📋
Extracted from Consolidated Report
This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.
Santa Cruz County Grand Jury
• 2018-2019
2018-19 Consolidated Final Report with Responses 107 The 2018–2019 Santa Cruz County Civil Grand Jury Requires that the
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 9 findings
F1
Page 109
The use of Gale Analytics on Demand by Santa Cruz Public Libraries was inconsistent with the library’s long-standing policy on Confidentiality of Library Records (policy 303, adopted February 2006; revised November 2010) and companion document, “Information We Keep About You.” AGREE PARTIALLY DISAGREE – explain the disputed portion x DISAGREE – explain why Response explanation (required for a response other than Agree): Libraries take patron privacy very seriously, and most adhere to the American Library Association’s “Library Bill of Rights” (http://www.ala.org/advocacy/intfreedom/librarybill) which includes VII. All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information. It is with this lens that libraries constantly think about how much data they want to retain in their ILS, and how much they want to share with trusted vendors. SCPL’s former policy stated: The Santa Cruz City County Library System complies with all sections of the State of California Public Records Act (Protection of Library Circulation and Registration Records, Government Code Title 1, Division 7, Chapter 3.5). That is, all registration and circulation records of library users shall remain confidential and shall not be disclosed to any person, local, state, or federal agency except by order of the appropriate superior or federal court. The Library also treats patron requests for reference information and records of patron Internet use as confidential. Further, the Library Joint Powers Authority Board regards any inquiry about library use as an invasion of patron privacy. It prohibits staff from giving information about any library use absent a valid order from a superior or federal court or at the discretion of the Library Director. The common sense exception to this rule is when a law enforcement officer describes a situation involving immediate danger. It is not clear how the use of AOD is inconsistent with the Library’s longstanding policy on Confidentiality. The Companion document, “Information We Keep About You” is actually a web page. It will be updated. The Grand Jury concluded that AOD’s use is “permitted under the 2011–2012 version of California law, provided that the third-party vendors working in service of the library.” (p. 7) Respond by September 23, 2019 110 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
Related Recommendations (1)
R1
Page 118
Santa Cruz Public Libraries (SCPL), in coordination with the Library Advisory Commission (LAC) and Library Joint Powers Authority (JPA) board, should revisit the Library’s revised privacy policy (adopted June 6, 2019) to specifically address the use of data analytics and other tools utilizing patron information. (F1–F4, F7) HAS BEEN IMPLEMENTED – summarize what has been done x HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: The Santa Cruz Public Libraries Joint Powers Authority approved a new patron privacy policy at their June 2019 meeting after a six month consultation process that included staff groups and citizen members of the Library Advisory Commission. The Pacific Library Partnership, a consortium of 42 Bay area libraries, recently received an LSTA grant to develop California specific training workshops and a resource toolkit for libraries on privacy-related topics surrounding library data privacy and digital safety, including privacy policy and procedure best practices, tips for library staff for working with vendors in sharing patron data, and an overview of the data privacy lifecycle in libraries. The goal is to help libraries improve their policies, processes and procedures regarding patron data retention and sharing of data with vendors. PLP hired a data privacy consultant to develop the workshops and related toolkit and anticipates the workshops will take place between January and April of next year. The initial survey of PLP staff identified the top five topics PLP libraries are interested in are Data Privacy Lifecycle Best Practices; Data Retention Policies/Procedures, CCPA and its Implications; Privacy Policies/Procedures and Vendor Contracting, so PLP will be designing training in those areas. The Santa Cruz Public Libraries plan on participating in this training prior to attempting a rewrite of the current policy. Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 119 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
F2
Page 110
The use of Gale Analytics on Demand, or any other data analytics tool, by Santa Cruz Public Libraries is not clearly addressed in the Library’s newly revised policy, Confidentiality of Library Records & Patron Data Privacy Policy (policy 303, adopted June 6, 2019). AGREE x PARTIALLY DISAGREE – explain the disputed portion DISAGREE – explain why Response explanation (required for a response other than Agree): The Library is on the record for discontinuing its use of Gale Analytics on Demand in January 2019. All other third party software products are listed on the Library’s data privacy website. Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 111 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
Related Recommendations (1)
R1
Page 118
