3/17/2014 update: I went to the Library Committee’s meeting today. Dean Adriene Lim was adamant that she was not trying to avoid Senate review of the new library privacy policy, and that as far as she was concerned the Library Committee was the Senate, since it’s a Senate committee, but that she was fully willing to go through the regular Senate policy on policies.
She said had been told that AVP Chuck Triplett was the “guru” for UO policies, and so she asked him how to proceed. As you can see below, Triplett thought that there was no need for this privacy policy to go through the Senate process. Given that the administration’s motivation for this policy arose out of LibraryGate, or as they now call it, “the incident”, Triplett should have known better than to advise Lim to try and slip this through on the side.
This is from the OSU library’s privacy policy:
Patron information is strictly confidential. It is for the use of library staff only; it can, of course, be divulged to the patron. Patron information is not to be given to non-library individuals, including parents, friends, professors, university administrators, police, FBI, university security staff, or the CIA. Only a court order can require the disclosure of patron records. The university librarian is responsible for compliance with such orders.
Needless to say UO’s proposed new policy (in full below) is a lot weaker:
When a violation of law or established policy is suspected, the Libraries reserves the right to electronically monitor its public computers and network, and/or reveal a user’s identity to institutional authorities and/or law enforcement.
Frankly, it reads as a post-hoc justification for Lim’s decision to disclose my circulation records to the administration. I told Lim I thought this would be problematic, and that she should at least consider having something concrete to take to the Senate about implementing the promises that were made to the Senate about general review of UO’s public records problems, or perhaps something about the documents that were *not* in UO’s Presidential Archives – e.g. athletics money deals – and therefore were lost to history (yes, I did mention Hillary Clinton).
FWIW, the RegisterGuard report on that Senate meeting is here.
… The UO’s new dean of libraries, Adriene Lim, told the gathered faculty on Wednesday that she considers an individual’s right to privacy to be a universal human right.
But she also said that Oregon public records laws “spell out types of records that should be public and available for scrutiny. I’d be the first one to advocate for that openness and transparency.”
Coltrane and Lim said the issue of transparency will be reviewed by university officials after Hershner Hunter completes its investigation. [UO M: I’ve made a public records request to Dave Hubin’s Public Records Office for the contract showing what UO’s Interim General Counsel Doug Park has asked HH to do. No response yet.]
The university will “try to increase openness and transparency as much as we can,” Lim said. Coltrane said he’d bring the university’s Office of Public Records to the table.
Harbaugh said Wednesday that that’s what he had in mind when he sought the presidential documents at the archive – after being thwarted by the public records office.
He said he had no intention of violating student privacy laws or damaging the university.
“I’m trying to make a point about the university’s obsessive secrecy, about how it functions, makes decisions and operates as a public agency,” Harbaugh said.
3/12/2014: AVP Chuck Triplett advises Library Dean Adriene Lim that new Library privacy policy can bypass Senate review
Thanks to several people for leaking this email and proposed policy to UO Matters. Page down to see how it evolves as it gets exposed to the light of day. It’s now circulating on the Senate listserv, and we will be taking steps to
a) ensure Dean Lim does not implement this policy without Senate approval, and
b) ensure Chuck Triplett is monitored, to prevent future attempts to subvert the Policy on Policies.
Still no information on how Lim will deal with public records that were removed from the Presidential Archives by Johnson Hall.
The UO Board reaffirmed the PonP just last week. Triplett didn’t waste any time breaking it:
Date: March 11, 2015 at 9:20:07 AM PDT
To: Adriene Lim
Subject: Library privacy policy draft – latest version
Dear ULC members,
I’ve heard back from Chuck Triplett and he advises me that he doesn’t think our new Privacy Policy rises to the level of an “institutional policy.” This means that the draft would not need to go through more layers of review in the way that other institutional policies are reviewed. He thinks that, after we go through our library-level review, the policy can just be posted on our website.
