 Okay, welcome. We'll go ahead and get started. My name is Lisa Janicke Hinchliffe. I'm a professor at the University Library at the University of Illinois at Urbana-Champaign. I'm very pleased to be joined today by Danielle Cooper, Associate Director of Libraries, Scholarly Communications and Museums at Ithaka S+R, and Sarah Shreeves, Vice Dean of the University of Arizona Libraries at the University of Arizona. Thanks for attending this session today on licensing privacy and how we might use our contractual language and the challenge of approaching the monitoring compliance issue with respect to contractual language for privacy. There is a project website for this project at publish.illinois.edu slash licensing privacy, and all of the resources that we talk about today are already there or will be there over time. And so I welcome you to take a look at that for licensing privacy project. This project emerged from discussions at the September 2018 National Forum on Web Privacy and Web Analytics. And I look around the room and I see a number of people who were actually present in Montana for that session, which was trying to sort of look at the whole gamut of web privacy concerns and what we might do as a profession in the library world to take strides towards improving analytics practices relative to user privacy, tracking, third party tracking, targeting, and the goal of that convening was to produce a roadmap for how we might move forward on these questions of analytics in support of privacy. One of the pathways that we ended up discussing from that was this pathway of developing and maintaining model license language with respect to user privacy. I don't remember, it might have been pathway six or something. And the idea here with this pathway was the recognized need for us to look at our contracts as a way of leveraging our values and our priorities.
We saw this as a productive pathway based on established and successful best practice, past practice in librarianship. We have past examples of the model licenses and we have examples of where libraries have prioritized a particular value in our contractual work in order to move things ahead and things that are important to us. For example, with respect to accessibility, with respect to preservation of digital content that we license, these sorts of things. We also felt that having a model license language would communicate the priority of this issue to the library business community that would help them hear from us about what, you know, it's easy to say privacy is important but what do we actually want? And so a way of communicating that priority as well as some language and then facilitating communication and improving efficiency in negotiations by having some agreed upon model language that we could draw from. So in fall of 2018, not too long after that September forum, myself and Katie Zimmerman from MIT Libraries gave a session actually at this CNI conference called negotiating for what we want, a proposal for model license language on user privacy, beginning a dialogue with the community of what would this look like if we undertook this work in a very pragmatic way. And that resulted in fall of 2019, the securing and the awarding of a grant from the Mellon Foundation that would support this work. Now you might notice fall of 19. So what we thought we were going to do versus what we actually did, you can imagine all the ways that this is different but I'm gonna say again that we're very grateful to the support from the Andrew W. Mellon Foundation and particularly the graciousness and flexibility of our program officers as we have pivoted this project multiple times again and again to keep moving it forward in light of the system that we're facing. 
 So our theory of impact for this grant was to seek to use the power of library licensing agreements to effect change in third-party platform practices. So the ways that our library business community, the vendors treat user data in order to bring them into alignment with library values of privacy, confidentiality and respect for user control over the user's own data. We of course know that there's been much work in the community to start these conversations, for example, the NISO privacy principles and the like but to really move these into operation and into the contractual language. So prior to realizing we would have a pandemic, the idea was we were gonna have a contract language review, we're gonna interview some library leaders and then we were gonna have this in-person meeting, generate language, finalize it, vet it with the community and disseminate it. So that is not what we did. Instead, we were able to do still the contractual language review and we've pivoted to a series of sort of investigations and disseminations that revolve around a set of white papers and webinars. The white papers themselves reflect different topics of investigation. So one is those interviews with library leaders for where do we put privacy in the priority stack when we are negotiating these contracts. We also were able to develop a new part of this project that wasn't initially envisioned but an actual rubric that libraries can use to assess a contract that they are already in or they might be approaching. And then we have some additional to come including a primer on authentication and authorization as well as some placeholders to be determined. So as you're listening here today, if you're like, wow, another white paper I'd love to see in that series, be prepared at the end for the conversation time because we definitely wanna hear what else we can do with this.