Santa Cruz Public Libraries (SCPL), in coordination with the Library Advisory Commission (LAC) and Library Joint Powers Authority (JPA) board, should revisit the Library’s revised privacy policy (adopted June 6, 2019) to specifically address the use of data analytics and other tools utilizing patron information. (F1–F4, F7) HAS BEEN IMPLEMENTED – summarize what has been done x HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: The Santa Cruz Public Libraries Joint Powers Authority approved a new patron privacy policy at their June 2019 meeting after a six month consultation process that included staff groups and citizen members of the Library Advisory Commission. The Pacific Library Partnership, a consortium of 42 Bay area libraries, recently received an LSTA grant to develop California specific training workshops and a resource toolkit for libraries on privacy-related topics surrounding library data privacy and digital safety, including privacy policy and procedure best practices, tips for library staff for working with vendors in sharing patron data, and an overview of the data privacy lifecycle in libraries. The goal is to help libraries improve their policies, processes and procedures regarding patron data retention and sharing of data with vendors. PLP hired a data privacy consultant to develop the workshops and related toolkit and anticipates the workshops will take place between January and April of next year. The initial survey of PLP staff identified the top five topics PLP libraries are interested in are Data Privacy Lifecycle Best Practices; Data Retention Policies/Procedures, CCPA and its Implications; Privacy Policies/Procedures and Vendor Contracting, so PLP will be designing training in those areas. The Santa Cruz Public Libraries plan on participating in this training prior to attempting a rewrite of the current policy. Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 119 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
F3
Page 111
Santa Cruz Public Libraries did not adequately inform its patrons about the Library’s use of Gale Analytics on Demand or obtain their consent for this use. AGREE x PARTIALLY DISAGREE – explain the disputed portion DISAGREE – explain why Response explanation (required for a response other than Agree): “The Grand Jury initiated its investigation amid concern that SCPL may have violated State law by uploading patron data to the AoD cloud. As explained below, recent changes to the California Government Code should put this concern to rest.” (p. 6) The Grand Jury found, “California laws and regulations are silent on the need for libraries to obtain patron consent when engaging third parties.” (p. 5) They also concluded that AOD’s use is “permitted under the 2011–2012 version of the law, provided that the third-party vendors working in service of the library.” (p. 7) Respond by September 23, 2019 112 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
Related Recommendations (3)
R1
Page 118
Santa Cruz Public Libraries (SCPL), in coordination with the Library Advisory Commission (LAC) and Library Joint Powers Authority (JPA) board, should revisit the Library’s revised privacy policy (adopted June 6, 2019) to specifically address the use of data analytics and other tools utilizing patron information. (F1–F4, F7) HAS BEEN IMPLEMENTED – summarize what has been done x HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: The Santa Cruz Public Libraries Joint Powers Authority approved a new patron privacy policy at their June 2019 meeting after a six month consultation process that included staff groups and citizen members of the Library Advisory Commission. The Pacific Library Partnership, a consortium of 42 Bay area libraries, recently received an LSTA grant to develop California specific training workshops and a resource toolkit for libraries on privacy-related topics surrounding library data privacy and digital safety, including privacy policy and procedure best practices, tips for library staff for working with vendors in sharing patron data, and an overview of the data privacy lifecycle in libraries. The goal is to help libraries improve their policies, processes and procedures regarding patron data retention and sharing of data with vendors. PLP hired a data privacy consultant to develop the workshops and related toolkit and anticipates the workshops will take place between January and April of next year. The initial survey of PLP staff identified the top five topics PLP libraries are interested in are Data Privacy Lifecycle Best Practices; Data Retention Policies/Procedures, CCPA and its Implications; Privacy Policies/Procedures and Vendor Contracting, so PLP will be designing training in those areas. The Santa Cruz Public Libraries plan on participating in this training prior to attempting a rewrite of the current policy. Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 119 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
R2
Page 119
SCPL should implement a system for obtaining and managing patron consent for data analytics and other tools that use patron information. (F3) HAS BEEN IMPLEMENTED – summarize what has been done HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe x REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: N/A to the LAC Respond by September 23, 2019 120 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
R8
Page 125
