[Libs-Or] FW: Message from ALA OIF

Wed Dec 15 16:29:02 PST 2004

My first two attempts to send this message to Libs-or was rejected as possibly being 
spam.  But since I really do think that this message might be of interest to 
many in libraries I am attempting to forward it again.  Yes, I have changed the subject entry and bits of other language to try to get the message through.  Maybe it is spam. ;-)

============================================================
From: "Don Wood" <dwood at ala.org>
Date: 2004/12/15 Wed PM 02:53:38 PST
To: <member-forum at ala.org>
Subject: [MEMBER-FORUM:350] Two New Questions to Questions and Answers on Privacy and
	Confidentiality

Two new questions and have been added to Questions and Answers on
Privacy and Confidentiality
http://www.ala.org/ala/oif/statementspols/statementsif/interpretations/questionsanswers.htm

All hyperlinks were accessed and corrected today.

*********************************************************************

Can libraries use social security numbers (SSNs) in patron databases or
for other means of uniquely identifying our users?

SSNs are not entirely random numbers: the first three digits indicate
in which state the number was issued, and the next two numbers indicate
the order in which the SSN was issued in each area. Only the last four
numbers are randomly generated. Thus, even the disclosure of an SSN
without further action does divulge private information.

Some states restrict the use of social security numbers to
circumstances explicitly authorized by law, particularly for the
reporting of income for employees. Section 7 of the Federal Privacy Act
of 1974 provides that any agency requesting an individual to disclose
his or her SSN must "inform that idividual whether that disclosure is
mandatory or voluntary, by what statutory authority such number is
solicited, and what uses will be made of it." The Family Educational
Rights and Privacy Act (FERPA) requires publicly-funded schools to
obtain written consent for the release of personally identifiable
information, whcih courts have ruled includes SSNs. The widespread use
of SSNs by public and private agencies had created a dual threat of
fraud victimization and the invasion of privacy, by linking significant
amounts of personal and financial information through a single number.
In November 2004 the GAO noted that ". . . it is clear that the lack of
a broad, uniform policy allows for unnecessary exposure of personal
Social Security numbers."

Libraries have long used SSNs to trace patrons who have outstanding
fines or overdue materials, often through collection agencies. In fact,
the current state of internet technology often allows an individual to
be located without the use of an SSN. Libraries that choose to use SSNs
in patron databases or to identify users should:

* inform patrons whether providing their SSNs is mandatory or
voluntary, and under what statutory authority the SSNs are solicited;

* inform patrons of the purpose for which SSNs will be used;

* use encryption to protect SSNs within patron databases, and;

* investigate other methods of uniquely identifying patrons and tracing
those who have outstanding fines or overdue materials.

Sources:

EPIC. Social Security Number (SSN) Privacy Page:
http://www.epic.org/privacy/ssn/(last accessed December 15, 2004).

Family Educational Rights and Privacy Act (FERPA):
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html(last
accessed

November 19, 2004).

Governmental Accounting Office. Social Security Numbers: Governments
Could Do More to Reduce Display in Public Records and on Identity Cards,
GAO-05-59, November 9, 2004:
http://www.gao.gov/docsearch/abstract.php?rptno=GAO-05-5(last
accessed November 19, 2004).

Privacy Act of 1974 and Amendments (as of Jan 2, 1991):
http://www.epic.org/privacy/laws/privacy_act.html(last accessed
November 19, 2004).

Privacy Rights Clearinghouse. Your Social Security Number: How Secure
Is It? http://www.privacyrights.org/fs/fs10-ssn.htm (last accessed
December 15, 2004).

Sample library policies:

Maine State Library. "Note on Use of Social Security Numbers as ID
Number:"
http://www.maine.gov/msl/infotech/minerva/circulation/loadpats.htm.

College of William & Mary. Earl Gregg Swem Library. "Faculty
Circulation Services:"
http://www.swem.wm.edu/Services/Faculty/circ.htm#socialsecurity.

*********************************************************************

Can circulation or registration information be used for other library
purposes, such as to generate mailing lists for fund-raising by the
library or its Friends group?

The Fair Information Practice Principles of "Notice and Openness" and
"Choice and Consent" should be reflected in library privacy policies.
See "How to Draft a Library Privacy Policy." Some states impose
restrictions on the use of personally identifiable information (PII) for
any purposes other than circulation or administration. In other states
it is illegal to provide library user PII to any third party except
under court order. (See "State Privacy Laws Regarding Library Records").
In all states, regardless of the status of the law, library policies
regarding the collection, use and dissemination of PII should be
carefully formulated and administered to ensure that they do not
conflict with the ALA Code of Ethics that states "we protect each user's
right to privacy and confidentiality." Libraries choosing to use PII for
any library-related purpose other than for which the PII was gathered
should consider the following standard "opt in" practices:

* Notice should be provided to all users of any library use of PII. 

* Any use of PII beyond circulation or administration should be
authorized only on an opt in basis. At the time of registration, users
should be asked to opt in to additional and specifically enumerated uses
of their PII (e.g., for fund-raising appeals). The PII of those who
decline to 'opt-in' should not made available for any additional uses. 

* Any time a library decides to extend use of PII in ways not already
authorized, it must seek user opt in. Libraries should presume that all
non-responders wish to opt out of the new use. 

============================================================

Diedre Conkling

  Lincoln County Library District
  P.O. Box 2027, Newport, OR  97365
  Phone & Fax:  541-265-3066
  http://lcld.library-blogs.net/
  Work:  diedre at mail.crsn.lib.or.us
  Home:  diedrec at charter.net