privacy. What happens in practice?

The brief title of my PhD research is “Protecting the privacy of library users”. From the desk research that I have done so far, and the work to date on my literature review, I have found evidence that what happens in reality doesn’t always live up to the theoretical commitment to protect user privacy: examples of data breaches, of library websites that leak privacy, of critical vulnerabilities in digital libraries (see for example KUZMA, J., 2010. European digital libraries: web security vulnerabilities. Library Hi Tech, 28(3), pp. 402-413), etc.

I am interested to know what the root cause(s) of this failure to deliver on protecting user privacy are.

Huang (HUANG, S., HAN, Z. and YANG, B., 2016. Factor identification and computation in the assessment of information security risks for digital libraries. Journal of Librarianship and Information Science, pp. 1-17) says “Vulnerabilities may arise out of deficiencies in organizational structure, personnel, management, procedures and assets”.

I have put together a set of rough notes about a number of areas where I suspect that some clues as to the cause(s) might be found – or at least, where there might be potential for things to go wrong. But have I listed the right areas, am I missing any key ones, or should I be zooming in on any in particular:

  • Education/training
  • Contracts/licences
  • Law/regulation
  • Ethics/values
  • Technology
  • Information security
  • Who takes overall responsibility
  • Compliance issues
  • Physical (rather than digital) world
  • Vendors
  • Standards/guidelines
  • Third parties
  • Visibility/transparency
  • Privacy by design/by default

I can flesh these out a bit further if anyone is interested.

My research is in its early stages, so I haven’t yet reached the point of finalising the research questions I want to examine.

Of course it is also worth asking the questions:

          Do library users actually worry about privacy in libraries?

          If so, why?

          If so, what in particular concerns them?

          And how would a failure to protect their privacy impact upon them?