Network Security, Collection and Retention of Personal Data, Patron Education

Network Security

Users may claim that their personal information was compromised due to inadequate network security at the library.  The library should adhere to best practices, and it would be helpful if the state library association, state library or other body were to maintain an updated statewide best practices document online.  For example, computer cache should be automatically cleared at frequent intervals.  The library should pay special attention to the detection of keyloggers or other mechanisms to capture user data.

Nevertheless, it is important to include language that explicitly disclaims responsibility as in the sample disclaimer below.

Faxes

A primary principle in minimizing the risk of identity theft is to avoid the collection and retention of personal data. In most cases, the library is merely a conduit. The patrons use the library’s resources (i.e. its computer equipment) to submit their E-government forms.  With proper network security in place, this data is not retained on any library computers.

Some libraries, however, allow users to receive faxes on library fax machines. The risk of accidental disclosure of personal data is commensurate with the amount of data received and the length of retention by the library.

It is recommended that such practices be minimized. In the event that the service is essential (e.g. no reasonable substitutes are available in the community), the library should issue disclaimers with the service stating that, despite best efforts, the library is not responsible for the security of the data.

Patron Education

Some patrons may spread out papers containing sensitive data such as social security numbers, birthdates, etc. while typing into library computers. Whenever possible, staff should try to remind patrons that this is a public area, and that they should be aware of their surroundings.