Print Page | Contact Us | Sign In | Join now
News & Press: News

Advisory note: ‘Contact Tracing’ for librarians and information professionals

07 July 2020  
Posted by: Nick Poole
Advisory note: ‘Contact Tracing’ for librarians and information professionals


CILIP has provided this advisory note in response to the call for libraries and information services, particularly public libraries, to undertake data-collecting activity as part of the Government’s ‘Contact Tracing’ initiative.

This statement has been prepared with reference to the advisory materials provided by the Information Commissioners Office (ICO) and following a discussion with the National Coronavirus Testing Programme team at the Department for Health and Social Care.

CILIP understands that the request to organisations to participate in ‘Contact Tracing’ pertains solely to England. Initiatives are under development in Scotland, Wales and Northern Ireland, but at the time of publication, this guidance is limited in scope to organisations operating in the jurisdiction of England.

Summary

CILIP is supportive of Contact Tracing in principle as part of an overall pandemic response strategy. As the European Center for Disease Prevention and Control (ECDC) states:

“Contact tracing is an effective public health measure for the control of COVID-19. The prompt identification and management of the contacts of COVID-19 cases makes it possible to rapidly identify secondary cases that may arise after transmission from the primary cases. This will enable the interruption of further onward transmission.”

We acknowledge that some library staff and users may not be concerned about the proposed data-collecting activity and that they may actively wish to participate in the Contact Tracing initiative. We further acknowledge the need to be pragmatic in order to minimise further human suffering as a result of COVID-19.

However, we have serious reservations about the fact that preparations for Contact Tracing were not made earlier, and that as a result organisations are being asked to implement the proposed data collecting activity in a way that presents material risks and without sufficient time to address key concerns.

This summary guidance is supported by a downloadable Briefing Note which provides additional context to the information presented on this page.

Conflicts with employer policy

CILIP recognises that your employer may adopt a policy that differs from the guidance provided here, and that you may therefore be asked to implement activities which do not meet the criteria set out below.

While we acknowledge that library staff may not be in a position directly to refuse to implement policies that form part of their employment, we recommend that any librarian or information professional in this position provides a copy of this advisory note to their employer and asks them to ensure that the proposed policy satisfies the criteria provided here.

Key criteria

Our advice therefore is that librarians and information professionals should not participate in the proposed Contact Tracing activity unless the following 7 criteria are met:

  1. No deterrent to library use
  2. No impact on people from marginalised, ‘at-risk’ or vulnerable groups
  3. No impact on safeguarding of children and young people
  4. No detriment to the user’s right to privacy
  5. No ‘cross-contamination’ with other library systems or user information
  6. Sufficient capacity and capability
  7. Legal clarity over the status of volunteers

Detailed note

  1. No deterrent to library use
  2. The data collecting activity must not present a deterrent – whether actual, perceived or implied - to any user wishing to make use of the library. In the case of public libraries, it is potentially unlawful to require a user to provide personal information as a condition of using the library. The Government guidance is clear that the provision of personal information for Contact Tracing is entirely voluntary. However, there remains a significant risk that users will feel ‘obligated by context’ to provide their personal information in a way which undermines the universality and impartiality of the service.

    You should not engage in the requested activity unless you are satisfied that your data-collection methodology (whether in person, via a form or sign-in sheet or through a terminal) is entirely at the library user’s discretion and presents no general impediment or deterrent to use.

  3. No impact on people from marginalised, ‘at-risk’ or vulnerable groups
  4. In addition to the general principle that data-collecting activity must not present a deterrent to library use, the act of requesting personal information on entry and exit from the library may deter people from marginalised or ‘at-risk’ communities, people classed as ‘vulnerable’ or those who may have legitimate cause to mistrust data collection by public authorities.

    You should not engage in the requested activity unless you are satisfied that your data-collection methodology presents no actual or implied deterrent for people from marginalised or at-risk communities or vulnerable people.

  5. No impact on safeguarding
  6. The request to capture personal information about library users includes information pertaining to children and young people.

    Although in situations involving a group (such as a family group) the information may be requested of the ‘lead member’ of the group, there is nevertheless a risk that library staff will be asking children or young people to divulge sensitive personal information in a way that raises concerns over safeguarding and child protection.

