To what extent is privacy legislation reflected in the university libraries privacy policies in new zealand

study are to find out the legal framework of privacy which governs the New Zealand university libraries’ operations; to explore the state of the New Zealand university libraries’ policie

February, 2008

by

LEGISLATION REFLECTED IN THE UNIVERSITY LIBRARIES’ PRIVACY POLICIES IN NEW

ZEALAND?

Submitted to the School of Information Management,

Victoria University of Wellington

in partial fulfillment of the requirements for the degree of

Master of Library and Information Studies

LE THI TUONG VY

project

Many thanks to the managers at the eight university libraries in New Zealand for providing the privacy information and documentation Their collaboration has considerably helped me to finish the study in a restricted time

study are to find out the legal framework of privacy which governs the New Zealand university libraries’ operations; to explore the state of the New Zealand university

libraries’ policies in terms of the protection of their users’ privacy, to seek and

identify primary concerns of the privacy policies of New Zealand university libraries Content analysis was used as a research technique to analyse the wording of privacy policies of the eight university libraries of New Zealand which are available on their websites

The twelve IPPs of the Privacy Act 1993 can be used as primary cores of a privacy policy and privacy protection procedures of a university library At present, the eight university libraries of New Zealand do not have their own privacy policies/ procedures They are following overall privacy policies/ statements of their

universities The university privacy policies to some extent follow with the main principles of the Privacy Act 1993, however, they have not reflected clearly and sufficiently the privacy principles of the Privacy Act 1993 The existing university privacy policies are not consistently comprehensive across the libraries’ services and therefore have not been sufficient to prevent the potential privacy risks of the

libraries The privacy policy of university libraries should adhere strictly with the twelve IPPs of the Privacy Act 1993 and professional ethical principles, including: display privacy statement prominently, set up procedures to protect library users’ privacy, adopt the relevant legislation and professional library organization Code of Ethics, appoint a privacy compliance officer, develop training privacy program for the library staff and users and conduct privacy audit.

Keywords: Privacy, privacy legislation, privacy policy, university library

2.3.2 Overview of privacy principles of New Zealand 11

V DELIMITATIONS & LIMITATIONS 29

7.1 Research question 1: What are the privacy principles of the New

Zealand legislation? How are they applied to the university

7.2 Research question 2: How are the principles of New Zealand

privacy legislation demonstrated in the university libraries’

7.2.1 How are the principles of New Zealand privacy legislation

demonstrated in the libraries’ policies?

38

7.2.2 What critical factors should be considered when developing the

university libraries’ policies?

49

8.2 The future of privacy protection in New Zealand university

I INTRODUCTION

Kemp and Moore (2007) indicate that privacy has a very long established history since the ancient time of Socrates, Plato and Aristotle Although these philosophers considered privacy protection unnecessary, they could not deny the existence of privacy Gradually, privacy has been recognized widely In Middle Eastern and some Asian countries, privacy right is not viewed as a basic human right due to the unlimited Governmental control over the people and therefore is not well developed like Western countries (Klosek, 2007) During the mid and late 1990s, privacy became an increasing concern in Western countries due to: (1) their perception of privacy as a human right, (2) the adverse impacts of high technologies, (3) their fear

of cross-border data transfer, and (4) the response to the terrorist attack on 9/11 (Klosek, 2007) Many countries, in particular developed countries including United States and European countries, have legislative commitments to privacy (Longworth

& McBride, 1994; Moghe, 2003; Pedley, 2006)

The Universal Declaration of Human Rights (1948, Article 12) states that “No one should be subject to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation” Protecting the privacy

of clients is also one of the most fundamental obligations of professionals, in particular with those who deal frequently with personal information of customers, such as doctors, lawyers, educators, priests, journalists, traders and

information/library practitioners (Adams, Bocher, Gordon, & Kessler, 2005)

In New Zealand, university libraries have to deal with a significant amount of

personal information of users University libraries are also considered as places

where users’ activities are strictly kept confidential and private (Bowers, 2006) How New Zealand university libraries comply with privacy legislation in addition to making information accessible for all their users, who are students, academic and administrative staff is still little known This study aims to explore how New

users’ privacy right via the formulating privacy policies/ regulations This is a critical issue internationally and nationally in order to protect a fundamental human right, to adhere to the national legislation and to monitor the technology impacts in the university libraries

II LITERATURE REVIEW

2.1 Purposes

The review discusses the concept of privacy and the impacts of privacy in libraries; privacy legislation with its historical background and the most important privacy principles of New Zealand, librarians’ attitudes towards privacy as well as the development of privacy protection policies of university libraries Accordingly, the review attempts to explore the trends and issues surrounding the privacy policies of the university libraries in New Zealand.

