Tag Archives: ethics

GDPR, three years on: five lessons on data privacy and libraries

When the General Data Protection Regulation (GDPR) came into force in 2018, it ushered in major changes in the policy dialogue and practice around data privacy – both inside the EU and globally. Three years on, libraries continue to work to uphold their ethical commitments to privacy in the evolving policy landscape.

The GDPR’s third anniversary gives occasion to reflect on the progress made so far, where discussions on data privacy, confidentiality and security stand today, and the implications of this for libraries. This blog presents five lessons:

1) Change is afoot, in Europe and beyond: The oft-cited trend of an emerging new generation of privacy laws continues; with legislation introduced, amended or currently under review in different parts of the world – from Canada to Brazil, Singapore to Australia.

In addition, with the ‘Privacy Shield’ framework for data exchange between the EU and the USA overturned, policy discussions around the privacy and security of cross-border data flows also remain high on the agenda. As such, mutual adequacy decisions and other arrangements further shape the global and local policy environments around data privacy.

Within Europe, stakeholders are paying close attention to the outcomes of the implementation and ongoing enforcement of these policies. On the one hand, the past months saw a sustained growth in the number of breach notifications submitted and fines issued within the GDPR framework.

On the other hand, as a recent GDPR implementation progress report by Access Now notes, many complaints from private individuals are yet to be addressed; and data protection authorities and EU bodies flag some crucial challenges in enforcement – e.g. in the cross-national collaboration mechanism, national differences in implementation, and others.

The report highlights that GDPR is ‘still in its infancy’; but it is a flagship regulation that continues to have a significant impact on the global data privacy policy field. As such, for libraries around the world, it is worthwhile to keep up with these key developments as they continue to navigate their work with user (and employee) data.

2) It is not only governments that are changing their approaches: another emerging trend is private tech companies increasingly stepping into the roles of data protection stakeholders, and changing how online data flows unfold – e.g. with Apple’s software update and Google’s planned steps to reduce third-party tracking.

However, the reactions to these seem to be mixed – some celebrate the anticipated privacy gains, others express concerns over big tech having far-reaching capacity to act as data privacy regulators, and in particular whether private companies can ever be as accountable as public regulators. This does also raise questions about whether those companies already able to draw on the lessons of previous data collection will enjoy unfair advantages compared to competitors. Others noted that the benefits from privacy measures introduced by private companies may not be distributed equally – for example, with those who are able to afford more expensive devices ultimately enjoying higher privacy standards.

3) The relevance of GDPR and other privacy protections is greater than ever, including in libraries: it was under the framework of GDPR that the leap to digital during the pandemic took place. There are examples of how it helped inform the choice of medium for online programming (e.g. ruling out some channels, like WhatsApp). There are also examples of GDPR having an impact on whether some initiatives – like organised outreach to potentially vulnerable library users – were on the table.

But of course, as privacy remains an important consideration in many public discussions during the pandemic (e.g. contact tracing, vaccine passports), for countless librarians there is a heightened sense of responsibility and vigilance around data privacy.

As such, the year saw professional discussions, guides and toolkits put together to help libraries navigate privacy challenges during the pandemic – from contact tracing and temperature checks to supporting educators in protecting student privacy online.

When planning these adjustments and responses, going back to the basics – understanding the key building blocks of privacy today – can be helpful. For example, GDPR has helped shape the understanding of what personal data encompasses today – e.g. not just the obvious categories like names and addresses but also, for instance, graphic and photographic data, and so much more. It commits to principles like data minimisation – a concept which wasn’t new to libraries, of course, but nonetheless helpful in thinking about any organisation’s data management processes, and reducing risks and harms. All these elements and concepts can be helpful for libraries in structuring their thoughts on what privacy means today – even for those not falling under GDPR’s jurisdiction.

4) But it’s not always easy to enforce privacy: some of these measures are, of course, a matter of internal processes and are comparatively easier for libraries to implement (e.g. choosing a medium for online programming; maintaining strict policies and procedures in situations when contact tracing is required).

However, the past months also saw reflections on how it is significantly more difficult for libraries to keep up privacy standards, initially developed in an analogue world, in digital processes which involve powerful third parties.

These were exemplified in the library concerns around the surveillance capacities of academic library vendors (e.g. the ways vendors may use library patron data far beyond anticipated purposes, or even proposals for more intrusive data collection in academic libraries to enforce copyright).

