University Library

Policy on Data Privacy

Privacy is fundamental to several essential freedoms: speech, inquiry, thought, access, and association. These intellectual freedoms are highly valued by University Library and embodied in the Code of Ethics of the American Library Association, our professional organization. Data privacy and protection are also highly valued by the University and regulated under the Minnesota Data Practices Act (MnStat 13) and US Fair Information Practice Principles (FIPP).

The library offers a wide array of online services that require the library to verify that an individual is a member of the library or its service community (e.g., students, faculty, and staff of the University). The verification may provide minimal identification (e.g., barcode or StarID) to the library or to third parties with which the library contracts; it does not provide any personal information that may be held in the library’s management system. In reality, a complex set of factors, including a patchwork of federal and state laws and regulations, determines how information about library users is captured, stored, and used.

This policy addresses data that University Library holds or captures in the course of its operations and services and uses in its assessments and research.

  • Personal Information. Access to personal information contained in library management and access systems is restricted to staff with a demonstrated need for access. Personal information is deleted within six months of an individual leaving the University, unless there are outstanding unpaid bills for lost, damaged, or overdue materials.
    • Personal information includes addresses, telephone, email, and University identification numbers.  Such information is maintained for as long as an individual is associated with the University, either as a student or employee.
    • Personal information may be used for demographic purposes only.
  • Transaction data. Access to transaction data, which includes all information that identifies an individual and the library materials borrowed or used, including through interlibrary loan, in print, and online, is strictly controlled. Transaction data that contains an individual identifier, but no other personal information, is extracted monthly for ingest to the University’s data analysis systems, a separate secure and encrypted database. The transaction record in library management and access systems is automatically deleted monthly.
  • Transaction data analysis. An individual identifier is used to link transaction data to other University data for the purposes of use analysis. The individual identifier is anonymized by converting to a randomized 128-character alpha-numeric sequence, which is changed weekly. Access to the University data is highly restricted; only anonymized reports of aggregate data are available for review.
  • Research studies. All user surveys and research are conducted in a manner that assures respondents’ anonymity. Reports are compiled using aggregate data and anonymized to ensure personally identifiable information is removed.
  • User password data. Patron access to their library transaction record is password controlled and externally authenticated through University systems. No individual password information is stored in library management or access systems. Sharing a StarID and password is strictly prohibited by University and Minnesota State policies.
  • Secure transmissions. All communications with library management and access management systems occur using a secure HTTPS protocol.

Only authorized University Library employees with a legitimate work-related need can access personal data stored in the library management and access systems. Any misuse of personal patron data by a Library employee may result in discipline or dismissal.

The Dean of University Library will forward all requests from individuals, law enforcement, or other government officials, and all requests under applicable open records laws to the University’s Data Practices Act Compliance Officer and will consult with counsel as necessary regarding proper response.

Recommended by University Library Dean’s Advisory Council: April 5, 2017

Approved by the University Library Dean: April 5, 2017

To be reviewed in September 2018