2 2 Privacy as a concept

Privacy is difficult to define (Adams et al., 2005) and literature shows that the meaning of privacy varies from country to country, even in the same country with different contexts of legislation interpretation

In New Zealand, the Privacy Act 1993 defines information privacy principles as applying to all personal information Personal information therefore is considered widely as “information about an identifiable individual” In the United States, privacy has been considered as “a right to be let alone” (Klosek, 2007; Longworth & McBride, 1994) According to a number of authors (Adams et al., 2005;

McMenemy, Poulter, & Burton, 2007) , the widely acceptable notion is that privacy

is the right to prevent the disclosure of personal information to others and may involve both confidentiality and security

Nevertheless, privacy has played an important role in the formation of liberal democracies (Kemp & Moore, 2007) University libraries are a part of the

together University libraries may have the pressure to satisfy the increasing

academic demands via applying high technology (e.g RFID, websites, virtual reference, cameras etc.) while having insufficient knowledge about the technological mechanisms (Fifarek, 2002) The more information transactions the university libraries conduct via applying high technology, the more personal information they obtain, therefore the development of library policies as a tool to comply strictly with privacy protection principles would be essential Several authors (Adams et al., 2005; McMenemy et al., 2007; Pedley, 2006) point out that

the Library & Information Association of New Zealand Aotearoa (LIANZA, 1978),

the American Library Association (ALA, 1995), the Canadian Library Association (CLA, 1976) and the Chartered Institute of Library and Information Professionals (CILIP, 2007) all have principles or statements to respect for privacy in dealing with personal information

2 3 Privacy legislation of New Zealand

2 3.1 Historical background

The New Zealand Government was one of the first in the world to propose the establishment of a Privacy Commissioner in 1975 by law (Stewart, 1999) The recognition of privacy right in New Zealand was adopted for many years from 1974

to 1994, including the most remarkable trends such as the New Zealand Bill of Rights 1990, privacy reports in 1984-1989, the Privacy Bill and Privacy of Information Bill in 1990 and Privacy Commissioner Act 1991 There are two international documents that establish general privacy principles and have had significant influence on privacy legislation in New Zealand, namely the OECD Guidelines of 1980 and United Nations Guidelines of 1990 The OECD guidelines have been adopted in New Zealand via the Privacy Act 1993 ( Privacy

Commissioner, 2006) In addition, the European Data Protection Directive 1995 requests all EU member countries to implement its requirements about the

establishment of statutory privacy control It also applies a strict approach to notice, consent, accuracy and access of information Although the EU Directive is not obligatory to New Zealand, its provisions influence significantly the privacy compliance in this country because of its privacy ideals to specific industry conditions (Alderdice, 2000) The information privacy principles in the Act are associated closely with the concepts identified in the OECD guidelines In addition, the principles of the Privacy Act 1993 are also similar to regulations stipulated in relevant European privacy laws (Stewart, 1999) This implies that there is a high level of consistency in these laws across countries

In New Zealand, like some other countries, the Privacy Act 1993 has an interrelationship with other relevant laws on the handling of personal information These include the Archives Act (1957), Public Record Act (2005) and Official Information Act 1982 (Privacy Commissioner, 1998) This shows that privacy protection is a nationally legislative requirement in New Zealand and therefore university libraries must adhere to it strictly.

2.3.2 Overview of privacy principles of New Zealand

The Privacy Act 1993 consists of twelve privacy principles on personal information held by “agencies” Subsequently, “agencies” are defined widely in the public and private sectors They include all individuals as well as companies, banks, insurance organizations, medical centers, local councils and governmental departments (Longworth & McBride, 1994) In summary, the core principles of the Privacy Act

1993 stipulates “the rules on the collection, storage, security, accuracy, use and disclosure of personal information as well as an individual’s rights to access, and correct personal information” (Longworth & McBride, 1994, p 49)

Everyone and all entities in New Zealand are subject to the same privacy principles through the Privacy Act 1993 The Privacy Act 1993 provides the legal framework

in respect of privacy protection in New Zealand Various industrial sectors such as health, banking and marketing specify privacy principles to be appropriate their functional and operational organizations (Longworth & McBride, 1994) University libraries also have distinctions on their functions and operations and therefore how properly they control the privacy issues and reflect the privacy legislation in their

policies is a useful and necessary issue to explore This is for an in-depth

understanding of the privacy compliance issues and to construct a privacy policy as

a good tool for both legislative compliance and operational control purposes in

university libraries

2.4 Attitudes of libraries towards privacy

2.4.1 Privacy as a core mission

Privacy is a core mission of the behaviour of professionals, including librarians, because “it serves the public good by ensuring that we can communicate our needs

in an atmosphere of trust without sanction” (Adams et al., 2005, p 157)

Most of the literature indicates that privacy is a key concern for the library profession all over the world Libraries acquire information from a wide range of sources and then are to serve as “storehouses of knowledge” for popular use (Hafner

& Sterling-Folker, 1993, p.17) but librarians also commit to protect their users and visitors (Falk, 2004) McMenemy et al (2007) confirm that the right to user privacy should be respected

Many authors (Falk, 2004; McMenemy et al., 2007; Pedley, 2003) confirm that librarians understand the user-centered principle of their library’s missions so they recognize the importance of the guarantee of the security of users’ personal

information Privacy is regulated in most of the ethical codes or professional statements of library associations Davies (1997), when investigating privacy

protection in academic libraries in UK, found that that most of the librarians, in particular senior managers of such libraries, have recognized the legal

responsibilities of privacy protection and 91% of the education sector designated an employee to monitor privacy issues Sturge, Tenf & Ilife (2001), in an investigation

of digital libraries in UK, found that the privacy of information users has been treated in high regard by librarians as well as the public Adams et al (2005) also agree librarians appreciate the concepts of privacy, recognizing what constitutes a privacy violation, and understanding the librarian’s legal and ethical duties and recognize the importance of privacy protection Trushina (2004) confirms that librarians are aware of their legal and moral obligations and take responsibility to protect users’ information seriously

