In 2011 the Friends of Gloucestershire Libraries raised privacy and data protection concerns,via their blog, regarding the use of user records by volunteers in ‘community libraries’:
“Library records contain information about people’s addresses, details about vulnerable people – for example the housebound, and exemptions such as exemptions for foster children, fines and borrowing history.
As paid, trained, library staff who are CRB checked, are set to be replaced by volunteers, alarms bells started to ring. I wrote to Library Services Manager, Sue Laurence, several months ago (21st April) asking if volunteers in the community libraries would be able to see these public records free because if so, unless a suitable policy was in place, then they could potentially use the record for nefarious reasons.”
Further concerns have been raised in terms of the role of volunteers in administrating the ‘Books on Prescription’ scheme. These books are prescribed by local GPs to patients with mental health conditions which are then collected from the local library. There is the potential for both embarrassment and raise issues around privacy, particularly if the person picking it up lives next door, or just down the street from the person issuing it.As Catherine Bennett noted in her recent opinion piece for The Guardian:
“In the short-term, this might be less of a problem than the embarrassment, anticipated in smaller community libraries, of ordering from a local volunteer with a hazy grasp of data protection a title such as Overcoming Low Self-Esteem, Overcoming Binge Eating, or Break Free from OCD. All the above, with many other frank self-help titles, feature on Books on Prescription, a collaboration between GPs and libraries – and 33,000 volunteers. Is the service confidential? Totally, of course. But if in doubt, just ask the untrained and inexperienced librarian at the desk.”
Some councils may have allowed full access to user records on their Library Management System (LMS), but others like Warwickshire have restricted it because they obviously have concerns in terms of their obligations under the Data Protection Act 1988.
Many, or most councils, now see volunteer-led libraries as sitting outside their statutory remit and offer varying degrees of support or none at all. This support could initially include training on data protection, but who knows how comprehensive and ongoing this is?
Paid, trained and experienced library staff are given constant reminders, briefings and training on data protection and other related matters. Paid staff must also adhere to a ‘code of conduct’ which includes ensuring that they respect their obligations towards maintaining confidentiality. Furthermore, they are bound by ‘customer care standards’ which cover all aspects of communication, including the sharing of information. They deal discreetly with personal details and enquiries on a day-to-day basis, it’s the way they are wired, part of their ethos if you like.
Now, we are not saying that public library workers don’t make mistakes or abuse their trust – some do, but the vast majority do not. If they were to abuse this trust, and if such activity is discovered, they would be held accountable for their actions under relevant legislation and could potentially lose their jobs. Of course, this is not to suggest that the majority of volunteers are anything but trustworthy. But they are not subject to the same scrutiny as paid, trained and experienced staff. And the implications for this could be very serious indeed.
These issues remain a serious concern, as illustrated by this recent comment on an article about proposals to extend the use ofvolunteer-led libraries in Swindon:
“Presumably all the training that you refer to has gone on bringing volunteers up to speed on IT…What does this training involve exactly? And are all volunteers CRB checked, up to date with health and safety procedures, confidentiality, data protection and so on?”
We suppose the only way we’ll ever find out about the extent to which volunteer-led libraries meet their obligations under the Data Protection Act is if something goes wrong or someone blows the whistle. Until then, many library users will just have put their trust in a fragmented and unregulated service.