Some of the proposed paths to solving these challenges include, of course, better understanding these phenomena, and supporting libraries’ work to renegotiate or recalibrate relationships and agreements with outside vendors.

5) Privacy and performance should not be seen as mutually exclusive: too often, it is easy to see privacy as a zero-sum game. However, this is not inevitable.

This was echoed during the discussions about public health interventions reliant on large-scale data collections: trading away privacy for other benefits is not always a helpful framing. Instead, built-in privacy which preserves and ensures trust in such public health interventions can help them find broader acceptance, while a lack of trust can undermine their success.

As a Data Privacy Toolkit by the Pacific Library Partnership puts it in the library context,

“Positive-sum versus ‘all or nothing’ outcomes: taking a ‘we can have privacy or we can have this other thing’ approach to privacy discussions leaves little to no room for discussions that address the privacy needs and concerns of everyone involved.”

 

The discussion about data privacy, of course, remains both technical and complex, and can at times feel overwhelming. But between ongoing efforts to identify practical measures libraries can take, their advocacy efforts, and an overarching commitment to privacy as a key part of their professional ethics, the work to ensure libraries deliver on this commitment continues!

Data Privacy Day 2021: Standing by Key Library Values in Challenging Times

28 January marks the annual Data Privacy Day, dedicated to raising awareness and celebrating this crucial right in communities across the globe. The past year saw important shifts and developments in discourses around privacy – and now is a good time for libraries to reflect and consider next steps.

Where does privacy discourse stand at the beginning of 2021?

Data protection, privacy and security continue to be among the key elements of discussions around how we should govern and regulate the internet and other digital technologies. Over the past months, significant developments in this area include:

  • The growing new generation of privacy laws and regulations around the world. The way in which the personal data of more and more of the world’s population is collected, stored and used is now subject to new privacy regimes which attempt to respond to a digital world. A recent report by Internet & Jurisdiction and ELAC, for example, points out that in Latin America and the Caribbean alone, there are several states reforming or modernising their data protection legislation or discussing bills at present. 2020 saw a new privacy act in New Zealand and the entry into force of the Californian Consumer Privacy Act, and more legislative measures can be expected around the world.
  • Data privacy considerations of COVID responses. Of course, measures taken to try to slow the spread of the COVID-19 pandemic have also been at the heart of the discussion on data privacy.

Looking at this issue through a human rights lens, the UN Human Rights Council Special Rapporteur on the Right to Privacy recently examined two key privacy aspects of pandemic responses – data protection and surveillance. While the report clarifies that much more data is needed to assess the necessity and proportionality of various measures, it is nevertheless crucial to keep in mind the dangers of non-consensual methods and the danger of function creep – including in technology-based responses.

  • Privacy and the ‘leap to digital’. And of course, there is the broader reality of a rapid ‘leap to digital’ that many countries experienced during the pandemic, with the urgency of moving online risking coming at the expense of a full exploration of the implications of the choices made. From organisations and businesses grappling with the data privacy implications of remote work, to schools and others needing to bear in mind what leaving cameras on during lessons could reveal about pupils and teachers alike, to social, leisure or study activities that people carry out online – all these raise important considerations.

Libraries, of course, have fully felt the impacts of these trends. Librarians, just like the communities they serve, have faced the trends set out above, in particular as regards the need to shift to working from home – with all the staff data privacy implications this entails. For those remaining open, some have been asked or required to collect, store and process health and/or visitor data.

Many have broadened their offering of digital materials for users to lend, which emphasises the importance of longstanding discussions about third party vendor privacy policies – for example around the data that publishers and others collect about how readers use materials.

Already in the first half of the year, patron privacy considerations were particularly pressing for school and academic libraries, with urgent questions around student data and remote learning.

Similarly, other efforts – from online storytimes to homework help – all come with crucial choices on how to protect patron privacy.

The global library field responds. When faced with these questions, the library field has seen a vast array of active and vigilant responses. Libraries have spoken out about the importance of patron privacy – from the Japanese Library Association’s Intellectual Freedom Committee to CILIP’s Policy Statement on COVID-19 that highlights, inter alia, the importance of upholding the right to privacy when implementing measures to curb the spread of the pandemic.

Members of the global and national library fields – e.g. in Italy, the US and Czechia – collected and disseminated useful information, including suggestions and ideas on how to navigate privacy considerations during the pandemic. They also shared practical guidance, key questions and good practices around the new patron privacy considerations.

