So long, Sunderland – and some data-related unfinished business

After nearly four and a half years at the University of Sunderland, I’m moving on to a new role at ORCID, as their Education & Outreach Specialist.  For most of my time at UoS, I’ve been the E-Resources Librarian and the Law Librarian, which has been a very interesting combination of roles.

When I started at UoS in 2012, we still had Classic Athens authentication and Single Sign-On running in parallel, EDS was implemented but needed more work, and EZproxy was hardly used.  Since then, the use of Classic Athens has been discontinued and SSO has been fine-tuned to give different access permissions to different types of users, EZproxy authentication is in place for all platforms which support it, and I’ve overseen the successful migration of our old EDS to the new EDS FTF.

I’ve enjoyed teaching others about various e-resources topics, especially while dressed as a pirate.  Other subjects included licences and subscriptionsjournals and platforms, and hyperauthorship.

Writing and editing my chapter on Open Access for the Legal Academic’s Handbook helped me to distill and refine my ideas in this field.  Participating in Helsinki University Library’s International Staff Exchange Week 2014 was an excellent experience and further fuelled my Suomi-philia.  And developing a framework for Professional Practice Forum helped to develop communications and nurture relationships within our Senior Library Staff team.

My participation in UKSG has grown from attending the 2013 conference (where I first heard about ORCID), the 2014 conference, being invited to join the UKSG Research & Innovation Sub-Committee, and then being elected to UKSG Committee.  I’m looking forward to carrying on this role in my new job, and glad that ORCID is fully supportive of my involvement.

I would like to thank the colleagues who have helped to realise many of these projects, especially Rachel Webb and Ian Frost, trusty allies in periodicals and IT.

Lastly, there is some unfinished business concerning EBSCO EDS and Single Sign-On.  Bref, EBSCO and Eduserv are proposing a change to how users log in to EDS, so that they will also  immediately be logged in to their personal folders.  This solution will appeal to libraries, as users often struggle with the current situation where you log in first to the system, and then again (with different credentials) to access your personal folders.  However, this change involves sending users’ personal data outside the EU, and therefore has Data Protection implications.  Here is my most recent communication to Eduserv on the matter, sent in advance of last week’s webinar “Approaches to authentication – evolution, security, options for the future”:

I would like to ask you about how the use of EDS and SSO fits with the Data Protection Act (1998) requirements that personal information used by organisations is not transferred outside the European Economic Area without adequate protection.
I have made this enquiry before have been told that it is up to the organisation to decide if EBSCO’s use of servers outside the EU complies with the DPA (really?).  This respondent also quoted the Safe Harbor framework, appearing not to know of the EU Court of Justice decision in 2015 that the Safe Harbor regime did not provide a valid legal basis for EEA-US transfers of all types of personal data.
I wonder if someone at this webinar may be able to provide a better response.  I urge Eduserv and EBSCO not to pass this matter back to individual organisations alone, but to offer some advice and guidance about the implications, especially as many library staff making decisions about implementing the EDS & SSO option may not be aware of the legal implications.

I have not yet had a response from them, and the recording of the webinar has not yet been released so I don’t know if it was addressed during the session.

Library colleagues, please be alert to the implications, keep asking Eduserv and EBSCO about this, and don’t let your users’ data be released without adequate legal and ethical safeguards.

Copyright fight: Authors Guild v. HathiTrust

Disclaimer: I am not a lawyer! This summary is written in good faith and any errors are my own (let me know and I’ll correct ’em).  Carry on…

HathiTrust is a collaborative project between a number of university libraries and other institutions to establish a repository to digitise (archive) and share access to their collections.

The HathiTrust collection includes both public domain and in-copyright content from a variety of sources, including Google, the Internet Archive, Microsoft, and partner institution projects.

Public domain content from HathiTrust is publicly accessible, and in-copyright content is accessible to authenticated users.

The main aims of digitisation projects like HathiTrust include ensuring long-term preservation of the materials (waiting until the works pass into the public domain often means the opportunity for scanning them in good condition has passed); making the content of books and journals more discoverable; opening up library content to students and others with print disabilities; and ensuring the continued relevance of the book culture in an increasingly digital age (list taken from the Committee on Institutional Co-operation, a HathiTrust partner).