    This raises a further consideration that the staff involved in the data-collecting activity should be appropriately trained and, where appropriate, background-checked prior to collecting the personal information.

    You should not engage in the requested activity unless you are satisfied that your data-collection is being undertaken by appropriately-trained staff and in a way that presents no material risk to safeguarding or child protection.

  7. No detriment to the user’s right to privacy
  8. As noted in the guidance document Leading the Way: A Guide to Privacy for Public Library staff, written by Aude Charillon for CILIP and the Carnegie UK Trust:

    “As safe spaces in communities that enable access to information, knowledge and culture, public libraries have a clear role to play when it comes to data privacy. It is important that public library users and library workers feel confident and well informed about how their data is being collated, stored or shared by the library service and its contractors, or by the online services offered in library buildings.
    Public libraries also have a responsibility to enable library users and library workers to make informed decisions in relation to their privacy.”

    The responsibility of individual librarians and information professionals to protect the privacy rights of their users extends beyond the narrow question of what is legal and includes an ethical duty to promote the values and purpose that position public libraries as the trusted and safe hearts of their communities.

    Notwithstanding the fact that it is voluntary, the proposed data-collecting activity represents a potential risk to the individual users’ right to privacy. You should therefore not engage in the requests activity unless you are satisfied that it in no way represents a risk to the privacy of any individual.

  9. No ‘cross-contamination’ with other library systems or user information
  10. Despite the fact that the ICO has indicated that it has adopted a ‘pragmatic view’ on compliance with Data Protection law in support of Contact Tracing, your library or information service nevertheless remains accountable for compliance.

    This means that under no circumstances should there be ‘cross-contamination’ between data collection for the purposes of library tasks (such as data that might be stored in an LMS or as part of an e-lending platform) and data collection for the sole and express purpose of Contact Tracing.

    You should not implement the proposed data-collecting activity where there is a material risk that your organisation’s policy will cause you to use data collected for one purpose, for the alternate purpose of Contact Tracing.

  11. Sufficient capacity and capability
  12. Legal responsibility for compliance with Data Protection law remains with your library or information service, notwithstanding the fact that the data-collecting activity is for the purposes of Contact Tracing.

    This means that you should have adequate capacity and expertise in place to be able to guarantee that the data-collecting activity is legally compliant and that there is no risk to the security or integrity of the data collected.

    You should have sufficient staff to be able to ‘manage’ the data-collecting activity itself, as well as to ensure the security of the information collected. You should be able to implement a reliable Data Retention and Deletion policy which ensures your compliance with the obligation to delete the data (whether in hard-copy or digital format) 21 days after it was collected. You should also ensure that you have appropriate staff in place to comply with the right of the data subject to request access to the data, or that it should be amended or deleted.

    You should not implement the proposed data-collecting activity where you are not confident that sufficient staff are available, or that staff have not been appropriately trained to manage the data-collecting activity in a way that is legally-compliant and does not conflict with the above considerations.

  13. Legal clarity over the status of volunteers
  14. Because the data-collecting activity technically constitutes data processing on behalf of the library, volunteers should not be asked to undertake this activity without both appropriate training and a Volunteer Contract which explicitly references the terms under which the volunteer may undertake data collection on behalf of the library.

    You should not implement the proposed data-collecting activity where doing so relies on the use of volunteer support, where volunteers have not received appropriate training and where there is no Volunteer Contract in place which establishes the legal right of the volunteer to delegate for the library as data processor.

Note

As noted above, CILIP acknowledges the value of Contact Tracing as part of the Government’s overall pandemic response strategy. Our aim in providing this Advisory Note is not to obstruct measures to promote public safety but rather to highlight that the implementation of the proposed data-collecting activity presents serious practical, legal and ethical challenges for libraries and information services which ought to have been considered prior to the issuing of their request.

We hope that given sufficient time, effective data collection can be put in place which protects the individual user’s right to privacy, does not deter anyone from making use of the service and does not create additional and unnecessary legal risk for the library or information service.


Published: 7 July 2020


More from Information Professional

News

In depth

Interview

Insight

This reporting is funded by CILIP members. Find out more about the

Benefits of CILIP membership

Sign Up for our non member newsletter

Contact us