Libraries can help protect patron privacy with patron category settings and system preferences that can either store or anonymize patron history. Pseudonymization is a tool offering additional privacy controls.
Patron Data
PII, Personally identifiable information, is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used to deanonymize previously anonymous data is considered PII.
When deciding what to store in Koha, libraries should think about what they need to do to keep patrons' data safe. If information is necessary to the library but could be seen as too much data to store in Koha, it could be stored outside the software, perhaps in paper format and locked away.
Can Libraries Collect Year of Birth?
Date of birth is one field libraries can collect during patron registration, often to confirm patron identity, or in some cases, maintain a separate patron category based on age, as public libraries will often do. This field is not a default requirement in Koha, unless a library sets it to be in the BorrowerMandatoryField system preference.
Sometimes, libraries want to be able to collect enough information to distinguish patrons but not collect the full MM-DD-YYYY birthday. Unfortunately, the date of birth field requires all three pieces: month, day, and year, which Koha saves in the database in ISO format of YYYY-MM-DD. Anything deviating from that will be an invalid date and can cause system errors, so Koha has guardrails against being able to enter and save invalid dates.
A library can opt not to collect date of birth, or simply not make it required if it largely wants to collect it but wants patrons to be able to opt out of providing that information. As another option, a library otherwise requiring that field can come up with a standardized internal convention for those patrons, such as saving 01-01-1901 as a date of birth for very privacy-minded patrons, training its front-line staff accordingly. As a third option, if a library would like to collect year of birth for statistical purposes but doesn't need the rest of the date, it could consider setting up and using a patron attribute (or the sort1 or sort2 fields if they are not already in use) instead of the date of birth field, so that it can use this data for reports later.
Patron Privacy Settings
Libraries can help protect patron privacy with patron category settings and system preferences. Koha manages patron privacy by automatically removing patron information from circulation history. At the patron category level, libraries can specify when circulation history is anonymized. System preferences control when and how staff and patrons can see patron reading history, holds history, and suggestion history. Circulation statistics are retained when patron history is anonymized.
Patron Categories
Default privacy settings can be assigned for each patron category. Default controls how long a patron’s checkout history is kept for new patrons. Note: changing this setting does not alter the privacy settings of existing patrons.
Default privacy options:
- "Never" anonymizes patron checkouts immediately on return
- "Forever" keeps patron checkout history indefinitely
- "Default" means the amount of history kept is controlled by the cronjob batch_anonymise.pl. This cron job can be set to anonymize after a certain period, like 30, 180, or 365 days.
System preferences control whether patrons can independently choose to keep their reading history and holds history. If patrons are allowed to choose their privacy settings, these choices will override what is set at the patron category level. If a library sets a patron category to never keep history and an individual patron chooses to keep circulation history forever, that history is recorded and is visible to the patron and potentially to staff. See below for system preferences controlling visibility.
System Preferences
Click on any system preference to see full details in the Koha manual.
OPACPrivacy - When set to allow, patrons can choose their privacy settings for their reading history. This requires opacreadinghistory and AnonymousPatron.
opacreadinghistory - When set to allow, patrons will be able to see what books they have checked out in the past.
intranetreadinghistory - When set to allow, staff can view a patron’s checkout history if the library or patron has chosen to record it.
intranetreadinghistoryholds - When set to allow, staff will have access to a patron's hold history if the library or patron has chosen to record it.
AnonymousPatron - This setting assigns a number that will replace the borrower number when patron history is anonymized. This is used for anonymous suggestions, holds, and checkout history.
StoreLastBorrower - When set to store, staff will be able to view the last patron to return an item in the history section of an item record, even if a patron has anonymized their history. This setting is independent of opacreadinghistory and AnonymousPatron.
OPACHoldsHistory - When set to allow, patrons will see the list of their past holds on the OPAC.
What does this look like in the staff interface?
The Koha manual has examples of how staff will see patron circulation history and holds history if intranetreadinghistory or intranetreadinghistoryholds are set to "Allow".
What does this look like in the OPAC?
The Koha manual describes the patron experience of setting different privacy options, with screenshots.
If OPACPrivacy and opacreadinghistory are set to allow, patrons will have a section of their account called "Your privacy." This is where they can choose to keep or delete their history. More information and examples of what patrons see in the OPAC can be found in the following sections of the Koha manual:
- Patron search history
- Patron checkout history
- Patron holds history
Note: If a library has set the system preference StoreLastBorrower to "Store", the patron will also see a note about how this information is being stored in the library: "Please note, the last person to return an item is tracked for the management of items returned damaged."
Pseudonymization
There is a pseudonymization feature in Koha that gives us a way to tell Koha to store a lot more data about our transactions and to do so in a way that cannot be connected back to a specific patron. The system preference Pseudonymization under Patrons and Security is turned off by default. A library can enable this feature and then also specify what data to keep.
Turning on this pseudonymization feature will not change anything about the data processed in the issues, old issues, and statistics tables within Koha. However, for each transaction you perform, Koha will also record data in the new pseudonymized_transactions table.
Further description can be found under the pseudonymization group of system preferences in the Koha manual.
Batch Anonymize
The cron in Koha that is called Batch Anonymize removes borrower numbers from circulation history so that the stats are kept, but the patron information is removed for privacy reasons. For a library to anonymize patron data, a few things will need to be set up in Koha.
Set Up
First, there is a system preference called AnonymousPatron. This system preference needs to be filled out so the patron’s history is not stored at the specific patron level but instead is saved to an ‘anonymous patron’. If your library does not have a patron defined as the ‘anonymous patron’, you will want to create one and then add the borrower number of this patron into the system preference. If this system preference is not filled out, the cron will not run.
Next, your library will need to determine which patron categories will have their patron history anonymized. Within the patron category set up (found in Admin), a library can choose three different privacy settings.
Default: Default privacy means that the patrons in this category will be affected by this cron, and the library will determine how long history is kept and how often the cron (Batch Anonymize) will run.
Forever: If a library wants a patron category to retain patron history, the category can be set to Forever and the Batch Anonymize cron will ignore these patrons.
Never: The last option would be to set a patron category to Never, which would tell Koha to anonymize checkouts on return.
For the patron categories that are set to Default, the Batch Anonymize cron can be set up to run daily and will pick up patron history that is older than X number of days. The library can choose the number of days the patron history is kept prior to being removed from the system.
Cronjob
This is an example of the cron line that would remove patron history (for patron categories set to Default) after 5 days:
cronjobs/batch_anonymise.pl --days 5
#$KOHA_CRON_PATH/batch_anonymise.pl --days 365 > /dev/null
What's the Difference Between Last Returned By and Last Borrower?
On the history portion of item details pages, 'Last Returned By' is saved by the system preference StoreLastBorrower. 'Last Borrower' and corresponding 'Previous Borrower' come from circulation history in old_issues.
The system preference StoreLastBorrower exists to help circulation staff track down who may have last had an item where damage or missing parts are discovered after return, especially with anonymization in play. This preference grabs the borrowernumber of the last account that had the item checked out, storing it in another table, items_last_borrower, and displaying the card number. Many libraries, mindful of privacy, have some degree of anonymizing transactions, whether that is letting patrons set their own privacy settings, anonymizing all checkouts on return as a default, or even only keeping checkout history for a few days before anonymizing. This process overwrites the last borrower stored in the old_issues table from the borrowernumber of the patron to that of the account set as the anonymous borrower by the AnonymousPatron system preference. (In our partner sites, this is usually one of the first few system accounts created as part of the default suite of accounts.)
In the following screenshot, you can see that 'Last Returned By' shows a card number, while the Last Borrower displays as anonymous, due to account privacy settings.
Without StoreLastBorrower on, a librarian trying to reach the previous borrower of that item would not be able to find out who had the item because the privacy on that account was set to anonymize on return.
Currently, StoreLastBorrower does not have a process by which it is eventually anonymized, though an enhancement is working its way through the Koha community to do so.
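The following added example (not Koha's own code) is a simplified Python/SQLite model of the behavior described in the Batch Anonymize and StoreLastBorrower sections: history older than the retention window is repointed to the anonymous patron, while items_last_borrower keeps the real borrower. The table names follow this page; the column layout, the numeric privacy values, the anonymous patron's borrower number, and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import date, timedelta

ANONYMOUS_PATRON = 1               # assumed borrowernumber set in AnonymousPatron
FOREVER, DEFAULT, NEVER = 0, 1, 2  # modelled privacy values (assumption)

def build_db(today):
    """Constructed sample data: returned checkouts for three patrons."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE borrowers (borrowernumber INTEGER PRIMARY KEY, privacy INTEGER);
        CREATE TABLE old_issues (itemnumber INTEGER, borrowernumber INTEGER, returndate TEXT);
        CREATE TABLE items_last_borrower (itemnumber INTEGER PRIMARY KEY, borrowernumber INTEGER);
    """)
    db.executemany("INSERT INTO borrowers VALUES (?, ?)",
                   [(ANONYMOUS_PATRON, FOREVER), (51, DEFAULT), (52, FOREVER), (53, DEFAULT)])
    for item, patron, days_ago in [(100, 51, 30), (101, 52, 30), (102, 53, 2)]:
        returned = (today - timedelta(days=days_ago)).isoformat()
        db.execute("INSERT INTO old_issues VALUES (?, ?, ?)", (item, patron, returned))
        # StoreLastBorrower = "Store": the last returner is recorded separately
        db.execute("INSERT INTO items_last_borrower VALUES (?, ?)", (item, patron))
    return db

def batch_anonymise(db, days, today):
    """Model of '--days N': repoint old checkouts of Default-privacy patrons."""
    cutoff = (today - timedelta(days=days)).isoformat()
    cur = db.execute("""
        UPDATE old_issues SET borrowernumber = ?
        WHERE returndate < ? AND borrowernumber IN
              (SELECT borrowernumber FROM borrowers WHERE privacy = ?)""",
        (ANONYMOUS_PATRON, cutoff, DEFAULT))
    return cur.rowcount

def residual_identifiers(db):
    """Items whose history is anonymized but whose last returner is still stored."""
    rows = db.execute("""
        SELECT o.itemnumber, l.borrowernumber
        FROM old_issues o JOIN items_last_borrower l ON o.itemnumber = l.itemnumber
        WHERE o.borrowernumber = ? AND l.borrowernumber <> ?
        ORDER BY o.itemnumber""", (ANONYMOUS_PATRON, ANONYMOUS_PATRON))
    return rows.fetchall()

if __name__ == "__main__":
    today = date(2024, 6, 1)
    db = build_db(today)
    print("rows anonymized:", batch_anonymise(db, days=5, today=today))
    print("still identifiable via items_last_borrower:", residual_identifiers(db))
```

A library reviewing its retention settings can run the same kind of comparison as a report against its own database to see how many anonymized checkouts remain linked to a patron through StoreLastBorrower.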