
Policy Corner: Information Security and Privacy


Originally published December 17, 2025



As we shift our attention to information security and privacy policies, consider the following scenario where a well-intentioned community event exposed how easily gaps in data-handling practices can put patrons at risk.


The Gotham Public Library—a fictional, small, rural library in Texas—partnered yet again with the Madame Selina Kyle Foundation, this time to host a free digital literacy workshop. The library asked participants to provide their name, home address, phone number, email address, and library card number using a shared Google Form created by a volunteer. In the days following the event, several attendees began receiving unsolicited emails from LexCorp and phone calls promoting Harvey Dent’s election campaign. One patron filed a complaint, stating the only place they had shared that information was with the library. When staff investigated, they realized there was no written policy governing how patron information should be collected, stored, shared, or deleted, and the volunteer still had access to the form and its responses on a personal device. Because the library lacked a formal information security and privacy policy, staff were unsure how to respond, whether a legal violation had occurred, or what corrective actions were required. The incident ultimately eroded community trust and raised concerns at the next city council meeting about the library’s data handling practices, prompting Library Director Barbara Gordon to collaborate with her staff and key stakeholders to draft a formal policy.


Because privacy policies are about more than just protecting data—they’re one of the clearest ways a library demonstrates its respect for patron trust—revisiting yours ensures that the library’s information practices not only honor confidentiality but also remain grounded in your community’s needs. And right now, it matters more than ever: in April, the Texas State Library and Archives Commission (TSLAC) approved updated accreditation criteria for Texas public libraries. These new minimum standards, outlined in the Texas Administrative Code, officially went into effect September 1, 2025, and will first be used for accreditation with the 2026 Annual Report. Among the revisions is a new requirement that every library have written policies for circulation, collection development, technology use, and information security and privacy. Libraries will certify these policies in the 2027 Annual Report, with a deadline of July 31, 2027, to meet the new minimums. So, as you look at your information security and privacy policy, here are some questions and resources to help make sure it’s both accreditation-ready and community-centered.

Questions to Consider While Revising or Creating an Information Security and Privacy Policy:

  • What is the library’s mission statement, and how is it reflected in the policy?
    • If the library’s mission emphasizes open and equal access to information, how does the policy’s treatment of collecting personally identifiable information when granting access to services support that?
    • If the library’s mission statement mentions serving as a trusted community resource, how does the policy describe what data the library collects, why it’s collected, how long it is retained, and how it is protected?

  • How will you manage information security and privacy?
    • Which library records and types of records are confidential (registration and library-card information, circulation and borrowing history, hold or reserve requests, interlibrary loans, program registrations, public computer usage, internet or Wi-Fi session logs, meeting-room reservations or facility usage, overdue or fines information, records that could link a patron to specific materials or services)?
    • What are the exceptions? When and how may information be shared (to the patron or authorized representative; when reasonably necessary for library operations; under valid court order or subpoena)?
    • Who will serve as the custodian of records and be responsible for processing any requests? What are the procedures for when staff receive requests for records?
    • What personal data will need to be collected to deliver services (cardholder info, necessary contact details)?
    • How long will circulation or usage data need to be retained for administrative, service, or legal purposes? What are the secure disposal procedures once retention is no longer necessary?
    • How will internal access to records be limited to authorized staff only? What requirements will there be regarding confidentiality training for staff?
    • How will patrons be notified that their library records are protected? How can patrons request and review their own records?
    • How will the library acknowledge that some library services (digital content providers, external databases, online registration, etc.) may be operated by third parties and that while the library will endeavor to use vendors that respect privacy, users should be aware of those vendors’ own privacy policies? How will the library ensure vendor contracts require compliance with the policy?
    • What will be the library’s law enforcement and subpoena response protocol? How will it track such disclosures?
  • Are you working with an attorney?
    • Only an attorney can provide legal advice. This could be a City or County Attorney, an attorney on retainer, or an attorney on the board.
    • If you’re not currently working with an attorney, have you contacted other libraries in your area to see if there is someone they’d recommend?


General Suggestions for Library Policies:

  • Use plain language: aim for a clear and concise summary that can be understood by any community member, even those who have never been to the library.

  • Separate policy from procedure: a policy explains what the rules are, while a procedure explains how staff and patrons carry them out in practice. For example, a privacy policy might outline the principles guiding how the library collects, uses, stores, and protects patron information and ensure transparency while upholding the library’s commitment to confidentiality. A privacy procedure, by contrast, would provide the step-by-step practices staff follow—such as how to securely handle requests for records, manage log data, verify identity, or respond to potential breaches—to implement that policy in day-to-day operations. Keeping policies and procedures separate will ensure that each document can be updated easily.
  • Review regularly: reviewing all policies on a regular schedule will help ensure they’re up to date and useful for patrons. It might be helpful to ask: Is it a simple change in wording or is it broken? Could your grandmother understand the policy? Does your policy reflect the actual practice? Has the policy kept up with the times? Is there still a viable reason to have the policy? Finally, incorporating legal review by an attorney (a City Attorney, County Attorney, board member, etc.) is highly recommended.

  • Have policies approved by the library's governing authority: this adds legitimacy to library policies, and helps the governing authority understand how the library operates.


Trainings and Resources Related to Library Policies:

Writing Support
Policy Basics
Example Policies

***


If you’re in need of a thought partner or assistance finding Texas-specific examples while developing your library’s information security and privacy policy, don’t hesitate to reach out. Email our Library Development and Networking team at ld@tsl.texas.gov.