Library faculty still have until March 16, 2015, to provide input and comments, but I wanted to share with you the latest version of the draft because it contains two new sections that were added last week: 1.) a section was added to address the security cameras we have in our Special Collections & University Archives area. These cameras are not new — they’ve been in place for a while, but the Libraries had not finalized a policy regarding them yet); 2.) a few sentences were added to address the privacy audit and compliance concerns that were raised at our last ULC meeting. When the policy is finalized, the Libraries will conduct an audit of systems and services to make sure that we are complying with our own policy.
If you have any final comments about this latest draft, please let me know by March 16, 2015. Thank you for your help with this.
Best regards,
Adriene
Adriene Lim, Ph.D., MLIS
Dean of Libraries
Philip H. Knight Chair
University of Oregon Libraries
1299 University of Oregon
Eugene, OR 97403-1299
Phone: 541-346-1892
Email: [email protected]
Note: After I sent this email to Lim and cced the Senate listserv, she sent out an email changing her mind and deciding to ignore Triplett, and send this policy through the regular PAC process, which will bring it to the Senate.
Here’s the policy in dispute:
UO Libraries
Privacy Policy
Revised draft 3/9/15 – 11:44 am – Latest revisions highlighted in yellow
- Introduction
The University of Oregon Libraries affirms that privacy is an essential element of intellectual and academic freedom. For its core library functions, the Libraries subscribes to the Code of Ethics of the American Library Association, which states: “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” The courts have upheld the right to privacy based on the Bill of Rights of the U.S. Constitution. Oregon Revised Statute 192.502 (22) exempts from disclosure under open records law the records of a library, including: (a) circulation records, showing use of specific library material by a named person; (b) the name of a library patron together with the address or telephone number of the patron; and (c) the electronic mail address of a patron. This Libraries’ privacy and confidentiality policies are in compliance with applicable federal, state, and local laws.
- Commitment to Our Users’ Rights of Privacy and Confidentiality
This privacy policy explains your privacy and confidentiality rights, the steps the Libraries take to respect and protect your privacy when you use library resources, and how we deal with personally identifiable information that we may collect from our users.
- Notice & Openness
Library users have the right to be informed about the policies governing the amount and retention of personally identifiable information, and about why that information is necessary for the provision of library and other types of services. In all cases, we avoid creating unnecessary records, we avoid retaining records not needed for the fulfillment of the mission and operations of the library, and we do not engage in practices that might place personal information on public view. Information we may gather and retain about current and valid library users include the following:
- User registration information
- Circulation information
- Interlibrary loan information
- Electronic access information
- Other information required to provide library services
When you visit our Web site, we may automatically collect certain information. When you access our website, you can be seen by your IP address. If you’re unsure what this is, you can find out what is my IP online. Some data we collect:
- Domain, country, IP address
- Browser, platform, resolution
- Entrance-exit pages, referrals
- Date, time
- Search terms and search engines
This is standard practice for Web sites, and is not used for any purpose other than to evaluate how we can design the site to best serve your needs.
- Choice & Consent
If you wish to receive some library services, such as borrowing or interlibrary loan privileges, we must obtain certain information about you in order to provide you with a library account. If you are affiliated with UO, the Libraries automatically receives personally identifiable information from campus systems to create and update your main library account. When visiting the Libraries’ Web site, using overnight library access, and/or using our electronic services, you may choose or be asked to provide your name, DuckID/e-mail address and password (although the Libraries has no way to review the password), university/library account number, phone number, or home address. Individuals may also choose to waive the right to keep their circulation records confidential. For example, other patrons may ask who has an item checked out and if confidentiality has been waived, the Libraries will release only the name of the patron with the item checked out. (The confidentiality waiver is available at loan desks.)
- Access by Users
Individuals who use library services that require the use of personally identifiable information are entitled to view and update their information. You may view your personal information online or in person and request that it be updated if it is not correct. (For some services, corrections are made at the campus level if you are a UO affiliate.) You may be asked to provide verification of your identity during these instances. The purpose of accessing and updating your personally identifiable information is to ensure that library operations can function properly. Such functions may include notification of overdue items, recalls, reminders, etc. The Libraries will explain the process of accessing or updating your information so that all personally identifiable information is accurate and up to date.