 We've been holding webinars for each of the white papers and the tools, dialogue sessions such as these, this one being the first one in person but other sessions that we've done online. We will of course finalize these resources and model language and disseminate them. So this has really moved to being a very multifaceted and dynamic project that we're actually able to leverage these funds to do far more than we initially anticipated. So that's the good silver lining news. So I'm serving as the PI of this project and we've had a number of consultants, Danielle Cooper, one of them. Also Becky Yoose from LDH Consulting Services who developed the rubric. I also wanna thank our advisory group, Ann Okerson, Katie Zimmerman and Scott Young who have also participated in guiding this work as we move forward. I wanna talk a little bit about the vendor contract and policy rubric which was just released about 10 days ago developed by Becky at LDH Consulting Services. Becky reviewed all of the documents we have out there that say what we want our privacy principles to be, the values the profession has and identified eight different domains of privacy and three privacy levels. And we'll talk about that in a second. The rubric then can be used to look at a contract and a policy document across these eight domains and score each of the domains at one of the three privacy levels. I want to be very clear that this rubric does not generate a total score. These domains are not of equal size to each other and they may or may not be of equal importance as Danielle will share with us with respect to different libraries' priorities. There's also a number of supplemental materials. There is a glossary of an immense number of terms that are in the contracting and privacy space as well as example contract language at all three levels for each of the categories. So the key concept that we developed through this is the concept of minimal viable privacy.
 Now you might recognize where we took this sort of from as the notion of minimal viable product. But an important component of this is, minimal viable privacy means like you could accept it. It does not mean that it necessarily will be what you as a librarian or what you as a library would see as an acceptable level of privacy. So we have meets minimal viable privacy, does not meet, and exceeds in each of the eight domains. So there's a potential for eight ratings, does not generate a total score, but anything on this rubric that you click on, it's an interactive PDF. It will actually generate a concern list for you that you can kind of use as a punch list with your vendor to discuss and say, well here's the ones where you're not even meeting MVP and we'd like to see this move in this direction. So the eight different domains are listed here on the screen and each of these domains is defined within the rubric by what we're looking at. But this notion of data collection, user data rights, data disclosure, data processing, the actual privacy policy, data ownership, the concept of user surveillance and data security and accountability. And as I said, on each of these eight domains, a library can then say, does it meet, exceed or does not meet in this area? And this is what one page of the rubric looks like. So each of those eight domains has a page and under each of the categories of meets, does not meet, there are additional details that detail out what you're looking for. So for example, on this one of data disclosure, we have a number of different things that you're looking for on meets minimal viable or what you may be concerned about if it does not meet it, which also shows you that a vendor might actually have subchecks right across all three of the levels. We were grateful to a number of people who tested this rubric for us and helped us understand how to make it better.
 They wanted a lot more place to take notes and the ability to save this as an actual like interactive PDF that you could update. So it also works as a sort of like way of sort of crystallizing your thinking and saying where are we gonna pay attention to? Possible use cases for this that we've already heard people talking about is just even going through this rubric is an amazing discussion starter for a library. Are we even thinking about these things? Do we even know what these things are? Maybe we should even look at our own library website. All these sorts of things. Obviously the intention with this model license language is that you could use it in contract negotiation. So we've identified model language or example language here of exceeds minimal viable privacy. So that might be something you wanna draw upon. By the way, all the contract language is itself excerpted from contracts that are available publicly. We just removed any identification of a particular institution in order to abstract it a little bit. So contract negotiations, you could use this as an information gathering tool from the vendor. You could also use it as sort of like your own internal process of thing that things have to meet at least a certain threshold. And you would decide as a library what that threshold is. You can obviously use it to review privacy status of resources you already have. So we may already have contract, no we already have contracts with many, many vendors. We could use this as sort of a stock taking of saying are there any that are of particular concern and that even if we're not in contract negotiations right now we might like to raise some questions or concerns. We also heard a number of librarians who are our testers telling us that they saw this as an incredible training tool for people who were new to e-resource acquisition, potentially even library school students engaging with this rubric as a class activity like with example rubric and policy.
 I would note as well that this rubric was developed as an intended audience of academic librarians. Members of the library business community have already begun using this rubric for product review and employee training, which was kind of heartening to me. So less than 48 hours after having the webinar and producing this I had a number of contacts from people saying could we please talk with you more about this. This is the kind of tool that really helps us because libraries have been telling us please make this more private but we didn't know what you actually wanted. So this is I think very heartening in my mind as well. So what I'd like to do is to ask Danielle to also share with you then her findings on the views from library leadership.
