Now that WA restaurants have to keep logs w/customer names & contact information, I'm wondering when libraries are going to be asked by the gov to have a similar log for anyone visiting the library as part of the reopening process.
I might have a thing or two to say about that.
I might have a thing or two to say about that.
This restaurant log is mainly for contact tracing, which is a tried and true way of reducing infections in a population in previous outbreaks.
However, that doesn't erase the fact that the restaurant now has more data on their customers that they wouldn't have had before.
However, that doesn't erase the fact that the restaurant now has more data on their customers that they wouldn't have had before.
Now imagine that a library was asked to keep a patron visitor log for contact tracing.
Depending on the state's library confidentiality laws, this information is protected from disclosure. But again, the library now has created a paper trail of a patron's use of the library.
Depending on the state's library confidentiality laws, this information is protected from disclosure. But again, the library now has created a paper trail of a patron's use of the library.
Current data privacy and security practices at libraries vary widely. The paper log could be securely stored in a locked cabinet in a locked office... or it could be sitting behind the circulation desk on a shelf for anyone to access.
And that's just the beginning.
And that's just the beginning.
What data is the library collecting? Name, barcode, phone number, address?
What happens if this data is entered into a spreadsheet on a local work computer? A database that lives in a 3rd party cloud service?
What starts out with a paper log fast becomes a privacy nightmare.
What happens if this data is entered into a spreadsheet on a local work computer? A database that lives in a 3rd party cloud service?
What starts out with a paper log fast becomes a privacy nightmare.
All of that comes from a request from local authorities to do *manual* contact tracing.
When tech companies start collecting data from contact tracing apps, the library has very little recourse in protecting the patron's right to privacy (in this case just visiting the library).
When tech companies start collecting data from contact tracing apps, the library has very little recourse in protecting the patron's right to privacy (in this case just visiting the library).
And all of *gestures widely at everything* privacy mess around contact tracing is only the beginning.
The other big can of privacy worms is patron health data.
Some people might not be aware that libraries are now collecting patron health data as part of the reopening process.
The other big can of privacy worms is patron health data.
Some people might not be aware that libraries are now collecting patron health data as part of the reopening process.
Some libraries, such as The Seattle Public Library, are having library staff conduct medical screening surveys of any patrons wanting to enter the building - durkan.seattle.gov/2020/04/seattl…
Again, once you collect the data, there's the risk of harm through a data breach or leak.
Again, once you collect the data, there's the risk of harm through a data breach or leak.
There are a number of privacy concerns with any collection of patron data, but adding health data to the mix just makes those concerns that more worrisome.
I've addressed some of these concerns at chooseprivacyeveryday.org/when-libraries…
I've addressed some of these concerns at chooseprivacyeveryday.org/when-libraries…
<IANAL>
One thing that folks keep saying is that any type of health data is protected by HIPAA.
Unless you're working in a medical library that fits HIPAA's definitions of a covered entity or business associate, that health data isn't protected under HIPAA.
</IANAL>
One thing that folks keep saying is that any type of health data is protected by HIPAA.
Unless you're working in a medical library that fits HIPAA's definitions of a covered entity or business associate, that health data isn't protected under HIPAA.
</IANAL>
It's safe to assume that most libraries do not have the data privacy/security policies, procedures, & infrastructure in place to meet HIPAA requirements.
If you're considering collecting patron health data, you need to take a long, hard look at your library's data protections.
If you're considering collecting patron health data, you need to take a long, hard look at your library's data protections.
Even if you decide to collect the data - does this data fall under your state's library confidentiality laws?
How about public records request regulations? I know of at least one time where patron medical data was released through a public records request.
How about public records request regulations? I know of at least one time where patron medical data was released through a public records request.
[Related PSA - limit use of staff email to collect, store, or share individual patron data, including any health-related data. Staff email is subject to public records requests.]
I know I keep opening up multiple cans of privacy worms in this thread, but this is EXACTLY WHAT YOU ARE DOING if your library goes anywhere near collecting patron data for contact tracing or COVID-19 related medical screenings.
Tying up the general data privacy thread here with another thread about contact tracing and privacy, ICYMI -