Standing by key library values. It is encouraging to see that libraries continue to be strong privacy champions and advocates even in these times, finding more ways to support the privacy and digital wellbeing of their communities.

From Singapore to the Netherlands, we have seen traditional online safety and security skills support programmes migrate online – for example, as published tip-sheets or courses, or live webinars. New ideas are being explored – from awareness-raising virtual exhibits to the potential of a library VPN for patrons.

Ensuring library capacity and resources – a key priority. These responses demonstrate the evolving application of twin library priorities – safeguarding patron data in library processes, and helping build their communities’ awareness and skills to defend their own privacy, outside of library environments. However, as the past year showed, the new circumstances – particularly the shift to digital – raise challenging new questions and demands.

News from Finland, for example, points out that many libraries need to address patron privacy in new ways – including questions which may require legal advice. Similarly, Public Libraries Victoria discusses libraries’ experiences with helping seniors navigate online services – a crucial part of their offering; however, the shift to digital here can also put increased pressure on library staff in navigating complex privacy questions when offering hands-on support.

This highlights the importance of making sure that libraries have the capacity and resources to carry out these tasks. This includes, inter alia, IT resources – since cybersecurity and data privacy are fundamentally linked. As libraries face new and increasing tasks and duties – to meet the demand and expand digital offerings while maintaining data privacy and security – it is crucial that they have the resources to do so.

 

Many key challenges and developments of 2020 continue to impact the work of libraries around the world. As they continue to face these, libraries maintain their support and ethical commitment to privacy – and we look forward to another year of active dialogue and exchange of good practices in support of data privacy!

IFLA Statement on Libraries and Intellectual Freedom, 20 Years On – the UK Perspective

FAIFE is marking the 20th anniversary of the IFLA Statement on Intellectual Freedom. To understand where the debate on intellectual freedom stands today, we are talking with the members and expert advisors of the FAIFE Committee. Today, we’re getting the perspective from the United Kingdom from Louise Cooke, Professor of Information and Knowledge Management at Loughborough University.

 

This year we celebrate twenty years since the IFLA Statement on Intellectual Freedom was prepared by IFLA FAIFE and approved by the Executive Board of IFLA on 25 March 1999 in The Hague, Netherlands.

This seems a good point to stand back and reflect on where we are now as a society in terms of intellectual freedom, and some of the challenges facing this critical human right.

Of course, our perspectives will differ according to where in the world we are living, not to mention our own subjective views: therefore, this blog can only be written from my own perspective as a UK citizen. However, comments and reflections from your own personal and geographical perspective would be welcome in the comments section below. Please feel free to contribute!

The term ‘intellectual freedom’ can mean many things even to a single person. Article 19 of the UN Universal Declaration of Human Rights, that relates to intellectual freedom, states:

“Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” (United Nations, 1948)

Although not explicitly using the term ‘intellectual freedom’, this is a useful starting point for a definition.

It is inclusive – everyone has an equal right to this basic civil liberty. It also acknowledges the right to hold opinions without interference, whether or not we choose to express them.

In addition, it does not constrain itself to freedom of expression (i.e. the right to speak, write or publish controversial opinion) but also highlights the importance of freedom of access to information, in whatever form it takes and wherever we may be in the world.

In the UK this right is all too often taken for granted: albeit that it is restricted by numerous legislative instruments (such as the Obscene Publications Act 1964, the Counter-Terrorism and Border Security Act 2019 and the Public Order Act 1986) and social norms that proscribe potentially offensive or harmful speech, there is a general belief that we are relatively free to voice our opinions and to access information without constraint.

The UK Human Rights Act 1998 Article 10 reflects the UN UDHR in asserting that everyone has the right to freedom of speech, including the right ‘to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers’. Since 2005, we have also held a legal right to request information held by public authorities via the Freedom of Information Act 2000.

However, it must be borne in mind that these rights are qualified, for example in the interests of national defence and security and, in the case of the Human Rights Act, also for ‘the protection of health and morals’, all of which exemptions seem sufficiently broad (and vague) as to raise questions about the validity of the protection of freedom of speech and freedom of access to information in practice.

The UK is currently undergoing a period of turmoil, change and uncertainty, in particular with regard to the proposed exit from the European Union.

A recent ‘Democracy Audit’ (Dunleavy, Park & Taylor 2018) carried out by scholars at the LSE highlighted the adverse impact of divisions over Brexit and chaotic political party relations, the polarisation of debate and the damaging impact on small parties inflicted by the ‘first past the post’ electoral system, and the damage caused to public services by the austerity agenda pursued between 2010 and 2018.