SCPL should offer workshops for patrons to explain how the Library uses patron information and to explore related privacy issues. (F3, F4) HAS BEEN IMPLEMENTED – summarize what has been done x HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: N/A to the LAC Respond by September 23, 2019 126 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission Penal Code §933.05 1. For Purposes of subdivision (b) of §933, as to each Grand Jury finding, the responding person or entity shall indicate one of the following: a. the respondent agrees with the finding, b. the respondent disagrees wholly or partially with the finding, in which case the response shall specify the portion of the finding that is disputed and shall include an explanation of the reasons therefor. 2. For purpose of subdivision (b) of §933, as to each Grand Jury recommendation, the responding person shall report one of the following actions: a. the recommendation has been implemented, with a summary regarding the implemented action, b. the recommendation has not yet been implemented but will be implemented in the future, with a timeframe for implementation, c. the recommendation requires further analysis, with an explanation and the scope and parameters of an analysis or study, and a timeframe for the matter to be prepared for discussion by the officer or director of the agency or department being investigated or reviewed, including the governing body of the public agency when applicable. This timeframe shall not exceed six months from the date of the publication of the Grand Jury report, or d. the recommendation will not be implemented because it is not warranted or is not reasonable, with an explanation therefor. 3. However, if a finding or recommendation of the Grand Jury addresses budgetary or personnel matters of a County department headed by an elected officer, both the department head and the Board of Supervisors shall respond if requested by the Grand Jury, but the response of the Board of Supervisors shall address only those budgetary or personnel matters over which it has some decision-making authority. The response of the elected department head shall address all aspects of the findings or recommendations affecting his or her department. 4. A Grand Jury may request a subject person or entity to come before the Grand Jury for the purpose of reading and discussing the findings of the Grand Jury report that relates to that person or entity in order to verify the accuracy of the
F4
Page 112
Santa Cruz Public Libraries used Gale Analytics on Demand without adequately considering the patron privacy aspects of current California law. AGREE x PARTIALLY DISAGREE – explain the disputed portion DISAGREE – explain why Response explanation (required for a response other than Agree): “The Grand Jury initiated its investigation amid concern that SCPL may have violated State law by uploading patron data to the AoD cloud. As explained below, recent changes to the California Government Code should put this concern to rest.” (p. 6) The Grand Jury found, “California laws and regulations are silent on the need for libraries to obtain patron consent when engaging third parties.” (p. 5) Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 113 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
Related Recommendations (3)
R1
Page 118
Santa Cruz Public Libraries (SCPL), in coordination with the Library Advisory Commission (LAC) and Library Joint Powers Authority (JPA) board, should revisit the Library’s revised privacy policy (adopted June 6, 2019) to specifically address the use of data analytics and other tools utilizing patron information. (F1–F4, F7) HAS BEEN IMPLEMENTED – summarize what has been done x HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: The Santa Cruz Public Libraries Joint Powers Authority approved a new patron privacy policy at their June 2019 meeting after a six month consultation process that included staff groups and citizen members of the Library Advisory Commission. The Pacific Library Partnership, a consortium of 42 Bay area libraries, recently received an LSTA grant to develop California specific training workshops and a resource toolkit for libraries on privacy-related topics surrounding library data privacy and digital safety, including privacy policy and procedure best practices, tips for library staff for working with vendors in sharing patron data, and an overview of the data privacy lifecycle in libraries. The goal is to help libraries improve their policies, processes and procedures regarding patron data retention and sharing of data with vendors. PLP hired a data privacy consultant to develop the workshops and related toolkit and anticipates the workshops will take place between January and April of next year. The initial survey of PLP staff identified the top five topics PLP libraries are interested in are Data Privacy Lifecycle Best Practices; Data Retention Policies/Procedures, CCPA and its Implications; Privacy Policies/Procedures and Vendor Contracting, so PLP will be designing training in those areas. The Santa Cruz Public Libraries plan on participating in this training prior to attempting a rewrite of the current policy. Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 119 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
R3
Page 120
