Commercial marketing techniques make extensive use of personal information to target content. Libraries, however, must take a more tempered approach when marketing content and services to ensure patron privacy with policies that govern how personally identifiable data can be stored, accessed, used, and shared.
In general, there are four approaches that libraries can take in relation to patron privacy. As library leaders consider implementing new tools for improving user outreach, they need to consider which model best suits their mission and strategic initiatives:
- Strict privacy. At one end of the spectrum, the library configures its integrated library system (ILS) to never retain circulation history in transaction files or borrower records.
- Full retention. At the other end, the library configures the ILS to always retain circulation history and records.
- Optional retention. Patrons can choose to have the system retain their borrowing history and other data that may enable personalized services, and they may view their own information. Unless the patron opts in, the system follows the model of strict privacy.
- Optional privacy. Patrons can choose to have the system remove or anonymize their history. Unless the patron opts in, the system follows the full retention model.
Although privacy policies vary from library to library, they share some general prevailing concerns. One is data encryption in both storage and transmission. Any sensitive data should be encrypted to prevent unauthorized access. Because patron records contain personally identifiable information such as names, email addresses, and birth dates, they must be held securely to prevent data breaches. Encryption ensures that even if an intruder gains access to the internal system, the information will not be accessible without the required digital credentials. Most modern database management systems have built-in capabilities to store data with encryption. When data is transmitted from one system to another or accessed through an application such as an ILS, use of secure protocols such as HTTPS provides strong protection from interception of data on the internet or other networks.
Another general concern is data anonymization. To preserve patron privacy, reporting or analytics should be based on fully anonymized data sets. Ideally, any data collected removes personal information before it is recorded. When personal details are needed for essential operational processes, the data can be anonymized as soon as transactions that require those details conclude.
When it comes to data collection and retention, the ILS creates and keeps essential records for every circulation transaction. While it is necessary to maintain data linking a patron and an item during the course of a loan, another set of data retention issues applies once the item is returned. From a strict privacy perspective, no records should be retained that make it possible to reconstruct the use of that item by a specific patron in a specific period.
Rather than completely remove circulation transaction records, libraries could replace personally identifiable data with placeholders that retain specific characteristics of the patron but not the person’s specific identity. These anonymized circulation history records can be used for statistics and analytics while respecting privacy requirements.
Which privacy model a library chooses will have an impact on its strategies for personalized services and marketing. But even under the strictest privacy models, libraries can work with patrons and vendors to implement effective marketing and outreach services.
Adapted from “Patron Engagement and Marketing Products and Services for Public Libraries,” Library Technology Reports vol. 58, no. 2 (Feb./Mar. 2022).