 Hi everyone. I can't see you because I'm too short but hopefully you can see some part of my head. Happy to be here. So I'm Danielle Cooper. I'm the Associate Director of Libraries, Scholarly Communications and Museums at Ithaka S+R. And I wanna thank Lisa and CNI for having us here to talk about this project. And I will be talking about the research we did with library leaders on their perspectives about the strategies that make sense for their libraries on this issue. And just for some context, part of the reason why I was asked on behalf of S+R to do this research is because S+R is a not for profit research organization and we regularly are doing work related to library leadership's viewpoints such as through our Triennial Library Director Survey. So the interviews that we did for this project were with leaders about how privacy concerns inform their libraries' negotiations and agreements with vendors. We also did a few exploratory interviews with librarians in this phase to understand a bit more about license negotiations and how it informs planning on the ground because that would be useful for a later phase of the project.
 So there may be some folks in the audience who were interviewees and I wanna take the opportunity to thank those both here and not here for taking the time to speak with me on this issue. So at a very high level, the key takeaway from the findings from the interviews was that from the perspective of library leaders, there are limits to how much libraries can leverage licensing language to advocate for patron privacy. I'll spend a little bit of time now going into the findings in more depth and this is the list of what I'll be talking about. So first, talking about the issue of privacy and where it actually fits in the priority stack for libraries, we tried really hard with our admittedly exploratory and small sample to get a variety of perspectives among leaders but even among the staunchest proponents, there was a recognition that the issue of privacy does not take precedence when negotiating licenses. So this means that the gains that can be made for patron privacy through licensing language are usually quite modest. So some of the challenges that leaders spoke to me about, about how they prioritize privacy when conducting negotiations, is that there's just a sheer amount of pressure in terms of honoring what faculty want, that that's always gonna take precedence over any other priority, including privacy. There was a very specific angle to the way vendors are operating that they found particularly challenging and that was the leveraging of the personal account. So, and as a way to get around some of the protections or ways of advocating that would normally be done through a license. Finally, when it came to where there are more challenges versus affordances with prioritizing goals, it really comes down to the type of vendor. I had a number of leaders speak to me about the reality that with many of the forms of products or offerings that they are negotiating for, there really is no other equivalent.
So it's not so much like you can have healthy competition but that was less of an issue with more of the digital tools and platforms relative to content offerings. We spent some time speaking about experiences negotiating and perhaps unsurprisingly, these were actually described as being relatively painless experiences and that's because the goals were quite modest typically. So there's not so much friction because the ask isn't too big typically. They shared with me that there really is ultimately an onus on the libraries to remain vigilant, that that is actually a piece to it that's really important to think through because they're finding that privacy terms are changing so frequently in between renewals. Finally, it was really interesting to hear folks share about their perspective on government policy and what role that plays in how they decide how to negotiate and what sort of things to advocate for. A number of directors spoke to me about how states have outdated policies or that they have blanket terms that are quite draconian so that makes it a challenge for the library to advocate a particular position even if they have one. We spent some time talking also about policy within the library and how that informs the way that decisions are made and negotiations go and what I heard was that successful licensing processes including how language related to privacy is included in the terms involves quite a bit of delegation and cooperation among those in the library. So there is quite a value to policy in so far as it empowers library staff to make decisions on their own and that delegation has been a really important piece to keep this work sustainable. So some of the challenges here include simply carving out the time and the resources to meaningfully revisit policies. I talked to several folks who had done some really exciting work several years ago but recognized that it would be challenging even though they needed to ultimately go back to it. 
 There was also the reality that the issue of privacy extends beyond the library on campus and working with other units and centralized leadership can be quite challenging and ultimately is this question of the extent to which you balance prescriptiveness to inform negotiations with an opportunity to make the policy more educational or pedagogical. So we did spend some time talking about the common tactics that are used to advocate for the library's position and what kind of interventions were typically being going back to and again and again with the licenses. I imagine that a number of these will not be surprising to folks in this audience but it's certainly a different experience when you have a critical mass or a larger group of people consistently reporting the same tactics over the course of interviews. So they typically would speak about things like resisting signing non-disclosure agreements with the recognition of course that whether you're in a public or a private institution that is a variable about how that tactic would work. They really emphasize the reality that there's opportunities to clarify which terms are being consented to and who can consent to terms and this is especially relevant when you start getting into the place of the personal account and the idea that maybe it's not possible for somebody to personally consent to something that is then required for a class. Of course there's always opportunity to clarify when and how user data can be shared and this is especially important because vendors are typically expecting people to actually push back on their licensing terms and this is an area where you can fruitfully get to a better place by simply reclarifying the language.
