Online library catalogue data protection policy

The request was successful.

Dear North East Lincolnshire Council,

Your online public access catalogue for library services is not securing member details using encryption (i.e. an HTTPS web address). The effect of this is that anyone logging in to their account is giving away their login details to potential malicious parties. That in turn gives an intruder easy access to personal information within a library account, and potentially sensitive user credentials that the citizen may use for other services.

Please could you answer:

- What details you hold on a library member that are visible when that user is logged on to the public library site? This may include contact details, email address, loan history, billing history, etc.
- What (if any) advice is given to members of the public who may be concerned about this?
- Who (within the library service) is responsible for the data protection of member data? If no particular individual, this could be the head of library services.
- How often (if at all) the library catalogue is part of a security audit (e.g. an externally accredited penetration test)? This would either be arranged by the supplier (if a supplier hosted system is in place), or the local authority if the system is self-hosted.

Yours faithfully,

Dave Rowe
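The risk the request describes is a login form whose page, or whose form action, is reached over plain HTTP. The following checker is an added illustration, not code from the council, the library service or its catalogue supplier: it parses a page for forms that carry a password field and reports whether the page URL, the resolved form action, or the absence of a Strict-Transport-Security header would let a member's credentials travel unencrypted. The `catalogue.example.invalid` host, the sample markup and the header dictionary are constructed placeholders so the check runs offline; against a live catalogue you would feed it the fetched HTML and response headers.

```python
"""Check whether a catalogue login page protects credentials in transit.

Added illustration, not the council's or supplier's code. Runs offline on
constructed HTML; the page URL, headers and markup are assumptions standing
in for a real online public access catalogue login page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form>, its resolved action URL, and whether it contains
    an <input type="password">."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, headers=None):
    """Return a list of findings describing how credentials could be exposed.

    An empty list means the page is served over HTTPS, every password form
    posts to an HTTPS action, and HSTS is set so a browser will not be
    downgraded to HTTP on a later visit.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    findings = []
    page_is_https = urlparse(page_url).scheme == "https"

    if not page_is_https:
        findings.append("login page itself is served over plain HTTP")

    parser = _FormCollector(page_url)
    parser.feed(html)
    for form in parser.forms:
        if form["has_password"] and urlparse(form["action"]).scheme != "https":
            findings.append(f"password form posts over plain HTTP to {form['action']}")

    # Browsers ignore HSTS sent over HTTP, so only judge it on an HTTPS page.
    if page_is_https and "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header; a first visit can still be downgraded")

    return findings


# Constructed sample: a catalogue page whose login form posts back to the same
# origin, plus an unrelated search form that carries no password field.
SAMPLE_HTML = """
<html><body>
<form method="post" action="/opac/login">
  <input type="text" name="card"> <input type="password" name="pin">
</form>
<form method="get" action="/opac/search"><input type="text" name="q"></form>
</body></html>
"""

# Constructed headers representing the corrected deployment.
SECURE_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}


def demo():
    """Audit the same markup as served before and after moving to HTTPS."""
    before = audit_login_page("http://catalogue.example.invalid/opac/", SAMPLE_HTML)
    after = audit_login_page("https://catalogue.example.invalid/opac/", SAMPLE_HTML, SECURE_HEADERS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for line in before:
        print("before:", line)
    print("after:", after or "no findings")
```

The same markup yields two findings when served over HTTP (the page and the relative form action both resolve to `http://`) and none once the page is on HTTPS with HSTS set; a mixed case, an HTTPS page whose form posts to an absolute `http://` action, is caught by the form check alone.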

PPD - FOI, North East Lincolnshire Council

Dear Mr Rowe

 

I am pleased to acknowledge your request for information, which has been
allocated the reference number NEL/3157/1617.

Your request has been passed to the relevant department for processing and
you can expect your response within the 20 working day limit. If it will
take us longer than 20 working days to respond to you, we will inform you
of this and provide you with the expected date for receiving a response.

Further information about how we will deal with your Freedom of
Information requests is available on our website at:

[1]https://www.nelincs.gov.uk/council-infor....

Please feel free to contact me if you require any further information or
assistance quoting the reference number above.

 

Yours sincerely on behalf of North East Lincolnshire Council

 

Feedback Officer

 

 


PPD - FOI, North East Lincolnshire Council

Dear Mr Rowe

 

Thank you for your information request, reference number NEL/3157/1617. I
wish to confirm that North East Lincolnshire Council holds the following
information.

 

Your online public access catalogue for library services is not securing
member details using encryption (i.e. an HTTPS web address).  The effect
of this is that anyone logging in to their account is giving away their
login details to potential malicious parties.  That in turn gives an
intruder easy access to personal information within a library account, and
potentially sensitive user credentials that the citizen may use for other
services.

 

Please could you answer:

 

What details you hold on a library member that are visible when that user
is logged on to the public library site?  This may include contact
details, email address, loan history, billing history, etc.

 

The following pages are visible when a member is logged on:-

My Inbox – Any system messages received.

My Stuff – Copies of book reviews written

My charges – payment history of fees and charges (no account information)

My loans – current items on loan with return dates

My reservations – current reservations

My profile – Name and address / Library account number/ preference for
contact (post, email, telephone)/ user name and email address (excludes
password and security question).

 

What (if any) advice is given to members of the public who may be
concerned about this?

 

None. No members of the public have ever expressed concern. Access is now
being secured through a new certificate of encryption.

 

Who (within the library service) is responsible for the data protection of
member data?  If no particular individual, this could be the head of
library services.

 

Head of Cultural Services

 

How often (if at all) the library catalogue is part of a security audit
(e.g. an externally accredited penetration test)?  This would either be
arranged by the supplier (if a supplier hosted system is in place), or the
local authority if the system is self-hosted.

 

As this is a supplier hosted system we do not hold this information. The
systems were procured requiring compliance with all relevant International
standards.

 

If you believe that your request for information has not been handled in
accordance with the Freedom of Information Act, you have the right to
request an internal review by the Council. Please be clear about which
elements of the Council’s response or handling of the request you are
unhappy with, and would like the Council to address during the internal
review process.  If following this you are still dissatisfied you may
contact the Office of the Information Commissioner. If you wish to request
an internal review, please contact me and I will make the necessary
arrangements.

 

Yours sincerely on behalf of North East Lincolnshire Council

 

Feedback Officer

 
