6 Survey Results: Executive Summary campus partners or externally to consortia however, the comments suggest an interest in engaging with both. Currently, libraries are inconsistent in whether they have a distinct data policy, staff documentation on data handling, and comprehensive internal training. This informs the recommendations set out below: • Libraries should put in place a schedule for reviewing and/or developing privacy and data management policies. This process should be handled by an informed and dedicated committee, office, or individual. Policies should be written in clear, concise, and understandable language. Wherever possible, actual systems or data types should be identified. Policies should include a revision history, approval process, and last reviewed date, as well as contact information for questions. Policies should link, as appropriate, to other governing documents, such as university policies, state and federal laws, and the ALA Code of Ethics. • Libraries should expand training on data handling best practices that goes beyond institutional FERPA and IRB training. Library staff would most benefit from training on underutilized data protection practices identified in the survey results, including: technical protections, like encryption, for both storage and transit processes for data minimization, including limiting data collection and retention times and anonymization strategies. Libraries commit to protecting the privacy of the information about their users and their information habits such commitments should also be applied to user data they keep and share. • As many projects are perceived to be for internal use only, the Institutional Review Board may not be contacted, even when the data are subsequently used for research. Similarly, many IRBs do not see data already collected as carrying potential for harm. Libraries should develop best practices for assessing the ethical and personal privacy risk to students internally, rather than relying on IRBs, regardless of whether they have immediate plans to disseminate findings from their work. • Libraries should be more transparent about their student learning analytics projects. Only one respondent provided a document outlining learning analytics projects, and it is unclear whether the document was ever publicly available. This transparency includes engaging with students to inform them about what data is collected about them and how it is used.