Originally published December 17, 2025
As we shift our attention to information security and privacy policies, consider the following scenario where a well-intentioned community event exposed how easily gaps in data-handling practices can put patrons at risk.
The Gotham Public Library—a fictional, small, rural library in Texas—partnered yet again with the Madame Selina Kyle Foundation, this time to host a free digital literacy workshop, and asked participants to provide their name, home address, phone number, email address, and library card number using a shared Google Form created by a volunteer. In the days following the event, several attendees began receiving unsolicited emails from LexCorp and phone calls promoting Harvey Dent’s election campaign. One patron filed a complaint, stating the only place they had shared that information was with the library. When staff investigated, they realized there was no written policy governing how patron information should be collected, stored, shared, or deleted, and the volunteer still had access to the form and its responses on a personal device. Because the library lacked a formal information security and privacy policy, staff were unsure how to respond, whether a legal violation had occurred, or what corrective actions were required. The incident ultimately eroded community trust and raised concerns at the next city council meeting about the library’s data-handling practices, prompting Library Director Barbara Gordon to collaborate with her staff and key stakeholders to draft a formal policy.
Questions To Consider While Revising Or Creating An Information Security And Privacy Policy:
- What is the library’s mission statement, and how is it reflected in the policy?
- If the library’s mission emphasizes open and equal access to information, how does the policy’s treatment of collecting personally identifiable information when granting access to services support that?
- If the library’s mission statement mentions serving as a trusted community resource, how does the policy describe what data the library collects, why it’s collected, how long it is retained, and how it is protected?
- How will you manage information security and privacy?
- Which library records and types of records are confidential (registration and library-card information, circulation and borrowing history, hold or reserve requests, interlibrary loans, program registrations, public computer usage, internet or Wi-Fi session logs, meeting-room reservations or facility usage, overdue or fines information, records that could link a patron to specific materials or services)?
- What are the exceptions? When and how may information be shared (to the patron or authorized representative; when reasonably necessary for library operations; under valid court order or subpoena)?
- Who will serve as the custodian of records and be responsible for processing any requests? What are the procedures for when staff receive requests for records?
- What personal data will need to be collected to deliver services (cardholder info, necessary contact details)?
- How long will circulation or usage data need to be retained for administrative, service, or legal purposes? What are the secure disposal procedures once retention is no longer necessary?
- How will internal access to records be limited to authorized staff only? What requirements will there be regarding confidentiality training for staff?
- How will patrons be notified that their library records are protected? How can patrons request and review their own records?
- How will the library acknowledge that some library services (digital content providers, external databases, online registration, etc.) may be operated by third parties and that while the library will endeavor to use vendors that respect privacy, users should be aware of those vendors’ own privacy policies? How will the library ensure vendor contracts require compliance with the policy?
- What will be the library’s law enforcement and subpoena response protocol? How will it track such disclosures?
- Are you working with an attorney?
- Only an attorney can provide legal advice. This could be a City or County Attorney, an attorney on retainer, or an attorney on the board.
- If you’re not currently working with an attorney, have you contacted other libraries in your area to see if there is someone they’d recommend?
General Suggestions for Library Policies:
- Use plain language: aim for a clear and concise summary that can be understood by any community member, even those who have never been to the library.
- Separate policy from procedure: a policy explains what the rules are, while a procedure explains how staff and patrons carry them out in practice. For example, a privacy policy might outline the principles guiding how the library collects, uses, stores, and protects patron information, ensuring transparency while upholding the library’s commitment to confidentiality. A privacy procedure, by contrast, would provide the step-by-step practices staff follow—such as how to securely handle requests for records, manage log data, verify identity, or respond to potential breaches—to implement that policy in day-to-day operations. Keeping policies and procedures separate ensures that each document can be updated easily.
- Review regularly: reviewing all policies on a regular schedule will help ensure they’re up to date and useful for patrons. It might be helpful to ask: Is it a simple change in wording, or is the policy broken? Could your grandmother understand the policy? Does your policy reflect actual practice? Has the policy kept up with the times? Is there still a viable reason to have the policy? Finally, incorporating legal review by an attorney (a City Attorney, County Attorney, board member, etc.) is highly recommended.
- Have policies approved by the library's governing authority: this adds legitimacy to library policies, and helps the governing authority understand how the library operates.
Trainings and Resources Related to Library Policies:
Writing Support:
- Write for your audience - plainlanguage.gov website
- Clear & to the Point: The Importance of using Plain Language in your Communications - TSLAC, Literacy Advance of Houston webinar
- Jargon-Free Libraries: Using the Language of Our Patrons - Colorado State Library webinar
- Library 101: Policies - North Dakota State Library short video
- Determining Whether a Document is a Policy, Procedure, or Guideline - University of Wisconsin Madison
- Notes on Library Policy - Vermont Department of Libraries
- Developing and Writing Library Policies and Procedures - By Stephen Henson of BE&K Engineering. Includes an excellent list of additional sources.
- Privacy Audits for Public Libraries (webinar) - Niche Academy
- Data Privacy Audit - San Francisco Public Library
- Privacy Policy - San Francisco Public Library
- Privacy and Confidentiality Policy - Mesa County Libraries
- Library Patron Privacy and Confidentiality Policy - Jefferson County Public Library
- Public Library Policy Resources - WiseLearn Resources
- Public Library Sample Policies - Colorado Department of Education
- Library Policies - Central Kansas Library System
- Public Library Director Toolkit - North Dakota State Library
If you’re in need of a thought partner or assistance finding Texas-specific examples while developing your library’s information security and privacy policy, don’t hesitate to reach out. Email our Library Development and Networking team at ld@tsl.texas.gov.