Sunday, 28 July 2019

Library staff as privacy advocates

I was asked by the Princh marketing team to write a guest post for their blog. In my original draft I was mentioning Princh but they politely asked that I do not use them as an example so their name was removed. Here is the version that was published; you can also view it on the Princh blog.

Defending the right to privacy is one of our roles

I personally believe that libraries exist to defend people’s rights to enrich and improve their own lives, their environment and society. We library staff make this happen by facilitating access to and by sharing information, knowledge and culture. We stand for freedom of information and freedom of expression; and, as highlighted in the International Federation of Library Associations and Institutions (IFLA) Statement on privacy in the library environment, “privacy is integral to ensuring these rights”.

As a member of CILIP, the UK library and information association, the ethical principles I have signed up to clearly state that I “make a commitment to uphold, promote and defend […] the confidentiality of information provided by clients or users and the right of all individuals to privacy”.

Because of our profession's commitment to providing access to information that is “a reflection of the plurality and diversity of society [...] free from all forms of ideological, political or religious censorship or business pressure”1, our stance is often mistaken as being neutral. But we are not neutral; this is clear when it comes to privacy. If we do not make efforts to protect citizens' privacy we are in effect allowing others to collect and use the personal data of our users. It is only by taking steps to defend the right to privacy that we can live up to our own ethical standards and our role as a profession.

Leading the way for better data protection

Voluntarily or involuntarily, users of our libraries tell us about themselves, their interests, their financial situation, where they're planning to go on holiday, what health issues they or someone close to them is encountering. Even if we never speak to a library member about any of those things, we could potentially infer them from their borrowing record or Internet browsing history.
We owe it to citizens to make sure we treat this personal information with care, to keep it private by keeping it secure and to be transparent about what we do with it.

Data protection legislation and guidelines express the practical ways in which we should interpret, support and protect the right to privacy. In the European Union we are lucky to have the General Data Protection Regulation (GDPR), which came into force in 2018. GDPR is a fantastic improvement for the protection of citizens' rights. This said, a lot of us are still working on improving our compliance with the Regulation. I see the GDPR principles (as set out in article 5) as a basis for us to work from, whichever country we are based in. It's about making sure that we:
  • know for what specific purpose we want that personal data;
  • collect only the information necessary and keep it only for the time we realistically need to use it;
  • are transparent with citizens regarding how we handle their information and explain it to them in simple words at the time they provide us with their data.
Exercising our rights as individuals

Privacy is about choice. For citizens to be in a position to make an informed choice – about whether to take steps to actively protect their privacy – they need to be aware of the risks to their personal data, of their rights and of what could help them to better protect their privacy.

Are you making informed choices about how your personal data is used?
In Europe it is a legal requirement for websites to tell you whether they are installing cookies – small files within your browser – and what these do. Some cookies collect information to create a profile of you, including where you are and what your interests are.

When you land on a website for the first time and the cookie consent information appears, do you automatically click “Allow all cookies” or do you check first what those cookies are doing? Do you feel that you made an informed decision?

We can promote and defend the right to privacy through having more awareness of it and being the ones to demand more information on how personal data is handled in everyday life. We can do that within our library services; we should also champion those privacy and data protection rights outside of work. I would love it if next time we have to travel to a conference we each asked the train company, the airline and the hotel staff: “Is it mandatory for me to provide that personal information? What do you use it for? How long do you keep it?” And for all the people we interact with to realise: “Ah, the library workers are in town.”

Practising what we preach stand for

I believe we library staff should be privacy advocates. We should publicly show our commitment to the right to privacy and demonstrate best practice in terms of data protection in our own services. We should uphold, promote and defend these rights on behalf of all citizens.

