Privacy and confidentiality in digital reference.(Current Issues)

In a library, the right to privacy is the right to open inquiry without having the subject of one's interest examined or scrutinized by others. Confidentiality exists when a library is in possession of personally identifiable information ... about users and keeps that information private on their behalf.--American Library Association, "Questions and Answers on Privacy and Confidentiality." (1)

The library community possesses a decades-long history of trying to protect the privacy and confidentiality of library users. The American Library Association (ALA) incorporated this sense of privacy into the ALA Code of Ethics in the early 1960s. This dedication to privacy has faced, and continues to face, challenges from private citizens, the law enforcement community, and numerous technological developments. Among these technological developments can be included the introduction of digital reference services to library users. An important by-product of these services are digital reference records that challenge users' expectation of privacy. This article will attempt to show the relationships between privacy and digital reference records, how privacy can be compromised in the digital reference environment, and what actions librarians can take to maintain the privacy of these records.

The need to protect library patrons' privacy appears to be self-evident, but is not necessarily so. Libraries are public spaces so it is not uncommon for other patrons to overhear a user's reference question, notice what someone is viewing on-screen, or see what books a user is checking out. If users are willing to make their research interests known in such a public space, then why should librarians worry about protecting users' privacy? That question has many possible responses. There is a significant difference between learning one piece of information about a person's research and being able to uncover that person's entire research agenda. Patrons may be comfortable with a librarian knowing their research agenda, but do they want their boss, next-door neighbor, or insurance company to know? Secondly, users routinely divulge their names, e-mail addresses, telephone numbers, and other personally identifiable information (PII) to obtain access to library services. This information must be protected from hackers and others seeking to utilize the data for nonlibrary-related purposes. These examples are pretty obvious. Most privacy challenges arise when privacy rights conflict with other social values. Should parents or guardians be allowed to find out what their children read or what questions the children ask a librarian? Should a librarian notify police if someone requests information about modifying semiautomatic weapons? Can anyone obtain a public library's chat reference transcripts to use for research? After all, the library is a public institution supported by tax dollars. Should libraries routinely destroy records in the name of protecting privacy when the records might prove invaluable to future historians studying the importance of libraries in society? The answers to these questions are not so readily apparent. For this reason, it is important that librarians have guidelines to follow, whether they be laws, codes of ethics, policies, or procedures. This is as true in the digital reference realm as in other aspects of library activity.

Certainly some of the issues discussed in this article are time sensitive. Technological developments will render the privacy features of some chat reference products moot within a year. Chat reference as we know it today may be superseded by more advanced technologies within five years. Other privacy influences, such as the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, may wax or wane in succeeding years.

Patrons' concern for the privacy of their library records will probably increase rather than diminish. The trend toward digital libraries and digital reference services will almost certainly continue. Whatever the future brings in reference services, the author hopes that the broader principles outlined in this discussion will have enduring relevance as the technological, legal, and library environments change over time.

Types of Reference Records and Privacy Features

This discussion encompasses six types of digital reference records derived from digital reference services.

Chat reference garners the greatest interest at present and will be featured in this analysis. For the purposes of this article, chat reference refers to "online, interactive, remote transactions with patrons. In this broad definition, the chat function is essential but it does not exclude other software features utilized by librarians." (2)

E-mail reference antedates chat reference by many years. E-mail records share many privacy concerns with chat reference as libraries often retain the transcripts from both services indefinitely.

Web forms, though one might argue that they are simply a modified version of e-mail, are more structured forms of e-mail. Web forms often gather the same types of PII.

Librarians and computer researchers have been experimenting with automated reference tools for a couple of decades. Only the National Library of Medicine currently runs an automated reference agent. The automated reference agent, named Cosmo, does not require patrons to register or to provide any PII. The librarian only sees a log file of what the patron types. The log file does not record IP addresses or any similar data. If someone really wants to check, it might be possible to link a question with an IP address by matching the log file to transaction logs. (3)

Knowledge bases and some frequently asked questions (FAQs) are really outgrowths of chat, e-mail, and Web forms that attempt to take advantage of previous questions and responses. Librarians (or computer software) strip PII from the chat, e-mail, or Web form records before posting the remaining information to the knowledge base.

Transaction logs chronicle certain elements of reference transactions. Though not strictly reference, these records share many common privacy interests with digital reference records.

Various kinds of private information are gathered during a digital reference transactions. Many privacy elements appear in multiple reference tools. Libraries exhibit wide disparities regarding what types of data they collect. No library gathers all of the data points enumerated in table 1.

The interaction between library user and librarian constitutes the most consistent and important element in digital reference records. This includes the initial question, a reference interview (if conducted), a response from the librarian, and any follow-up questions and responses. The transcript of this interaction may include referrals to other library departments, other libraries, or to individual librarians with appropriate knowledge or subject specialization.

Next in importance, especially from a privacy perspective, is the PII collected when a patron registers. Many libraries request such elements as name, e-mail address, or a form of verification unique to the institution. In a public library setting, the latter may be a zip code, a library user's card number, telephone number, or mailing address. Some institutions collect demographic data such as the status of a user (e.g., graduate student, elementary school student) This serves the dual function of identifying the service's constituency and allowing the librarian to target responses to the user's knowledge level. In consortial settings, users may be required to identify their institutional affiliation. Some data points, such as IP address, browser information, and originating URL, are unique to chat reference.

The identity of the librarian (in this case used generically to represent all persons staffing reference services) staffing the service is the final significant element. Some digital reference services shield the librarian's identity by using a generic appellation (e.g., reference desk). Librarians in other institutions opt to identify themselves as a way to personalize the service. For e-mail reference, this means that anyone viewing the record may learn the librarian's name, work phone number, e-mail address, and anything else a librarian chooses to include in a signature file.

All these delineated elements possess the potential to affect the privacy interests of users and librarians.

Privacy Features of Chat Software Products

When one examines the data elements …