Tag Archives: data protection

EuroDIG 2021: Takeaway messages for libraries

The 2021 edition of the European Dialogue on Internet Governance offers an opportunity to take stock of recent developments in the policies and practices within the digital ecosystem which can be of interest and impact libraries in Europe – and around the world.

1)    Moving ahead to champion Open Science

Open Science, particularly its digital dimensions, was among the key topics of interest in this year’s EuroDIG. Noting the many helpful local, regional and international (e.g. discipline-specific) open science initiatives, UNESCO and other stakeholders discussed the value of developing a comprehensive shared definition and normative approach; and UNESCO itself offered an update on its draft Recommendation on Open Science.

Here, a summary of key points raised by various stakeholders and Member States during the UNESCO consultation (to which IFLA also contributed) included references to the importance of infrastructure (e.g. internet connectivity), of Open Science monitoring, and of non-profit and sustainable services and infrastructures to support Open Science in light of the risks of commercial monopolisation. In November 2021, the draft Recommendations are due to be submitted to the UNESCO Geneva Conference with a view to their adoption, followed by anticipated adoption among Member States.

Open Data. A closely related topic which may be interesting for libraries working in this area is open data – particularly how to open and share data which is more sensitive and requires further safeguards. Noting the current legal provisions which govern the lifecycles and usage of such data (e.g. laws such as the General Data Protection Regulation), the speakers pointed out some of the existing and possible approaches which can help enable such data-sharing to take place securely in practice. These include, for example, various licensing models, or setting out rules on access to such sensitive data – e.g. for specific purposes, or to limited types of stakeholders.

This discussion also pointed to the importance of investing in infrastructural support, education, and awareness-raising, to help researchers navigate the questions around opening sensitive data. These discussions are of course highly relevant for libraries offering support or training on research data management, licensing or copyright for their institutions.

2)    Online learning: where do we stand today?

Digital divides and inequalities. The 2021 EuroDIG also offered an opportunity to reflect on the lessons learned from the rapid shift to digital in learning and education, which has taken place in many parts of the world over the past year. One of the most prominent challenges here is, of course, the widely-noted digital divide – inequalities in access to suitable connectivity or devices (or even suitable spaces) for learners, and the ability to use them effectively.

The social element. The social dimension of learning is another consideration – with concerns expressed over the possible impacts of all-digital learning on students’ social interactions and wellbeing. Some survey data suggests, for example, that parents reported positive impacts of remote learning for students’ math and reading competencies – but see it as having a more negative impact on their social skills. This raises the question of whether it is possible to leverage existing (and develop new) applications and digital mediums to further promote meaningful interaction and wellbeing.

These points relate to the questions many libraries themselves have been grappling with since they introduced virtual programming to support learning and social interaction for children – from storytimes to creative workshops or clubs.

Platforms, walled gardens, educational content discoverability. Another part of the discussion focused on digital learning platforms and tools themselves. Here, stakeholders noted that it is crucial for platforms to not only optimise learning – but to also take fully into account learners’ digital autonomy, digital self-determination, privacy and ethics.

Another consideration is the  “walled gardens” of some commercial learning platforms – those characterised by limited interoperability and a lack of access to their learning materials from outside of the platform (e.g with access cut off once a course ends). For libraries, this latter point relates to their own concerns over equity and availability of access to digital learning materials. One of the draft take-away messages also highlights the importance of tools that increase the discoverability of educational content across the various available platforms.

3)    Privacy and data protection – not an obstacle to productivity

Built-in privacy. Another well-noted impact of rapid digitalisation is the immense increase in the amount of data being generated and collected in the process. Naturally, this puts into the spotlight questions around data privacy (especially for personal data) and data protection.

This echoes some of the questions libraries themselves had to answer during the pandemic – which platform can be used for virtual programming? How to minimise data collection? What initiatives targeting particular user groups are possible?

Some of the suggested measures to address these concerns included clear internal policies and processes which build in privacy at the outset, increased transparency and accountability, and, importantly, actively promoting the idea that “data protection is not an obstacle to productivity and innovation”.

