What are the privacy responsibilities of  public libraries?

http://www.ontla.on.ca/library/repository/mon/5000/10308563.pdf

For a library visitor, privacy essentially means the right to be able to read any book or access
any reference material without fear of having the subject matter made known to others.
Can someone obtain a list of the books you have borrowed? If you use a computer at a
library, does anyone later check to see which Web sites you visited?
This publication looks at some common questions library users and library staff may have
about privacy rights and what libraries can do to protect privacy.
Public library boards are institutions governed by the Municipal Freedom of Information
and Protection of Privacy Act (MFIPPA). This Act specifies how organizations such as
libraries may collect, use, retain, disclose and dispose of personal information. Public
libraries are also governed by the Public Libraries Act, which establishes specific operating
rules.

“Personal information” encompasses a wide range of information. It is defined in MFIPPA,
in part, as “recorded information about an identifiable individual.” This could include, in
the library context, information on a patron’s borrowing habits, as well as information
related to one’s computer use, including sign-up sheets and information on any Internet
use.

INFORMATION AND PRIVACY COMMISSIONER/ONTARIO December 2002
ANN CAVOUKIAN, Ph.D. COMMISSIONER

Q: Why do libraries need to collect the personal information of library users?

A: Libraries require this information in order to provide library service. Personal
information is collected under the authority of the Public Libraries Act for the
administration of library operations. An example of this is a library collecting your
name and address when you apply for a library card. Libraries need this information
so they can record who has borrowed books or other material. As well, libraries
need to be able to contact individuals who have asked that books or other material
be put on hold for them.

Q: Is there a risk someone can learn which books I have read or which videos I have
borrowed?

A: Releasing personal information, other than in the limited circumstances (see
question 4) set out in the MFIPPA, would violate the Act. For example, a library
cannot disclose to a reporter a list of the books or videos that you have borrowed
without your consent. Libraries also have an obligation to take reasonable measures
to prevent unauthorized access to such records and to dispose of personal
information in accordance with the regulations under that Act.
Personal information that has been used by a library should be retained for one year
after use, or a shorter period set out in a bylaw or resolution made by the library
board. Libraries will, however, maintain a record linking a user to library material,
until the book, videotape or DVD has been returned and any outstanding charges
paid.

Q: Can I see what information my library may have on file about me?

A: In most cases, yes. Under MFIPPA, library patrons have the right to access their own
personal information, subject to very limited exemptions. An example of one of the
exceptions to access is when the information in question is a research or statistical
record.

Q: Are there laws regarding the confidentiality of library records?

A: Yes. Subsection 28(1) of the Public Libraries Act allows people to inspect any
records that the board’s secretary has (a right distinct from the right of access under
MFIPPA). This right, however, is subject to subsection 28(2), which incorporates
all of MFIPPA’s exemptions to the right of access.

In addition, in certain circumstances set out in Part II of MFIPPA, municipal
institutions, including public libraries, are allowed to use and disclose personal
information in the course of conducting their business (as opposed to in the course
of responding to access requests). Section 32 provides that disclosure of personal
information is not permitted except in certain circumstances. The ones that may be
relevant to public libraries include:
(b) if the person to whom the information relates has identified that
information in particular and consented to its disclosure;
(c) for the purpose for which it was obtained or compiled or for a consistent
purpose;
(d) if the disclosure is made to an officer or employee of the institution who
needs the record in the performance of his or her duties and if the
disclosure is necessary and proper in the discharge of the institution’s
functions;
(g) if disclosure is to an institution or a law enforcement agency in Canada
to aid an investigation undertaken with a view to a law enforcement
proceeding or from which a law enforcement proceeding is likely to
result.

Q: What privacy rights do children have? What information about the children’s
library-related activities must be kept confidential and what information can be
given to parents?

A: Children have the same privacy and access rights as adults, except that section 54(c)
of MFIPPA provides that a person who has lawful custody of the individual may
exercise the rights of access of an individual less than 16 years of age. Accordingly,
if a child under 16 would be entitled to access the information, so would his or her
custodial parent.

Q: How can I help safeguard my privacy when accessing the Internet via computers
at public libraries?

A: Using any public computer is not the same as using a computer at your home since
a complete stranger may sit down to use the computer as soon as you leave it.
Depending on the way the library has configured its computers, the next user may
be able to see what Web sites you have visited. In order to prevent this, ask library
staff whether it is permissible to clear the Web browser’s history and cache files to
prevent others from backtracking to the Web sites that you visited.

Q: Do libraries track/monitor which Web sites I visit?

A: If a library collects personal information such as which Web sites an identifiable
patron visits, the library is required, under section 29(2) of MFIPPA, to provide
an appropriate notice of collection to the individual about this practice. Log files
of all Internet library-based activities are routinely kept for a variety of technical
purposes, but are not necessarily associated with any particular user.

Q: Would libraries ever give my personal information to the police, if a request were
made?
A: Section 32 (g) of MFIPPA allows for disclosure “to an institution or law
enforcement agency in Canada to aid an investigation undertaken with a view to
a law enforcement proceeding or from which a law enforcement proceeding is
likely to result.” That section is permissive. In other words, unlike the case of a
library being presented with a valid search warrant, which would make disclosure
mandatory, under section 32(g), the library would be able to exercise its own
discretion regarding whether to release the information to police (in the absence
of a search warrant).

A number of libraries are taking a proactive role by continually educating staff
and library users about library privacy principles, policies and procedures. Some
are taking extra steps to help preserve the privacy of library users by placing
privacy screens around computers. If you have more questions about privacy
matters relating to library use (for example, fundraising and library user records),
please speak with the staff at your local branch or visit the Ministry of Culture’s
Web site: http://www.culture.gov.on.ca/culture/english/culdiv/library/foippa.htm.