
Comments

On the 'interference with contract' point, my guess is that the LMS system suppliers may not have a clear point of law on which to act - particularly in this fast-paced web world of Web 2.0, 'mashups', open systems, etc., which they themselves happily espouse at user group meetings and promotional events. They just don't like the fact that a third party has 'mashed' them up without asking them about it first - and to be fair to them I do think they could make some reasonable data protection arguments in their defence.

The subtle area is around a library service's continued working relationship with its LMS provider if the service continues to promote Elf as a good customer service enhancement when the LMS provider is unhappy with the arrangement. It will be interesting to know how that scenario plays out.

Philip

Good to hear about your PINs... and something to think about with regards to contract interference.

Philip writes: "there is no provision for a third party (such as an aggregator like Elf) to sit between the library customer and the LMS system"

While it's clearly important to see privacy safeguards protected by contract, I don't see how any contract could bind a third party who didn't sign the contract. Or is this perhaps some tort such as "interference with contract"? Or broader UK privacy protection than in the U.S.?

Thanks for moving my comment to a more contemporary place, Mary. On the points you raise:

a) The impression I get from an LMS supplier that I have been talking to is that, just because customers may feel inclined to share their card number and PIN with a third party, this does not necessarily mean that those customers have the authority to invite that third party into the licensed working arrangement between the LMS and the library service in question. So, while on one level you could argue that the customer can give consent to their personal and transactional information being gathered and manipulated by Elf, there may be another level of approval required to allow Elf to make the connection to the LMS system in order to carry out that process. There may even be a specific limitation somewhere in the software licensing agreement which the library service has entered into with the system supplier which says, effectively, that library staff can go into specified files and do specified things, and library customers can go into a different range of files (e.g. WebOpac) and do other specified things, but there is no provision for a third party (such as an aggregator like Elf) to sit between the library customer and the LMS system. And it seems to be this intermediary/aggregator role that the supplier(s) seem to want to place on a properly contracted footing with agreed safeguards around privacy and data protection. Without any such contract, the LMS supplier seems to feel that their systems/installations are being invaded by a third party which customers have no authority to invite into the process.

b) Regarding PIN numbers on UK systems, my impression of systems other than our own is that they can be set at a higher level of security than some of the experiences described in earlier postings. In our own system we can define a minimum length of PIN anywhere between 4 and 10 characters. There is, of course, the usual weakness around a default PIN until the customer changes it to something known only to themselves; however, at least our system sets the default to the customer's date of birth, which is no safeguard against unauthorised use by close acquaintances and families, but is probably a slightly stronger default than phone numbers or address features.

Thanks,
Philip
