The University of Oregon Libraries affirms that privacy is an essential element of intellectual and academic freedom. For its core library functions, the Libraries subscribes to the Code of Ethics of the American Library Association, which states: “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” Oregon Revised Statute 192.502 (23) exempts from disclosure under open records law the records of a library, including: (a) circulation records, showing use of specific library material by a named person; (b) the name of a library patron together with the address or telephone number of the patron; and (c) the electronic mail address of a patron.
II. Commitment to Our Users’ Rights of Privacy and Confidentiality
This privacy statement explains the privacy and confidentiality expectations library users may have, the steps the Libraries take to respect and protect users’ privacy when using library resources, and how we deal with personally identifiable information that may be collected from our users.
1. Notice & Openness
Library users should be informed about the policies governing the amount and retention of personally identifiable information, and about why that information is necessary for the provision of library and other types of services. We avoid creating unnecessary records, we avoid retaining records not needed for the fulfillment of the mission and operations of the library, and we do not engage in practices that might place personal information on public view. Information we may gather and retain about current and valid library users includes the following:
- User registration information
- Circulation information
- Interlibrary loan information
- Electronic access information
- Other information required to provide library services
When users visit our website, we may automatically collect certain information, such as:
- Domain, country, IP address
- Browser, platform, resolution
- Entrance-exit pages, referrals
- Date, time
- Search terms and search engines
This is standard practice for websites, and is not used for any purpose other than to evaluate how we can design the site to best serve user needs.
2. Choice & Consent
If you wish to receive certain library services, we must obtain information about you in order to create a library account. If you are affiliated with UO, the Libraries automatically receives information from campus systems to create and update your main library account. When visiting the Libraries’ website, using overnight library access, and/or using our electronic services, users may be asked to provide their name, DuckID/e-mail address, and password (note that the Libraries has no way to view users’ passwords), university/library account number, phone number, and home address. Individuals may also choose to waive the right to keep their circulation records confidential. For example, other patrons may ask who has an item checked out and, if confidentiality has been waived, the Libraries will release only the name of the patron with the item checked out. (The confidentiality waiver is available at loan desks.)
3. Access by Users
Individuals who use library services that require the use of personally identifiable information may view and update their information. Users may view their personal information online or in person and request that it be updated if it is not correct. (For some services, corrections are made at the campus level if you are a UO affiliate.) Users may be asked to provide verification of their identity during these instances. The purpose of accessing and updating personal information is to ensure that library operations can function properly. Such functions may include notification of overdue items, recalls, reminders, etc.
4. Data Integrity & Security
Data Integrity: The data collected at the Libraries must be accurate and secure. We take reasonable steps to assure data integrity, including using only reputable sources of data, providing our users access to their own personal data, and updating data whenever possible.
Data Retention: We continue to protect personal information from unauthorized disclosure once it is no longer needed to manage library services. Information that should be purged or shredded at regular intervals designated by the Libraries includes personal information from reference interviews and instruction sessions, and circulation history regarding materials in our library collections. The Libraries retains confidential transcripts from virtual reference sessions, but the majority of those sessions involve anonymous users.
Tracking Users: In order to obtain premium access, we ask affiliated library visitors or website users to identify themselves by logging into our systems, and to reveal personal information if they wish to borrow materials, request special services, register for programs or classes, or make remote use of those portions of the Libraries’ website restricted to registered borrowers under license agreements or other special arrangements. Additionally, some library e-resource vendors may require users to create accounts to use their sites, but these accounts are not under the Libraries’ control. However, we regularly remove cookies, web-history, cached files, or other computer and Internet use records and other software code placed by users on our library computers.
Security Measures: Our security measures involve managerial and technical policies and procedures, and contractual agreements with system vendors, to protect against loss and the unauthorized access, destruction, use, or disclosure of user data. Our technical security measures to prevent unauthorized access include encryption in the transmission of data where possible, and storage of data on secure servers or computers.