Sturges (2002), via a series of investigations from 2000 and 2001 by Loughborough University’s Department of Information on awareness of privacy issues and practice

of librarians of academic and special libraries and users of academic libraries in UK, indicates that users are very confident that their privacy is “safe with the librarians” but librarians did not consider the privacy protection as a high rated mission The quality of service to the library’s users was the highest priority of libraries and the computer system managers have not fully shared the librarians’ concerns on the privacy issues (Sturges, 2002) Sturges et al (2003), by distributing questionnaires to one thousand academic and special libraries, carrying out interviews with 400 educated users and representatives of 14 software supplier companies, also found that nearly one third of investigated libraries in United Kingdom had no privacy policy Therefore, the privacy protection in such libraries needs to be improved and Sturges (2002) emphasizes that they should develop good privacy policies to protect the users’ privacy effectively

Nevertheless, most of literature indicates that privacy is considered as one of the most important mission of library professionals In university libraries, the

professional value is very important so the privacy protection should be treated in high regard and regulated specially in the library’s policy

2.4.2 Privacy concerns

The Library community has recognized the importance of privacy protection for users’ information in compliance with both ethical and legal obligations Sturges et al.(2003), Adams et al (2005) and McMenemy et al.(2007) alert that information is treated as a commodity which has value to the owners and receivers and can be bought and sold Accordingly, there is a risk that major personal information would

be of interest to commercial purposes For example, Amazon.com is a bookselling business sector with a high interest in library user data ( Sturges, Teng, & Ilife, 2001) The identifying number of users visiting the host's website via a tracking cookie may also be sold for advertising purposes It shows that the financial pressures under which libraries struggle may possibly “be alerting librarians to the commercial potential of the data that is in their archives” (Sturges, Teng, & Ilife,

2001, p 396) The application of high technology in libraries has also dramatically affected libraries’ user privacy issues Integrated library systems, electronic

resources, emails, websites, virtual reference, inter-loan systems and library proxy servers collect a massive amount of users’ information and cause increasing concerns in privacy protection (Chmara, 2001; Coombs, 2004, 2005; Fifarek, 2002; Sturges et al., 2001) Falk (2004) and Butter (2007) found that current standards do not offer a platform for secure RFID systems and have several vulnerabilities that may cause high risks of privacy for libraries’ users Conversely, some researchers (Adams et al., 2005; Fifarek, 2002; Lichtenberg & Molnar, 2005) maintain privacy issues arising from technology applications are not particularly problematic as technology would also bring solutions to privacy issues via their well-established safeguard functions

By raising many privacy concerns, the literature shows that privacy protection in libraries in general and university libraries in particular is not an easy mission The more high technology university libraries implement the more difficulties they have

to face in privacy protection Libraries have more challenges in both legal and moral aspects after September 11, 2001 When the privacy of their users is threatened, librarians should adjust their policies for ensuring user privacy

Therefore, a further examination of privacy policies of university libraries in New Zealand is helpful to develop effective privacy policies of the library community in New Zealand

2 5 Privacy policies of university libraries

Most of researchers emphasize that beliefs in privacy rights are the main influences

on libraries’ users’ concerns and suggest that libraries should have clear policies that state what librarians can and can not do in compliance with legal and ethical aspects (Adams et al., 2005; Buchanan, Paine, Noison, & Reips, 2007; Yao, Rice, & Wallis, 2007) University libraries are no exception to this matter

Many recommendations of privacy protection policies of libraries have been proposed, such as establishing record retention policies (Vaughan, 2007), referring

to the guidelines of the library associations like the privacy tool kit of ALA, performing frequently privacy audits (Adams et al., 2005; Longworth & McBride, 1994) or referring to guidelines of privacy policies of other sectors (Nicholson & Smith, 2007)

It is understandable that all libraries are subject to similar privacy principles and also challenged by similar privacy concerns However, Adams et al (2005) note that there are some differences in terms of development of privacy policies among public, school and academic libraries due to the differences of such libraries’

functions

Academic libraries have been transforming from traditional libraries to based ones The transition from print resources to digitized or electronic ones has remarkable implications for academic libraries (Davies, 1997) and the privacy risks , such as personal surveillance through electronic facilities, the unintentional

computer-disclosure of users’ information via websites, virtual reference services and the ambiguity between privacy and public spaces, are also increasing and will not be limited to a single university library (Adams et al., 2005) In academic libraries , Adams et al (2005) insist that privacy threats are seen as threats to academic freedom that are highly valued to scholarship and teaching in academic environment There is a close relationship between a university’s policy and its library policy The academic library is essential to the mission of its university, therefore academic libraries must consider university privacy policy as well as the policies and practices of relevant departments (e.g IT, Human Resources, Security, Internal Audit) when formulating the library’s privacy policy

Generally, the issue of privacy has not been a major priority for libraries’

management (Sturges et al., 2003) In particular, Davies (1997) found that the privacy protection in university libraries is not sufficient as expected In his investigation of the assessment of awareness of privacy of 90 university librarians in

UK, nobody confirmed awareness as very good and only four as good

Approximately, two thirds of respondents described staff awareness as adequate and

a third rated it as poor According to Adams et al (2005), one content analysis of over thirty academic library policies in United States was done This research found that most of the privacy statements/ procedures of such libraries have essential elements for ensuring privacy right, such as commitment to privacy protection of library users, reference to ethical regulations, identification and statements about information to be collected and used and procedures to protect user’s privacy These findings are really useful to determine the essential parts of a privacy policy of a university library.

