Research libraries and data privacy
The World Library & Information Congress is large (circa 4000 delegates). It’s large because it brings together librarians from across sectors and from all around the world. Despite the diversity, however, there are some strong commonalities, and these include copyright and freedom of information.
The session ‘Master of contents or How to win the battle over freedom in cyberspace?’ provided a forum for discussion of both of these areas. One of the session speakers, Brent Roe from the Canadian Association of Research Libraries, outlined legislative developments affecting data privacy in Canada. He, quiet rightly, pointed out that as we are opening up or increasing access to information online we are also exposing our users to an increased risk of invasion of privacy. In Canada, it seems the government have made several attempts at imposing Lawful Access legislation, “a term that refers to the legally sanctioned access to information about a person’s identity or activity on the Internet or on cellular phone networks, or even real-time interception of a person’s activity, normally by law enforcement agencies.” At the very least, this type of legislation has implications for libraries in relation to the tracking of searching and downloading of information.
Even without such legislation, the rise of the Internet of Things, social media, and the Cloud means that more data about individuals can be gathered more easily. Of course, as Roe states, libraries should play a role in educating users about data privacy within this new paradigm.
Given that European research libraries are working to help support and be part of the Collaborative Data Infrastructure (CDI), they have an even broader role to play. Libraries need to help ensure that the same rigour they apply to the protection of data they collect on their users is also applied for the users of the CDI. An Authentication, Authorisation, and Accounting Infrastructure (a research passport) is essential for the successful realisation of the CDI because it will facilitate seemless access to information, data, technology, and collaborative infrastructures. But it also raises questions over the exchange of personal data. Our study has revealed both technological and cultural barriers to its implementation, but addressing the issue of data privacy will be the biggest challenge to implementing a research passport.
Federated Identity Management (FIM) is the most practical solution for a research passport but it raises the following questions (among others):
What information can be exchanged with service providers?
How do we deal with providers from outside of the EU (who are not subject to the European Data Privacy Directive)?
Are online identifiers considered to be personal data?
How do we ensure a harmonised approach to data privacy is enforced across member states?
Data privacy is not simply a legislative issue, it is also a trust issue. For researcher to buy in to the CDI they must trust it. Libraries have a role to play in establishing and mediating this trust.