May 27, 2022

New Resource: “A Practical Guide to Performing a Library User Data Risk Assessment in Library-Built Systems”

The following guide and worksheet were recently published by the Digital Library Federation’s (DLF) Privacy and Ethics in Technology Working Group.


A Practical Guide to Performing a Library User Data Risk Assessment in Library-Built Systems


Kristin Briney
Becky Yoose
John Mark Ockerbloom
Shea Swauger


DOI: 10.17605/OSF.IO/V2C3M

From the Introduction and Scoping Statement

Libraries collect data about the people they serve every day. While some data collection is necessary to provide services, responsible data management is essential to protect the privacy of our users and uphold our professional values. One of the ways to ensure responsible data management is to perform a Data Risk Assessment. A Data Risk Assessment is a process of identifying data the library collects about users, understanding how it manages that data, identifying the risks associated with that data, and then selecting an appropriate risk mitigation strategy.

While libraries often have vendor-based data collection systems, we focus here on library-built systems that collect data. Such systems include stand-alone open source technology, as well as systems and data that interact with third-party products. There will naturally be some overlap of risks and mitigation strategies between library-built and vendor-built systems, but there are additional considerations when working with vendor-built technologies that are not addressed here and are worthy of consideration. This document covers important definitions to understand the different types of data that exist and what threats are associated with each, strategies that libraries can use to reduce the likelihood that the data they collect will harm anyone, and tools that could be helpful in performing a Data Risk Assessment.

Direct to Full Text Guide and Worksheet

See Also: Webinar Recording
Recorded April 29, 2020

About Gary Price

Gary Price ( is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. Before launching INFOdocket, Price and Shirl Kennedy were the founders and senior editors at ResourceShelf and DocuTicker for 10 years. From 2006-2009 he was Director of Online Information Services at, and is currently a contributing editor at Search Engine Land.