Questions for the panel debate

Privacy vs Personalisation – Access Lab 2020

Do contracts between publishers and libraries define privacy policies and are those taken into account when setting up institutional access. 

Sebastian: From our perspective as a discovery service, third parties can’t influence/define our privacy policies. 

Peter: I’m not aware that they are yet, comprehensively, although of course, all services will be GDPR-compliant by now. From my intermediary ‘systems / digital services librarian’ role, I’ve added several questions to our workflow for the acquisitions lead to consider when in the initial conversation with a publisher or service, regarding personalization, SAML attribute release, etc.    

Once the student’s data has been resold 50 times it’s difficult to know where it came from.  EU says data should be “proportional”, if a publisher can’t say why it’s stored, then how can you know is “proportional”? 

Sebastian: This is not applicable to Semantic Scholar because we don’t sell or redistribute user data to third parties. 

Peter: I don’t know whether publishers trade data, I’d suspect as in Sebastian’s case that they don’t; just that some appear to be following the tendencies of the ad-driven, silicon valley model of user aggregation and attention engagement, and that this isn’t always in our members’ interests when you consider them as library users. That is, both in terms of user experience terms (an example would be a ‘Buy this’ button when an institutional subscription is already in place, or calls to action to link the institutional account to a personal platform account). Also, when it comes to the compulsory attribute release we see in certain cases, that may not be in their interests in terms of an individual’s right to informed consent.  

I believe under GDPR a data controller/processor does need to be able to say why the data is being stored, and I think in the main this will be in suppliers’ privacy statements. I do agree that the term ‘proportional’ is open to interpretation!    

Agree with Ganesh, surely data privacy starts well before University these days, GCSE level age possibly? 

Ganesh: My view is that data privacy education should start as early as possible, especially considering the plethora of information available to students. Additionally, it is good practice to teach these skills to students about this topic, but they need to be empowered and have agency. It is an interesting point to suggest that this could occur at the time of preparing for GCSEs. However, at that stage, their originality and depth of work does not require accessing numerous sources which need awareness of data privacy. My suggestion is that you provide the students with the resources and the responsibility towards comprehending the complex issues of data privacy which are constantly evolving.  University students are for the most part adults and they are able to contribute to and participate in society in a meaningful way. Introduce them to the pertinent concepts, guide them but let them forge their own paths in the use of modern information technologies. 

Peter: I’d hope so, but I don’t know. I’d agree that in terms of online safeguarding, it’s likely to be heavily emphasized from GCSE stage in the UK. The sorts of questions we’re discussing are more likely to be addressed in GSCE Computer science or Philosophy and Ethics, although I’m not sure how many schools offer these. I know proponents of coding into schools, etc, a few years ago were disappointed that it was made a cross-curricula outcome (therefore, probably sidelined due to lack of time and skills), rather than the compulsory specialized learning unit they’d hoped for. I believe having an informed insight into the material aspects of hardware and software design, as well as the culture and history of computing, is the best position from which to address the ethical questions democratically, but that is a high aspiration and a challenge to everybody! 

There is a lot of discussion about giving consent but how about not giving consent? Can the library and publishers deliver the same student experience without that consent from the students?  

Ganesh: Delivering a consumer experience which is customized requires the input of certain information. I am a firm believer that there is not a hard and fast rule about how much to contribute. I do agree that giving consent is important since it permits the university and publishers to gain insight into what resources are being used and how. When the attributes of this information are shared, there needs to be an initial breakdown about where the data goes and why. Then students will know how important their decision is to publishers and libraries. Consenting gives valuable data which can be analyzed and improve resources which are continually subscribed to and this is obviously important to optimize the student experience but not every attribute needs sharing. In short, I think that the student experience needs the provision of consent, and once the reasons for and against are made by students themselves and a decision is reached, the experience can be richer for all. 

Sebastian: As a discovery service we always ask for consent and give users the opportunity to opt out of receiving our newsletter or personalized emails. 

Peter: First of all, I think there’s an open question about whether individual students *do* have informed consent as yet (see question 2) – is a long privacy statement which very few have read (though legally have agreed to) really doing its job? Is agreement by the university or library to share attributes with a provider with the aim of seamless single sign on an example of giving the student informed consent?  (Though granted, that can be an example of us making an informed choice on their behalf, as in the afternoon talks from librarians at AccessLab2020)? There may be improvements to be made here across the sector and wider culture. But from the perspective of an academic librarian, I think the same user experience without some level of consent wouldn’t be possible without the direct or implied consent (or even desirable – how could we run an online library circulation system without members agreeing to an account?).  

I think that to answer the question meaningfully – to take constructive action -  would require more of an effort on the profession’s part to build tools and come up with creative solutions ourselves and in open collaboration with our providers, our IT staff, maybe even (perhaps most promisingly) academics and our students. Good examples were proposed by Roger Schonfeld a few years ago: https://scholarlykitchen.sspnet.org/2015/07/29/a-single-user-account/.  As it is, I suspect expediting a smooth user / student experience is the overriding consideration for most UK universities, the better-resourced providers *do* deliver this and I’m not aware of any ‘saying no’ to new acquisitions or subscription renewals on the basis of inadequate mechanisms of consent, outside public libraries in the United States.