Where do you start?
  1. Learn more about the topic
    If you feel like you need to learn more about rights, practices and tools you may find the library advocate resources on Artefacto's libraryskills.io site useful. It's a “starter collection” I have recently curated (more resources will be added in the future, and suggestions are welcome!)
  2. Make changes in your library service
    You may need to start by asking questions, having discussions with your colleagues – and doing it all over again. Think of the things that would be easier to change first, start with small steps before moving on to bigger pieces of work and more radical changes. I included suggestions of areas to look into in Leading the way : a guide to privacy for public library staff.
  3. Work with partners and suppliers
    We work with others to provide specific services used by staff and citizens. Where do these partners and suppliers stand on the rights to privacy and data protection? Do their practices match our own standards? It is up to us to ask the questions, explain our position and say what changes we want to see.


1 Words borrowed from the Association des Bibliothécaires de France Bib'lib charter of the fundamental right of citizens to have access to and share information and knowledge via libraries, article 1. English version at:http://www.abf.asso.fr/fichiers/file/ABF/biblib/charte_biblib_abf_uk.pdf [Accessed 23/06/19]

Sunday, 24 February 2019

Data4good conference

I am interested in open data and privacy for/in libraries, but I am also aware that I am always learning - and those areas are no exceptions. So I was very excited when in 2018 I was invited to be part of the Data4good conference which took place at the Library of Birmingham on 14 November. Not only was I going to a conference all about data, I was going to be on a panel in the session about responsible data and ethics! 😁

And so, thanks to Pauline Roche and the lovely people at DataKind UK, I went. The Data4good conference was organised by non-profit organisations involved in data work and aimed at fellow charities. I have to admit I was a bit nervous as to what attendees would think of a library person speaking at a conference aimed at the non-profit sector. What helped me (on top of reassurance from the organisers!) was thinking that actually, staff in public libraries and charities have a similar goal: we all work to help people, to improve their lives, society, environment. (And I am sure some of you are also thinking that some UK public library services are operated as/by non-profit organisations.)

Photo of Data4good conference bag and programme


"Combining data geekery with a desire to do good"
The programme was packed. The opening speakers did a great job of setting the tone of the conference and providing examples of using data for good. I am afraid the talk I now remember most is Karl Wilding's (director of policy at NCVO). He stated a few things that were probably obvious for the audience but needed to be said - and while he was talking I kept thinking things like: "This totally applies to the library sector too!" and "I wish library colleagues could hear this!" You can access his notes from the conference programme web page but here are three ideas I picked out:
  • "Think about how you can use data to tell a story, to change people's lives" - it's not about the data, it's what you use it for.
  • Sometimes we as organisations move faster than our members [also read colleagues, stakeholders...] We have to be mindful that not everybody agrees with us, that not everybody thinks this stuff is powerful.
  • On values and data ethics:
"There are a number of standards like GDPR on how we use data; I think as civil society we should go further than that."

Responsible use of data
The session I took part in was entitled How to innovate with data whilst being respectful [click to download the presentation]. I provided a short introduction to online rights and data privacy - how it impacts us as individuals and why it concerns non-profits.

Tom Walker from The Engine Room then gave concrete examples from the charity sector and introduced the Responsible Data Forum. The site is a place for anyone in the sector to get information about using data responsibly. There is also a very active RD mailing list for members of the community to discuss particular points further.

Responsible data definition (slide)
Responsible data definition - slide from Tom Walker's presentation
(click on the image if the text is too small)

If you read one page from the Responsible Data site, I would recommend RD 101: Responsible Data principles by Zara Rahman. Here's an extract that again struck me as particularly relevant for the libraries and information sector, and close to one of the messages I have been trying to promote through my privacy work.
"Holding ourselves to higher standards: In many cases, legal and regulatory frameworks have not yet caught up to the real-world effects of data and technology. How can we push ourselves to have higher standards and to lead by example? 
Working in social change and advocacy means we hold ourselves to a certain set of ideals. Profit isn’t our goal – positive social change is."

But back to the Data4good session: next Amy O'Donnell from Oxfam explained what they'd done to embed responsible data practices within the charity. Oxfam developed their responsible data policy in 2015 and went on to create a training pack for staff.

The training pack includes an "Agree or disagree?" deck of cards meant to get staff thinking - and talking - about responsible data management. Staff are encouraged to explain and discuss why they agree or disagree with the statement on their card. Some example statements:
  • Once we've collected information, it belongs to our organisation and we can do whatever we want with it.
  • Privacy is more important than transparency.
  • To make data anonymous, we should remove all names.

