Privacy By Design and the Online Library
Introduction: “Like many industry segments, higher education and public libraries face a business imperative to support more complex online use cases for patrons and partners…. Faculty, staff, students, alumni, and even “walk-ins” (or visitors) may be associated with multiple borrowing or authorizing institutions. Each partner…may also have different entitlements and licensing or other business practices that must be respected.
With the requirement to differentiate from, or add value to, the ocean of free Internet content, libraries must support value-added services or content that are not provided freely to anonymous users. As research and collaboration enablers, they must support these services from discovery to delivery, in some cases providing a level of full-text search without “giving away the farm” to subscribing institutions, customers, or partners.
At the far end of the spectrum for business value and disruption, many businesses, and even individuals, may simultaneously become both consumers and providers …in…“bring your own cloud” and “bring your own identity” environments.”
Privacy and Security Challenges: The article goes on to describe the identity and privacy landscape in the public and academic (online) library environment. It notes that in inter-library loan and other content-sharing arrangements, patrons’ personal data is often shared outright rather than referred to through the InCommon federation or other available mechanisms. It discusses the regulatory landscape briefly and the use of privacy policies to obtain overly broad opt-in from users. The article notes that as libraries seek to add value by striking up relationships with commercial content providers, they risk getting sucked deeper into the seamy ad-tech world of third-party data brokering than their business model really requires.
Hence the need for a Privacy By Design (PBD) Approach: For this part I encourage readers to go directly to the article. If you’re pressed for time, skim through the first part – which I’ve just summarized – until you get to the heading “How Libraries Can Apply the Seven Principles of Privacy By Design.” As I’ve done previously, I used PBD principles here to outline conceptual architecture solutions for a large community, ecosystem or use case such as libraries or personal cloud storage. Although PBD isn’t prescriptive, you’ll see that it’s a great framework to work with and to make more prescriptive for your own use case. For libraries, I prescribe data collection minimization, claims-based federation, de-identification, and options for self-asserted identity and/or pseudonymity, among other things.
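To make those four prescriptions concrete, here is a small added sketch of claims-based federation as a library identity provider might implement it. This is my own illustration, not code from the article, from InCommon, or from any SAML product; the patron record, the partner entity IDs, the attribute-release policy and the signing secret are all constructed for the demo. The idea it shows: the partner never receives a name or email, only a partner-specific pseudonym (in the style of eduPersonTargetedID) plus the entitlement claims its release policy allows, so the same patron is unlinkable across partners and collection at the partner is minimized by construction.

```python
import hashlib
import hmac

# Constructed sample patron directory held by the library's identity provider.
PATRON_DIRECTORY = {
    "u1001": {
        "name": "Alex Example",
        "email": "alex@university.example",
        "affiliation": "student",
        "entitlements": {"urn:example:journal-access", "urn:example:ill-requests"},
    },
}

# Attribute-release policy, keyed by relying party (service provider) entity ID.
# Name and email never appear here: partners get a pseudonym plus entitlement claims.
RELEASE_POLICY = {
    "https://partner-library.example/sp": {"affiliation", "entitlements"},
    "https://journal-vendor.example/sp": {"entitlements"},
}

# Constructed secret for the demo; a real IdP would keep this in managed key storage.
IDP_SECRET = b"constructed-idp-secret-for-demo-only"


def pairwise_pseudonym(internal_id: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Derive a stable, partner-specific opaque identifier for one patron.

    Because the SP entity ID is mixed into the HMAC, the same patron receives a
    different value at each partner, so partners cannot join their records by ID,
    while a single partner sees the same value on every visit (stable accounts).
    """
    mac = hmac.new(secret, f"{sp_entity_id}\x00{internal_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def build_assertion(internal_id: str, sp_entity_id: str, requested=None) -> dict:
    """Return the minimal claim set the IdP releases to this SP.

    The policy is default-deny: an unknown SP gets only the pseudonym. A partner's
    request list can narrow the release further but can never widen it, so asking
    for 'email' releases nothing the policy does not already permit.
    """
    record = PATRON_DIRECTORY[internal_id]
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    if requested is not None:
        allowed = allowed & set(requested)
    claims = {"subject": pairwise_pseudonym(internal_id, sp_entity_id)}
    for attr in sorted(allowed):
        value = record[attr]
        claims[attr] = sorted(value) if isinstance(value, set) else value
    return claims


def sp_authorize(assertion: dict, required_entitlement: str) -> bool:
    """Partner-side check: grant access on an entitlement claim, never on identity."""
    return required_entitlement in assertion.get("entitlements", [])


if __name__ == "__main__":
    partner = "https://partner-library.example/sp"
    vendor = "https://journal-vendor.example/sp"
    a = build_assertion("u1001", partner)
    b = build_assertion("u1001", vendor)
    print("partner library sees:", a)
    print("journal vendor sees:", b)
    print("same patron, unlinkable across partners:", a["subject"] != b["subject"])
    print("vendor authorizes journal access:", sp_authorize(b, "urn:example:journal-access"))
```

The point of `pairwise_pseudonym` is that de-identification and pseudonymity come out of the identifier design rather than out of a contract clause, and the point of `build_assertion` is that data minimization is enforced by the policy table, not by trusting the partner to ask for only what it needs.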
Finally: If you’re interested, I previously wrote a little Privacy By Design backgrounder. There, I covered Dr. Ann Cavoukian’s way of presenting the initiative, which is always inspiring to hear. Since then, Dr. Cavoukian has moved on to a professorial role, but the initiative lives on, with a user forum planned for February 2015.