TO WHAT EXTENT IS PRIVACY LEGISLATION REFLECTED IN THE UNIVERSITY LIBRARIES’ PRIVACY POLICIES IN NEW ZEALAND? by LE THI TUONG VY Submitted to the School of Information Management, Victoria University of Wellington in partial fulfillment of the requirements for the degree of Master of Library and Information Studies February, 2008 Acknowledgements I wish to express my sincere thanks to my supervisor, Lynley Stone for her reading, commenting on early drafts of the study, her insightful advice and suggestions that have guided my subsequent revisions as well as her encouragement throughout this project Many thanks to the managers at the eight university libraries in New Zealand for providing the privacy information and documentation Their collaboration has considerably helped me to finish the study in a restricted time Page /78 Abstract University libraries are built on the concept of freedom for users to use the library and to access information and are also places where users’ activities are strictly kept confidential and private as a legislative requirement The main objectives of the study are to find out the legal framework of privacy which governs the New Zealand university libraries’ operations; to explore the state of the New Zealand university libraries’ policies in terms of the protection of their users’ privacy, to seek and identify primary concerns of the privacy policies of New Zealand university libraries Content analysis was used as a research technique to analyse the wording of privacy policies of the eight university libraries of New Zealand which are available on their websites The twelve IPPs of the Privacy Act 1993 can be used as primary cores of a privacy policy and privacy protection procedures of a university library At present, the eight university libraries of New Zealand not have their own privacy policies/ procedures They are following overall privacy policies/ statements of their universities The university privacy policies to some extent follow with the main principles of the Privacy Act 1993, however, they have not reflected clearly and sufficiently the privacy principles of the Privacy Act 1993 The existing university privacy policies are not consistently comprehensive across the libraries’ services and therefore have not been sufficient to prevent the potential privacy risks of the libraries The privacy policy of university libraries should adhere strictly with the twelve IPPs of the Privacy Act 1993 and professional ethical principles, including: display privacy statement prominently, set up procedures to protect library users’ privacy, adopt the relevant legislation and professional library organization Code of Ethics, appoint a privacy compliance officer, develop training privacy program for the library staff and users and conduct privacy audit Keywords: Privacy, privacy legislation, privacy policy, university library Page /78 TABLE OF CONTENTS Abstract Table of contents I INTRODUCTION II LITERATURE REVIEW 2.1 Purposes 2.2 Privacy as a concept 2.3 Privacy legislation of New Zealand 10 2.3.1 Historical background 10 2.3.2 Overview of privacy principles of New Zealand 11 2.4 12 Attitudes of libraries towards privacy 2.4.1 Privacy as a core mission 12 2.4.2 Privacy concerns 14 2.5 Privacy policies of university libraries 15 2.6 Conclusion of the literature review 17 2.7 Theoretical framework 17 III RESEARCH PROBLEM 19 3.1 Problem statement 19 3.2 Research questions 19 3.3 Research objectives 20 3.4 Definitions of terms 20 VI METHODOLOGY 21 4.1 Research paradigm 21 4.2 Research methodology 22 Page /78 4.3 Research technique 24 4.4 Data collection & analysis 26 4.4.1 Data samples 26 4.4.2 Data collection 27 4.4.3 Data analysis strategies 27 V DELIMITATIONS & LIMITATIONS 29 5.1 Delimitations 29 5.2 Limitations 30 VI TIMETABLE TO PERFORM THE STUDY 30 VII FINDINGS AND DISCUSSION 31 7.1 Research question 1: What are the privacy principles of the New Zealand legislation? How are they applied to the university libraries? 7.2 31 Research question 2: How are the principles of New Zealand privacy legislation demonstrated in the university libraries’ policies? 7.2.1 How are the principles of New Zealand privacy legislation 38 38 demonstrated in the libraries’ policies? 7.2.2 What critical factors should be considered when developing the 49 university libraries’ policies? VIII CONCLUSION 53 8.1 Summary of key findings 53 8.2 The future of privacy protection in New Zealand university libraries 54 Page /78 BIBLIOGRAPHY 57 APPENDICES 63 Appendix 1: Gantt Chart of timetable to perform the study 64 Appendix 2: Letter to the university libraries 65 Appendix 3: Letter to the universities’ Information Officers/ Privacy Officers 68 Appendix 4: Privacy policies of the eight universities in New Zealand 71 Appendix 5: Overview about privacy policies of the universities 73 Appendix 6: Comparison on the privacy compliance of the universities’ privacy policies 76 Page /78 I INTRODUCTION Kemp and Moore (2007) indicate that privacy has a very long established history since the ancient time of Socrates, Plato and Aristotle Although these philosophers considered privacy protection unnecessary, they could not deny the existence of privacy Gradually, privacy has been recognized widely In Middle Eastern and some Asian countries, privacy right is not viewed as a basic human right due