Digital skills. Another element that can help preserve privacy and data security is, of course, learning – both for staff members (to help guide internal processes) and users (to help understand and navigate their own use of the internet – e.g. online financial services). This will be familiar to many in the library field who are increasingly focused on supporting digital literacy and confidence within their communities.

4)    Paths towards a greener digital future

The complexity of the relationship between the ongoing digital transformation and environment and sustainability is, of course, well-noted. Technology has immense potential to help track and mitigate today’s environmental challenges. Yet it also contributes to these challenges in various ways, from energy consumption and resource extraction to e-waste.

A part of the EuroDIG discussions dedicated to environmental sustainability focused on a broader public perspective: the impacts of lifestyles and consumption patterns around technology.

As such, one of the key needed changes the participants highlighted were policies, practices and infrastructure facilitating the reuse and repair of technology. Another important element was raising public awareness and education, to enable communities to make sustainable choices – which also requires access to quality information and transparency about technology.

Such questions are of course of interest for libraries: from public procurement, to repair workshops held in libraries, to raising awareness about sustainable consumption patterns.

A related point focused on the link between sustainability and equality of access. Here, it can be worthwhile also to examine models of access that support equitable digital inclusion while keeping the number of new devices entering circulation lower (whether it is distributing refurbished technology, free public access to ICT, and others).

These are just some of the discussions from the 2021 EuroDIG which can be worthwhile and interesting for libraries to keep track of – with more sessions exploring questions around freedom of expression and content moderation practices online, formal and informal media literacy learning practices, and more.

You can take a look at the draft EuroDIG2021 takeaway messages, access all session recordings, and stay engaged with internet governance discussions to share insights, perspectives and good practices from across the global library field!

GDPR, three years on: five lessons on data privacy and libraries

When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in major changes in the policy dialogue and practice around data privacy – both inside the EU and globally. Three years on, libraries continue to work to uphold their ethical commitments to privacy in the evolving policy landscape.

The GDPR’s third anniversary gives occasion to reflect on the progress made so far, where discussions on data privacy, confidentiality and security stand today, and the implications of this for libraries. This blog presents five lessons:

1) Change is afoot, in Europe and beyond: The oft-cited trend of an emerging new generation of privacy laws continues; with legislation introduced, amended or currently under review in different parts of the world – from Canada to Brazil, Singapore to Australia.

In addition, with the ‘Privacy Shield’ framework for data exchange between the EU and the USA overturned, policy discussions around the privacy and security of cross-border data flows also remain high on the agenda. As such, mutual adequacy decisions and other arrangements further shape the global and local policy environments around data privacy.

Within Europe, Stakeholders are paying close attention to the outcomes of the implementation and ongoing enforcement of these policies. On the one hand, the past months saw a sustained growth in the number of breach notifications submitted and fines issued within the GDPR framework.

On the other hand, as a recent GDPR implementation progress report by Access Now notes, many complaints from private individuals are yet to be addressed; and data protection authorities and EU bodies flag some crucial challenges in enforcement – e.g. in the cross-national collaboration mechanism, national differences in implementation, and others.

The report highlights that GDPR is ‘still in its infancy’; but it is a flagship regulation that continues to have a significant impact on the global data privacy policy field. As such, for libraries around the world, it is worthwhile to keep up with these key developments as they continue to navigate their work with user (and employee) data.

2) It is not only governments that are changing their approaches: another emerging trend is private tech companies increasingly stepping into the roles of data protection stakeholders, and changing how online data flows unfold – e.g. with Apple’s software update and Google’s planned steps to reduce third-party tracking.

However, the reactions to these seem to be mixed – some celebrate the anticipated privacy gains, others express concerns over big tech having far-reaching capacity to act as data privacy regulators, and in particular whether private companies can ever be as accountable as public regulators. This does also raise questions about whether those companies already able to draw on the lessons of previous data collection will enjoy unfair advantages compared to competitors. Others noted that the benefits from privacy measures introduced by private companies may not be distributed equally – for example, with those who are able to afford more expensive devices ultimately enjoying higher privacy standards.

3) The relevance of GDPR and other privacy protections is greater than ever, including in libraries: it was under the framework of GDPR that the leap to digital during the pandemic took place. There are examples of how it helped inform the choice of medium for online programming (e.g. ruling out some channels, like WhatsApp). There are also examples of GDPR having an impact on whether some initiatives – like organised outreach to potentially vulnerable library users – were on the table.

