Book Reviews

Managing Data for Patron Privacy: Comprehensive Strategies for Libraries. Kristin Briney and Becky Yoose. Chicago, IL: ALA Editions, 2022. 176p. Paper, $69.99 ($62.99 ALA members) ISBN: 978-0-8389-3828-7.

Not long before I sat down to write this review, Baker & Taylor, a leading content distributor to academic, public, and school libraries, fell victim to a ransomware attack. Though Baker & Taylor remedied the issue within weeks, the incident left those using the service at a standstill. The attack left Baker & Taylor’s clients fearful of interacting with the distributor online and unsure if any customer data was compromised. With security breaches seemingly becoming more commonplace, Kristin Briney and Becky Yoose’s Managing Data for Patron Privacy: Comprehensive Strategies for Libraries arrives at an all-too-important moment to inform library workers of their role in handling patron data. This extensive how-to guide, which spans ten chapters, explores relevant themes impacting library patrons, including the overall security of data, current risks in various library settings, and a given library’s current patron data management process. Rooted in their work in consultancy for research data management and extensive experience in library data in various library settings, Briney and Yoose signal to readers not only a sense of urgency but passion for discussing this critical topic.

Chapter 1, “The Value of Data and Privacy,” discusses the idea that “data has value” and often goes undersecured. Though data collection has seemingly become second nature to library workers, data management’s role is rarely scrutinized. The authors convincingly argue that librarians’ lackluster approach to data management costs patrons their integrity, stating, “When data is breached or leaked, patron privacy is lost” (5).

Before diving into the text, the authors introduce readers to two librarians—one a systems librarian at a public library, the other a science librarian at a university—whose engagement with data makes the claims of the book concrete for readers. Following these librarians throughout this book is a delight as we see their decision-making process based on what was currently happening in their respective libraries and how past practices in data management lead to their decisions. As a former public librarian now in an academic setting, I see the value in including multiple perspectives as examples mentioned throughout the text apply to different library settings.

In chapter 2, “The Data Landscape,” readers are introduced to various pressures that shape the field’s commitments to library patron privacy. Briney and Yoose give examples of federal regulations, many of which have become well known among library workers, including the Freedom of Information Act. Adding these legislative pieces and others will be particularly helpful for those new to working in libraries.

Chapter 3, “Data Inventory,” considers the components of conducting a successful library data inventory. I found this chapter to be incredibly instructive. It includes clear and feasible suggestions for getting started, such as identifying stakeholders, “key people who have knowledge of the relevant data practices (32),” and determining the elements of a data inventory (including the purpose of the data being collected, how long it should be kept, and those who have access to it).

The following chapter on risk assessment makes it clear that not all risk is equal. Though the authors include explanations of threats that are deemed malicious or technical, I especially appreciate Briney and Yoose’s addition of threats that mount over time, arguing that “as data sets grow, there is an increased risk of re-identification and broader damage should a data breach occur. Data growth is not risky in and of itself. Rather, data growth increases other risks” (51).

The authors discuss policy implementation in chapter 5. I can’t be the only one who cringes when the time comes to write effective policy, and this aversion must be why Briney and Yoose include tables throughout that help the reader envision what might be included in institutional policies regarding a library patron confidentiality policy, keeping topics in mind to incorporate in each. In chapter 6, the authors revisit the librarians from the initial case study. The public librarian has created an encrypted drive to store and share patron data from an integrated library system. In contrast, the academic librarian works with library IT and a systems librarian to secure a work laptop and encrypt a USB to move files securely. I found these librarians’ experiences incredibly relatable.

In the remaining chapters, the authors explore data practices after implementing strong policies. Chapter 7 discusses strategies for handling data after a contract with a vendor is not renewed, including that “the vendor should provide confirmation to the library that the deletions were successful” (115). Chapter 8 takes on library assessment and forces readers to think critically about how their assessment aims to minimize harm to minority communities. The authors argue that “…when considering assessment on minoritized groups, it is better to bring impacted groups into the discussion early…” (125). In a predominantly white profession, this is a necessary addition that often goes unacknowledged in the LIS.

In chapter 9, the authors discuss particular privacy training areas for library workers to focus on, ranging from responding to data requests from law enforcement to handling incidents of data breaches. Not to be overlooked, Briney and Yoose give a nod to the well-known Library Freedom Project (LFP) and its Library Freedom Institute. The inclusion of LFP is intentional, acting as an excellent introduction to library workers and LIS students who may be interested in exploring privacy issues in libraries.

The authors conclude by urging readers to remain diligent in their work advocating for patron data privacy, with acknowledgment given to groups and networks available for support and resources.

Kristin Briney and Becky Yoose have written an essential book that serves as a call to action, urging library workers to think critically about what we deem “patron data” and how and why we as library workers manage patron data. Though not required, reading this book in chapter order was extremely helpful. The fact that it can act as a “go-to-this-chapter-to-learn-X” guide allows readers to peruse the topics they are most interested in. If you seek a book that challenges your idea of patron data and your position in managing it while offering real-world, applicable examples as a guide, Managing Data for Patron Privacy: Comprehensive Strategies for Libraries is a must read. — Jasmine Shumaker, University of Maryland, Baltimore County