to the unlimited Governmental control over the people and therefore is not well developed like Western countries (Klosek, 2007) During the mid and late 1990s, privacy became an increasing concern in Western countries due to: (1) their perception of privacy as a human right, (2) the adverse impacts of high technologies, (3) their fear of cross-border data transfer, and (4) the response to the terrorist attack on 9/11 (Klosek, 2007) Many countries, in particular developed countries including United States and European countries, have legislative commitments to privacy (Longworth & McBride, 1994; Moghe, 2003; Pedley, 2006) The Universal Declaration of Human Rights (1948, Article 12) states that “No one should be subject to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation” Protecting the privacy of clients is also one of the most fundamental obligations of professionals, in particular with those who deal frequently with personal information of customers, such as doctors, lawyers, educators, priests, journalists, traders and information/library practitioners (Adams, Bocher, Gordon, & Kessler, 2005) In New Zealand, university libraries have to deal with a significant amount of personal information of users University libraries are also considered as places where users’ activities are strictly kept confidential and private (Bowers, 2006) How New Zealand university libraries comply with privacy legislation in addition to making information accessible for all their users, who are students, academic and administrative staff is still little known This study aims to explore how New Zealand university libraries comply with the privacy legislation to protect their Page /78 users’ privacy right via the formulating privacy policies/ regulations This is a critical issue internationally and nationally in order to protect a fundamental human right, to adhere to the national legislation and to monitor the technology impacts in the university libraries Page /78 II LITERATURE REVIEW 2.1 Purposes The review discusses the concept of privacy and the impacts of privacy in libraries; privacy legislation with its historical background and the most important privacy principles of New Zealand, librarians’ attitudes towards privacy as well as the development of privacy protection policies of university libraries Accordingly, the review attempts to explore the trends and issues surrounding the privacy policies of the university libraries in New Zealand 2 Privacy as a concept Privacy is difficult to define (Adams et al., 2005) and literature shows that the meaning of privacy varies from country to country, even in the same country with different contexts of legislation interpretation In New Zealand, the Privacy Act 1993 defines information privacy principles as applying to all personal information Personal information therefore is considered widely as “information about an identifiable individual” In the United States, privacy has been considered as “a right to be let alone” (Klosek, 2007; Longworth & McBride, 1994) According to a number of authors (Adams et al., 2005; McMenemy, Poulter, & Burton, 2007), the widely acceptable notion is that privacy is the right to prevent the disclosure of personal information to others and may involve both confidentiality and security Nevertheless, privacy has played an important role in the formation of liberal democracies (Kemp & Moore, 2007) University libraries are a part of the borderless society where information transactions and privacy rights often come Page /78 together University libraries may have the pressure to satisfy the increasing academic demands via applying high technology (e.g RFID, websites, virtual reference, cameras etc.) while having insufficient knowledge about the technological mechanisms (Fifarek, 2002) The more information transactions the university libraries conduct via applying high technology, the more personal information they obtain, therefore the development of library policies as a tool to comply strictly with privacy protection principles would be essential Several authors (Adams et al., 2005; McMenemy et al., 2007; Pedley, 2006) point out that the Library & Information Association of New Zealand Aotearoa (LIANZA, 1978), the American Library Association (ALA, 1995), the Canadian Library Association (CLA, 1976) and the Chartered Institute of Library and Information Professionals (CILIP, 2007) all have principles or statements to respect for privacy in dealing with personal information Privacy legislation of New Zealand 3.1 Historical background The New Zealand Government was one of the first in the world to propose the establishment of a Privacy Commissioner in 1975 by law (Stewart, 1999) The recognition of privacy right in New Zealand was adopted for many years from 1974 to 1994, including the most remarkable trends such as the New Zealand Bill of Rights 1990, privacy reports in 1984-1989, the Privacy Bill and Privacy of Information Bill in 1990 and Privacy Commissioner Act 1991 There are two international documents that establish general privacy principles and have had significant influence on privacy legislation in New Zealand, namely the OECD Guidelines of 1980 and United Nations Guidelines of 1990 The OECD guidelines have been adopted in New Zealand via the Privacy Act 1993 ( Privacy Commissioner, 2006) In addition, the