 Finally, it was fairly commonly reported that there'd be a requirement of a notification in the event of a data breach but interestingly enough I do not think that even, I don't think even one person had an example where that had happened after they'd required it but they still saw it as part of the tactical approach. So it's one thing to actually negotiate for terms that would be appropriate and it's another thing to actually ensure compliance. We wanted to make sure with these interviews that we also did the diligence to find out how libraries are approaching that part of this process. As you can see none of the libraries included in the study had specific staffing mechanisms in place to proactively monitor vendor compliance with licensing terms that were related to privacy so any changes to the terms also make it more challenging for vendors to track their own compliance and that was something that was really interesting to hear as well because the library leaders were recognizing that it's almost like a two-way street and that not only is it hard for them to track but it's also hard for the vendors to track every time you negotiate one-on-one.
So there was one library in the study that's using web crawlers to flag any changes to privacy terms posted on vendor websites between negotiations but that doesn't necessarily capture that the vendor is violating those terms so it was really just about keeping up to date about the changes that the vendor had made and had thought that the onus was on the library to realize that the change had happened and then compliance monitoring as it relates to single sign-on would really need to involve staff with other campus units with security responsibilities and again as per my earlier findings it's particularly challenging for libraries to coordinate and some of the libraries that felt that they'd been most successful were speaking about wins really related to getting groups of stakeholders together from across campus to really be on the same page with this issue. So the study here is relatively modest but we identified two ways forward that I think are really important to flag. The first is simply around staying current because the terms are perceived to be proliferating and it can be very challenging to develop model language that is quickly out of date because it's quickly out of date. So the idea here is that it would be helpful to have more flexible approaches to developing and collecting model language. Some folks that were interviewed talked about things like Wikis or applying version numbers to term instances but this idea that coming up with a model language and then hoping that it could be applied that they were concerned about the idea that it'd be out of date quite quickly. Finally there's the issue of going broad so the reality is that licensing language does have a fairly narrow utility when advocating for privacy and it was pretty consistent across the interviews that there needed to be other strategies that libraries would have to attend to beyond model language. 
 There were a number of leaders who really thought that their policy especially was an opportunity to create awareness among patrons and empower staff to make independent decisions. Some had really gone to the next level especially with their library websites and turning that into a pedagogical opportunity through their statements on privacy. Now, Lisa am I introducing her to you? Now it's time for Sarah Shreeves. Boom, boom, boom.
 So I'm gonna stay right here rather than stand up. So I'm just gonna talk from my perspective as a library administrator at an institution that's still really in the process of getting our house in order around this issue. So we've been thinking a lot about how we do this about the resources necessary to do this and sort of just all of the various pieces there. I was talking to one of our electronic resources librarians who's been with us for years and years and years about this issue and I just wanted to quote what he said. This issue has so many layers and it's like an onion. When you peel back each one it just brings more tears. So. So. So I thought I'd actually talk about this in terms of layers. In terms of institutional like layers as well as sort of larger layers up and some of the things that we're thinking about. And I'm gonna echo a little bit some of what we've, what you've already heard here that hopefully can bring up some other specific areas within the institution that really complicate this conversation. So I think the first thing is that the most important thing is I've been thinking about is libraries need to be really clear about their priorities around privacy. And they need to be clear about that that the librarians and staff need to share that clarity, right? So that delegation I think is really important but everybody needs to have kind of the same understanding of what is our, what are not, do we have non-negotiables around privacy?
What's our point at which we say we would we walk away from a contract which we have never done and it's hard to imagine doing as we've said because the priorities for us have been price and access and those have really driven our conversations around contracts. But are there things that we will really push on as hard as we can and are there things that we give on? But you need to have that clarity and so much of this is really complicated. A lot of it is technical and so that education piece is really important. I was really pleased to see the rubric that came out because I do think that's a great education tool. The glossary is so helpful as well to sort of get our staff on kind of the same page and to be able to have those conversations within the library with the leadership and staff that are involved in these conversations. So that's sort of the first thing. Like I feel like if you're not on the same page and have a clear understanding of your priorities you can't really move forward from there, right? I also think the other piece there is being as clear as possible and as transparent as possible with your institution, with your users around this as well is pretty important because I think that also sends signals out to the organization. And it's been referenced a couple of times that this topic can be really complicated because you're working with others on campus around this. And I do wanna highlight that. So we have been surprised over especially I would say the last two years. We now have parts of our contract review of course goes through our CISO office, the information security office. We are now seeing pretty intensive data security terms being added to our contracts. That cover not everything. It's not necessarily about privacy but it does cover. There's some significant overlap between those two pieces. 
