diff --git a/Koha/Virtualshelf.pm b/Koha/Virtualshelf.pm
index 437ef58bd1..9a8aa7a074 100644
--- a/Koha/Virtualshelf.pm
+++ b/Koha/Virtualshelf.pm
@@ -256,16 +256,21 @@ sub can_be_managed {
 sub can_biblios_be_added {
 my ( $self, $borrowernumber ) = @_;
- my $patron = Koha::Patrons->find( $borrowernumber ) or return 0;
+ my $patron = Koha::Patrons->find($borrowernumber) or return 0;
 return 1
- if $borrowernumber
- and ( ( $self->owner == $borrowernumber && $self->allow_change_from_owner ) or ( $self->allow_change_from_staff && $patron->can_patron_change_staff_only_lists ) or ( $self->allow_change_from_permitted_staff && $patron->can_patron_change_permitted_staff_lists ) or $self->allow_change_from_others );
+ if $borrowernumber
+ and ( ( $self->owner == $borrowernumber && $self->allow_change_from_owner )
+ or ( $self->allow_change_from_staff && $patron->can_patron_change_staff_only_lists )
+ or ( $self->allow_change_from_permitted_staff && $patron->can_patron_change_permitted_staff_lists )
+ or $self->allow_change_from_others )
+ and ( ( $self->public && C4::Auth::haspermission( $patron->userid, { lists => 'edit_public_list_contents' } ) )
+ or !$self->public );
 return 0;
 }
 sub can_biblios_be_removed {
 my ( $self, $borrowernumber ) = @_;
- return $self->can_biblios_be_added( $borrowernumber );
+ return $self->can_biblios_be_added($borrowernumber);
 # Same answer since bug 18228
 }
diff --git a/installer/data/mysql/atomicupdate/bug_13888-Add-extra-list-perms.pl b/installer/data/mysql/atomicupdate/bug_13888-Add-extra-list-perms.pl
new file mode 100755
index 0000000000..3d1bfd9c7c
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/bug_13888-Add-extra-list-perms.pl
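Review bot: In `can_biblios_be_added` (Koha/Virtualshelf.pm) the added clause `and ( ( $self->public && C4::Auth::haspermission(...) ) or !$self->public )` applies to every caller, so on a public list the owner branch and the `allow_change_from_others` branch now also require the staff permission `edit_public_list_contents`. If this method is also consulted for OPAC patrons (not visible in the hunk), they would no longer be able to add to or remove from their own public lists, because `can_biblios_be_removed` delegates here. If that is not intended, exempt the owner, e.g. `and ( !$self->public or $self->owner == $borrowernumber or C4::Auth::haspermission( $patron->userid, { lists => 'edit_public_list_contents' } ) )`. Either way, a comment above the `return 1` stating who may change a public list, plus a unit test for an owner without the permission, would make the rule auditable. The hunk does not show whether Koha::Virtualshelf loads C4::Auth, which the fully qualified call needs.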
@@ -0,0 +1,21 @@
+use Modern::Perl;
+
+return {
+ bug_number => "13888",
+ description => "'Lists' permission should allow/disallow using the lists module in staff",
+ up => sub {
+ my ($args) = @_;
+ my ( $dbh, $out ) = @$args{qw(dbh out)};
+
+ $dbh->do(
+ q{ INSERT IGNORE INTO permissions (module_bit,code,description) VALUES (20, 'use_public_lists', 'Use public lists') }
+ );
+ say $out "Added permission 'use_public_lists'";
+
+ $dbh->do(
+ q{ INSERT IGNORE INTO permissions (module_bit,code,description) VALUES (20, 'create_public_lists', 'Create public lists') }
+ );
+ say $out "Added permission 'create_public_lists'";
+
+ },
+};
diff --git a/installer/data/mysql/mandatory/userpermissions.sql b/installer/data/mysql/mandatory/userpermissions.sql
index 6252cbd20d..83808b97a2 100644
--- a/installer/data/mysql/mandatory/userpermissions.sql
+++ b/installer/data/mysql/mandatory/userpermissions.sql
@@ -146,9 +146,11 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (19, 'report', 'Use report plugins'),
 (19, 'admin', 'Use administrative plugins'),
 (19, 'configure', 'Configure plugins'),
+ (20, 'create_public_lists', 'Create public lists'),
 (20, 'delete_public_lists', 'Delete public lists'),
 (20, 'edit_public_lists', 'Edit public lists'),
 (20, 'edit_public_list_contents', 'Edit public list contents'),
+ (20, 'use_public_lists', 'Use public lists'),
 (21, 'edit_templates', 'Create and update club templates'),
 (21, 'edit_clubs', 'Create and update clubs'),
 (21, 'enroll', 'Enroll patrons in clubs'),
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/header.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/header.inc
index cad6fa53e3..ece4850f85 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/header.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/header.inc
@@ -228,6 +228,9 @@ + [% END %] [% IF Koha.Preference( 'CookieConsent' ) %] [% END %] + [% IF ( CAN_user_lists ) %]
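Review bot: The `up` sub in bug_13888-Add-extra-list-perms.pl creates `use_public_lists` and `create_public_lists` but grants them to nobody, so after the upgrade staff accounts that presumably rely on granular lists permissions lose the public lists tab and public list creation until an administrator assigns the new codes. Deny-by-default is the safe choice, but the upgrade output should say so; I would add `say $out "No patron was granted these permissions; assign them to staff who need public lists";` after the second insert. Both existing `say` lines also report "Added permission" when `INSERT IGNORE` skipped a row that was already present, which can mislead someone reading the upgrade log.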
  • Lists
  • + [% END %] [% IF ( UseCourseReserves ) %]
  •
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
index e82cf2f618..4a0d749579 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/shelves.tt
@@ -455,19 +455,25 @@
  • - - + [% IF ( CAN_user_lists_create_public_lists ) %] + + + [% ELSE %] + + Private + + [% END %]
  • [% INCLUDE list_permissions %]
@@ -494,7 +500,9 @@ [% WRAPPER tabs id= "tabs" %] [% WRAPPER tabs_nav %] [% WRAPPER tab_item tabname= "privateshelves_tab" bt_active= 1 %] Your lists [% END %]
- [% WRAPPER tab_item tabname= "publicshelves_tab" %] Public lists [% END %]
+ [% IF ( CAN_user_lists_use_public_lists ) %]
+ [% WRAPPER tab_item tabname= "publicshelves_tab" %] Public lists [% END %]
+ [% END %]
 [% END # /WRAPPER tabs_nav %] [% WRAPPER tab_panels %]
diff --git a/t/Koha/Auth/Permissions.t b/t/Koha/Auth/Permissions.t
index 76e3f26946..426b105855 100755
--- a/t/Koha/Auth/Permissions.t
+++ b/t/Koha/Auth/Permissions.t
@@ -167,9 +167,11 @@ subtest 'superlibrarian tests' => sub {
 'CAN_user_editcatalogue_set_record_sources' => 1,
 'CAN_user_editcatalogue' => 1,
 'CAN_user_ill' => 1,
+ 'CAN_user_lists_create_public_lists' => 1,
 'CAN_user_lists_delete_public_lists' => 1,
 'CAN_user_lists_edit_public_lists' => 1,
 'CAN_user_lists_edit_public_list_contents' => 1,
+ 'CAN_user_lists_use_public_lists' => 1,
 'CAN_user_lists' => 1,
 'CAN_user_parameters_manage_accounts' => 1,
 'CAN_user_parameters_manage_additional_fields' => 1,
diff --git a/virtualshelves/shelves.pl b/virtualshelves/shelves.pl
index badd78f995..c1f1dc7640 100755
--- a/virtualshelves/shelves.pl
+++ b/virtualshelves/shelves.pl
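Review bot: In shelves.tt the second hunk wraps the `publicshelves_tab` item in `[% IF ( CAN_user_lists_use_public_lists ) %]`, which only hides the tab; no hunk in this commit checks `use_public_lists` on the server, and the shelves.pl change consults `create_public_lists` only. Unless that check exists in code outside the diff, the permission is cosmetic, because public list data would still be returned to a staff member who lacks it. The permission should be verified in the script or API handler that serves public lists, with the template condition kept purely as presentation. The `[% IF ( CAN_user_lists ) %]` guard added around the Lists menu entry in header.inc has the same limitation.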
@@ -57,8 +57,14 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 my $op = $query->param('op') || 'list';
 my $referer = $query->param('referer') || $op;
 my $page = int( $query->param('page') || 1 );
-my $public = $query->param('public') ? 1 : 0;
-my ( $shelf, $shelfnumber, @messages, $allow_transfer );
+my ( $public, $shelf, $shelfnumber, @messages, $allow_transfer, $allow_create_public_lists );
+
+# work out permissions once
+# this check is for the create list permission
+$allow_create_public_lists = haspermission( $loggedinuser, { lists => 'create_public_lists' } ) ? 1 : 0;
+
+# we want the user to be able to pick if public or private only if they are allowed
+$public = ( $query->param('public') == 1 && $allow_create_public_lists == 1 ) ? 1 : 0;
 # PART1: Perform a few actions
 if ( $op eq 'add_form' ) {
@@ -397,6 +403,7 @@ $template->param(
 print => scalar $query->param('print') || 0,
 csv_profiles => [ Koha::CsvProfiles->search({ type => 'marc', used_for => 'export_records' })->as_list ],
 allow_transfer => $allow_transfer,
+ allow_create_public_lists => $allow_create_public_lists,
 );
 output_html_with_http_headers $query, $cookie, $template->output;
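Review bot: `haspermission( $loggedinuser, { lists => 'create_public_lists' } )` passes the second return value of `get_template_and_user`, which as far as I can tell is a borrowernumber, while `C4::Auth::haspermission` looks the account up by userid; the Virtualshelf.pm hunk of this same commit passes `$patron->userid`. If that holds, the lookup either finds nobody, leaving `$allow_create_public_lists` at 0 for everyone, or it matches a different account whose userid happens to equal that number and evaluates that account's permissions. Resolve the patron first, e.g. `my $patron = Koha::Patrons->find($loggedinuser);`, and pass `$patron->userid` once `$patron` is known to be defined. Separately, `$query->param('public') == 1` compares undef numerically when the parameter is absent and rejects truthy values other than 1 that the removed line accepted; `$public = ( $allow_create_public_lists && $query->param('public') ) ? 1 : 0;` keeps the old parsing. The code that consumes `$public` lies outside the hunk, so if it also drives listing or editing of existing public lists, tying it to the create permission needs a comment or a separate variable.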
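Review bot: The `allow_create_public_lists` parameter added to `$template->param(` looks unused, because the shelves.tt hunks of this commit test `CAN_user_lists_create_public_lists` instead. Two names for the same decision can drift apart, and here they may already disagree if the `haspermission` call in the first hunk evaluates the wrong account. Use one of them in both places, or drop the new parameter and add a comment such as `# the template relies on CAN_user_lists_create_public_lists` next to the server-side check.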