When I run privacy workshops, the moments I find most fascinating is when participants start asking this kind of questions and everyone else pitches in with their opinion and knowledge. I think Oxfam's "Agree or disagree?" cards are a good way to bring people to those debates. I'm already thinking of how I could use some of the cards, with extra statements more specific to libraries, in future workshops.

Oxfam's "Agree or disagree?" card deck
Oxfam's "Agree or disagree?" card deck

Data literacy
After lunch there was a "curiosity and cake" session - a concept close to an unconference with cupcakes. Each table had a pre-defined topic and a facilitator. Participants were asked to collect a cupcake on the way in, then sit at a table that had a topic they wanted to discuss and/or learn more about. I passed many tables I would have been interested in (data ethics and governance, open data sets), but eventually I settled at the data literacy table.

The discussion at the table covered:
  • What is data literacy? We agreed that it is about being able to collect data, use it and analyse it; but being able to do all this in an ethical way. 
  • Why should people be data literate? The answer to this relates to what your organisation is trying to achieve, or what your role is within the organisation. For example, in my library I want citizens to be data literate so they are in a better position to make informed decisions based on raw or visualised data. And I want colleagues to be data literate both so they can better uphold citizens' privacy; and so they make best use of the data we do collect to gain insights into the library service and in turn use these insights to inform their work.
  • How do you work towards uniform data literacy across the organisation? It is very hard to reach all individuals, at different levels of the organisation. We also talked about resources available to teach data literacy to staff in non-profit organisations, such as databasic.io and the IFRC Data Essentials playbook.
  • How can you engage non-data literate people with the importance of becoming data literate? How do we demystify data and data literacy? I mentioned the data days (e.g. Datamorphosis) we'd held at Newcastle City Library in 2016 and the next idea which would be a kind of "data as art" event: helping people feel less intimidated by data sets by making them visualise data through activities they may be more familiar with, such as art and craft. Very helpfully, another participant pointed out that I should plan my event not just around data visualisation but to include a data analysis stage, in which we would ask: "What does this visualisation tell you? What do you think? What should we do about it?"

Icon of a human head with an open box inside it
mind by Adrien Coquet from the Noun Project

Further thoughts
I'm going to stop here with the account from the conference sessions to try and order some of my thoughts instead.

Data literacy is a topic I am getting back into, as I am co-organising Voyage of the Data Treader 2 (a data camp for library staff) next month and I have also committed to organise at Newcastle Libraries another data day for citizens. While writing this blog post I took the time to explore databasic.io and I spotted several activities I would like to adapt and re-use for my own work. The Build a data structure activity is like a short version of the "data as art" event I want to run at Newcastle Libraries, with useful pointers on what to highlight as a facilitator. And I will be proposing Deconstruct a dataviz (perhaps mixed with another activity) as an unconference session at Voyage of the Data Treader; it looks like a great way to talk about what we would want to use library data for and building stories with data.

I recently subscribed to the Responsible Data mailing list, out of curiosity.
Having somewhere professionals from the same sector could talk about matters relating to data protection and citizens' privacy is something I've been discussing with Ben White (British Library) and Fred Saunderson (National Library of Scotland) in the past couple of years. They came up with the idea as they were working to make their organisations GDPR-compliant and thought colleagues across the libraries, archives and museums sectors would be going through similar things and have similar questions.
We thought it would be handy to have one place that curates useful sources of information for the sector(s), but also where colleagues could ask questions with everyone with a bit of experience contributing to the answers. As a result of our conversations we set up an informal group called CHIPA (for Cultural Heritage Institutions Privacy Alliance) with its own website and Twitter account - and yes, there is a mailing list ready. But it hasn't really taken off; one of the reasons for that is our own lack of time to get it moving further.
Now that I see how active the RD list is, there's the question: is something like it needed for our sector? Would a different way to share best practice be more useful? I'd be curious to read your thoughts!