The Authors Guild Lawsuit

(surely that should be Authors’ Guild? #pedant)

In September 2011, the Authors Guild, the Australian Society of Authors, the Union Des Écrivaines et des Écrivains Québécois (UNEQ), and eight individual authors filed a lawsuit against HathiTrust and a number of American universities, citing gross copyright violation.

In October 2012, a federal court ruled against the Authors Guild, finding that HathiTrust’s use of books scanned by Google was fair use under US law.

The HathiTrust repository contains over 10.5 million scanned books, most of which were created as part of the Google Books project.  Of these, about 31% are in the public domain, meaning that the remaining 69% are still in copyright.

Some of the main issues in the case were:

  1. The storage of scanned book images and text files for preservation purposes
  2. Indexing the full-text of the files for search purposes (though the search results show only where search terms appear in the catalogued items and do not allow the full text of the item to be read)
  3. Format-shifting to make works accessible to users with disabilities (e.g. creating a digital copy of a work that can be read by a person with visual impairment using screen reading software, even if digitising the work for other reasons is not permitted)

Main outcomes of the case for information professionals

Sections 107 and 108 of the US Copyright Act

Section 108 of the US Copyright Act allows libraries to make copies (within limits) for preservation and research.  It includes an explicit statement preserving the application of fair use:

Nothing in this section . . . in any way affects the right of fair use as provided by section 107.

The copyright owners argued that because one specific statute (108) applies to libraries, the general statute on fair use (107) cannot apply.  The court ruled that libraries may apply Section 108 and Section 107 on fair use: section 108 on library privileges doesn’t limit the scope of fair use (section 107).

Search indexing

Although the defendants argued that creating copies for preservation is “transformative,” the court did not agree.

Maintaining text files for searching is a transformative use, because the copies serve an entirely different purpose from the original works, but as the files were only for search and not for full-text access, no copyrighted content was accessible.

Search indexing is a transformative use, and it is a fair use.

Accessibility

American educational institution are mandated to serve needs under the Americans With Disabilities Act.

Section 121 of the US Copyright Act permits an “authorized entity” to make formats of certain works available to persons who are visually impaired.  An “authorized entity” is one that has a “primary mission” to serve those needs.  The court decided that although libraries and universities have many functions, they do have a “primary mission” to serve those needs.

There is no conflict of interest with commercial use, as there is no market for scanning and making materials available to people who are print-disabled, nor is one likely to develop.

Access for people who are print-disabled is a transformative use, and it is a fair use.

Commercial use

The court decided that the HathiTrust partner libraries weren’t making materials available for commercial use, even though they partnered with Google to carry out the scanning.

This is important for UK copyright holders whose works in US libraries have been digitised via Google Books or similar projects.

See this summary from Columbia University on “Effect on the Market for the Works”:

  • For noncommercial uses, the plaintiff must show “by a preponderance of the evidence that some meaningful likelihood of future harm exists.”
  • The court rejected the argument of lost sales, finding that sales of books would have not served text searches or access for persons who are print disabled.
  • The court found that the copies in HathiTrust were not a security risk, noting the evidence presented about the security measures in place.
  • The court also found assertions of future licensing revenue to be “conjecture” without evidence of some actual harm.
  • In broad terms, the court also ruled that copyright owners “cannot preempt a transformative market” and uses that are in a “transformative market” do not cause a loss of license revnue.
  • The projected high cost of any possible license market would also be cost prohibitive for an initiative such as HathiTrust, and it may not be possible at all given the numerous works and the need to locate copyright owners.
  • Regarding the needs of the print-disabled, the evidence showed that they are a “tiny minority” and a market to allow them access to millions of books “is consequently almost impossible to fathom.”

Digitisation projects such as those carried out by HathiTrust and its partner universities are non-commercial.