And that is something that has really impacted the types of negotiations that we're having with vendors because that's coming from the institutional level and has been endorsed by our Board of Regents, et cetera. It has a different weight as we're attending to those negotiations. So that's another piece is understanding what your institutional framework is. I think particularly around data security because privacy is a little different as I said but it does have an impact on those conversations. You also have sort of some of our same vendors who are selling, who are making contracts with other parts of the university, right? Who aren't paying attention to the same things that the library's paying attention to. And I think that that's an area too where trying to have conversations that are cross institutional about the importance of privacy or as an institution where our lines are on this is pretty critical because you'll have, we might be protecting patrons in one area but in another area we're not, right? And it's the same company. So that can become really, really complicated. So those are some things that I wanted to touch on in terms of some of the institutional pieces and the complicating views. You also have of course around as was mentioned around issues around authentication, seamless access. You have the types of conversations that libraries need to be having with their central IT shop around this and those are conversations where you really have to get into again alignment around privacy and what they're sharing versus sort of what we want to be able to do that. So it's a lot of work to do this in terms of the types of conversations and often these are like leadership conversations, right? So this is also a lot of what I found a lot of my time talking to administrators and other parts of the campus rather than sort of you can sort of push it down a little bit but it is, I think it requires leadership to sort of step up and to have those conversations. 
 The other things I'll just say here that I just want to note as I've been thinking about this more is I do think that we have some real roles here for community level and consortium and consortial level conversations around. I mean, I think this is a really good example of the type of work that can be done that could have a much broader community impact. So the rubric for example. But I also think that this is an area where I would want to see not just library conversations but conversations within our within EDUCAUSE and IT. So cross library EDUCAUSE conversations but also with I think organizations like AAU and APLU about sort of privacy more generally like broadly about higher ed. So could we imagine groups coming together to assert what we see as best practices around this that could have a broader impact than within just the library community or just the IT community. And then I think finally the other thing I'll say here that we haven't quite mentioned though Danielle referenced sort of governments or regulations. I mean, I do think that there is a real need here for user privacy legislation that could help set a bar in terms of what is expected at a national level for user privacy. And this is an area where I think the type of, I also wonder about the role of organizations like AAU, APLU, ARL, ALA in terms of advocating for that type of legislation that could help sort of again set that bar. So I think, again, this is ultimately about in some ways about trust, right? It's about setting library priorities and I think it is going to take a lot of work across the community to think about how we do this and how we ensure compliance, which is something I haven't really touched on, which I find very hard to get my mind around. So I will pass it back.
 So this is actually something that's come up repeatedly since in this process, which is, okay, let's assume we could get some language.
 Let's assume we could sort of move in this direction, perhaps unfortunate, but we do have some trust issues across the community. But so what does trust but verify look like in this, particularly to the degree that if we are taking this on in a contract, in some ways libraries are also making promises to their users, right? So something that I know I in my own library encouraged a process that I then participated in actually back in like 2017, 2016, was a review of our own library privacy policy to make sure that it was actually descriptive, not aspirational, like this is what we do as opposed to this is what we wish we could do. A lot of library statements about protecting patron privacy, if you read them, they probably aren't completely accurate. And I'm looking at and I'm seeing Cody Hanson here who gave a great session at CNI, I think spring, maybe 2020, something, the previous, spring 2019, where he looked at sort of what is actually happening on publisher websites and then sort of saying like, ooh, maybe we should be a little clearer about what is actually happening to patrons. So as we move in this direction, we are aligning a lot of different language, right? It's our promises to our patrons, it's what we're asking for from the library business community, it's what we're asking our institution to help us sort of enact and create an environment for. So the challenge we have is that ultimately, probably libraries have limited capacity to monitor compliance with license terms for user data privacy. This is limited for a number of reasons, some of it is actual like, do we have a person?