But of course, as privacy remains an important consideration in many public discussions during the pandemic (e.g. contact tracing, vaccine passports), for countless librarians there is a heightened sense of responsibility and vigilance around data privacy.

As such, the year saw professional discussions, guides and toolkits put together to help libraries navigate privacy challenges during the pandemic – from contact tracing and temperature checks to supporting educators in protecting student privacy online.

When planning these adjustments and responses, going back to the basics – understanding the key building blocks of privacy today – can be helpful. For example, GDPR has helped shape the understanding of what personal data encompasses today – e.g. not just the obvious categories like names and addresses but also, for instance, graphic and photographic data, and so much more. It commits to principles like data minimisation – a concept which wasn’t new to libraries, of course, but nonetheless helpful in thinking about any organisation’s data management processes, and reducing risks and harms. All these elements and concepts can be helpful for libraries in structuring their thoughts on what privacy means today – even for those not falling under GDPR’s jurisdiction.

4) But it’s not always easy to enforce privacy: some of these measures are, of course, a matter of internal processes and are comparatively easier for libraries to implement (e.g. choosing a medium for online programming; maintaining strict policies and procedures in situations when contact tracing is required).

However, the past months also saw reflections on how it is significantly more difficult for libraries to keep up privacy standards, initially developed in an analogue world, in digital processes which involve powerful third parties.

These were exemplified in the library concerns around the surveillance capacities of academic library vendors (e.g. the ways vendors may use library patron data far beyond anticipated purposes, or even proposals for more intrusive data collection in academic libraries to enforce copyright).

Some of the proposed paths to solving these challenges include, of course, better understanding these phenomena, and supporting libraries’ work to renegotiate or recalibrate relationships and agreements with outside vendors.

5) Privacy and performance should not be seen as mutually exclusive: too often, it is easy to see privacy as a zero-sum game. However, this is not inevitable.

This was echoed during the discussions about public health interventions reliant on large-scale data collections: trading away privacy for other benefits is not always a helpful framing. Instead, built-in privacy which preserves and ensures trust in such public health interventions can help them find broader acceptance, while a lack of trust can undermine their success.

As a Data Privacy Toolkit by the Pacific Library Partnership puts it in the library context,

“Positive-sum verses “all or nothing” outcomes: taking a “we can have privacy or we can have this other thing” approach to privacy discussions leaves little to no room for discussions that address the privacy needs and concerns of everyone involved.”

 

The discussion about data privacy, of course, remains both technical and complex, and can at times feel overwhelming. But between ongoing efforts to identify practical measures libraries can take, their advocacy efforts, and an overarching commitment to privacy as a key part of their professional ethics, the work to ensure libraries deliver on this commitment continues!

Data Privacy Day 2021: Standing by Key Library Values in Challenging Times

28 January marks the annual Data Privacy Day, dedicated to raising awareness and celebrating this crucial right in communities across the globe. The past year saw important shifts and developments in discourses around privacy – and now is a good time for libraries to reflect and consider next steps.

Where does privacy discourse stand at the beginning of 2021?

Data protection, privacy and security continue to be among the key elements of discussions around how we should govern and regulate the internet and other digital technologies. Over the past months, significant developments in this area include:

  • The growing new generation of privacy laws and regulations around the world. The way in which the personal data of more and more of the world’s population is collected, stored and used is now subject to new privacy regimes which attempt to respond to a digital world. A recent report by Internet & Jurisdiction and ELAC, for example, points out that in Latin America and the Caribbean alone, there are several states reforming or modernising their data protection legislation or discussing bills at present. 2020 saw a new privacy act in New Zealand and the entry into force of the Californian Consumer Privacy Act, and more legislative measures can be expected around the world.
  • Data privacy considerations of COVID responses. Of course, measures taken to try to slow the spread of the COVID-19 pandemic have also been at the heart of the discussion on data privacy.