Other reports and opinions on the case

United States District Court, Southern District of New York: The Authors Guild, Inc., et al., against Hathitrust, et al. 11 CV 6351 (HB) Opinion & Order

The Chronicle of Higher Education – Judge Hands HathiTrust Digital Repository a Win in Fair-Use Case

Columbia University Libraries/Information Services Copyright Advisory Service –  Court Rules on HathiTrust and Fair Use

Copyright Librarian – Author’s Guild v Hathi Trust: A Win for Copyright’s Public Interest Purpose

HathiTrust – Information about the Authors Guild Lawsuit

The Michigan Daily – ‘U’ wins copyright lawsuit against Hathitrust digitalization project

Wired – Judge Says Fair Use Protects Universities in Book-Scanning Project

Licences for e-resources

I made these notes from Essential law for information professionals by Paul Pedley (3rd edition) – it’s great, buy your own copy!  See also this post on other things I learned from this book.

Key issues to consider when negotiating an e-resource licence

  • Applicable law – preferably the national law of where your organisation is located
  • Ensure that statutory rights are recognised – licence should include a term like this:

This agreement is without prejudice to any acts which the licensee is permitted to carry out by the terms of the Copyright, Designs and Patents Act 1988 and nothing herein shall be construed as affecting or diminishing such permitted acts in any way whatsoever

  • Perpetual access to the licenced materials – check for “on termination of this licence, the publisher shall provide continuing access for authorised users to that part of the licenced materials which was published and paid for within the subscription period”.  Nature allows post-cancellation access rights subject to the payment of an annual access fee
  • Warranty and indemnities – the licence should contain a clear warranty that the publisher/licensor is the owner of the intellectual property rights in the licenced materials and/or that they have the authority to grant the licence.
  • End-users – the library should not incur legal liability for each and every infringement by an authorised user
  • Non-cancellation clauses – e.g. no penalty for cancelling print in order to sign up to the electronic version of an information source
  • Non-disclosure clauses – if the licence contains a non-disclosure clause, it needs to be clear what information is subject to the obligation of confidence and you need to decide whether this is reasonable.  Public authorities need to bear in mind their obligation under the FOIA, and vendors need to recognise that public authorities can’t simply ‘contract out’ of their FOIA obligations
  • Termination clause – which sets out the mechanism or circumstances in which the licence terminates
  • Reasonable endeavours’ and ‘best endeavours’ clauses – these are ambiguous and should be avoided.  The difference: ‘reasonable’ = probably requires the relevant party to take one reasonable course; ‘best’ = probably requires the party to take all reasonable courses they can.  If these phrases are used, make sure that the contract expressly spells out a specific set of steps that the person subject to the obligation is required to do as part of using their reasonable or best endeavours to perform the obligation

If 3 months’ notice of cancellation is require for e-resources licences, consider handing in the notice of cancellation with signed contract, to ensure maximum flexibility when the licence agreement is due for renewal.

The British Library carried out an analysis of 100 licences that had been offered to them, and compared them using the following criteria: archiving, printing, downloading and electronic copying, fair dealing, visually impaired, inter-library loan and legal exceptions.  It includes the wording used in the contracts, which makes for interesting comparisons!

IFLA’s licensing principles which should prevail in the contractual relationship and written contracts between libraries and information providers.

It’s important for both sides to be clear about what they are trying to achieve and be upfront about what is non-negotiable.

Factors that can make or break a deal

  • Applicable law
  • Warranties and indemnities
  • Remote access
  • Price
  • Access by walk-in users
  • Inter-library loan
  • Fair use
  • Archival access/perpetual rights
  • Adequate definition of authorised users
  • IP access
  • Definition of university/campus as a single site

Bear in mind usage data.  Do you get automatic admin rights to this info and in a format you require?  If not, put a clause in the contract requiring the vendor to supply you with usage data on a regular basis.  This will help you spot patterns including suspiciously high use from one particular user.

Essential law for information professionals

I’ve recently enjoyed reading Paul Pedley’s book, Essential law for information professionals (3rd edition).  Best read a chapter at a time, it gives a practical introduction to the many areas of law you may encounter in your work in an information context.  I particularly liked how he used examples of real cases to illustrate how library staff have become embroiled in legal action and what the outcomes and learning points were.