 But the other part of the challenge of this here is of course, like some of this stuff you can only actually see in the sense of test it out if you make an account and then try and see what starts happening with recommendations that come into, and this is not like go to the website and run a little accessibility checker on it because so much of where user data might actually go in a way that surveillance or recommenders or recommenders you didn't expect to have happening is only going to happen once you have an account. And so like which library among us is gonna volunteer to set up 400 accounts on, or just even 200, right? To see what starts, and then to try and keep track of that because it'll happen over time. So the conversation that we wanted to have today, although we can have a lot of other parts of this conversation, is some community reaction and thought on this compliance question. We have models kind of out in the world of sort of vendor report and attestation, and we're sort of going with a version of attestation right now of like, well you put it in the contract, we agreed to the contract so we assume that you're meeting the contract. There are other approaches to attestation where you have some additional documents that maybe are filled out during the process with respect to data security, or sorry, accessibility, there's the HECVAT, you know, would something like that be useful to our community if we had some sort of standard reporting process that's I believe managed by EDUCAUSE. There are approaches obviously out there in the world where one goes to some sort of third party certification. And an audit process, obviously, the further we move along here, we also start to see the increased cost on the vendor side.
And so clearly if we were doing something that was some sort of third party certification or audit, we would want the library community to say, yes, this is the one, like this is what we're gonna look for, just like we might look with a VPAT for accessibility as well. So this is really a question of sort of like, what do you think? Is it feasible to do anything besides attestation? Is it desirable to do anything besides attestation? If you could design something we would do, what would you want that next white paper or rubric or document to be? Because there is the possibility here of still developing additional resources that would be useful to the community. Because if I can say like, I don't know, I think it's okay to say this. Like as with many things when we brainstorm what we think a solution might be, which is we thought the solution was model license language, like a document that we would all use, I love this onion tears better. It's like actually the license language itself is kind of like the least complicated part of this. And ultimately I think regardless of whether we have model license language, which we will, I promise. I think it's gonna be these other tools that are actually going to make some sort of change in our process and our community. So with that, I'm going to invite people to the microphone and I'm gonna take a lot of notes as you're talking, interested in compliance, but also in this topic sort of more broadly, there's a real opportunity to continue to scope the development of this project as long as we're doing things virtually because it's way cheaper to have Zoom meetings than to bring everyone to Chicago. So, thank you.
Hi, I'm David Millman from NYU. Good to see you all. Thank you for this work. It's really, it's wonderful.
And I don't know how to answer your compliance question, but I have, I'm in the middle of a negotiation right now and this is reminding me of some of the issues I have and it's not, I'm looking at some of the language that you're suggesting and it's mostly around data about individuals and I'm wondering if we should be also thinking about product development that doesn't really require that kind of data that's more about the transactions that are taking place between our users and those systems. So I'm thinking of the LexisNexis, Westlaw issues where they were just using the data where they didn't need to know who the people were to create products based on the trend information alone. And so I'm wondering if you could, you could tackle that next, we appreciate that.
So the notion of sort of the analytics that sort of are generated by product use that then sort of say, oh look, there's another product that could be developed here or that sort of thing.
Right or how are they sharing that within their own corporation or you can imagine.
Okay, great, thank you.
I'll just say that I have seen language actually at Arizona. We had an early iteration of our data security that actually included some elements where the university asserted that all of the, those transactions were university data and so were subject to all of the terms that were within the security policy which included language around product development, so being notified if there was product development. Also if we ended the contract that all of that data would come back to the university, which I found quite interesting in that, I mean it was pretty broad sweep to my mind because it's really hard for me to imagine being given, you know. You don't want that data set? Huge logs, transaction logs, but they asserted that within that contract. Now they've scaled that back since and I think part of that might've been pushback but it is a really interesting question.
Sara Rouhi here from PLOS, really excited to finally hear this presentation because I've been hearing a lot about it and I really appreciate the work. I think it's gonna be really useful from a vendor perspective to have this rubric and this data. I think I might have a riff on David's question actually. I'm trying to understand what user data means given the many different ways in which case PLOS, a native OA publisher, engages with users. So we have user data that comes from people submitting. You have user data coming from reviewers, from editors. You have data around how people are reading content. You have thankfully we're not stuck in IP authenticated type stuff although that's monitorable as well. And those data banks are largely siloed in a lot of cases and the approach that we've sort of taken largely because of the lack of federal guidance is if it's GDPR compliant, we can all go home, which is easier said than done, right, but that's kind of been our bar. I think there's a question embedded in there. So like which kinds of use are you speaking to in all of this work and if we're sitting there biting our nails about it is GDPR a standard that you can say if I check that box I'm pretty comfortable from the library perspective as to the standard. Thanks.
