Meeting Minutes for 11/06/2019

Marmot Privacy, Security, & Accessibility Committee 

Marmot Privacy, Security, & Accessibility Committee Creation - Adam

  • Last fall and early spring, Marmot was confronted with the PIN access issue due to the Lynda.com/LinkedIn change in policy.
  • At that time, it became apparent that there were a number of different factors that Marmot deals with both in terms of providing an ILS or providing Pika, as well as the IT support that we provide to a number of libraries around the state.
  • They deal with these interconnected issues of privacy, security, and accessibility: libraries are consistently mindful of the accessibility of the content and the services they provide while trying to balance security and privacy concerns.
  • It became important to begin having a vehicle for Marmot to operate in a member-driven capacity to make sure they are looking at things that come up regarding privacy, security, & accessibility from a comprehensive perspective rather than making one-off judgment calls in the central office. 
  • All these factors led to the beginning of this group because there are a lot of different elements that this group can tackle, as well as a lot of different directions in which this group can get started.
  • Long term, Adam sees this as a group that Marmot would turn to advise them on policy, on best practices, on procedures, on settings, and on making sure that they are keeping up-to-date with the changing landscape that applies to all libraries.

Committee Discussion

  • One of the reasons that Nicole agreed to chair the committee is because she is part of the Library Freedom Institute that is privacy-focused and trains librarian staff on privacy issues. 
  • What topics or main goals does the group see this committee taking?
    • Sean thinks the main goal is to create solutions for a lot of the problems, and approaching the challenge of IT versus library philosophies.  Sometimes these two go hand-in-hand and sometimes they are at odds, so the goal is finding that middle ground.
    • Finding solutions or best practices that could be recommended to the membership as resources for the members to approach, even if it is individually.
      • One example might be a policy about data destruction where some of the data is at Marmot.  Marmot’s stance is that they do not own the data; it is the library’s data, so how do we create good guidelines for Marmot and for the library’s resources to write policies, practices, and procedures?
    • Brandon added that the current landscape of libraries and patron privacy has big organizations harvesting personal information. He thinks these organizations will realize in the next couple of years that libraries are one of the last few remaining places with housed and protected personal data. If these organizations could get access to that mass amount of information, it would be very sellable data. How do libraries approach that kind of information, and how do they keep it secure with best practices for vendors?  We should keep a watchful eye on who is accessing patron data, and what their current business practices are.
    • Nicole mentioned that patron privacy is an area that she has done a lot of work on through the Library Freedom Institute.  It is interesting to take a look at vendor policies. Most libraries do not realize how much data these vendors are gathering.  
    • Nicole thinks patron privacy and vendor access would be good areas for discussion.  If we make decisions collectively on how we want to proceed, this might help to get vendors to change their policies.
    • Brena mentioned that she was getting ready to do a privacy audit on their library, but circumstances precluded them from finishing.  However, this is something she would like to do, and she wondered if anyone else would also be interested, or whether it would be covered in this committee.  Guidance on this process would be appreciated.
    • Nicole mentioned that she does not have a privacy policy for their library, and would like to work on this as a group. 
    • Nicole shared a link to the http://www.ala.org/advocacy/privacy/toolkit which has a lot of different recommendations. 
    • Brena has looked at the tool kit and mentioned that it provides guidance for staff.
    • Denise chatted that next month the Bemis staff will train on 'Patron Privacy and the Law' presented by Crystal Schimpf, of the Colorado State Library.
    • Nicole thought it would be good to ask Crystal Schimpf to do some training for this group, and to have her advise the group.  Crystal has some really great handouts for the Colorado protection for consumer’s data privacy act.
    • Shana is interested in topics about vendor relationships and how to keep up on what information they may be gathering about patrons. The other topic she would like to see discussed is PIN numbers for accounts.
    • Nicole would like to learn Marmot’s security practices to understand the infrastructure of what goes on behind the scenes, and what we should be expecting with the security measures that are being taken with everyone’s users’ privacy.  It would be a good place to start if that worked for the Marmot staff.
    • Sean thinks Nicole’s idea is a good approach and wondered if JB might want to be part of this committee because he is the System Admin and handles a lot of the infrastructure.  Brandon can speak about Sierra aspects.
    • Brandon wanted to know if Nicole was interested in all the different layers of security for Sierra and all the other services, as well as how Marmot's services interact with each other. Something like a vendor wanting patron authentication?
    • Nicole was not sure how vast all the different pieces that Marmot does for security are, so this information would need to be broken down.  Even just a general overview would be a good place to start. Nicole does not exactly know what she does not know.
    • Brandon thinks that Marmot can probably categorize or summarize the different things they do like things that are secure now and pieces that could be more secure.  
    • Nicole wanted to know if Marmot advised people about their logins to make sure they are secure?
