INTRODUCTION
This article is drawn from a recent Master's thesis at the University of Sheffield Information School. Thank you to everyone who participated in the survey for making this research viable.
PRIVACY V SECURITY
Online privacy and security, or the lack of it, is becoming a growing concern. In 2017, YouGov surveyed participants about their internet use and reported that 66% of respondents were concerned about cybercrime, 49% were concerned about cyberattacks and 39% were concerned by companies collecting and sharing personal data.Footnote 1
The same poll found that while 26% thought more should be done to protect privacy, an opposing 32% felt more should be done to fight crime at the cost of privacy and 24% thought the current balance was just right.
Such awareness is likely fuelled by recent high profile cybercrime and data breach incidents. In 2017 alone, well known organisations such as BUPA, Wonga payday loans, Three Mobile, Sports Direct and NHS England Trusts have suffered large data breaches compromising millions of records containing personal information.Footnote 2
The Office for National Statistics began reporting cybercrime as part of the Crime Survey for England and Wales for the first time in 2016 and reported 2.5 million cases of bank account or credit card fraud and nearly 2 million cases of computer misuse offences, which include unauthorised access to personal information, hacking and the intentional spreading of malware or viruses.Footnote 3
In addition, the Information Commissioner's Office enforcement page provides a constant parade of businesses, charities, local councils and other organisations that have faced fines or prosecution for breaches of the Data Protection Act, including unsolicited marketing and the unauthorised sharing or loss of personal information.
Furthermore, online security and privacy rights have been the focus of recent legislation including the Investigatory Powers Act passed November 2016, an independent commission into the Freedom of Information Act in 2016 and the current debate surrounding internet regulation.
The balancing act between privacy and security is correspondingly played out within the library and information sector.
LIBRARIES AND ‘THE PRIVACY TIGHTROPE’
Libraries across all sectors hold and process vast amounts of personal data including: patron details, circulation records and reservation requests. In addition, library facilities such as computers may also hold data including browsing histories, caches and cookies. Cloud based services will store and transfer data beyond the libraries' control.
In particular, library staff can deal with requests for information or resources that reveal sensitive personal data including: sexuality, political opinions, religious beliefs, health conditions or criminal proceedings. Kim & Noh point out that circulation records in particular, unlike other forms of personal data, are unique to libraries.Footnote 4
As a result, libraries not only have a responsibility to comply with the legislation but ‘a moral obligation to keep that information confidential’.Footnote 5
The commitment to protecting patrons' personal information and maintaining their privacy is enshrined in numerous codes of conduct and ethical statements throughout the profession; including those from the Chartered Institute of Library and Information Professionals (CILIP), the International Federation of Library Associations and Institutions (IFLA) and the American Library Association (ALA). This is particularly prevalent in the United States where legislation such as the PATRIOT Act 2001 overrides state law concerning privacy and grants government agencies access to library records without the patron's permission or even knowledge.Footnote 6
Correspondingly, the majority of literature on the topic also profusely advocates the necessity for library and information professionals to uphold the principle of patron privacy. Boehme-Neßler argues that intellectual privacy is a crucial pillar of democracy that allows citizens to explore controversial and diverse ideas without judgement: ‘if you anticipate that your reading habits will be monitored, then you will shrink back from consuming literature that is condemned by the mainstream.’Footnote 7
However, it may be argued that the traditional ethics of librarians surrounding user privacy are being challenged by new software tools and increased government interference and desire for surveillance.Footnote 8 The ‘dual responsibility’ of libraries to protect patrons' privacy whilst simultaneously supporting academic freedom and delivering tailored collections leaves them balancing on ‘a privacy tightrope’.Footnote 9
Previous research has demonstrated that users consider libraries a safe space and are not overly concerned about their privacy.Footnote 10 However, this lack of user awareness or concern means librarians should take extra care to ‘not take advantage of users' rights, expectations, and lack of information on library-related privacy issues’.Footnote 11 In fact, some commentators advocate the opportunity for librarians to raise their profile and garner further public support by using their skills to become ‘data protection champions’ and defend users' rights to privacy.Footnote 12
Despite the apparent commitment to privacy rights amongst librarians, others murmur that this obligation hinders libraries' ability to compete against providers who target and monitor user data to profile behaviour and deliver personalised services.Footnote 13 Still others highlight the contradiction between the public's concern for their privacy and the openness with which they share their personal details online.Footnote 14 Trepidation surrounding big data and the amount of information gathered by social media, search engines, malware, targeted advertising and government spying leads some to question whether expectations of a legal right to privacy are valid at all.Footnote 15
Against this backdrop, the UK Data Protection Act 1998 will soon be replaced by new legislation: the General Data Protection Regulation (GDPR, Reg 2016/679) which comes into force on 25th May 2018.
DATA PROTECTION MANAGEMENT IN LIBRARIES UNDER DPA AND GDPR
Examples of data protection management within libraries include: ensuring the organisation is registered as a data controller with the Information Commissioner's Office, ensuring patrons can access the organisation's data protection policy and ensuring patrons are aware that under the Data Protection Act 1998 they have a right to see the personal information held by the organisation.
Another key component includes a detailed records management policy that specifies how records are stored and managed, who can access them, the appropriate retention schedules and the secure destruction of records. Finally, staff should be regularly trained and aware of policies such as not disclosing patron information or borrowing history and preventing data security breaches.
The GDPR will update and replace the existing Data Protection Act 1998 (DPA). It is confirmed that the legislation will not be affected by the UK withdrawal from the European Union (ICO, 2017a).
In order to ensure compliance, organisations will need to review their current processes and make necessary changes to their procedures in order to demonstrate adherence to best practice. This might involve a number of key measures including appointing a Data Protection Officer and ensuring the organisation is registered with the ICO as a data controller and informing them of any data processing.
Conducting an internal audit of current procedures, record management and information security and a Privacy Impact Assessment will identify any potential risks and issues that may require attention.
It will be key to create a register of all personal information and how it is gathered, stored and processed to ensure all processing has a lawful ‘condition of processing’ as a basis. It will be essential to establish a retention schedule to ensure personal information is not being kept for longer than necessary.
Identifying any third party data processors and reviewing contracts will be required to ensure adequate security is in place and to assess any processing that involves the transfer of personal information outside of the EU. In addition, systems that store and gather data should be reviewed to ensure data can be erased in line with the right of erasure.
Finally, relevant policies and guidelines should be revised to reflect best practice and privacy notices may need to be updated and made clear and accessible. Regular and up to date training for all staff will assist in reducing data breaches, but a clear procedure for reporting data breaches should be established.
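As an added illustration (this is example code written for this article, not code from the thesis, the survey or any library system, and every name, retention period, country list and sample record in it is constructed), the following toy circulation store implements three of the measures described above: a retention schedule that purges returned loans after a fixed period, a subject access export for the right of access, and a right-of-erasure routine that refuses to erase a patron who still has items on loan. It also includes a small check over a register of processing activities that flags a missing lawful basis, a missing retention period or a processor outside the EU.

```python
"""Toy GDPR controls for a circulation store (constructed example, not a real LMS)."""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Loan:
    patron_id: str
    item_id: str
    issued: date
    returned: Optional[date] = None


@dataclass
class ProcessingRecord:
    """One line of the register of processing activities (assumed fields)."""
    activity: str
    lawful_basis: Optional[str]    # e.g. "contract"; None means no basis recorded
    retention_days: Optional[int]  # None means no retention period defined
    processor_country: str         # where the processor holds the data


def register_gaps(records: List[ProcessingRecord]) -> List[str]:
    """Flag register lines with no lawful basis, no retention period, or a non-EU processor."""
    eu = {"GB", "IE", "FR", "DE"}  # constructed, abbreviated list for the example
    issues = []
    for r in records:
        if r.lawful_basis is None:
            issues.append(f"{r.activity}: no lawful basis recorded")
        if r.retention_days is None:
            issues.append(f"{r.activity}: no retention period defined")
        if r.processor_country not in eu:
            issues.append(f"{r.activity}: processor outside EU ({r.processor_country})")
    return issues


class CirculationStore:
    RETENTION_DAYS = 90  # assumed schedule: loan history kept 90 days after return

    def __init__(self) -> None:
        self.patrons: Dict[str, dict] = {}
        self.loans: List[Loan] = []
        self.item_loan_counts: Dict[str, int] = {}  # aggregate only, never linked to a patron

    def add_patron(self, patron_id: str, name: str, email: str) -> None:
        self.patrons[patron_id] = {"name": name, "email": email}

    def issue(self, patron_id: str, item_id: str, on: date) -> None:
        self.loans.append(Loan(patron_id, item_id, on))
        # Usage statistics survive purges and erasure because they carry no patron link.
        self.item_loan_counts[item_id] = self.item_loan_counts.get(item_id, 0) + 1

    def return_item(self, patron_id: str, item_id: str, on: date) -> None:
        for loan in self.loans:
            if loan.patron_id == patron_id and loan.item_id == item_id and loan.returned is None:
                loan.returned = on
                return
        raise KeyError("no open loan for that patron and item")

    def purge_expired(self, today: date) -> int:
        """Retention schedule: drop returned loans older than RETENTION_DAYS; returns count removed."""
        cutoff = today - timedelta(days=self.RETENTION_DAYS)
        before = len(self.loans)
        self.loans = [l for l in self.loans if l.returned is None or l.returned > cutoff]
        return before - len(self.loans)

    def subject_access_export(self, patron_id: str) -> dict:
        """Right of access: everything currently held about one patron."""
        return {"patron": dict(self.patrons[patron_id]),
                "loans": [asdict(l) for l in self.loans if l.patron_id == patron_id]}

    def erase_patron(self, patron_id: str) -> int:
        """Right of erasure: remove the patron and their loan history; refuse while items are out."""
        if any(l.patron_id == patron_id and l.returned is None for l in self.loans):
            raise ValueError("patron still has items on loan; erasure must wait")
        removed = sum(1 for l in self.loans if l.patron_id == patron_id)
        self.loans = [l for l in self.loans if l.patron_id != patron_id]
        del self.patrons[patron_id]
        return removed


def demo_circulation() -> dict:
    """Walk through purge, access export and erasure on constructed sample data."""
    store = CirculationStore()
    store.add_patron("p1", "A. Reader", "a.reader@example.org")
    store.add_patron("p2", "B. Borrower", "b.borrower@example.org")
    store.issue("p1", "book-1", date(2018, 1, 10))
    store.return_item("p1", "book-1", date(2018, 1, 20))   # expires 2018-04-20 under the 90-day rule
    store.issue("p2", "book-1", date(2018, 4, 1))
    store.issue("p2", "book-2", date(2018, 4, 1))
    store.return_item("p2", "book-2", date(2018, 4, 15))
    purged = store.purge_expired(date(2018, 5, 25))
    export = store.subject_access_export("p2")
    try:
        store.erase_patron("p2")
        blocked = False
    except ValueError:
        blocked = True
    store.return_item("p2", "book-1", date(2018, 5, 26))
    erased = store.erase_patron("p2")
    return {"purged": purged, "p2_loans_in_export": len(export["loans"]),
            "erase_blocked_while_on_loan": blocked, "erased_loans": erased,
            "book1_count_after_erasure": store.item_loan_counts["book-1"],
            "patrons_left": sorted(store.patrons)}


def demo_register() -> List[str]:
    """Check two constructed register lines; only the second has gaps."""
    return register_gaps([
        ProcessingRecord("circulation records", "contract", 90, "GB"),
        ProcessingRecord("discovery search logs", None, None, "US"),
    ])


if __name__ == "__main__":
    print(demo_circulation())
    print(demo_register())
```

The design point worth noting is the split between identifying records and aggregate counts: because the loan counts never carry a patron identifier, the library keeps the statistics it needs for collection management while the retention purge and the erasure routine remove everything that identifies the reader. A real system would also log the erasure and purge events themselves (without the personal data) so that compliance can be demonstrated.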
Clearly, GDPR will usher in many changes, facilitating an overhaul of current data protection law.
But what is the current situation within library and information services and how will they be affected?
DATA PROTECTION SURVEY: ARE LIBRARIES READY FOR GDPR?
Despite good intentions from librarians, research into the level of data protection management in libraries has uncovered ‘a gap between theory and practice’.Footnote 16 Studies conducted over the last 25 years have been comparable in finding that the majority of library staff did not educate users about their rights, did not have a dedicated privacy or data protection policy and did not receive training.
It has been nine years since the latest study I could find which specifically surveyed library staff about data protection or privacy policies in libraries. In light of this, and with consideration of the imminent changes of the GDPR, it was apparent this topic was worth revisiting to explore any developments and determine if the new regulations have heightened awareness of data protection principles.
As a result, I decided to conduct a new survey of library staff following the methodology of previous research to establish the level of policies, training and awareness of data protection within the sector. I also hoped to gather opinions and perceptions of data protection legislation and review examples of current compliance to propose models of best practice. I designed the survey using Google Forms, selecting the questions in response to previous research and distributed it via JISC mailing lists and social media.
SURVEY RESULTS
The survey was open for a month and received 162 responses. The survey was dominated by the academic sector who made up 64% of respondents despite concerted efforts to increase responses from other sectors. Nearly half of all responses were from members of staff who have worked in the industry for sixteen years or more which may be indicative of greater concern for data protection amongst more senior staff with management responsibilities. Large organisations with over 100 LIS staff were most frequently represented and nearly all respondents had undertaken an LIS degree (93%) providing little basis for comparison by qualification.
To assess levels of knowledge or understanding of data protection, participants were asked to rate their awareness of current data protection law and of the incoming GDPR legislation at the start of the survey. The majority of respondents rated their awareness of current data protection law as average, but with a larger distribution amongst high or very high awareness. From this data it could be implied that awareness of data protection legislation has increased over the years and mirrors the trend of growing awareness of data protection issues discussed previously.
This contrasts strongly with the next question which asks participants to rate their awareness of GDPR. The majority of respondents (35%) rated their awareness as very poor, with a larger distribution of responses at the bottom end of the scale and a mean response of poor overall. Accordingly, comprehension of current data protection law does not equate to awareness of the new incoming legislation.
A key objective of the survey was to assess the level of data protection training or advice information professionals had received, as staff training is key to good practice and will become an integral feature of GDPR. Crucially, the survey sought to identify whether this had been delivered as part of the job or whether this knowledge was sought on the respondents' own initiative from supporting institutions such as professional associations or special interest groups. Interestingly, 62% of respondents reported having received data protection training within the workplace, compared to 14% who had only received training outside the workplace and 24% who had received neither. Again, this is a more positive response than that recorded by previous studies.
100% of those with least experience (0–2 years) in the sector had never received training or did not know if it was provided. This would indicate that data protection training does not form part of staff induction as all responses recorded a job title indicating at least some experience in the sector. Awareness of staff training increased with length of service highlighting the “ad hoc” nature of staff training.
Breakdowns of data protection training methods revealed that online training and staff presentations were equally popular formats.
This survey observed that 69% of participants reported that their organisation issued documentation such as guidelines or policies to staff compared to 6% who didn't issue any documentation. Whilst this is a favourable outcome compared to the previous findings, it is key to highlight that a quarter of all participants did not know whether any guidelines were available. Responses differed little amongst organisation size. 100% of respondents with 0–2 years' experience were not aware of any staff documentation implying this is not included in staff induction – awareness of staff guidelines or policies increased with length of service.
Respondents were asked how current the policies were to identify if data protection had become a recent trend due to influences such as GDPR, high profile data breaches reported in the media or growing concerns over user privacy. This survey found that 12% of policies were updated annually but most respondents did not answer or did not know. This may be because documentation was produced within the organisation rather than by library staff hinting that the number of library specific privacy policies would be much lower than the data revealed in the previous questions.
The questionnaire also asked participants to specify what sources they had consulted, as a tangible measurement of engagement as opposed to a more subjective impression of awareness. Sources included the legislation alongside industry guidelines and general journal articles. In contrast to previous studies, the highest number of participants had consulted the Data Protection Act itself, whereas library association guidelines were amongst the least consulted sources. Surprisingly, a similar number had also consulted the Information Commissioner's Office website and general journal articles; however, nearly 20% had not consulted anything.
As part of GDPR, all public authorities will be required to hire a Data Protection Officer. As a result, this study aimed to investigate how many staff were aware of a qualified individual within their organisations. Positively, this study found 71% were aware of an officer, 4% reported no officer and 25% did not know. Although this indicates an increase in the awareness of dedicated data protection staff, a sizeable percentage were not aware of an individual in their organisation who would be able to provide advice or expertise.
A clearly defined privacy statement or notice is best practice for organisations and will be a key element of GDPR. Participants were asked whether their organisations issued guidelines, policies or procedures to users and, if so, how these were made available and when they were updated.
44% were aware of data protection documentation for users or customers, compared to 9% who had no documentation and 48% who did not know.
Comparing the two results together, we can see a higher percentage of awareness for staff policies as we would expect but a concerning result that the majority of respondents did not know if privacy policies existed for users bearing in mind the requirement for one in GDPR.
In addition, when asked if they would like to receive more training and support regarding data protection, over 71% agreed or strongly agreed that more training was desired, with a small minority of only 6% who did not feel more training or support was necessary. The vast majority of respondents (89%) wanted to learn more about the changes in the new legislation, demonstrating interest in the incoming GDPR.
Participants were asked whether they felt data protection management was an important element of library and information services. Satisfyingly, the data showed that only 2% disagreed that data protection was an important element of library and information services, whilst an overall majority of 85% agreed or strongly agreed. 100% of those with least experience in the sector agreed or strongly agreed that library and information professionals should educate users about their privacy rights. Interestingly, the percentages of those who agreed or strongly agreed with the statement decreased with length of service, perhaps demonstrating higher enthusiasm amongst newer professionals than more senior members of staff.
DISCUSSION
It is noted that when directly compared to previous studies, this study delivered higher percentages for respondents who were aware of data protection legislation, had received training, were aware of data protection policies and had an appointed data protection officer. However, finer details including how often policies were updated and whether the organisation was registered under the act produced fewer positive responses.
Although the majority of participants felt their awareness of data protection was above average at the start of the study, when asked to rate their confidence in their level of knowledge towards the end, the mean response was between poor and average. In addition, the vast majority either agreed or strongly agreed that they would like to receive more training and support regarding data protection.
For GDPR, the level of awareness was even lower and an overwhelming majority wanted to learn about the new incoming legislation.
The majority of respondents stated they had access to data protection documentation such as guidelines for staff or privacy policies for users, giving a positive impression of an informed profession. However, further questioning on particulars such as how often policies are updated revealed that few respondents were aware of the details.
SO, ARE LIBRARIES READY FOR GDPR?
Overall, the survey results provided a more positive picture than previous research suggested. The majority of respondents were aware of the existing legislation, knew of the incoming legislation and several of the key aspects. It seems there has been increased awareness of data protection amongst library staff.
Despite offering front line services, librarians appear to have little input with key aspects of data protection law, relying on the external organisation to provide the relevant policies, training and safeguarding.
In relation to GDPR, library staff seem aware of gaps in their knowledge and express enthusiasm for learning more, but require more training and engagement from management.
Below are some examples of data protection management that library staff in particular can be aware of:
• Identify who in the organisation is responsible for data protection or information governance.
• Review any records management policies surrounding the handling of patron details, circulation records or reservation requests. Are details written down on paper or filed as documents? If so, are they stored in locked cabinets? How long are details kept for and are they destroyed securely, i.e. shredded rather than just thrown in the bin?
• Ensure patron details are only accessed by those in the organisation who require access to perform their duties. Ensure passwords or logins are not written down or kept next to the computer. Ensure screens are always locked when staff leave the computer. Consider privacy screens or adjusting the angle of screens to hide patrons' personal information from readers.
• Review systems such as Library Management Systems – is data such as borrowing or search histories recorded? Is data transferred outside of the EU? How long is information recorded for?
• Review privacy policies of third party vendors and the storing of data via back up files, web servers and use of encryption.
• Ensure privacy notices and contact details of the data protection or information compliance department are clearly accessible via your website, for example by a link on your homepage.
• Promote patron privacy, for example ensuring there are notices warning if any CCTV is in operation or displaying guidelines on how to disable cookies or browsing histories.
• Ensure staff are trained and aware of procedures for not disclosing patron information.
• Prevent data security breaches through awareness of phishing scams, viruses and malware and make sure staff know who to report a breach to.
• Remember that patrons have a right to access any information about them including records and emails, so only document the necessary details and nothing more.
• Seek advice from professional associations, mail lists or interest groups to gain and share knowledge and awareness.