Looking at this issue through a human rights lens, the UN Human Rights Council Special Rapporteur on the Right to Privacy recently examined two key privacy aspects of pandemic responses – data protection and surveillance. While the report clarifies that much more data is needed to assess the necessity and proportionality of various measures, it is nevertheless crucial to keep in mind the dangers of non-consensual methods and the danger of function creeps – including in technology-based responses.

  • Privacy and the ‘leap to digital’. And of course, there is the broader reality of a rapid ‘leap to digital’ that many countries experienced during the pandemic, with the urgency of moving online risking coming at the expense of a full exploration of the implications of the choices made. From organisations and businesses grappling with the data privacy implications of remote work, schools and others needing to bear in mind what leaving cameras on during lessons could reveal about pupils and teachers alike; and to social, leisure or study activities that people carry out online – all these raise important considerations.

Libraires, of course, have fully felt the impacts of these trends. Librarians, just like the communities they serve, have faced the trends set out above, in particular as regards the need to shift to working from home – with all the staff data privacy implications this entails. For those remaining open, some have been asked or required to collect, store and process health and/or visitor data.

Many have broadened their offering of digital materials for users to lend, which emphasises the importance of longstanding discussions about third party vendor privacy policies – for example around the data that publishers and others collect about how readers use materials.

Already in the first half of the year, patron privacy considerations were particularly pressing for school and academic libraries, with urgent questions around student data and remote learning.

Similarly, other efforts – from online storytimes to homework help – all come with crucial choices on how to protect patron privacy.

The global library field responds. When faced with these questions, the library field has seen a vast array of active and vigilant responses. Libraries have spoken out about the importance of patron privacy – from the Japanese Library Association’s Intellectual Freedom Committee to CILIP’s Policy Statement on COVID-19 that highlights, inter alia, the importance of upholding the right to privacy when implementing measures to curb the spread of the pandemic.

Members of the global and national library fields – e.g. in Italy, the US and Czechia – collected and disseminated useful information, including suggestions and ideas on how to navigate privacy considerations during the pandemic. They also shared practical guidance, key questions and good practices around the new patron privacy considerations.

Standing by key library values. It is encouraging to see that libraries continue to be strong privacy champions and advocates even in these times, finding more ways to support the privacy and digital wellbeing of their communities.

From Singapore to the Netherlands, we have seen traditional online safety and security skills support programmes migrate online – for example, as published tip-sheets or courses, or live webinars. New ideas are being explored – from awareness-raising virtual exhibits to the potential of a library VPN for patrons.

Ensuring library capacity and resources – a key priority. These responses demonstrate the evolving application of twin library priorities – safeguarding patron data in library processes, and helping build their communities’ awareness and skills to defend their own privacy, outside of library environments. However, as the past year showed,  the new circumstances – particularly the shift to digital – raise challenging new questions and demands.

News from Finland, for example, points out that many libraries need to address patron privacy in new ways – including questions which may require legal advice. Similarly, Public Libraries Victoria discusses libraries’ experiences with helping seniors navigate online services –  a crucial part of their offering; however, the shift to digital here can also put increased pressure on library staff in navigating complex privacy questions when offering hands-on support.

This highlights the importance of making sure that libraries have the capacity and resources to carry out these tasks. This includes, inter alia, IT resources – since cybersecurity and data privacy and fundamentally linked. As libraries face new and increasing tasks and duties – to meet the demand and expand digital offerings while maintaining data privacy and security – it is crucial that they have the resources to do so.

 

Many key challenges and developments of 2020 continue to impact the work of libraries around the world. As they continue to face these, libraries maintain their support and ethical commitment to privacy – and we look forward to another year of active dialogue and exchange of good practices in support of data privacy!

The EU General Data Protection Regulation, Two Years On

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force in the EU. This marked a fundamentally new approach to data protection, privacy, security and user rights. Naturally, libraries as controllers of user data – patron registration data, library website uses, and much more – saw new obligations, responsibilities and processes that they needed to implement. Two years on, where does GDPR stand, and how will it continue to impact the library field?

The implementation and enforcement of GDPR has given rise to a flurry of activity over the past two years. Access Now points out that more than 140000 complaints have been submitted between May 2018 and May 2019 alone. Those found guilty of breaching its provisions have been held to account, with 231 fines or other sanctions levied over the past two years.