Confidentiality and Staff Access to Personal Data: We will not disclose personal data we collect from users during reference interviews, instruction sessions, or other activities to any other non-library party except where required for system-related needs (i.e., third-party library service providers who have contractually agreed to maintain user confidentiality) or to fulfill the individual user’s service request. We permit only authorized library staff with assigned confidential passwords to access personal data stored in the Libraries’ computer systems for the purpose of performing library work. The Libraries does not sell or lease users’ personal information to companies, universities, or individuals. (Note: This does not preclude the Libraries from sharing information with institutional authorities, however, when evidence would cause a reasonable person to believe that a violation of law and/or established institutional or library policies has taken place in its facilities or operations. See Section #10 for more details.)
5. Enforcement & Redress
We will not make library circulation records available to internal or external state, federal, or local government agencies that request this information from the Libraries, unless a valid subpoena, warrant, court order, or other investigatory document is presented and the University’s General Counsel determines the Libraries are required to comply. Library users who have questions, concerns, or complaints about the Libraries’ handling of their privacy and confidentiality rights may file written comments with Library Administration. The Dean of Libraries will respond in a timely manner and may conduct a privacy investigation or review of policies and procedures. Only the Dean of Libraries and/or her/his designees are authorized to receive or comply with requests from law enforcement officers, as noted in formal policies and procedures. We have trained all library staff and volunteers to refer any law enforcement inquiries to library administrators and managers. In order to ensure that our library programs and services are enforcing this privacy statement, we conduct regular privacy audits of our systems and services protocols. (Note: This does not preclude the Libraries from sharing information with institutional authorities, however, when there is substantial evidence for a reasonable person to believe that a violation of law and/or established institutional or library policies has taken place in its facilities or operations. See Section #10 for more details.)
6. Security Cameras
The UO Libraries operates security cameras for the purpose of creating a safer environment for all those who live, work, and visit campus. Use of security cameras enhances existing security measures, deters crime, and functions to protect personal safety and valuable materials and equipment. For more information about the use of security cameras and access to recorded images in the UO Libraries, please see the separate statement on this topic, http://library.uoregon.edu/policies/security_cameras.
7. Records Management
The Libraries manages a significant portion of the University’s non-permanent and permanent administrative records. For these functions, we adhere to the University’s Records Retention Schedule and established information security policies, along with the Association of Records Management and Administration’s Code of Professional Responsibility (http://www.arma.org/r2/who-we-are/code-of-professional-responsibility)
8. University Archives and Special Collections
The Libraries manage the University Archives which contains permanent historical records about the University, and Special Collections materials. In the context of managing and providing access to these materials, we adhere to the Society of American Archivists’ Core Values Statement and Code of Ethics for Archivists (http://www2.archivists.org/statements/saa-core-values-statement-and-code-of-ethics). The Libraries’ Special Collections and University Archives (SCUA) unit maintains a separate database and reference file that contain user-registration information, but this information is confidential and is not shared with external third parties, except in specific, rare law-enforcement situations noted in Section 5.
9. Learning Management System
The Libraries manage the University’s learning management system and other enterprise educational technologies and systems. Policies governing these services and their usage include but may not be limited to:
10. Violations of Policies and Laws Prohibited and Not Protected
Users must comply with established institutional and library policies and with the law while using the Libraries’ resources and services. Nothing in this statement prevents the Libraries from performing its duties in relation to: enforcement of established University or library rules or policies; compliance with legal obligations; protection of the Libraries’ facilities, network and equipment from harm; or prevention of the use of the Libraries’ facilities and equipment for illegal purposes. If evidence would cause a reasonable person to believe that a violation of laws and/or established institutional or library policies has taken place in its facilities or operations, the Libraries reserves the right to electronically monitor its public computers and network, and/or reveal a user’s identity to institutional authorities. Staff members are authorized to take immediate action to protect the security of library users, staff, collections, data, facilities, computers, and the network.
http://www.ala.org/advocacy/privacyconfidentiality/toolkitsprivacy/libraryprivacy, and was reviewed March 2015 by the ALA Office of Intellectual Freedom in order to confirm adherence to foundational library privacy principles. Policy was reviewed by UO’s Academic Affairs, General Counsel, Senate’s ULC, and Library Faculty and Officers of Administration during the 2014-2015 academic year. The Statement was finalized on August 6, 2015.