Most of the research on privacy policies of academic libraries has been performed in the United Kingdom or United States In New Zealand, no similar research about the privacy protection policies in university libraries is found Therefore, further

investigation on how effectively the New Zealand university libraries’ policies deal with privacy issues and whether there are common privacy elements of policies of such libraries with university libraries of other countries is essential

2.6 Conclusion of the literature review

Obviously, privacy protection is essential for libraries and considered as a core mission of librarians, in particular in academic libraries However, not much research has been done on the privacy issues in the context of libraries

Most of the found researches in relation to privacy concentrate to the level of awareness and the responses of libraries to privacy legislations and were done in United Kingdom or other countries Very little literature which analyzes the contents and the effectiveness of privacy policies of library has been done, in particular in the context of New Zealand libraries as a whole and university libraries in particular It

is timely to explore how effectively the university libraries of New Zealand reflect the privacy legislation via setting up and developing their privacy protection policies

2.7 Theoretical framework

The literature review shows that concern for privacy results from the enforcement

of privacy legislations and the ethics of library professionals (Falk, 2004;

Lichtenberg & Molnar, 2005; Lipinski, 2002)

In respect of legislative aspects, the Privacy Act 1993 of New Zealand promulgated twelve information privacy principles which govern all public and private

organizations in the country These privacy principles focus on two main aspects

which have considerably influenced university libraries These are (1) collecting and obtaining information and (2) using, disclosing and retention of information

Accordingly, the Privacy Commissioner of New Zealand issued the Privacy Impact Assessment Handbook which is considered a valuable checklist for identifying essential components of a privacy system (Privacy Commissioner, 2007)

As well as these national guidelines, in respect of professional ethics, the

International Federation of Library Associations (IFLA) and the Library &

Information Association New Zealand Aotearoa (LIANZA) have also proclaimed their privacy statements to defend the privacy in the context of libraries (IFLA, 2007; LIANZA, 2007) However, these statements mainly reiterate the privacy legislative principles

Therefore, in this study, the Privacy Act 1993 and the Privacy Impact Assessment Handbook of New Zealand will be used as a theoretical framework for this study

III RESEARCH PROBLEM

3.1 Problem statement

The literature review shows that the privacy protection is a core mission of libraries

in general and university libraries in particular Privacy is not only an internationally vital human right but also a nationally legislative requirement Furthermore, in university libraries where there are enormous academic demands and maximized technological application and privacy threats are seen as threats to academic freedom that are highly valued to scholarship and teaching in academic environment ( Adams et al., 2005), the privacy protection should be a priority of the libraries’ operations

However, most of the research on privacy of academic libraries has been conducted

in the United States and United Kingdom No similar research is found in New Zealand Therefore, the problem being addressed in the study is how the New Zealand university libraries protect their users' personal information via establishing written privacy policies in compliance with the privacy legislation

2 How do the university libraries reflect the privacy principles in their policies/ regulations?

• How are the principles of New Zealand privacy legislation demonstrated in the libraries’ policies?

• What critical factors should be considered when developing the libraries’ privacy policies?

3.3 Research objectives

The objectives of the study are:

• To find out the legal framework of privacy which governs the New Zealand university libraries’ operations;

• To explore the state of the New Zealand university libraries’ policies in terms of

the protection of their users’ privacy

• To seek and identify primary concerns of the privacy policies of New Zealand university libraries in accordance with the contemporary privacy principles

3.4 Definitions of terms

The key terms of the projects are defined as follows:

• Privacy legislation means the Privacy Act 1993 of New Zealand and other relevant regulations of the Government, Privacy Commissioner of New Zealand

on implementation of privacy protection in New Zealand, including Archives Act (1957), Public Record Act (2005) and the Official Information Act (1982)

• Universities’ libraries in New Zealand includes the libraries of the eight universities in New Zealand including Auckland University of Technology, Lincoln University, Massey University, University of Auckland, University of

Canterbury, University of Otago, University of Waikato and Victoria University

of Wellington

• Privacy policies of libraries are the written policies/ statement/ guidelines/ regulations/ rules and/ or any relevant documents of the libraries of the eight universities above which promulgate regulations on privacy protection of users’ personal information of the libraries

In contrast, the interpretivist paradigm is founded on the belief that social realities cannot exist outside the social contexts that create them (Guba & Lincoln, 1994) Epistemologically, interpretivist researchers focus on the “natural settings of social phenomena” (Pickard, 2007, p 11) Interpretivist researchers attempt to achieve an in-depth understanding the issue being investigated (Darke, Shanks, & Broadbent, 1998) Interpretivist researchers have to enter the situation being studied and interpret the way that meanings are created and sustained in the setting of the study