- Data Integrity & Security
Data Integrity: The data we collect and maintain at the Libraries must be accurate and secure. We take reasonable steps to assure data integrity, including using only reputable sources of data, providing our users access to their own personally identifiable data, and updating data whenever possible.
Data Retention: We protect personally identifiable information from unauthorized disclosure once it is no longer needed to manage library services. Information that should be purged or shredded at regular intervals designated by the Libraries includes personally identifiable information from reference interviews and instruction sessions, and circulation history regarding materials in our library collections. The Libraries retain confidential transcripts from virtual reference sessions, but the majority of those sessions involve anonymous users.
Tracking Users: In order to obtain premium access, we ask affiliated library visitors or Web site users to identify themselves by logging into our systems, and to reveal personal information if they wish to borrow materials, request special services, register for programs or classes, or make remote use of those portions of the Libraries’ Web site restricted to registered borrowers under license agreements or other special arrangements. Additionally, some library e-resource vendors may require users to create accounts to use their sites, but these accounts are not under the Libraries’ control. However, we regularly remove cookies, Web history, cached files, or other computer and Internet use records and other software code placed by users on our library computers.
Cookies: Users of networked computers will need to enable cookies in order to access a number of resources available through the Libraries. A cookie is a small file sent to the browser by a Web site each time that site is visited. Cookies are stored on the user’s computer and can potentially transmit personal information. Cookies are often used to remember information about preferences and pages visited. You can refuse to accept cookies, can disable cookies, and remove cookies from your hard drive. Our library servers use cookies solely to verify that a person is an authorized user in order to allow access to licensed library resources. We will not share cookies information with external third parties. Some library vendors may use cookies for their sites, but these cookies are not under the Libraries’ control.
Security Measures: Our security measures involve managerial and technical policies and procedures, and contractual agreements with system vendors, to protect against loss and the unauthorized access, destruction, use, or disclosure of user data. Our technical security measures to prevent unauthorized access include encryption in the transmission of data where possible, and storage of data on secure servers or computers.
Confidentiality and Staff Access to Personal Data: We will not disclose any personal data we collect from you during reference interviews, instruction sessions, or other activities to any other non-library party except where required by law, established institutional policy, system-related needs (i.e., third-party library service providers who have contractually agreed to maintain user confidentiality), or to fulfill the individual user’s service request. We permit only authorized library staff with assigned confidential passwords to access personal data stored in the Libraries’ computer systems for the purpose of performing library work. The Libraries do not sell or lease users’ personal information to companies, universities, or individuals.
- Enforcement & Redress
The Libraries will not share data on individuals with external third parties, unless required by law or by way of formal contracts with third-party library system vendors who have agreed to maintain user confidentiality. Library users who have questions, concerns, or complaints about the Libraries’ handling of their privacy and confidentiality rights may file written comments with Library Administration. The Dean of Libraries will respond in a timely manner and may conduct a privacy investigation or review of policies and procedures. Only the Dean of Libraries and/or her/his designees are authorized to receive or comply with requests from law enforcement officers, as noted in formal policies and procedures. We will not make library records available to any agency of state, federal, or local government unless a subpoena, warrant, court order, or other investigatory document is issued by a court of competent jurisdiction and is in proper form. We have trained all library staff and volunteers to refer any law enforcement inquiries to library administrators and managers. In order to ensure that our library programs and services are enforcing this privacy policy, we conduct regular privacy audits of our systems and services protocols. Those looking for similar services to ensure that they’re properly handling people’s data and correctly protecting it should check out this site for more information on the matter – https://www.privacyhelper.co.uk/gdpr-consulting. (This highlighted section was added to address a comment made by a ULC member regarding enforcement and training relative to the new policy.)
- Security Cameras
The UO Libraries operates security cameras for the purpose of creating a safer environment for all those who live, work, and visit campus. Use of security cameras enhances existing security measures, deters crime, and functions to protect personal safety and valuable materials and equipment. For more information about the use of security cameras and access to recorded images in the UO Libraries, please see the separate policy on this topic [URL pending].