Here are some of my gleanings:

  • Do you know the difference between R and TM? ® is a registered trade mark and ™ is an unregistered trade mark
  • You can search the Data Protection public register here
  • An escrow agreement is recommended if using cloud computing services – it is an agreement to require the service provider to deposit their source code and related materials with a neutral third party.  If release conditions are triggered (e.g. service provider goes into administration) the customer can access the application, their own proprietary data and intellectual property which supports the software as a service solution [SaaS].
  • And finally, a separate post about e-resource licences

When preparing notes for this post, I was worried that I might be infringing copyright law (how ironic) but decided in the end that since I have given full attribution and that I have only referred to a few short sections of the book (less than a chapter or 5%), it would probably be ok.

Libraries and the Freedom of Information Act

This is the second of two posts based on session I attended recently entitled What’s private and what’s public? Data Protection and Freedom of Information.  This post does not constitute formal legal advice.

The Freedom of Information Act 2000 (FoI) refers to information which you have an obligation to provide, whereas the Data Protection Act 1998 (DPA) is concerned with information which you must not disclose.

FoI is underpinned by the public right to know what is done by public bodies and how they operate.

The basic FoI right is to be informed in writing by the public authority whether it holds info of the description specified in the request; and if this is the case, to have that info communicated within twenty working days.

Most libraries and archives are publicly funded, and therefore affected by FoI.  The focus is on policies and procedures but FoI affects all information held, including manuscripts and rare books.

Is it an FoI request?

  • It must be in writing and include an address to which reply can be made
  • The request does not have to come from someone based in the UK
  • The request does not have to mention FoI explicitly

Does this sound familiar?  Most reference enquiries will come under the Act, so in fact many libraries were complying with the principles of FoI long before the Act came into being.

FoI exemptions

No need to supply the information if:

  • it is accessible by other means
  • It would adversely affect commercial interests
  • it would contravene data protection provisions
  • it would breach confidences
  • it is not your information to share
  • you plan to publish it soon
  • it would cost too much

More details about FoI exemptions

  • it is accessible by other means – policies and procedures may already exist on your website, but it would be good practice to supply a copy anyway.  Other example: reference requests where the information exists in books which could be purchased by the enquirer or accessed via a local library, inter-library loan or at the British Library
  • it would adversely affect commercial interests – for example, information about preferred supplies or buildings contracts
  • it would contravene data protection provisions – such as disclosing personal information about another person
  • it would breach confidences – not a complete exemption, as you must still weigh the public interest
  • it is not your information to share – such as deposited manuscripts or other material given but with conditions, or information affecting other University bodies
  • you plan to publish it soon – for example, a catalogue or critical edition.  Informal advice suggests that a time frame of “within three years” is reasonable.  It does not have to be the library that is the publisher of the information
  • it would cost too much – when considering expense, distinguish between (1) gathering/establishing the info, (2)  deciding whether it’s exempt and  (3) producing/supplying the info.

Deciding whether it’s exempt is not chargeable

Producing/supplying the information is chargeable at cost in advance

Calculating the costs of gathering the information is more complicated.   The cost is calculated at £25/hour to a maximum of £450 – the equivalent of 18 hours’ work.

If the costs of gathering the information will be less than this, you must supply the information for no more than the cost of supply (i.e. you must absorb up to 18 hours’ worth of work time).

However, if the costs of gathering the information will be more than 18 hours, you may decline to fulfil the request; offer to do it under FoI and charge at £25 per hour; or offer to do it outside the terms of the FoI.

There is no fee chargeable for fulfilling FoI requests, unlike DPA-related enquiries where data subjects can ask to see all our records relating to them within 21 days, for a small admin fee.

Helping the enquirer

Do everything you can to help the enquirer with their request.  If the information they’re asking for is too broad or vague, advise them to rephrase their request.  If they make the request by phone or in person, advise them to make a proper request in writing.

Time limits

The time limit of responding to FoI requests within twenty working days includes Mondays-Fridays only, not weekend days.  It excludes public holidays but not other closed days, and does not take account of personal leave.

The clock starts with initial receipt of the request by the University and ends with supply or refusal of the request.

Ensuring compliance

Responsibility

Each department of the University should have a nominated first point of contact for all FoI matters.  The team which receives the original request is responsible for assessing it and seeking assistance if necessary.

