Here's a link to a paper I wrote with Paul Neuhaus on privacy and virtual reference for the American Library Association. http://www.ala.org/ala/washoff/contactwo/oitp/MinowNeuhaus2005Sept15.pdf
LibraryLaw Blog
Issues concerning libraries and the law - with latitude to discuss any other interesting issues Note: Not legal advice - just a dangerous mix of thoughts and information. Brought to you by Mary Minow, J.D., A.M.L.S. [California, U.S.] and Peter Hirtle, M.A., M.L.S. Follow us on twitter @librarylaw 
« Do Michiganders have a state constitutional right to get library cards outside their jurisdiction? | Main | More papers on virtual reference »
Comments
The comments to this entry are closed.
Search
Mary Minow
Peter Hirtle
Recent Posts
- Library Digitization Chart
- Hate speech in library meeting rooms
- Should libraries remove books written by Bill Cosby?
- Libraries that want to protect
- Was CCC formed "at the suggestion of Congress"?
- What the University of Arkansas controversy can teach us about archival permission practices
- When a library consortium buys an ebook, does the market dry up for that book? : A Super quick interview with Jo Budler, Kansas State Librarian
- Zoia Horn made an impact
- The New Handbook of the Public Domain: Review
- Norway, Extended Collective Licensing, and Orphan Works
From my point of view, if something is going to possibly contain PII, it should be treated as PII.
Libraries - and virtual reference service and software providers - shouldn't assume that patrons are going to know about and opt to use anonymous e-mail to protect their identities. It's our duty to keep patron e-mail addresses confidential along with everything else (subject to local and national laws, etc.).
Thanks again - you've given me a lot of things to take action on, and adding a link to anonymity resources from our privacy policy is right up there.
Posted by: caleb | April 17, 2007 at 07:00 PM
Caleb - I forgot to comment on email. I meant to say that email addresses can be identifiers, but aren't necessarily so. Epic.org has a great list of ways to get anonymous emails...at http://www.epic.org/privacy/tools.html
If we do revise, I'll look at that section to make clarifications. Thx.
Posted by: Mary Minow | April 12, 2007 at 03:18 PM
Thanks Caleb for these comments. I hadn't seen that HIPAA-based article -thanks!
I confess that when the AOL data was spilled onto the internet, I spent at least an hour rummaging through, sort of like watching the aftermath of an awful car accident. I have little doubt that many of these folks are identifiable, and once their identity is ascertained, all kinds of their interests from shopping to sordid are strung along with them.
Perhaps a good term would be identification full content .. or partial content ...or such. I wouldn't use "transactional" since that term is used in pen trap laws to refer to mere phone numbers, email addresses etc - requiring the lowly legal threshhold that many refer to as a rubber stamp by a court. This differs from content data which requires TItle III wiretap orders, significantly more difficult to get from the courts.
There are no concrete plans to move further on these papers (I'm putting a link to two others in my next blog post)...so I don't really know.
Posted by: Mary Minow | April 11, 2007 at 11:47 AM
Mary this is excellent. I'm sorry to have missed this pre-conference back-when.
I find it hard to get people excited about privacy in virtual reference.
A few things I've noticed and/or wonder about:
- Who is defining Personally Identifiable Information and how?
I like that you acknowledge that PII can show up in transcripts (section III-8). In fact, I think it almost always does. I don't know what to call it - transactional PII, maybe - but I think it deserves recognition as a whole category of PII (as in section III-1).
It may vary from service to service and from media to media, but it is there often enough that I would love to see it acknowledged more broadly.
The AOL search data debacle proved at least that non-PII plus search terms can sometimes identify an individual.
http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/
At the same time, you say in III-2 that e-mail addresses are not PII. How so? They don't have to be, but when does my personal e-mail address not identify me?
I think also that geographic and temporal information can be combined with other "non"-PII to identify an individual. "Using Lessons from Health Care to Protect the Privacy of Library Users: Guidelines for the De-Identification of Library Data based on HIPAA" by Scott Nicholson and Catherine Arnott Smith was particularly helpful in our plan to eventually ambiguate places and times in the data we have collected.
http://eprints.rclis.org/archive/00005255/
- Second, I wonder about the legal status virtual reference records that are stored in the same place as other public records - for example, on an employee hard drive or in an e-mail account (and server). Even in states where VR transactions are exempt from public records disclosure, it has to be nearly impossible to separate them out in the event of a request.
Finally, where is this going now? Further publication?
Posted by: caleb tr | April 10, 2007 at 04:10 PM