7. Records Management
The Libraries manage a significant portion of the University’s non-permanent and permanent administrative records. For these functions, we adhere to the University’s Records Retention Schedule and established information security policies, along with the Association of Records Management and Administration’s Code of Professional Responsibility (http://www.arma.org/r2/who-we-are/code-of-professional-responsibility)
8. University Archives and Special Collections
The Libraries manage the University Archives which contains permanent historical records about the University, and Special Collections materials. In the context of managing and providing access to these materials, we adhere to the Society of American Archivists’ Core Values Statement and Code of Ethics for Archivists (http://www2.archivists.org/statements/saa-core-values-statement-and-code-of-ethics). The Libraries’ Special Collections and University Archives (SCUA) unit maintains a separate database and reference file that contain user-registration information, but this information is confidential and will not be shared with external third parties, except in specific, rare law-enforcement situations noted in Section 5.
- Learning Management System
The Libraries manage the University’s learning management system and other enterprise educational technologies and systems. Policies governing these services and their usage include but may not be limited to:
- Student Records Privacy Policy for Students (http://registrar.uoregon.edu/records-privacy)
- UO Acceptable Use of Computing Resources Policy, (https://it.uoregon.edu/acceptable-use-policy)
- Use of Email for Official University Communication Policy (http://policies.uoregon.edu/policy/by/1/01-administration-and-governance/e-mail-use-official-university-communication)
- Guidelines for Official Mass Email, and the Information Security Program (http://policies.uoregon.edu/policy/by/1/01-administration-and-governance/email-guidelines-official-mass-email)
These policies are accessible via the UO IT Web site (https://it.uoregon.edu/acceptable-use-policy) and the University of Oregon policy library.http://policies.uoregon.edu/)
- Violations of Policies and Laws Prohibited and Not Protected
Users must comply with established institutional policies and with the law while using the Libraries’ resources and services. Nothing in this statement prevents the Libraries from exercising its right to enforce established rules or policies; protect its facilities, network and equipment from harm; or prevent the use of the Libraries’ facilities and equipment for illegal purposes. When a violation of law or established policy is suspected, the Libraries reserves the right to electronically monitor its public computers and network, and/or reveal a user’s identity to institutional authorities and/or law enforcement. Staff members are authorized to take immediate action to protect the security of library users, staff, collections, data, facilities, computers, and the network.
Note: This policy has been adapted from the ALA Library Privacy Policy model,
http://www.ala.org/advocacy/privacyconfidentiality/toolkitsprivacy/libraryprivacy, and has been reviewed March 2015 by the ALA Office of Intellectual Freedom, in order to determine adherence to foundational library privacy principles.
How does running a policy past the faculty advisory committee count as sneaking it past the august body of the senate.
I hear an axe grinding.
God forbid, anyone try to codify policy around this place without your (personal) approval.
Play the tune Bill and we will all dance.
Was this policy really run past the faculty advisory committee? Did the committee approve it?
The Faculty Advisory Committee is not the Senate. It has no power to approve policies. It has no role in policies. It has no power to approve anything.
All policies must go to the Senate President, who refers them to the Senate Executive Committee. Policies that involved academic matters (like the use of UO libraries!) go through a process involving the Senate.
The Faculty Advisory Committee is not part of the faculty shared governance process at the University of Oregon. It is simply an advisory committee to the University President, having nothing to do with faculty governance.
Many universities have library privacy policies as local policy – see
http://www.library.tufts.edu/privacyPolicy.html
If you don’t want to follow the link, Tufts, as just one example, has the policy reviewed by University Library Council and General Council.
But if you want to believe there is a plot – more power to you, man.
Bill,
Glad you got my “leaked” email. This should do a lot for the cause of transparency.
Your buddy.
P. S. Love the headline. Really makes this policy seem sinister!
I could be wrong but the last time I checked, the University Library Committee is a Senate Committee and its membership is drawn 100% from the faculty senate.
This comment appears to reflect a misunderstanding of the University’s system of shared governance. Policies that have academic relevance must be brought to the Senate for approval before going to the President for approval and posting. The Constitution forbids the Senate from delegating its authority to any person or committee.