Timescale

Date stamp on opening, identify person/dept opening and any forwarding dates or details Assess within two working days Respond within another 8 working days Open mail for employees away for more than 10 working days (or fewer by agreement) unless marked private or personal Open mail if just marked confidential

Email

It is recommended that you have a folder for FoI emails and keep all correspondence (including replies) for one year.

If you will be away from work for more than 10 working days, ensure that your auto-reply includes an invitation for anyone with a request for information to resubmit it to another specified address.

Providing the answer

The enquirer may express a preference for receiving a copy of the material, a summary of the content of the material, or coming to inspect the material.

They may request to have the material in a re-usable form e.g. as a spreadsheet, not a PDF.  Accede to the preference unless other factors apply.

Copies can exceed fair dealing limits but should be accompanied by a note about legitimate use of the material.

Problem areas

  • Policies and procedures – these are often sensitive
  • Misdirected requests – the time needed to reroute the request is included within the time limit
  • Manuscripts and rare items – is it unique or effectively unique?   Refers to terms and conditions, and consider whether they include personal information about a living person
  • Time limits

In summary, think of most FoI requests like normal reference enquiries and do everything you would normally do in terms of providing a prompt, helpful reply.

In trickier cases, seek advice from your nominated FoI contact and record all the steps you take, including forwarding messages to other teams or awaiting a reply from someone else and keep it all moving along so that you can respond to the enquirer within the time limit.

See also: Libraries and the Data Protection Act

Libraries and the Data Protection Act

This is the first of two posts based on session I attended recently entitled What’s private and what’s public? Data Protection and Freedom of Information.  This post does not constitute formal legal advice.

The Data Protection Act 1998 (DPA) is mostly concerned about information you must not disclose, whereas the Freedom of Information Act 2000 (FoI) covers information which you have an obligation to provide.

Personal data in libraries

In libraries, we hold information which is affected by the DPA, such as:

  • Info about students themselves and their use of libraries – where they’ve been, what they’ve borrowed, name, address, email etc ; as well as information about staff and possibly non-members of the University (external visitors)
  • Other examples: trading information about customers  (if your organisation has an online shop); personnel info about staff (such as the results of Criminal Records Bureau checks,  employment records)

8 principles for handling personal data

Data must:

  1. Be processed fairly and lawfully
  2. Be held only for specified purposes
  3. Be adequate, relevant and not excessive
  4. Be accurate and kept up-to-date
  5. Not be kept for longer than necessary
  6. Be processed in accordance with the data subject’s rights
  7. Be kept secure
  8. Not be transferred outside the European Economic Area, unless the recipient country can ensure an adequate (equivalent) level of protection

How the University fulfils these criteria

  1. Be processed fairly and lawfully – our processing is lawful because we undertake it in pursuit of the legitimate interests of our business, namely providing readers with books.  The University of Oxford asks its members (and external readers) to sign their agreement to the University holding the data when they apply for their University Card.  The agreement reads: “I understand that the information will be collected and processed according to the provisions of the Data Protection Act 1998”
  2. Be held only for specified purposes – the University is registered for lending and hire, education and training; and these cover all activities relating to the access and borrowing privileges of readers.  This also means that we can’t use readers’ data for purposes beyond this remit without their permission
  3. Be adequate, relevant and not excessive – we only gather the data we need for library purposes
  4. Be accurate and kept up-to-date – when a reader informs us of a change to their details, we must update their record promptly
  5. Not be kept for longer than necessary – The main University Card database holds records indefinitely as people may return for further study or employment.  However,  once a reader’s record expires, their record is deleted from the library’s database
  6. Be processed in accordance with the data subject’s rights – the data subject has the right to inspect the data we hold about them; and if they believe that something is wrong and/or that damage or distress is being caused, they have the right to prevent processing of data about them, to rectify, block or erase data and to sue for damage being caused
  7. Be kept secure – we must not disclose personal data to unauthorised persons.  Library staff are authorised persons because they are employees of the Data Controller.  Take care with the angle of computer screens at enquiry desks so that readers can’t see personal info about other people.  Don’t write passwords on notes kept by the computer.  Ensure filing cabinets containing personal data are kept locked.  Dispose of personal data securely (i.e. by shredding it).  If students occupy a staff area, switch off computers immediately.  It is good practice to lock computers [PC: Ctrl-Alt-Del and Enter] when not in use, even in staff-only areas
  8. Not be transferred outside the European Economic Area, unless the recipient country can ensure an adequate (equivalent) level of protection – for example, the USA does not have such provisions.  Take care over the location of your servers and cloud computing services.  If using a site like SurveyMonkey, you might choose to state that “this data will be processed in the USA”

