Wednesday, November 03, 2004

Privacy and Public Libraries

Last week, I gave a presentation to a group of directors of public libraries in Nova Scotia. Library staff are regularly called upon to consider privacy issues, particularly in connection with public use internet stations. Police regularly ask for information related to who was using a particular terminal at a particular time, often in connection with threats made or other allegedely illegal conduct. In addition, some libraries are contemplating offering reading suggestions based on reader preferences, a form of "data mining".

PIPEDA applies in Nova Scotia and public libraries are not, by and large, engaged in commercial activities. While they were interested in PIPEDA, most of the discussion related to privacy best practices they can adopt to meet the growing expectation of their users. The presentation is available here: Privacy and Public Libraries


Anonymous said...

Thanks so much for posting your presentation. Do I read it correctly to say that Canadian library users do not have legal protection for their records unless a public library formally adopts the Model Code (or a similar policy)? Are there any provincial laws that protect library user records?
Mary Minow, LibraryLaw Blog

privacylawyer said...

We don't have consistent protection of library patron records in Canada. Our federal system divides jurisdiction between the federal government and the provinces. For example, the provinces have jurisdiction over property and civil rights in a province while the feds have jurisdiction over trade and commerce. The federal government came up with a federal privacy law in 2001, but have to rely on their trade and commerce power to implement it. This means that the Personal Information Protection and Electronic Documents Act (PIPEDA) only applies to "commercial activities", something that public libraries are usually not engaged in. (If they sell their member list, it is deemed to be a commercial activity and PIPEDA applies to the sale.)

Because the provinces have jurisdiction over civil rights, there is concurrent jurisdiction that means that provinces can legislate in the privacy area as well, and put in place laws with wider application. Here in Nova Scotia, the provincial government has not done so, meaning that PIPEDA applies in the province, but again only to commercial activities.

But all provinces have public sector privacy and access laws. Nova Scotia's is called the Freedom of Information and Protection of Privacy Act (FOIPOP), which governs records held by public bodies. I do not believe that public libraries are public bodies under FOIPOP, so there is no privacy protection under that law. (This may not be the case in other provinces. For example, public libraries are under the Ontario Municipal Freedom of Information and Protection of Privacy Act and under the Alberta Freedom of Information and Protection of Privacy Act.)

This leaves library users records unprotected in Nova Scotia, by either federal or provincial law. What I recommend is that libraries still follow the good information practices set out in the Canadian Standards Association Model Code for the Protection of Personal Information, which is the mandatory standard under PIPEDA. It requires (i) appointing a privacy officer, (ii) developing a privacy policy and a statement of purposes for which personal information is collected, used and disclosed, (iii) getting consent for the use of personal information, (iv) only using and disclosing personal info for the purposes for which it was collected and for which consent has been obtained, (v) only retaining information for as long as is reasonably necessary, (vi) safeguarding the info against all threats, and (vi) having a complaint mechanism. If you have a privacy statement that becomes part of the user agreement, it should be binding upon the library and give the users specific rights vis-à-vis their information. In my experience, users expect that their privacy will be respected and libraries should live up to that expectation.