Missouri Governor Jay Nixon.
Missouri library patrons can now rest assured that their library records for checkout of digital materials will remain private.
The Missouri State Legislature introduced two related bills aimed to update its existing privacy laws to include records for materials including ebooks, electronic documents, streaming video, music, and downloadable audiobooks, as well as the use of using Radio Frequency Identification (RFID) technology. Missouri Governor Jay Nixon approved one of the bills, which will go into effect on August 28, while rejecting the other.
Though the privacy of patrons’ library records has traditionally been sacrosanct, digital technology has transformed library services, and many states’ privacy laws have been slow to address records for digital media.
Thanks in part to the lobbying efforts of librarians across the state, Governor Nixon signed HB 1085, the Missouri House of Representatives bill expanding the purview of privacy laws concerning library records to include digital items from third-party vendors.
The existing privacy laws cover patrons’ personal information when they check out paper books. But electronic media, though accessed from the library’s gateway, is often administered by a third party.
Missouri “already had very strong protection of library records, but our main concern was that the digital age be taken into account, that digital records be included in [data privacy legislation],” said Jim Schmidt, legislative committee chair of the Missouri Library Association (MLA). Consumer protection was MLA’s main talking point when taking the issue to their State Representatives, Schmidt added.
“In order for users to access these services, vendors must authenticate them as [our library] cardholders; this gives the vendors access to our user database,” said Pam Klipsch, director of Missouri’s Jefferson County Library.
At Klipsch’s request, Missouri Rep. John McCaherty of Jefferson and St. Louis counties sponsored the bill to “to insure that any personally identifiable information about [users] and any information about the resources they accessed remained equally protected and confidential on the vendor side as on the library side of that transaction,” she said.
The bill requires third-party vendors to tell libraries and individual patrons if the vendor’s data servers experience a security breach, Klipsch explained. It also empowers patrons to take their library record privacy matters into their own hands, allowing them to request thaat the third-party vendors be investigated if the patron feels their data has been compromised. Librarians across the state will meet with third-party vendors to discuss the law’s implementation before it goes into effect in late August.
The second, rejected bill, Missouri Senate bill 523 (SB 523), concerned libraries in an indirect way. The bill would have allowed students to opt out of using RFID technology in their school identification cards, which often double as library cards.
RFID is used in items such as toll booth passes, credit cards, and animal collars, in which RFID “locator chips” can store all manner of data. When placed in student ID/library cards, RFID chips are able to store library record information. The bill was intended to protect students’ geographical locations from anyone with an RFID reader, and to prevent access to private data tied to their school IDs.
Governor Nixon vetoed SB 523 on the grounds that though the technology is not currently employed by any Missouri public schools, it has the potential to be used as a safety measure by schools. For instance, students could be located via their IDs during times of emergency or natural disaster. This also means that for now, any possible associated library records are also accessible via the chip.
This is definitely a positive move by at least one state government. In the era of assessment driven by budgetary constraint, many academic libraries are now facing a difficult choice as they are asked to validate the nature of their services and collections versus student success metrics. This assessment mission in itself parses data down to a personal level, especially, if the mission is to evaluate successful students versus unsuccessful ones. Careful consideration must be given to the cleansing of personal data points, even if institutions wish to evaluate the relationship of things like student GPA to library use.
This is also a positive move to bring direct accountability to library vendors for security measures and disclosures. ISO protections given by hosting providers are certainly in place, but aside from initial mention in a sales pitch, they are less often revisited by these providers proactively once a service is up and running. Unfortunately, libraries, much like other organizations and businesses, are seeming to be unquestioning in their embrace of “cloud” based services. These services often offer contractual assurances of security and reliability and off load the need for technical knowledge, but the larger question lingers as to content ownership and security of library data.
All in all, this is a good move in MO, but it would be great to see more done elsewhere.