Old Man is right. Here’s a link to the Policy on Policies: http://tiny.cc/zumlvx.
Dean Lim, I don’t know what it was like at your last university but this is Eugene!
Are you hazing the new library dean or something? She’s handling the crappy situation she came into pretty darn well. Sometimes I can’t tell if you are joking in your headlines or just being mean.
As every other commenter has mentioned, this policy is pretty standard but in light of all that’s happened also seems real reasonable if a little late.
Dean Lim is hardly sneaking around when she asks for input from the UO Libraries faculty and the ULC before sharing it with the wider UO community. Also this is library policy, let us make the decisions about it.
Finally, being a jerk about this Dean is hardly going to help us with these issues. She’s doing work that needs doing and she’s attempting to change a culture of putting up with a very opaque administrative team. Also you’re going to have to trust me on this one, but if we need to replace her when she gets done with this crappy working environment our options are *seriously* not good.
Thanks for your comments, however, this is not only a “Library Policy”. It affects everyone who uses the library.It lets the Library share patron’s circulation records with the UO General Counsel. Maybe that’s not as bad as sharing confidential counseling records with the GC, but it’s not good.
Additionally, from the emails I’ve seen, Dean Lim only agreed to take this new privacy policy to the wider UO community *after* I obtained her email to the contrary, and sent it to the UO Senate.
And then there’s the fact she went to Chuck Triplett for advice on this, instead of the PAC or the Senate. She knew how controversial this would be, so she tried to get Triplett’s help hiding it. Pretty bad.
And she won’t make public basic info about the archives unless I pay $210.63: https://uomatters.com/2015/03/library-dean-adriene-lim-wants-210-63-to-produce-archives-docs.html
I’d like to believe she’s better than this – but where’s the evidence?
You know far more than I about public records but I have to pay for Archives documents and I work here. As for the process she took, it seems like it’s anyone’s guess as to the proper way to run these. She’s new here and the UO is insanely Byzantine with its fiefdoms. I’m sure I won’t convince you it’s not nefarious, but seriously, please give her a break.
Like I say, I’m open to convincing, but I need some evidence.
(What do you mean you pay for archives? For paper copies? For digital copies?)
They are free at OSU unless you want them to make copies for you or digitize them. And even then, the first hour of work is free if you just want documents.
Well… it does also cost 25 cents per page if you want to have pages copied. But there is a free page scanner with a USB port.
I have only asked for print copies of things and yes I have to pay for it. See:
http://library.uoregon.edu/special-collections/rates
While it was updated recently, you’ll note the page is an old one, created in 2012. When I was in library school filling these requests was one of my jobs, supported in part by the fees collected for doing so.
As for the process, it seems more than fair that the Dean ask for the opinion of the 100s of us working in the library who will have to use and explain to patrons what our policies are. The ULC seems like a reasonable user group of interested potential patrons. This is all far better than other policy changes where we were just handed them fait accompli. Maybe your department is more democratic, but we are big and complicated. I’d rather send out a policy that was considered by many of us who understand the details than see senate time go towards wordsmithing.
Yet I could swear that our library’s policy used to mirror that of OSU. I remember being told that user info could only be released if the requester had a warrant. If that’s as I remember it, then this is indeed a weakening of the privacy policy.
OSU’s privacy policy is solid. Why can’t the UO library just adopt it too?
I don’t know. I’ll guess that Doug Park wrote a confidential, attorney-client protected opinion explaining it all.
I too think the motivations by the librarians weren’t nefarious, and am happy to forward any input on how the proposed privacy policy might be changed before it is submitted to the Senate.
Also, I propose we put uomatters and Dean Lim in a room together and make you two hug it out.
I’ll have to run that by legal.
Good luck releasing any student info with that policy. FERPA is waiting for the first time it happens.
By the way, whatever happened to the two scapegoat librarians that Dean Lim put on administrative leave while some outside lawyer investigated their “illegal” release of UO archive docs? Have they quietly returned to work or what?
It’s “what”, apparently.
Dean Lim revealed Tuesday that the two librarians will NOT be reinstated.