Public libraries have been hit particularly hard by this agenda, with nearly 130 public library closures in 2018 alone, and many local libraries being ‘deprofessionalised’ and left to community groups to run.

This is a concern for intellectual freedom: whilst well-meaning volunteers may prevent a local area from being left with no library service, volunteers are not usually professionally trained and may not hold the same awareness of, and commitment to, the professional body CILIP’s commitment to the principle of intellectual freedom and rejection of censorship and its newly revised Ethical Framework.

Meanwhile, work carried out at Loughborough University between 2012 and 2014 on UK public libraries’ management of internet access, found that, while the use of filtering software appears to be ubiquitous in UK public libraries, most professional and frontline library staff regarded the expediency of this to be of greater import than the potential adverse impact of filtering on intellectual freedom.

In addition to the impact of public library closures, increasingly restrictive anti-terrorism legislation, and the use of filtering software, public libraries in the UK are, as elsewhere, subject to challenges from members of their local community regarding appropriateness of material held by the library.

Censorship challenges to books held in Scottish public libraries are detailed in a 2012 paper by Taylor and McMenemy, which also discusses the actions taken by the libraries concerned in response to the challenges.

Although this study is also a good example of the use of Freedom of Information legislation to shine a light on the extent of censorship in libraries, and the protection that can be offered by a carefully developed and implemented collection development policy, it also reflects the fact that there is no room for complacency with regard to the state of intellectual freedom in UK public libraries.

Moreover, as new challenges and threats arise in line with new technological developments that offer ever greater opportunities for surveillance and more sophisticated and widespread data collection and analytics, the need for librarians to be constantly aware of their ethical responsibilities with regard to protection of user privacy and the protection of intellectual freedom will only become more acute.

Going Beyond – Promoting Vulnerable Voices in Libraries

IFLA’s Intellectual Freedom Statement turns 20 in 2019. This is the first in a series offering perspectives, and raising questions, about its different provisions. 

 

A recent TechDirt blog highlighted an effort by Cloudflare – one of the biggest companies offering content delivery services on the internet – to protect particular sites and services.

Through its Project Galileo, Cloudflare looks to offer ‘some of the most politically and artistically important work online’ free use of the best available defences against cyberattacks.

It raises two interesting points.

First of all, there is the reality that while any site can be targeted using cyber-weaponry, some are more vulnerable than others.

Both governments and private groups can use various techniques to stop particular sites from operating. Cloudflare already works to protect voter registration and other electoral sites, for example.

Secondly, there is the parallel with debates about whether particular content should be regulated or blocked (as opposed to which content should be protected). In effect, should some sites be treated better (or worse) than others? And how should decisions about this be made?

 

How does this relate to the work of libraries?

First of all, it is clear that certain books in libraries are more likely to face criticism and requests for removal than others. The problem seems worst for content addressing LGBTQ+ issues, content addressing particular political or religious themes, and other books and materials deemed offensive by particular groups.

IFLA’s own Statement on Intellectual Freedom argues that content should be selected on professional grounds, and reflect the diversity of the community. It speaks out against discrimination in general (without distinguishing between positive and negative discrimination).

Meanwhile, the Public Library Manifesto stresses that ‘Collections and services should not be subject to any form of ideological, political or religious censorship, nor commercial pressures’.

While complaints from local politicians and members of the community may require a different sort of response to a cyberattack, the response is still necessary. A number of librarians and library associations have done so, highlighting both the challenges of censorship in general, and celebrating those books which face the most criticism.

 

This leads to the question of how – and whether – libraries should go out of their way to support works which may not prove popular with some.

The spirit of the Statement on Intellectual Freedom, as well as the Public Library Manifesto, certainly goes in the direction of actively providing a diverse range of content, reflecting a diverse range of interests – including the artistically and politically important work targeted by Cloudflare. Many of the types of content frequently subject to challenge are indeed connected with the interests of certain groups.

But what does this mean for what libraries can and should do to acquire diverse – and sometimes difficult – content, especially given inevitable budget constraints? How does it affect the way libraries promote and display works? How can libraries best defend the choices they make when challenged?

Cloudflare can clearly rely on a panel of experts, but this is not likely to be possible for libraries. What do you think about how libraries can (or should) champion intellectual freedom by supporting vulnerable voices, in the face of opposition and challenges?