Indeed, just a few days ago, the Irish Data Protection Commissions issued a draft decision regarding Twitter’s GDPR compliance, moving closer towards the completion of a major cross-border GDPR case. Earlier, national authorities have already administered fines to Facebook, Google and WhatsApp; and several countries across the world introduced data privacy legislation inspired by GDPR or the global conversation it had launched.

Nonetheless, despite these arguably positive stories of authorities acting to protect privacy,  the Access Now report also points out the challenges that GDPR implementation has faced – such as the resource constraints Data Protection Authorities may face or the challenges of cross-border cases. Similarly, in their Open Letter marking the second anniversary of GDPR, European Digital Rights calls for more action to address the GDPR enforcement gaps.

Keeping Up with Events

The timing is helpful. A formal review of GDPR is due for its second anniversary. In addition, the area of data regulation will likely see more significant activities in the coming months and years. Just a few months ago, the European Commission led by Ursula van der Leyen has unveiled an ambitions EU Data Strategy, which will aim to facilitate data flows throughout the EU and enable broader use of data in services and products.

As a result, in 2021, Europe can expect a proposal of an EU Data Act; which will of course be linked to GDPR when it comes to such questions as data sharing and user rights (e.g. portability).

Of course, the current pandemic has also raised questions pertaining to GDPR. The COVID crisis has, for example, prompted questions about the more extensive use of health data for research purposes, employee data, or tracing applications and geolocation – and how these relate to the privacy and security protections guaranteed by GDPR rules.

The European Data Protection Supervisor has reiterated that GDPR is designed to be a broad legislation, with rules and regulations which are applicable to crises situations such as this. Nonetheless, there will be a lot of value in an evaluation of the degree to which violations of the right to a private live have been justifiable, and whether tougher or clearer rules are necessary.

Libraries and GDPR, looking ahead

This points us to the question of what these developments can mean for libraries. With the demand for digital library offerings and services surging during COVID, it is particularly important to keep in mind the need to at all times ensure the privacy and security of user data that such activities generate.

GDPR highlights the importance of “privacy by design”, meaning that privacy and security measures are taken into consideration and embedded into the design of new data processing operations from the outset. Similarly, data controllers need to ensure the privacy and security of users’ data when making use of any new third-party platforms or services.

If you are introducing new digital services or processes to your library, it’s crucial to consider whether these might entail collecting any new personal data, or processing it differently. On what grounds would the new data be processed? Are third party suppliers also respecting privacy?

We are yet to see the long-term impact of the pandemic on library services – including the question of whether this large-scale shift to digital will be sustained. In the meantime, it is crucial for libraries to continue putting privacy and security first in any new services or offerings, and keep an eye on any possible future legislation in the field of data regulation!

Why Privacy Matters, For Everyone: Chose Privacy Week 2019

Choose Privacy Week was initiated by the American Library Association to draw attention to the importance of privacy, and what people can do about it. It is a great opportunity to learn about the important role librarians play in achieving this.

This year’s theme of Choose Privacy Week is “Inclusive Privacy: Closing the Gap”, and raises awareness of the privacy inequities imposed on vulnerable and historically underrepresented groups. It highlights how libraries can close the privacy gap for those who need it most.

Why Privacy Matters

Privacy is of course a right. As set out in Article 12 of the Universal Declaration of Human Rights, people should be able to live free of arbitrary interventions in their private life.

There is a good reason for this. The possibility to have a private life is central to much of what makes us human. In particular, it gives us the freedom to think, speak and access information freely.

IFLA’s submission to the UN Special Rapporteur on Privacy stresses this point, underlining that without privacy, there can be a powerful chilling effect on creativity and innovation.

Privacy has traditionally been seen as a means of protecting the individual against efforts by states to import control. However, increasingly, it is privacy in the face of companies that is coming to the fore.

Data collection has never been easier, and the companies whose services we use are increasingly able to draw conclusions about us on the basis of what they see. Indeed, many of these conclusions may reveal traits and preferences of which we are not necessarily conscious ourselves.

Clearly advertising has done this for years, but the possibility to do so in such a targeted, individual manner is new.