In addition, interpretivist researchers also aim to place their findings and interpretations into contextual social science (Pickard, 2007)

The study’s purpose is to understand how the New Zealand university libraries comply with the privacy legislation via formulating their privacy policies in their organizational context The privacy policies of the libraries are created from human perceptions in compliance with the privacy legislative principles In order to gain in- depth understanding of these policies, the study had to be placed in the

organizational context of the libraries as well as in correlation with other factors affecting the privacy issues, such as legal enforcement, ethics, management and technology impacts The study cannot be quantified via numeric data as physical objects, but must be evaluated according to the identified categories which are formulated by human views and perceptions, i.e the legal legislative concepts and the university libraries’ regulations The study did not seek to discover an objective truth but must be flexible to deal with the fluidity of the libraries’ states Therefore, the interpretivist paradigm was the proper alternative to be adopted in the study

large scale social trends (Bryman, 2004) The quantitative approach is normally adopted in positivist research

On the contrary, the qualitative approach aims to understand people and the social and cultural contexts which they live It focuses on the social or organizational context in order to solve problems or concerns with small scale aspects of social reality In the qualitative approach, the researchers are the central data gathering and analyzing instrument so they have to qualify some necessary characteristics such as responsiveness, adaptability and knowledge-based expansion Qualitative

researchers often use words in their analyses of society, based on the verbal opinions

or documents of participants The researchers seek close involvement with the people/ organizations being investigated in order to deeply understand the meanings

of wordings or actions or the state of studied issues (Bryman, 2004) The qualitative approach is normally unstructured so that the possibilities of getting meanings of data are increased The research contribution to the research setting can be useful and positive rather than detrimental (Creswell, 2003) Results of qualitative research are often transferable The qualitative method is normally appropriate for

• The study was mainly based on the views/ interpretations about privacy principles of participants, i.e the New Zealand university libraries

• The study was based on the wordings of written privacy policies of the New Zealand university libraries or their relevant documents The study will not be based on the statistical numbers of privacy policies when investigating

• The study was not limited by any structure of privacy policy, as each library may have different contents of their privacy regulations depending on their subjective perceptions and judgment

• The researcher was involved closely with the state of New Zealand libraries via using knowledge of the privacy legislation and of libraries’ operations to

understand and explain the studied issues

Consequently, in comparison with the characteristics of the quantitative and qualitative approaches, the qualitative approach suits the study purpose

4.3 Research technique

Content analysis is considered as a highly flexible technique with many advantages such as being suitable for qualitative, quantitative and mixed method approach and enabling the researcher to overcome the geographical gap (Bryman, 2004) Content analysis focuses on the detailed examination of the contents of a particular body of material in order to identify patterns, themes, biases and meanings Content analysis has been used by a wide variety of disciplines, including sociology, psychology, education, business and political science (Berg, 2006) For a qualitative approach, the researcher can give subjective meanings or interpretations to the content (Wolfer, 2007)

For this study, content analysis was chosen as the research technique due to the following reasons:

• The study analysed the contents of the Privacy Acts 1993, Privacy Impact Assessment Handbook of the Privacy Commissioner of New Zealand and relevant legislative documents to identify a categorised template on privacy policy applied for university libraries;

• The study collected and analysed the written policies/ regulations of the eight university libraries of New Zealand to identify the characteristics of such policies

in accordance with the categories identified via the legislative documents reviewed

• The content analysis enabled the researcher to analyse the documentation data carefully and continually and therefore potential bias could be minimised;

• The study approached collectively representative written documents from many libraries to come up a comprehensive and objective conclusion

• As the written documents can be accessed at a time convenient to the researcher, the obstacles of time limitation and geographical gaps was overcome

However, according to Creswell (2003), some disadvantages of content analysis are anticipated:

• The difficulty of accessing protected information would require the researcher to search out the information in hard-to-find places;

• Materials/ information would be incomplete or inaccurate

In order to overcome these disadvantages, the researcher must spend much time to search for information carefully For example, the privacy policies of libraries sometime may not be formulated in a separate document, but are included in other relevant documents, for example, the Code of ethics, the statutes of IT records or the staff handbooks Therefore, the researcher will occasionally have to consult with the contact person in the libraries to locate the appropriate data resources

Nevertheless, due to the many advantages mentioned above, content analysis was

employed in the study

4.4 Data collection and analysis

4.4.1 Data samples

The data to be analysed in this research are documentation materials, including privacy legislative documents, privacy policies of the libraries and relevant articles/research These documents were divided into three groups, including:

• Group 1: The privacy legislation of New Zealand including Privacy Act 1993, the Privacy Impact Assessment Handbook and other relevant regulations of the Government, Privacy Commissioner of New Zealand on implementation of privacy protection in New Zealand These documents was be used to formulate vital categories of the privacy policies for the university libraries

• Group 2: The existing written privacy policies of eight New Zealand libraries in

over of the country These policies was the target objects to be assessed of the study The participating libraries include:

• Group 3: Relevant documents, such as the IFLA, the LIANZA privacy

statements, scholarly and professional research/ articles and privacy policies of other sectors in New Zealand such as banking, e-commerce and health sectors These documents were used as reference resources for the recommendation in

the study

Nexis-• Search on the participating libraries’ webpages to obtain their guidelines/

policies about privacy;

• Send person-in-charge of the libraries and universities a letter outlining the study purpose and asking for the libraries’ cooperation by providing their privacy policies/regulations, in case the privacy policy is not published in the webpage Please refer to Appendices 2 and 3

4.4.3 Data analysis strategies

Data analysis is the process of bringing order, structure and meaning to the mass of collected data (Gorman & Clayton, 2005) During data analysis, the data will organized categorically, reviewed repeatedly, and continually coded According to Berg (2006), content analysis is chiefly a coding operation and data interpreting process

The documents was read and coded in terms of identify concepts of privacy principles (Leedy & Ormrod, 2001) In this research, the concepts are presented by explanation needed categories The privacy legislative documents, libraries’ privacy policies and relevant selected documents were examined to collect data for each category in relation to the research questions

The process of formulating the categories was:

• Creating preliminary categories;

• Reading units of data;

• Assigning categories;

• Re-reading units of data; and

• Assigning the same or a new category

(Gorman and Clayton, 2005)

The data analysis for each sub-research question followed the following process:

Step 1 - Sub-research question 1: What are the privacy principles of the New Zealand legislation? How they are applied to university libraries?

To answer this question, the preliminary categories, which represent the key principles of privacy applied to New Zealand libraries, were formulated based on the examination of the Privacy Act 1993, Privacy Impact Assessment Handbook of the New Zealand

The preliminary categories included collecting, correcting, disclosing, assessing and preserving information New categories or sub-categories were added during the reading and analyzing all documents to ensure that these categories reflect various aspects of the content of the privacy policies of university libraries

The list of identified categories was used as a template to assess the effectiveness of the university libraries’ policies

A data collection form was designed in connection with identified categories to collection information from all documents

Step 2 - Sub-research question 2: How do the university libraries reflect the privacy principles in their policies/ regulations?

Privacy policies of the libraries were analysed to identify how far and how deeply the privacy policies satisfy the privacy principles in terms of identified categories Privacy policies (Group 2) of the eight university libraries were read and analysed to find phrase, sentences, or concepts which are appropriate to each category and/or sub-category All matching of each category/ sub-category will be recorded in the data collection form Then, the data was compared and synthesized to assess the effectiveness of the privacy policy of each library as well as the differences between the eight libraries’ policies

After that, relevant documents (Group 3) , which are the FILA and LIANZA statements and other relevant documents/research were analysed to identify which factors have affected the university libraries’ privacy policies and then to offer a proper recommendation for formulating an effective privacy policy for New Zealand university libraries

V DELIMITATIONS AND LIMITATIONS OF THE STUDY

5.1 Delimitations

The study did not examine privacy issues which libraries have to comply with for their internal operations/ management, such as staff confidentiality The study is limited to the libraries’ activities which are directly related to the personal information of the users

The study was bounded by the written privacy policies/ regulations of libraries in dealing with their clients' personal information, which were provided by the person-

focuses on documentary evidence The study did not conduct interviews or observations, so the implementation of libraries in practice and individual perceptions of librarians was not be analysed

The study was conducted within four months so the study did not include all territorial libraries The study only confined itself to the eight New Zealand university libraries However, all libraries of New Zealand are subject to the same Privacy Act 1993, the findings of this study would also be helpful for other libraries

5.2 Limitations

As mentioned in point 4.3 above, the study faced the limited availability and accessibility of privacy documents of university libraries and had to be reliant on the libraries’ cooperation The insufficient or inaccurate resources would occur and therefore bias and incomprehensive recommendations would arise

VI TIMETABLE TO PERFORM THE STUDY

Please refer to Appendix 1

VII FINDINGS AND DISCUSSION

7.1 Research question 1: What are the privacy principles of the New Zealand legislation? How are they applied to university libraries?

The Privacy Act 1993 consists of twelve information privacy principles (IPPs) which are regulations on the collection, storage, security, use and disclosure of personal information as well as an individual’s rights to access and correct personal information (Longworth & McBride, 1994) The twelve IPPs can be summarized and grouped as follows:

Group A: Collection of Personal Information

• IPP 1: Purpose of collection of personal information

Personal information is only collected for “lawful and necessary purposes” and directly related “to the function or activity of the agency” (Longworth &

McBride, 1994) The notion of “necessary purposes” of this principle is

consistent with the words of “ adequate but not excessive” information of the OECD Guidelines, therefore, “if the collection of the information is excessive in relation to the purpose, it may equally be argued that the information is not necessary for that purpose” (Privacy Commissioner, 1998, p 61) “Whether the information is collected in connection with a function or activity of the agency may be apparent, for example, from the statue by which the agency was established” (Longworth & McBride, 1994, p 50) It appears that in the context of

a university library, the collection of information must be consistent with the function of the library which is regulated in the university policies

• IPP 2: Source of personal information

“Personal information shall be collected directly from the individual concerned” The exceptions occur when the information is publicly available information or the individual concerned authorizes collection of the information from someone else (Longworth & McBride, 1994, p 51) In application to the university library,

in practice, the collection of information is normally conducted in enrolment registration and therefore it can be seen that the collection of information is directly from the students who are mostly the library’s users