    • Brandon responded that the approach that Marmot has taken is doing what they need to do to be compliant with privacy laws.  With school libraries, Marmot needs to comply with FERPA laws. Marmot started requesting that libraries create their own password reset policy.  Marmot does not have any control over staff turnover and shared logins. If Marmot does not know about staff turnover, they do not know the password needs to be changed. Sierra can be accessed from anywhere, especially with a Sierra Web login.
    • Brandon hopes that this committee can come up with some best practices or standards for Marmot staff to reach out to a library to have them change a password.
    • Nicole asked where the group wants to start.
      • She is hearing a lot of need for best practices around guiding Marmot on how to deal with data or Sierra logins
      • The group wants to talk more about vendors and privacy audits
      • Shana thinks doing a privacy audit would be a good place to start 
        • Next getting an overview from Marmot about what they already do for security
        • Maybe coming up with some guidelines or best practices, or just assessing where the libraries are now with privacy
        • Sean agreed with Shana.  
    • Sean mentioned that if the group is also talking about privacy and data security, it should get a good view of what is already happening, what the group thinks should be happening, and how to get to that point.
    • Nicole agreed with Sean.
    • Nicole wondered how the group wanted to move forward?  Would we want Marmot to let the group know what they are doing, and when they need the group’s advice in different areas?
    • Sean thinks at the next meeting the group could bring in a framework on how the group is approaching privacy and data security.  We can add in components on expectations that libraries should have their own privacy policies, and where we need to strengthen. We are looking at policies that are complementary.  We have a Marmot policy that complements a library policy, but they both have to exist to cover a topic.
    • Brandon mentioned data retention.  He wondered how much data members are comfortable keeping for statistical purposes.
    • Nicole wondered what libraries think about data retention.  For example, Sierra keeps the last patron who checked out an item. That alone has so many different implications since you can have that information on a record for years.
    • Nicole asked if the group should plan their next steps, which include when the group should meet and whether we should start with the Marmot framework for privacy and security.
    • Nicole was thinking the group should meet every other month to quarterly.  The group agreed that every other month sounded like a good start.
    • Denise asked if personal data could be stripped from other data? 
    • Sean replied that it really depends on what set of data you are talking about.  It's taking activity data that is useful but stripping out anything that is personally identifying. It makes the data semi-useful, but you lose some of the benefits of data when you strip out specific things. For libraries, we need to find that balance. There are a lot of things that can be done to de-identify or anonymize data.  We would want to look at ways to get better statistics out of services while keeping the data secure.
    • Denise suggested mid-January for the next meeting and decide at each meeting when to meet next.
    • Action Item: Sean and Brandon will work on a report that they will share before the next meeting. They will put together a list of topics on a priority spreadsheet. 
    • Nicole asked where the group will get access to reports or spreadsheets, or forms where everyone can add ideas,  as well as meeting minutes.
    • Sean mentioned that sharing a folder that lives on the Marmot Google Drive would be difficult.  Sharing a document inside the folder will work.
    • Brandon mentioned that following what we currently have set up for other committees, we could put things on the Marmot website on the committee page.  We would have the meeting recordings, minutes, and links to documents on the committee page. Brandon reminded the group that any meeting minutes, recordings, or documents on the committee page will be public.  
    • Nicole would like the recordings on the committee page.  She asked if it was possible to have a private page for sensitive information? 
    • Brandon replied that Marmot only has Google Docs at the moment.  With Google Docs we could share documentation individually with each of the group members via email. We could put the link on the website, but make it so people need to request access, and Marmot will get a notification.
    • Sean mentioned that at the end of each meeting the group could discuss whether they talked about anything that is sensitive.  Most of the conversation will probably be about best practices, and there will not be any danger in it being made public. There may also be some procedures that we do not want to open to the world.
    • Nicole asked if Sean and Brandon need any help putting things together for the next meeting like having the committee think about certain topics, or what the committee can bring to the table?
    • Brandon mentioned that it would be helpful if group members had password policies to share.
    • Sean mentioned bringing any progress to the table, so we can look at good components that complement what we are doing, and look at holes between a library’s policy and Marmot’s policy.  Where are the gaps that we need to help fill? Some libraries may not even have policies yet.
    • Brandon thinks it would be good to share any Marmot created documentation with the group before the meeting, so it can be discussed at the next meeting.
    • Nicole asked about the best time for the meeting, to avoid anyone from the group having to choose not to attend another scheduled committee meeting.
    • Brandon suggested that if the meeting was on the first Wednesday of the month, it would be after the Discovery Committee meeting from 2 p.m. - 3 p.m. This would be the next meeting on Wednesday, January 8th from 2 p.m. - 3 p.m., which is the second Wednesday since the 1st falls on a holiday.  We could just say that all future meetings are the day after the Discovery Committee meeting, whether it’s the 1st or 2nd Wednesday.  
    • Action Item: Nicole will send out a Doodle Poll asking what dates work best for the next meeting.

Meeting Date: Wednesday, November 6, 2019
Documentation Type: Meeting Minutes
Committees: Privacy, Security, & Accessibility Committee