Sure, thank you, Sara. So I'm gonna say that with the respect to this particular project, I believe it or not in fall 2018 we actually weren't talking about transformative and pure publish agreements all the time like we are right now. So we weren't really thinking so much about author data as an example. So we were thinking about when libraries have contracts the kind of data we would be sort of seeing represented in those contracts which primarily meant reader data because libraries at that point in fall 2018 especially in the United States were primarily actually not participating in sort of the pay to publish side of these things.
So what I would say is if I were writing this now it would be where the library is paying then we sort of see ourselves as having a role to play with respect to this. Now obviously you're not gonna have anonymous authors. Like you can't like IP authenticate an author's submission. So I think there's a reasonableness standard here. But yeah there's all kinds of data about people. What I would say is that GDPR's definition of personal data and privacy, while it certainly gets you a long way it is not an absolute match to what librarians mean by privacy. So at this point pretty much I'd expect any sort of vendor in the library business community of any size almost to be GDPR compliant and yet we're still having these conversations so I will say that I think it's not. So it's definitely difficult to tease out the difference between sort of a legislative definition and sort of the library's value on privacy. And I mean I will say I think Sarah's kind of alluded to this and I'd be interested to have her talk about this a little bit more. Like I wanna be really clear like the library world isn't actually all of one mind. Like when we say privacy. So certainly that makes it more challenging. Which I think is why so many vendors came back to me and was like, oh a rubric, you wrote it down. Like okay this I can work with. And ALA does have some vendor checklists as well but they're not actually, they're kind of more principles as opposed to actually sort of more tactical. But Sarah I'm wondering if you could talk a little bit about the challenge of even getting one library like understanding privacy together. Yeah I mean I think that it's absolutely correct that you definitely have different viewpoints listen to any learning analytics conversation and you'll hear that right. 
And I would say that I'm gonna try to speak generally here I would say that leadership within Arizona had some pretty differing opinions on sort of the how far we might want to go on user privacy or that I don't wanna say how far but like how many resources we wanted to put into this work. And so that has been a, I'll say let's say a journey to get us to a place of common agreement on that which has been really useful I think really good conversations but it's taken us a while to get there. So yeah I mean it's you know and you can see that then across the library community right. So I can imagine within like consortial contracts like the conversations there are gonna be that much harder because every library might have a different policy position as well on that. So yeah your mention of learning analytics actually makes me kind of wanna make a little bit of a connection between a session that was held earlier today if you attended the Data Doubles presentation with Kyle Jones and Michael Perry. Kyle and I also have a grant on prioritizing privacy and learning analytics but he has this Data Doubles project and the Data Doubles project has actually been investigating student perceptions and expectations around like their data relative to their institution. So it's not just learning analytics it's also institutional data et cetera because one thing we haven't even brought into today's dialogue is so like how do faculty and students feel about being tracked? I mean are they like super happy about it and no problem is this just a librarian thing? 
Well, okay, so it turns out, and I'm, there's a lot of detail and I highly recommend their project, I would do a disservice to attempt to summarize it, but my big takeaway in talking with them and understanding that project is that students actually, this is again relative to their institution, are quite okay with their institution using data about the student, but they want a consent and an active consent process, and absent an active consent process they want an absolute transparency process. And this is I think even one of the things where you can say is like regardless of sort of where you are on that privacy, like the librarian privacy value continuum, and you know I would argue that in some ways the students and the librarians are not fully aligned on this, the students are very clear that they want the transparency around this. So that would even still move us forward in a certain kind of user control way, because privacy is not our only value, right? We also have values around confidentiality. There seems to be some value that is not as articulated around like user control, and this is definitely in the library community, the degree to which the library takes a paternalistic role relative to user data or a role that says we want to create conditions in which you can make an informed choice. And I would say those two are still sort of very much, battling is maybe too strong, but these are definitely not, they are easy to find both of those positions in the community.
Yeah, I'll just add to that. I think the transparency piece is really critical because I do think it provides for us, at least for me, and one of the things I've been trying to really push us towards is thinking about how we can be as transparent as possible especially around sort of are the major vendors that we have in place.
Can we have a place on our website that says basically, this is what this vendor says they do with user data, this is our contract language, and so you know that this is what we're agreeing to, because at least then people can see that and understand that. So yeah, but it's a challenge to track that, because that also then gets into the changing terms et cetera, where you can't always say this is what's happening.