Sensitive data

A step beyond personal data, sensitive data is defined as information relating to:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs or similar
  • Trade union membership
  • Physical or mental health
  • Sexual life
  • Commission or alleged commission of any offence
  • Proceedings relating to any offence or alleged offence

Sensitive data may only be recorded with the explicit consent of the person. If the person has disclosed some of this information to any one person in the University, the whole University is deemed to know, even though the info is secret and therefore probably not being passed on.

Who’s who

Data controller: person who determines the purposes for which and the manner in which any personal details are or are to be processed

Data processor: any person (other than an employee of the data controller) who processes the data on behalf of the data controller

Data subject: an individual who is the subject of personal data

CCTV

Information captured by a closed-circuit television system counts as personal data.  People should know they are being recorded: have a notice displayed to let them know, with contact details in case anyone has any queries.

If a CCTV screen is on display to readers or other members of the public, it must be recording a view of the place where they are, not somewhere else.

You may only circulate images from CCTV to people who really need to know. Images may be passed to the police if they ask us to supply them.

Claims by data subjects

Data subjects can ask to see all our records relating to them – within 21 days, for a small admin fee. Therefore, only record what you are prepared for the data subject to see!

Only the data subject can ask, or their representative with written consent.  Only living people have rights under the DPA.  In supplying records, we must not breach others’ DPA rights.  Always refer to the University’s DP officer if in doubt.

See also: Libraries and the Freedom of Information Act

Digital Opportunity: A Review of Intellectual Property and Growth

Digital Opportunity, a review of Britain’s intellectual property law by Professor Ian Hargreaves, is published this month. The report concludes that the UK’s copyright laws are outdated and makes recommendations for a “clear change in in the strategic direction of IP [intellectual property] policy direction designed to ensure that the UK has an IP framework best suited to supporting innovation and promoting economic growth in the digital age. This change is modest in ambition and wholly achievable.”

Here is an extract from the executive summary [with some of my comments]:

The Review’s specific recommendations would support growth of the UK’s increasingly intangibles intensive economy. This requires:
• an efficient digital copyright licensing system, where nothing is unusable because the rights owner cannot be found [no more orphan works – hurrah!];
• an approach to exceptions in copyright which encourages successful new digital technology businesses both within and beyond the creative industries;
• a patent system capable of preventing heavy demand for patents causing serious barriers to market entry in critical technologies;
• reliable and affordable advice for smaller companies, to enable them to thrive in the IP intensive parts of the UK economy;
• refreshed institutional governance of the UK’s IP system which enables it to adapt organically to change in technology and markets.
If the Review’s recommendations are acted upon, the result will be stronger rates of innovation and increased economic growth. An economic impact assessment conducted by the Review team, and of course subject to the high degree of uncertainty inherent in such projections, estimates that this would add between 0.3 per cent and 0.6 per cent to annual GDP growth. The path laid down in this review would also, over time, mean that IP law, including copyright law, would become clearer and be observed by most people without controversy [the Report notes that millions of citizens are in daily breach of copyright for format-shifting e.g. ripping a CD onto a computer; and the resulting confusion about what is allowed and what is not risks that the law falls into disrepute].

I am delighted that the report advises that “copying should be lawful where it is for private purposes, or does not damage the underlying aims of copyright”.  I fully agree that these changes will “help to make copyright law better understood and more acceptable to the public”.
I really hope that the government will accept this report and implement its recommendations.

Do you remember this?

Image source: http://www.flickr.com/photos/csodaszar/283568892

If not, follow the image’s link to the Wikipedia article.

I love the “Home Sewing is Killing Fashion” parody 🙂