If this was only about advertising, it would not necessarily be so important, although clearly still has a certain ‘creepiness’ factor. However, more is at stake. It can also shape the content we see on line – which stories, posts or search-results are promoted.

Ironically, perhaps, the effort to personalise services comes at the cost of individuality and privacy, as a coded version of your personality is constructed, held on a server somewhere, and then used.

This is not just an issue on social media, but also in the research space. With efforts to move from institutional to personal log-ins to academic articles, the possibility for publishers and platforms to monitor use, and make their own efforts to tailor results and experience also arise.

This is a problem, because it means that we cannot assume that the person next to us is seeing the same thing as we would. Moreover, given that the algorithmic version of your personality can only work on the basis of past data, it does not allow for you to change in the future, potentially locking you into a particular set of preferences and interests.

 

Privacy Can’t Be A Luxury

Yet privacy – and the need for privacy – may not be equally distributed or equally shared.

A first challenge is for people who belong to a vulnerable or marginalised group. In many cases, they may feel the need to hide what it is that makes them unique, given political, cultural or social pressures in the society around them.

The internet has been a major source of support for many in this position, given the possibility to connect to those in a similar situation elsewhere, without having to use what may be a hostile public space.

To have these characteristics and interest coded and used to shape advertising and online experience (and potentially even inform governments) takes these gains away.

There may also be challenges for people on lower incomes, who may, for example, be more reliant on smart phones to access the internet (which pose a number of privacy concerns).

They can also be obliged to share more personal information anyway online in order to apply for government services or other programmes. A 2017 study on privacy, poverty and big data by Data & Society reveals some key trends.

Add to this stories of internet subscribers being asked to pay more for a privacy-friendly connection, or the fact that more expensive phone brands are using privacy as a selling point, and the potential connection between income and the right to a private life becomes clear.

Finally, there is often not a connection between the risks faced, and the ability to do something about it.

Recent privacy legislation, such as the General Data Protection Regulation in the European Union, gives important new rights to individuals. The success of this depends on people being sufficiently skilled and motivate to choose privacy.

Yet is seems clear that even where there is awareness, there may not be the skills – or even the attitude – necessary to act on it. As the Data & Society study shows, while there is demand, people with less money, less time, and less education may feel helpless in the face of companies and government agencies.

This is just as true in the case of right to be forgotten cases. While there is certainly a place for such rules in protecting people against unfair, irrelevant or incorrect information about them being found through search results, the risk is that it becomes a tool for those in positions of power to ‘edit’ the historical record.

 

How Libraries Can Help

A year ago IFLA and the FAIFE Committee used the momentum of the Chose Privacy Week to bring awareness to how personal data ownership affect libraries and library users and offered practical steps that individuals can take to keep their private lives private in regards to the General Data Protection Regulation.

A year after, there is still a need to work to ensure that everyone really is aware of, skilled and motivated to use their choice of privacy.

Libraries have an expertise in information management, and a responsibility to help others develop their own information literacy skills. With more and more library resources found online, libraries can not only offer a means of accessing information and expressing yourself in as private a way as possible, but can encourage privacy-friendly behaviours in their users’ own lives.

In short, the library is not only a trusted source of information but also a community support and can “close the privacy gap” for its users by providing a safe space, training and resources to help them take control of their private lives and data.

Here are a few steps that you can take to ensure the users privacy:

  • Make use of the privacy guidelines for libraries. In 2016, IFLA published the IFLA Statement on Privacy in the Library Environment. The Statement is intended to give guidance to libraries and information services in an environment that includes mass surveillance by governments and routine user data collection by commercial interests that provide content or services through the Internet.
  • Reduce data traces online. Greater care in choosing privacy settings, and simply better data hygiene can all help. And there are great tools such as the Data Detox Kit already available.
  • Apply tools to protect user privacy. ALA has created a list of resources on relevant tools, you can find the list here, while Scottish PEN has a Libraries for Privacy Toolkit.
  • Watch presentations and webinars on the subject. You can learn a lot by watching webinars such as the IFLA webinar on the GDPR, or the ALA video on raising privacy awareness in your library.
  • Help raise awareness throughout Chose Privacy Week!