• IPP 3: Collection of information from subject

The Privacy Act 1993 regulates that the agency must ensure that the individual concerned is aware of by whom and why the information is collected This principle is one of the most important provisions of the Privacy Act 1993 It appears that collection of personal information should be done with the knowledge or consent if the individual concerned The principle requires individuals to be made aware of the followings:

- “The fact of collection;

- The purpose for which the information is being collected;

- The intended recipient;

- The name and address of the agency collecting and that will hold the information;

- Any law authorizing or requiring the collection and whether that law makes the supply of the information voluntary or mandatory;

- The consequences if the request for information is not provided; and

- The rights of access and correction.”(Privacy Commissioner, 1998, pp 65)

64-In respect of this principle, the Privacy Commissioner (1998) suggests that such matters should be issued specifically in codes of practice Accordingly, in order

to satisfy the IPP3, the university library as a agency should set up specific procedures to ensure library’s users are aware of the purpose and the intended recipient of the collection of personal information However, “the obligation to

inform the individual does not apply if those steps have been taken in relation to the collection, from an individual, of the same information or information of the same kind, on a recent previous occasion” (Longworth & McBride, 1994, p 55) Accordingly, when the personal information is collected by the University and the necessary above procedures were performed, it is unnecessary for the library

to redo it

• IPP 4: Manner of collection of personal information

Personal information must not be collected by unlawful or unfair means The unfair means, for example, is the situation which leads to misunderstanding of the purpose of collection (Longworth & McBride, 1994) It requires that the

university library should clarify the circumstances in which the personal information may or may not be collected

Group B: Storage and security of personal information

• IPP5: Storage and security of personal information

The agency must take reasonable security to prevent loss, unauthorized access, use, modification or disclosure of personal information (Longworth & McBride, 1994) This IPP is interpreted that the agency like the university library should have many measures to ensure the security of the personal information, for example, operational security, technical security, security of transmission and security when disposing of personal information

Group C: Access to personal information

• IPP 6: Access to personal information

Concerned individuals are entitled to access to and correct information relating

to them (Longworth & McBride, 1994) The obligations on an agency, like a university library, on receipt of a request for access include:

- providing assistance to users seeking access,

- transferring requests for access to other agencies

- making decisions on requests

- giving reasons when a request is refused

- informing users of their right to complain to the Privacy Commissioner (Longworth & McBride, 1994)

These requirements should be reflected clearly in the library’s privacy policy

Group D: Correction of personal information

• IPP 7: Correction of personal information

Individuals are entitled to correct information relating to them It means that the university library, when requested by a user, is required to correct the personal information to ensure that the information is accurate, up-to-date, complete, and not misleading (Longworth & McBride, 1994) It is noted that the Privacy Act

1993 has an interrelationship with the Official Information Act 1992, in particular in terms of the requests for personal information If the requestor is a New Zealand citizen, a permanent resident of New Zealand or an individual who

is in New Zealand and the request is for personal information about him or herself, the Privacy Act 1993 will apply If the requestor is a company or other legal entity and or the request is for personal information about third party, the Official Information Act will govern However, the IPPs of the Privacy Act 1993 are the core principles that privacy policies of the university libraries should articulate

• IPP 8: Accuracy, etc., of personal information to be checked before use

The information must be accurate, up to date, complete, relevant and not misleading This principle supports the IPP7 to guarantee the accuracy of the personal information

Group E: Retention and use of personal information

• IPP 9: The agency must not keep personal information for longer than necessary

This IPP does not require an agency like the university library to keep personal information for a fixed period or for any statutory period In addition, there is no legal limit, therefore, it would appear that most personal information may be retained indefinitely but “not overlook the purpose of use of personal

information” (Longworth & McBride, 1994, p.63) Accordingly, the internal audits of the personal information should be performed regularly to determine whether the retention is necessary (Longworth & McBride, 1994)

• IPP 10: Limits on use of personal information

Personal information collected for one purpose should not to be used for another purpose without the authorization of the individual concerned (Longworth & McBride, 1994) Any exception must comply with the relevant regulations by law Accordingly, non-compliance is acceptable, for example, if:

- “The use for another purpose is authorized by the individual concerned,

- The source of the information is a publicly available publication,

- The use for another purpose is necessary to prevent or lessen a serious or imminent threat to public health or safety, the life or health of the individual concerned of another person” (Longworth & McBride, 1994,

p 51) The non-compliance should be mentioned explicitly in the privacy policy of the university as a guideline for staff on the use of user’s personal information

