Library privacy framework: Comparative review of data protection laws towards maturity model

Abstract

Libraries provide access to resources through varied services. However, they also pose ethical concerns arising from collecting, processing, and storing patrons’ personal data to provide such services. Therefore, to safeguard patrons’ privacy on the web, this study sheds light on patrons’ privacy, privacy gaps in libraries, and theorised a privacy framework for libraries. The qualitative content analysed the Europe’s General Data Protection Regulation/679) and India’s Digital Personal Data Protection Act using Westin’s privacy theory. Review to these two legislations were conducted manually using deductive approach, generating a total of 14 privacy checklists that act as guidelines for the maturity model for libraries. These 14-privacy checklist, viz., enactment, scope, data collection, lawful processing, consent, patrons’ rights, children’s data, data sharing and transfer, data retention and erasure, data security, grievance redress, obligations, policy updates and penalties, were generated from these two legal documents. Thereafter, the strengths and limitations of both pieces of legislation were categorised and discussed which led to the development of a maturity model that guides libraries to improve their privacy practices in stages. The maturity model was conceived in five stages, namely: (1) Initial Stage (No policy and undocumented practices), (2) Growth Stage (Basic compliance and implementation), (3) Defined Stage (Structured and documented processes), (4) Managed Stage (Proactively monitored and audited) and (5) Regulated Stage (Fully automated, AI-based with continuous improvement). The study sheds light on the various gaps in the analysis of legal documents and the maturity model. It also suggests further studies to improve the existing model. The study is helpful for librarians who oversee library policies, vendors associated with libraries, technologists who implement safe privacy practices, institutions that are concerned with students’ online welfare and ultimately, for libraries aiming to raise awareness of privacy literacy.

Keywords

library privacy policy patron privacy India’s Digital Personal Data Protection Act 2023 (DPDP Act)General Data Protection Regulations (GDPR)privacy maturity model library privacy practices

Get full access to this article

View all access options for this article.

References

Ali

Zaaba

Singh

, et al. (2020) Readability of websites security privacy policies: A survey on text content and readers. International Journal of Advanced Science and Technology 29(6): 1661–1672.

Al-Suqri

Akomolafe-Fatuyi

(2014) Security and privacy in digital libraries: Challenges, opportunities and prospects. International Journal of Digital Library Systems 3(4): 54–61.

American Library Association (2022) ALA | Issues & Advocacy. Available at: http://www.ala.org/ala/issuesadvocacy/index.cfm

Bareh

(2022) Privacy policy analysis for compliance and readability of library vendors in India. Serials Librarian 83(2): 148–165.

Bareh

(2024) Reviewing the privacy implications of India’s Digital Personal Data Protection Act (2023) from library contexts. DESIDOC Journal of Library & Information Technology 44(1): 50–58.

Bowers

(2006) Privacy and library records. Journal of Academic Librarianship 32(4): 377–383.

Breeding

(2016) Privacy and security for library systems. Library Technology Reports: Expert Guides to Library Systems and Services 52: 4.

Cooke

(2018) Privacy, libraries and the era of big data. IFLA Journal 44(3): 167–169.

Coombs

(2004) Walking a tightrope: Academic libraries and privacy. Journal of Academic Librarianship 30(6): 493–498. https://ur.art1lib.org/book/13228587/5f926c

10.

Shukla

(2020) Privacy policies of e-governance initiatives: Evidence from India. Journal of Public Affairs 20(4): 1–11.

11.

Digital Personal Data Protection Act (2023) Available at: https://prsindia.org/files/bills_acts/acts_parliament/2023/Digital_Personal_Data_Protection_Act,_2023.pdf

12.

Eroğlu

Çakmak

(2020) Personal data perceptions and privacy in Turkish academic libraries: An evaluation for administrations. Journal of Academic Librarianship 46(6): 102251.

13.

Gangadharan

(2016) Library privacy in practice: System change and challenges. A Journal of Law and Policy for the Information Society 13(1): 175–198.

14.

General Data Protection Regulation (2016) Official Journal of the European Union L119/1. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

15.

General Data Protection Regulation (2018) Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

16.

Hartman-Caverly

Chisholm

(2020) Privacy literacy instruction practices in academic libraries: Past, present, and possibilities. IFLA Journal 46(4): 305–327.

17.

Johns

Lawson

(2005) University undergraduate students and library-related privacy issues. Library & Information Science Research 27(4): 485–495.

18.

Lambert

Parker

Bashir

(2015) Library patron privacy in jeopardy an analysis of the privacy policies of digital content vendors. Proceedings of the Association for Information Science and Technology 52(1): 1–9.

19.

Lutkevich

(2022) Capability Maturity Model (CMM). Available at: https://www.techtarget.com/searchsoftwarequality/definition/Capability-Maturity-Model

20.

Magi

(2010) A content analysis of library vendor privacy policies: Do they meet our standards? College & Research Libraries 71(3): 254–272.

21.

Marky

(2023) Data collection is not mostly harmless: An introduction to privacy theories and basics. In: Gerber

Stöver

Karola

(eds) Human Factors in Privacy Research. Springer, pp.1–380.

22.

Massis

(2017) Privacy in the Library. Information and Learning Science 118(3/4): 210–212.

23.

McKinnon

Turp

(2022) Are library vendors doing enough to protect users? A content analysis of major ILS privacy policies. Journal of Academic Librarianship 48(2): 102505.

24.

National Digital Library (2022) Privacy Policy of National Digital Library of India (NDLI). National Digital Library, India. Available at: https://ndl.iitkgp.ac.in/privacy-policy

25.

Nichols Hess

LaPorte-Fiori

Engwall

(2015) Preserving patron privacy in the 21st Century Academic Library. Journal of Academic Librarianship 41(1): 105–114.

26.

Noh

(2020) A study on the changes in librarians’ perception before and after user privacy education. Library & Information Science Research 42(3): 101032.

27.

Norwich Public Library (2022) Safety, privacy & fact checking. Available at: https://www.norwichlibrary.org/online-safety-and-privacy/

28.

Penn State University Libraries (2022) Privacy workshop. Available at: https://guides.libraries.psu.edu/berks/privacy/toolkit

29.

Peterson

Meinert

Criswell

, et al. (2007) Consumer trust: Privacy policies and third-party seals. Journal of Small Business and Enterprise Development 14(4): 654–669.

30.

Prince

(2018) Do consumers want to control their personal data? Empirical evidence. International Journal of Human-Computer Studies 110: 21–32.

31.

Shuler

(2004) Privacy and academic libraries: Widening the frame of discussion. Journal of Academic Librarianship 30(2): 157–159.

32.

Singley

(2020) A holistic approach to user privacy in academic libraries. Journal of Academic Librarianship 46(3): 102151.

33.

Westin

(1967) Privacy & Freedom. Atheneum. Available at: https://scholarlycommons.law.wlu.edu/wlulr/vol25/iss1/20/

34.

Zimmer

(2013) Assessing the treatment of patron privacy in library 2.0 literature. Information Technology and Libraries 32(2): 29–41.

35.

Zimmer

(2014) Librarians’ attitudes regarding information and Internet privacy. Library Quarterly 84(2): 123–151.