Hey, hello. Maurice York, Big Ten Academic Alliance. So this isn't a very well formed thought, but a possible approach, and especially is like the negotiating table is such a tense place for everybody to be, and potentially a model something like the Library Accessibility Alliance, which does accessibility testing of publishers, vendor websites and things like that, fairly intensive process, and it's an idea of pooling money from multiple places. It was started by BTAA, then ASERL joined, then GWLA Greater Washington Research Alliance is their consortium is there now, sorry, WRLC, and it is pooled in money to be able to contract out and do those kind of reports, and it's a partnership with the vendors and publishers as a joint effort, is like we want these audits, we're gonna be able to post those reports publicly and things like that. And to me the Library Accessibility Alliance is really interesting as a model since it started small with a few institutions. It's not like a big thing like let's all agree on what accessibility is or what privacy is, let's start small and then start to grow it and see the evidence and the success, and then those who join in can, and things like that. So this is just a potential model to approach privacy.
Thanks, that's really helpful.
Rob Hilliker from Rowan University. So that's funny because I'm usually a very pro cooperation person but I think I'm almost taking an opposite idea from Maurice's there, which is, is there a way to operationalize or like actualize the cost to the vendors for non-compliance? That seems like something that could be part of license terms. I know it's not common, I mostly see it in IT where like downtime translates into, right, if you're down this much time you get a refund or a discount on the next renewal. Is there a way to put some skin in the game, but maybe not confrontationally, maybe cooperationally, to say look, this is the value of privacy, let's quantify that in some way that doesn't have to be necessarily rigorous but it has to then put a cost on the table to say okay, we're gonna invest in meeting the terms of this agreement because otherwise there's a cost to us that's quantified in the license language. I mean another approach, you know, I'm also thinking about sort of brown M&M tests too, right, like is there a way to have heuristics that aren't difficult to check for that would show that there's the right pieces in place to support the claims that they're making about the privacy protections they have in place.
So can we figure out a privacy downtime, yeah. I think one of the very low hanging fruit that seems like quite reasonable is if you change your privacy policy that we've agreed to in this contract you would let us know that you changed it, like, because usually the policy itself is not in the contract, it just sort of refers to this thing that's somewhere else, and you know, so as things that are elsewhere change, like I guess that would be notification, attestation and notification, and right now we're kind of missing even notification in a number of these things, which I think ultimately comes back to, I keep coming back to like what we're telling our users, right, so like if we've told them it's this thing and then it's not, the trust our users have in us has a chance of eroding. And I'm thinking right now how much I'm happy I am not a law librarian with my students like wanting to cancel LexisNexis and Westlaw, and like that is a very difficult situation to manage when your patrons are wanting you to cancel a resource, so not something most of us deal with.
Mark Parris, Brandeis University. So actually that point speaks to one of the issues, kind of stepping back from this, and I really like the idea of the HECVAT for this process, I think that would help, but kind of taking a step back, those license terms, it seems like we need better data on our light, we probably all invested in going through our licenses, digitizing them, putting license terms in our resource management systems et cetera et cetera, but there has been a standard for a long time, the ONIX PL standard for license terms, and vendors have never lived up to providing license terms in that format for us to actually consume electronically and then to be able to do analytics on, to be able to do things like compliance and holding accountable and understanding the broad spectrum of where our licenses live in terms of the terms and conditions. So is there a space here to actually begin to also put that infrastructure in place in terms of license terms and given a standard already exists in ONIX? Thank you.
I knew you were gonna come up because the word standards was said, it's like you say it and he appears. It's magic.
Just to respond to the last question with regard to ONIX, so sorry, Todd Carpenter at NISO, with regard to ONIX PL, yes that standard exists, yes that's a reasonable approach. The challenge is with encoding license terms and that information is there's a Venn diagram of people who understand the legal side and the Venn diagram of people who understand the encoding side and that Venn diagram crosses in about three people, and we tried to engage those people and we did manage to encode several dozen licenses, actually with the help of the Mellon Foundation, many thanks for that, but it never got anywhere because the lawyers who are involved in that process don't really understand the technology and the technologists don't wanna spend time with lawyers, but we've tried.
There are more tears. We just like yeah.
We are at the end of our time. I wanna thank all of you for thinking with us here today. I wanna thank Danielle and Sarah for their wonderful remarks. I hope to hear from many of you. Both of the webinars we've had so far are also available as recordings on the Licensing Privacy website, and I will be very happy to hear additional ideas. You can find me very easily, email address and the like, and I'd love to continue these conversations. So thank you so much for your contributions here today.