SCPL management and staff, in coordination with LAC and the JPA board, should stay abreast of changes to state law, especially as it concerns patron privacy and evolving technology, and update Library policies and practices in response to such changes. (F4) x HAS BEEN IMPLEMENTED – summarize what has been done HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: Library staff drafted a new policy that was reviewed by several staff groups, the Library Advisory Commission and approved by the Joint Powers Board in June. Library IT developed a web page at: https://www.santacruzpl.org/data_privacy/. It has the library’s policies and a list of third party vendors and their privacy agreements with the Library. The Library has developed a cookies usage statement for patrons visiting our website. SCPL implemented a data breach procedure. Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 121 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
R8
Page 125
SCPL should offer workshops for patrons to explain how the Library uses patron information and to explore related privacy issues. (F3, F4) HAS BEEN IMPLEMENTED – summarize what has been done x HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: N/A to the LAC Respond by September 23, 2019 126 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission Penal Code §933.05 1. For Purposes of subdivision (b) of §933, as to each Grand Jury finding, the responding person or entity shall indicate one of the following: a. the respondent agrees with the finding, b. the respondent disagrees wholly or partially with the finding, in which case the response shall specify the portion of the finding that is disputed and shall include an explanation of the reasons therefor. 2. For purpose of subdivision (b) of §933, as to each Grand Jury recommendation, the responding person shall report one of the following actions: a. the recommendation has been implemented, with a summary regarding the implemented action, b. the recommendation has not yet been implemented but will be implemented in the future, with a timeframe for implementation, c. the recommendation requires further analysis, with an explanation and the scope and parameters of an analysis or study, and a timeframe for the matter to be prepared for discussion by the officer or director of the agency or department being investigated or reviewed, including the governing body of the public agency when applicable. This timeframe shall not exceed six months from the date of the publication of the Grand Jury report, or d. the recommendation will not be implemented because it is not warranted or is not reasonable, with an explanation therefor. 3. However, if a finding or recommendation of the Grand Jury addresses budgetary or personnel matters of a County department headed by an elected officer, both the department head and the Board of Supervisors shall respond if requested by the Grand Jury, but the response of the Board of Supervisors shall address only those budgetary or personnel matters over which it has some decision-making authority. The response of the elected department head shall address all aspects of the findings or recommendations affecting his or her department. 4. A Grand Jury may request a subject person or entity to come before the Grand Jury for the purpose of reading and discussing the findings of the Grand Jury report that relates to that person or entity in order to verify the accuracy of the
F5
Page 113
Santa Cruz Public Libraries used Gale Analytics on Demand without examining the contract for this service, thus raising potential liability issues related to data ownership, data breaches, and patron privacy. x AGREE PARTIALLY DISAGREE – explain the disputed portion DISAGREE – explain why Response explanation (required for a response other than Agree): N/A to the LAC Respond by September 23, 2019 114 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
Related Recommendations (1)
R4
Page 121
SCPL should review the contracts for all third-party digital services used by the Library, including those provided by library consortia. (F5, F6) x HAS BEEN IMPLEMENTED – summarize what has been done HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: N/A to the LAC Respond by September 23, 2019 122 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
F6
Page 114
The contract is unclear and does not contain language that protects the interests of the Pacific Library Partnership, its member libraries, and their patrons. AGREE x PARTIALLY DISAGREE – explain the disputed portion DISAGREE – explain why Response explanation (required for a response other than Agree): N/A to the LAC Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 115 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
Related Recommendations (1)
R4
Page 121
SCPL should review the contracts for all third-party digital services used by the Library, including those provided by library consortia. (F5, F6) x HAS BEEN IMPLEMENTED – summarize what has been done HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: N/A to the LAC Respond by September 23, 2019 122 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
F7
Page 115
The use of Gale Analytics on Demand by Santa Cruz Public Libraries is inconsistent with best practices in the library community regarding patron privacy. AGREE x PARTIALLY DISAGREE – explain the disputed portion DISAGREE – explain why Response explanation (required for a response other than Agree): There are major disagreements within the public library community about the use of big data to improve programs and services. Large libraries systems around the country buy and use AoD and other products like CommunityConnect by CIVICTechnologies. In the Bay area, Sacramento Public used and Oakland Public uses AoD to plan and market programming by branch. Like most government entities, SCPL is faced with a tension between providing relevant and convenient access to its services and the need to ensure the data security and privacy of its users. Respond by September 23, 2019 116 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