European Data Protection Directive 1995 requests all EU member countries to implement its requirements about the Page 10 /78 Appendix GANTT CHART OF TIMETABLE TO PERFORM THE STUDY Appendix Letter to the university libraries [Date] [Name] [Position] [Address] Dear [Sir/ Madam] RE: PRIVACY POLICIES/ DOCUMENTATION OF THE [NAME OF LIBRARY] I am Le Thi Tuong Vy, a post-graduate student of Victoria University of Wellington As a part of the requirements for the Master of Library and Information Studies, I am currently undertaking a research project which is examining the privacy policies of New Zealand university libraries in relation to the contemporary privacy legislation of New Zealand The study is to examine the content of the privacy policies of university libraries in New Zealand which will assist the libraries with a better understanding privacy compliance issues My study focuses on the privacy policies which are applied in the library to protect the privacy of users, who are students, academic and administrative staff Page 65/78 I would be grateful if you would provide me with access to on-line documents or send me hard copies of the library privacy policies The documentation may include the privacy rules, statements, notices, guidelines, staff handbooks, code of ethics or other relevant documents (e.g IT, Human Resources and or Security regulations) which stipulate privacy regulations in dealing with the library’s users If you are not appropriate person for the request, please help me by providing the name and email address of the authorized person in your library who can assist me in this matter The information you provide will be held confidentially The information will not be disclosed in a way that allows the library to be identified and the information will not be used for any other purposes without your prior permission Any photocopying charges or delivery fees arising will be fully reimbursed Should you have any queries or questions, please not hesitate to contact my supervisor or myself via the following addresses: Supervisor Lynley Stone Senior Tutor School of Information Management Victoria University of Wellington Mobile: 027 5200 401 (VUW) 027 290 2843 (Personal) Fax: 09 815 7499 Email: lynley.stone@vuw.ac.nz Page 66 /78 Student Le Thi Tuong Vy C/o School of Information Management Victoria University of Wellington PO Box 600, Wellington Email: vy_letuong@yahoo.com Your assistance would be a great contribution to the success of my research It would be highly appreciated if you could reply to me by 15 December 2007 I look forward to hearing from you Many thanks for your kind assistance Yours sincerely, Le Thi Tuong Vy Page 67 /78 Appendix Letter to the university Information Officer/ Privacy Officer [Date] [Name] [Position] [Address] Dear RE: PRIVACY POLICIES/ DOCUMENTATION OF THE [UNIVERSITY] I am Le Thi Tuong Vy, a post-graduate student of Victoria University of Wellington As a part of the requirements for the Master of Library and Information Studies, I am currently undertaking a research project which aims to examine the privacy policies of New Zealand university libraries in relation to the contemporary privacy legislation of New Zealand My study focuses on the privacy policies which are applied in the library to protect the privacy of users, who are students, academic and administrative staff I understand that the privacy policies of the library must be read and applied in conjunction with the University policy that deals with personal information I have found some of documents in relation to personal information on the University’s web, including: • … • … Page 68 /78 I would be grateful if you have a double check on whether the University has any [other] policies about personal information and provide me with copies of print or electronic documents If you are not appropriate person for the request, I would be grateful if you could pass my request on to the authorized person in the university who can assist me in this matter The information you provide will be held confidentially The information will not be disclosed in a way that allows the library to be identified and the information will not be used for any other purposes without your prior permission Any photocopying charges or delivery fees arising will be fully reimbursed Should you have any queries or questions, please not hesitate to contact my supervisor or myself via the following addresses: Supervisor Lynley Stone Senior Tutor School of Information Management Victoria University of Wellington Mobile: 027 5200 401 (VUW) 027 290 2843 (Personal) Fax: 09 815 7499 Email: lynley.stone@vuw.ac.nz Student Le Thi Tuong Vy C/o School of Information Management Victoria University of Wellington PO Box 600, Wellington Email: vy_letuong@yahoo.com Page 69 /78 Your assistance would be a great contribution to the success of my research It would be highly appreciated if you could reply to me by 28 December 2007 I look forward to hearing from you Many thanks for your kind assistance Yours sincerely, Le Thi Tuong Vy Page 70 /78 Appendix PRIVACY POLICIES OF THE EIGHT UNIVERSITIES OF NEW ZEALAND NAME OF UNIVERSITY PRIVACY POLICIES University of Auckland • Privacy Auckland University of Technology • • • • University of Waikato • Staff Code of Conduct • Privacy Act requests • Personal Info and Privacy Policy Massey University • Privacy Policy • Procedure for collection, use and disclosure of personal information (Privacy Act) • Official Information Policy Web privacy and security statement Internet, Intranet and E-mail Policy Personal Information Information Security Policy • Records Management Policy • Risk Management Policy • Protected Disclosure Policy Victoria University of Wellington • Privacy Policy • Library Statute Page 71 /78 Lincoln University • Privacy Statement 9 9 Collection of Information Use of Personal Information Disclosure of Personal Information Data quality / access • Library regulations and rules 2007 University of Canterbury • Code of Ethics of Library • Privacy Policy University of Otago • Personal Information and Privacy • Discipline Regulations Page 72 /78 Appendix OVERVIEW ABOUT PRIVACY POLICIES OF THE UNIVERSITIES Notes : “9”: Yes “-” : Not found “X” : Not clear “1” : Very good “2” : Good “3” : Need improved University name codes C D E F G No Categories identified A B Does the library have separate privacy policies/ regulation? - In In draft draft - - - - If no, does the library follow the University privacy policies/ statements? 9 9 9 9 Definition of “privacy” and “confidentiality” policies - - - - - - - - Detailed definition of “personal information” X X - X - Does the privacy policy state the role of privacy/ confidentiality in library’s activities? - - - - - - - Are users informed of the library’s practices to protect privacy and risks to their privacy? - - - - - - - Does the policy and procedures observe the 9 9 9 9 Notes H Page 73 /78 twelve IPPs of the Privacy Act 1993? Does the policy conform to other relevant regulations (such as Official Information Act 1992, Guidelines of Ministry of Education, of Ministry of Social Development etc )? - - 9 - Does the current policy align with professional policies (such as LIANZA, IFLA’s privacy statements/guidelines)? - - - - - - - - Duration of the privacy policies - Indefinite - Definite - - - - - - - - Are there exemptions, exceptions or special conditions listed out? - - - - - - - Is there any provision on responding to polices/courts/ government officials’ orders of various types? - - 9 - - - 10 Penalties - - - - - - - 11 Audit/ compliance process for privacy Is there any provision about the role of privacy officer? - - - - - - - - - - - - - Is there provisions for training staff and or users - - - - - - - 12 13 Page 74 /78 about privacy? 14 Ranking the privacy compliance of the policy 3 3 3 Page 75 /78 Appendix COMPARISON ON THE PRIVACY COMPLIANCE OF THE UNIVERSITY PRIVACY POLICIES Notes : “9”: Yes “-” : Not clear A University name codes B C D E F G 9 9 9 - - - - - - - 9 9 - - - 9 9 - - - Is there any prior informed consent to users? Is there any provision about the personal information collected directly from the individual concerned? What measures does IPP the policy mention Storage and about the protection personal information security of security? personal - Physical information - Technical - Operational - On - 9 - - - 9 9 - - 9 9 IPPs Issues Is the collection for a lawful purpose? Is the purpose Collection connected with a of personal function of the information library? Is the information to be collected listed out? Is collection necessary? IPPs 1- Notes H Page 76 /78 - transmission On disposing Does the policy state who may or may not access the personal Access to information information? - - 9 - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9 - - - - - - - - - - - - IPP Does the policy outline the specific conditions under which access may be granted? Is there any personin-charge making decisions on requests? Is there any person handling the complain on request? Does the policy IPPs 7-8 regulate the inform Correction other agencies to the of personal adjustment or information correction of personal information? Does the policy commit that personal information is accurate, up to date, complete, relevant, and not misleading? Does the policy state how to correct inaccurate information? Does the policy IPPs 9-11 mention how long the personal Retention Page 77 /78 information will be and use of kept? personal information Does the policy regard to a recourse for a user if he/she feel personal privacy has been violated in the library? Is there any provision of training for students/ users and staff on protecting personal privacy? Does the policy clearly define in what circumstances the information should be disclosed? IPP 12 Unique identifier Does the policy mention about assigning a unique identifies to an individual ort require the individuals to disclose any his/her unique identifier? If yes, explain why? - - - - - - - - - - - - - - - - - - - - - - - (*) - - (*) National Student Index Page 78 /78 ... of the study is ? ?To what extent is privacy legislation reflected in university libraries? ?? privacy policies in New Zealand? ” In order to address the main research question, the following sub-questions... explored: What are the privacy principles of the New Zealand legislation ? How they are applied to university libraries? Page 19 /78 How the university libraries reflect the privacy principles in their... purpose is to understand how the New Zealand university libraries comply with the privacy legislation via formulating their privacy policies in their organizational context The privacy policies of the