We are a consortium of 66 libraries. One library would like to use OrangeBoy to enhance their analytic understanding of the service area. OrangeBoy is requesting SQL access (read only) to our Sierra server. My questions are in part philosophical around patron privacy - Is there any control - I don't think so. In theory I would like to limit the extract to the patron information or transactions of that one library. I could ask for the queries that would be used and require they be limited, but in the end, it still feels like we would be surrendering our data with no real guardrails. What are others doing if anything regarding patron privacy and control?
So I’m in the process of updating this particular script, but we do have 2, soon to be 3 members using Orange Boy and for that are sending them data extracts limited to just those libraries. It limits the utility of the service a bit in a consortium depending on how finely you want to define a library’s particular patrons…we have ptypes generally based around residency that we’re using so patrons just over a town’s border who may prefer a location get missed…that sort of thing.
Laurie,
We ran into the exact same issue with a couple of members wanting to use OrangeBoy.
We wrote up an amendment to our overall Privacy Policy in the email section posted below.
Essentially, all the info they get is based on reports we give them, that are limited to the patron info of that library.
We won’t give SQL access to a firm that we do not have a contract with.
Phil
Email
Libraries collect email addresses for purposes directly related to library services. Electronic mail is sent, for example, to notify users when requested material is ready for pickup at the library, or when material has become overdue or billed. These email addresses are kept confidential.
Libraries may export email addresses related to their patrons only to email service vendors for purposes related to other library business and customer communications. Patrons must be able to opt out of these services when the communications are not related to billing and overdues. Libraries may provide interest information that is not title specific along with these email addresses to assist in message segmentation. This must be done on a report basis, and Minuteman may assist the library in developing and automating these reports on a schedule, for example to contact new cardholders. Minuteman will not allow such 3rd party vendors to access Minuteman information via queries into our database.
There is no guarantee of privacy for email that travels over the Internet between a user and the Minuteman Library Network. Users can remove their email address online, https://library.minlib.net/patroninfo/ or request that it be removed from their record by a library staff member.
Hi Laurie,
We use Innovative’s Hosted Polaris ILS along with OrangeBoy and LibraryIQ. We do not allow direct database access. When we consulted Innovative/Clarivate about access controls, they informed us that read‑only accounts are not restricted to specific tables or views. To maintain security and privacy as the priority, we generate our own data exports and deliver them to both platforms weekly using SFTP. This creates considerable overhead because we had to design SQL outputs that meet each vendor’s requirements and build the full scheduling and SFTP delivery pipeline. We are still refining the SQL for specific data needs and completing the SFTP automation.
In light of your concern, this is why we chose not to grant any third-party vendor SQL access. Once a vendor can see the full database, there is no practical way to limit access to only one library’s patrons or transactions. Even read‑only access provides broad visibility without meaningful guardrails. By producing and transmitting our own curated exports, we maintain full control over what data is shared and ensure that patron privacy remains protected. While this approach requires more internal work, it gives us clear boundaries and confidence that we are not exposing information beyond what we intentionally provide.
Thank you - this is incredibly helpful Eric.
That is just what I wanted to hear Phil. Thank you. I needed the reassurance to demand exactly what you describe.
We signed up with OrangeBoy back in 2021, subscribe to Savannah insights. It was a tool our director and our marketing manager wanted to have in place to do targeted newsletters, among other things. I expressed reservations about providing access that were echoed on this list due to the amount of and length of time they retain data, but ultimately it was decided to allow this to assist in our marketing efforts. Against my warnings, we provide SQL access (read-only and only allowing access from a specific IP address). You set them up as a user in Sierra Admin and that’s all you give them access to. I believe you can set it up so that you can feed them limited data via weekly/monthly create lists reports. Some other systems in IUG can explain what they do to make that happen.
Aside from our marketing person, I am not sure we really use this service to its potential. I look at the reports they provide, but their clusters (yes, that’s what they call them) seem somewhat dated, the way patrons are classified. Also, if you just look at your own checkouts, you can fall under a particular cluster because you happened to check things out one week for a grandchild, for example, but that’s really not the type of patron you are, and it takes a while to cycle you out of that cluster.
Now that they are owned by or merged with LSSI (the details escape me at the moment), you may want to get more privacy terms in place before signing with them. I had hoped we’d rethink the cost of this service vs. what we get (vs. what they get from us) when the LSSI thing first came out, but it has yet to be addressed.
We are a standalone system that also chose not to grant full read-only SQL access. We went a step further and decided we were not going to give OrangeBoy all the data fields that they requested, since some of their data requests fell outside the scope of what we were planning to use OrangeBoy for.
I’d recommend only sending the data that meets the needs of the library and the specific projects the library is planning with the vendor – not sending all the data that OrangeBoy requests. That means that we had to create our own queries and then send the data ourselves, but feel it is worth performing these tasks ourselves in order to keep unnecessary PII data from being collected by a third party.
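The approach described in this post and in Eric's post above (produce your own library-scoped, field-limited extract and push it to the vendor's SFTP drop instead of granting read-only SQL), as an added example that is not any list member's script and not OrangeBoy's or Innovative's own SQL. The SQLite schema, table and column names, sample patrons and the `marketing_opt_out` flag are constructed stand-ins for illustration; Sierra's and Polaris's real views differ and would need to be mapped onto them.

```python
"""Curated, library-scoped patron export for an analytics vendor.

Added example for this thread, not any list member's script or vendor code.
The schema is a constructed SQLite stand-in: Sierra and Polaris use other
table and column names, so everything here is an assumption to be mapped
onto the real ILS views.
"""
import csv
import hmac
import io
import sqlite3

# Allowlist of columns that may leave the building. Names, barcodes, street
# addresses, staff notes and title-level checkout history are not on it.
EXPORT_COLUMNS = ("patron_key", "ptype_code", "home_library", "zip5",
                  "created_date", "checkouts_12mo", "email")

# Scoped to one library by home library code; bound parameters, so the
# library code and reporting date are never interpolated into the SQL.
EXPORT_SQL = """
SELECT p.barcode, p.ptype_code, p.home_library,
       substr(p.zip, 1, 5) AS zip5, p.created_date,
       CASE WHEN p.marketing_opt_out = 1 THEN NULL ELSE p.email END AS email,
       (SELECT count(*) FROM checkout c
         WHERE c.patron_num = p.record_num
           AND c.out_date >= date(:as_of, '-12 months')) AS checkouts_12mo
  FROM patron p
 WHERE p.home_library = :library
 ORDER BY p.record_num
"""


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two patrons at library 'ma', one at 'fr'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patron (
            record_num INTEGER PRIMARY KEY, barcode TEXT, full_name TEXT,
            email TEXT, address TEXT, zip TEXT, ptype_code INTEGER,
            home_library TEXT, created_date TEXT,
            marketing_opt_out INTEGER NOT NULL DEFAULT 0, notes TEXT);
        CREATE TABLE checkout (
            id INTEGER PRIMARY KEY, patron_num INTEGER,
            item_title TEXT, out_date TEXT);
    """)
    conn.executemany("INSERT INTO patron VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        (1, "21234000000011", "Ada Lovelace", "ada@example.org",
         "1 Main St", "02138-1234", 1, "ma", "2021-03-01", 0, "staff note"),
        (2, "21234000000022", "Grace Hopper", "grace@example.org",
         "2 Elm St", "02139", 2, "ma", "2022-07-15", 1, None),
        (3, "21234000000033", "Alan Turing", "alan@example.org",
         "3 Oak St", "01701", 1, "fr", "2020-01-10", 0, None),
    ])
    conn.executemany("INSERT INTO checkout VALUES (?,?,?,?)", [
        (1, 1, "Title A", "2025-01-05"), (2, 1, "Title B", "2025-02-05"),
        (3, 2, "Title C", "2025-03-05"), (4, 3, "Title D", "2025-03-06"),
        (5, 1, "Title E", "2023-01-05"),  # older than 12 months: not counted
    ])
    return conn


def pseudonym(barcode: str, salt: bytes) -> str:
    """Keyed hash of the barcode: the vendor can link one patron across
    weekly drops but cannot recover the barcode; the salt stays local."""
    return hmac.new(salt, barcode.encode(), "sha256").hexdigest()[:24]


def export_library(conn: sqlite3.Connection, library: str,
                   as_of: str, salt: bytes) -> list:
    """Return allowlisted rows for one library as a list of dicts."""
    conn.row_factory = sqlite3.Row
    rows = []
    for r in conn.execute(EXPORT_SQL, {"library": library, "as_of": as_of}):
        row = {k: r[k] for k in r.keys()}
        row["patron_key"] = pseudonym(row.pop("barcode"), salt)
        # Refuse to ship any column that is not explicitly allowlisted, so a
        # later edit to the SQL cannot silently widen the export.
        extra = set(row) - set(EXPORT_COLUMNS)
        if extra:
            raise ValueError(f"columns not allowlisted: {sorted(extra)}")
        rows.append(row)
    return rows


def to_csv(rows: list) -> str:
    """Serialize rows in allowlist column order; None becomes an empty field."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=EXPORT_COLUMNS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def sftp_batch(local_file: str, remote_dir: str) -> str:
    """Batch file for OpenSSH `sftp -b`; one vendor login per member keeps
    each file inside that member's own directory on the vendor's server."""
    return f"cd {remote_dir}\nput {local_file}\nbye\n"


if __name__ == "__main__":
    data = export_library(build_demo_db(), "ma", "2025-04-01", b"local-salt")
    print(to_csv(data))
    print(sftp_batch("ma_patrons.csv", "/incoming"))
```

Schedule this on the ILS side, write the `to_csv()` output to a file, and deliver it with OpenSSH batch mode, for example `sftp -b batch.txt -i ~/.ssh/vendor_key member1@sftp.vendor.example` (hostname, user and key path are placeholders for whatever per-member login the vendor issues). The database server never needs a public address or an inbound connection from the vendor, the vendor only ever sees the allowlisted columns for that one library, and the `marketing_opt_out` check keeps opted-out patrons' email addresses out of the file entirely.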
Thank you for the scripts (I was gonna ask!) We do the same, so….this is a good start point for me to discuss with them. How do they get the reports, are you setup with an sftp server or is there another method?
Yeah they set up an sftp server with a different login for each of our members and the script just transfers files to it. In case it helps, here’s the equivalent script for LibraryIQ, that is just more current and written in the way I intend to rewrite the OrangeBoy script when I have the time.
Each agency of course can determine its own privacy/risk policy when it comes to all this. But it was bonkers to me that they somehow expected my database server to have a public IP address! I mean, in our environment, we use cloudflared tunnels, so our web servers don’t even have public IP addresses. In fact, if it weren’t for z39.50 and 3M SIP, we’d have NO public IPs.
I don’t know what terrifies me more, the fact that they made the assumption that is the way a lot of folks happen to operate or if that is in fact the way many organizations do operate.
We got their SQL, tweaked it around a bit to fix it, and then ship off the files to them via an SFTP process.
Similar to others, we do not provide SQL access to Orangeboy. We have a script that extracts the information from our database and then, sends the files via SFTP.