Related Recommendations (3)
R1
Page 118
Santa Cruz Public Libraries (SCPL), in coordination with the Library Advisory Commission (LAC) and Library Joint Powers Authority (JPA) board, should revisit the Library’s revised privacy policy (adopted June 6, 2019) to specifically address the use of data analytics and other tools utilizing patron information. (F1–F4, F7) HAS BEEN IMPLEMENTED – summarize what has been done x HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: The Santa Cruz Public Libraries Joint Powers Authority approved a new patron privacy policy at their June 2019 meeting after a six month consultation process that included staff groups and citizen members of the Library Advisory Commission. The Pacific Library Partnership, a consortium of 42 Bay area libraries, recently received an LSTA grant to develop California specific training workshops and a resource toolkit for libraries on privacy-related topics surrounding library data privacy and digital safety, including privacy policy and procedure best practices, tips for library staff for working with vendors in sharing patron data, and an overview of the data privacy lifecycle in libraries. The goal is to help libraries improve their policies, processes and procedures regarding patron data retention and sharing of data with vendors. PLP hired a data privacy consultant to develop the workshops and related toolkit and anticipates the workshops will take place between January and April of next year. The initial survey of PLP staff identified the top five topics PLP libraries are interested in are Data Privacy Lifecycle Best Practices; Data Retention Policies/Procedures, CCPA and its Implications; Privacy Policies/Procedures and Vendor Contracting, so PLP will be designing training in those areas. The Santa Cruz Public Libraries plan on participating in this training prior to attempting a rewrite of the current policy. Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 119 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
R5
Page 122
SCPL should adopt guidelines and practices suggested by the American Library Association with regard to patron privacy and data analytics services. (F7) x HAS BEEN IMPLEMENTED – summarize what has been done HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: The ALA “Privacy Tool Kit,” provides detailed guidance on implementing policies to protect patron privacy. The Library has implemented practices including designating a privacy officer with authority to administer privacy policies, reviewing privacy clauses in contracts with third-party vendors, and conducting privacy audits. ALA recommends that contracts with third-party vendors contain language that explicitly protects the interests of the library and the privacy of its patrons. The Library is currently reviewing their contracts with vendors. Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 123 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
R6
Page 123
SCPL should designate a data privacy officer and give this officer full authority and responsibility to implement and enforce the privacy policy, and to periodically report to the SCPL director, JPA board, LAC, and the public. (F7) x HAS BEEN IMPLEMENTED – summarize what has been done HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: N/A to the LAC Respond by September 23, 2019 124 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
F8
Page 116
Santa Cruz Public Libraries used Gale Analytics on Demand without adequately evaluating the effectiveness of the tool. AGREE x PARTIALLY DISAGREE – explain the disputed portion DISAGREE – explain why Response explanation (required for a response other than Agree): N/A to the LAC Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 117 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
Related Recommendations (1)
R7
Page 124
SCPL should perform a meaningful evaluation of any tool that uses patron information to determine if the benefits outweigh the risks to patron privacy. (F8) x HAS BEEN IMPLEMENTED – summarize what has been done HAS NOT BEEN IMPLEMENTED BUT WILL BE IMPLEMENTED IN THE FUTURE – summarize what will be done and the timeframe REQUIRES FURTHER ANALYSIS – explain scope and timeframe (not to exceed six months) WILL NOT BE IMPLEMENTED – explain why Response explanation, summary, and timeframe: N/A to the LAC Respond by September 23, 2019 2018-19 Consolidated Final Report with Responses 125 Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
F9
Page 117
The use of Gale Analytics on Demand by Santa Cruz Public Libraries has created disagreement among Library staff concerning the traditional responsibility of libraries to protect patron privacy, the validity of data analytics as a planning tool, and potential security vulnerabilities of the system. x AGREE PARTIALLY DISAGREE – explain the disputed portion DISAGREE – explain why Response explanation (required for a response other than Agree): N/A to the LAC Respond by September 23, 2019 118 Santa Cruz County Civil Grand Jury Patron Privacy at Santa Cruz Public Libraries Library Advisory Commission
No recommendations for this finding