• IPP 11: Limits on disclosure if personal information

Agency shall not disclose the information to another individual or agency, except for regulated permissible non-compliance (Longworth & McBride, 1994) In the context of a university library, pursuant to this IPP, the disclosure the personal information should be to the correct person who is the individual concerned or the authorized person The disclosure the information and even the exception should be signified in the library privacy policies and the university regulations

as well

Group F: Unique identifiers

• IPP 12: Unique identifiers

Agency shall not assign a unique identifier to an individual unless the assignment

is really necessary for the agency to perform its function(s) efficiently and shall not require the individual to disclose any his/her unique identifier if not

necessary (Longworth & McBride, 1994) In practice, a student has a unique ID

in the university and may have a barcode in the libraries, which are considered as unique identifier(s) This is only acceptable for operation purposes of the

university as a whole and the library in particular, however, the university and the library should provide student(s) the purpose of assigning that unique identifier(s) and inform the student to keep his/her identifier(s) confidential The university and the library should also clarify certain reasonable circumstances in connection with the purpose of such assignment in which the student would be disclose his/her unique identifier(s)

In the Privacy Act 1993, the term “agencies” is defined widely in the public and private sectors They include all individuals as well as companies, banks, insurance organizations, medical centers, local councils and government departments

(Longworth & McBride, 1994) Obviously, the university’s library is governed by the Privacy Act 1993 as the library is part of the government agency, the university Librarians “process personal data as part of their daily work”, including “the

maintenance of users registration records, circulation records and management statistics on usage of the information services” (Pedley, 2006, p 61) therefore the universities’ libraries need detailed guidelines for staff on privacy matters The university libraries also work with databases, intranets and websites through which they collect and process personal data of users “The confidentiality of the

transaction between the users and libraries across all sectors, and university libraries

in particular is clearly protected in all the most prominent statements of the ethics of the librarians” (Sturges et al., 2001, p 366) To quote the most relevant New Zealand example, LIANZA in the Confidentiality of Library Records statement on

15 November, 1984 states that:

“Every person has a basic right to privacy Each person has a right to protection from the misuse and unwarranted use of personal information and to decide with whom and to what extent such information may be shared The New Zealand Library Association recognises and endorses this right”

In terms of a networked environment like university libraries where there is a close relationship between the study/ research activities and information transactions, personal information which includes information transactions/ performance can be regarded as “inherently insecure” (Sturges et al., 2001, p 366) The university libraries in New Zealand have a role as major providers of knowledge and academic information for students and staff, therefore privacy incidents may arise significantly

in the daily work of the libraries The libraries as an independent institution from providing information services have always hold a great deal of data about their users’ interaction with information and ideas (Sturges et al., 2001) This is a reason why the university libraries might be particularly concerned about the privacy protection of their users Specifically, technological developments such as databases,

computer networking, digital wireless communication and advanced sensors bring

many benefits as well as many challenges to university libraries Accordingly, in order to prevent from privacy incidents and to protect the libraries’ reputation, the

university libraries should set up proper privacy policies which are precisely appropriate to the libraries’ activities

Summary

The twelve IPPs of the Privacy Act 1993 have set a framework to set up a privacy policy for a university library Most of the IPPs are relevant to the university library’s client services such as collection, storage, correction, use, access to and retention of personal information of the library’s users However, the twelve IPPs only provide general principles on privacy for all agencies in New Zealand Each industrial sector such as health, banking, insurance and marketing which has distinctive activities and deals with many privacy issues has issues its own privacy code to apply the IPPs efficiently and effectively Similarly, the IPPs in themselves are not sufficient to guide university libraries in their daily operation, and therefore they need to develop their own more detailed guidelines In order to protect the user’s privacy, the university libraries should specify the IPPs in their own privacy policy

7.2 Research question 2: How are the principles of New Zealand privacy legislation demonstrated in the university libraries’ policies?

7.2.1 How are the principles of New Zealand privacy legislation demonstrated

in the libraries’ policies?

Findings

Six of the eight university libraries do not have a separate privacy policy in dealing with customers, while two Libraries B and C are in the process of drafting a privacy policy, in recognition that more specific guidance is needed Instead of having their own policies, the eight university libraries currently comply with the universities’ overall policies on privacy Consequently, this study is based on the wording of the

individual university policies rather than look at the libraries’ policies, as there are

no separate library policies

In addition, the eight universities of New Zealand have adopted the document NZVCC "Guidelines for Tertiary Institutions - The Privacy Act 1993" which appeared in its final form in July 1996 and was released in three parts:

Part 1: Student Issues Part 2: Staff Issues Part 3: Research Issues This guideline specifies the twelve IPPs of the Privacy Act 1993 on matters in relation to University activities such as medical certificates, photographs, ethnicity data, contact details, video surveillance, the university telephone directory,

conditions to be agreed to by temporary employees, and release of examiners names and reports However, in their privacy policies, seven of the eight universities do not refer to these Guidelines and only one confirms to comply it Although the

Guideline is not connected directly to the university libraries, these are still the primary principles for the establishment and development of privacy policies for the

universities

The fundamental goal of all university libraries is the same, i.e “provision of the information source the user is seeking” (McMenemy et al., 2007, p 17) Although the eight libraries do not have their own privacy policies, the privacy rights of the libraries’ customers have been mentioned briefly either in their codes of staff, other internal services rules or their privacy commitment on their websites It appears that the university libraries recognize the important role of privacy right in their daily work and understand that this is part of the ethical standards of librarians, and their legislative responsibilities Therefore, it shows that university libraries have tried to balance privacy against other values such as intellectual freedom and censorship as the university libraries have not only made information available to everybody but also have protected their users’ privacy Upon the privacy commitments, the