Indiana University Libraries Privacy Policy

Approved by University Counsel: 2/13/2012
Approved by the Council of Head Librarians:2/17/2012



Privacy is essential to the exercise of free speech, free thought, and freeassociation.  The Indiana University (IU) Libraries define the right toprivacy as the right to open inquiry without having the subject of one'sinterest examined or scrutinized by others.  Confidentiality exists when alibrary is in possession of personally identifiable information about users andkeeps that information private on their behalf.

Thecourts have recognized a right of privacy based on the Bill of Rights of theU.S. Constitution.  The state of Indiana guarantees privacy in itsconstitution and statutory law.   (See  or   IU Libraries' privacy and confidentiality policiesare intended to comply with applicable federal, state, and local laws, as wellas with any IU policies on privacy, including the Indiana University policy on Privacy of Electronic Information and InformationTechnology Resources  (;  a set of frequently asked questions to accompany thispolicy can be found at:  In addition, this privacy policy conforms tothe requirements of the IU policy on Web Site Privacy Notices:

Userrights--as well as our institution's responsibilities--outlined here are basedin part on what are known in the United States as the five "FairInformation Practice Principles."  These five principles outline therights of Notice, Choice, Access, Security, and Enforcement.

Our commitment to our users' privacy and confidentiality has deep roots notonly in law but also in the ethics and practices of librarianship.  Inaccordance with the American Library Association's Code of Ethics:

"Weprotect each library user's right to privacy and confidentiality with respectto information sought or received and resources consulted, borrowed, acquired,or transmitted."  (

II. Applicability

This privacy notice applies only to the Indiana University(IU) Libraries and explains our practices concerning the collection, use, anddisclosure of user information. Users' information collected by the IndianaUniversity Libraries will be used only as outlined in this privacy notice.

Other units at the University may collect and use visitorinformation in different ways. Therefore, visitors to other University websites and those who interact with University units and departments shouldreview the privacy notices for those units or for the particular University websites they visit. The IU Libraries are not responsible for the content of otherweb sites or for the privacy practices of University units or web sites outsidethe scope of this notice.

III. IndianaUniversity Libraries' Commitment to Our Users' Rights of Privacy andConfidentiality

This privacy policy explains our users' privacy and confidentiality rights, thesteps the IU Libraries take to respect and protect privacy, and how we dealwith personally identifiable information that we may collect from our users.

1. Notice & Openness

The IULibraries affirm that our library users have the right of "notice" --to be informed about the policies governing the amount and retention ofpersonally identifiable information, and about why that information isnecessary for the provision of library services.

The IULibraries post publicly and acknowledge openly the privacy andinformation-gathering policies of the IU Libraries.  Whenever policieschange, notice of those changes is made publicly available.  In all casesinvolving personally identifiable information, it is our policy to avoidcreating unnecessary records; to avoid retaining records not needed for the fulfillmentof the mission of the library; and to avoid engaging in practices that mightplace sensitive information on public view.

Informationthat the IU Libraries may gather and retain about current and valid libraryusers includes, but is not limited to, the following:

This includes all information that identifies auser as borrowing specific materials, including reserve materials.

CollectionDevelopment and Resource Management
This includes information regarding the request, purchase, transfer, andrelated collection management requests linked to individual users or groups ofusers (e.g., departments).

Electronic Access Information
This includes all information that identifies a user as accessing specificelectronic resources, whether library subscription resources, electronicreserves, or other Web resources.

Interlibrary Loan/Document Delivery
This includes all information that identifies a user as requesting specificmaterials.

Library Surveys/Assessment Projects
This includes any information or data obtained by any IU library throughsurveys (group or individual interviews or other means) in support ofassessment of services, collections, facilities, resources, etc., or in supportof research related to library and information services.  Any datacollected in the course of research is subject to additional review of privacyand confidentiality protections.

Reference/Research Consultations
This includes any information regarding the identity of library users, thenature of their inquiry, and the resources that they consult.

User Registration Information
This includes any information the library requires users (faculty, staff,students, or others) to provide in order to become eligible to access or borrowmaterials. Such information includes addresses, telephone numbers, andidentification numbers.

Other Information Required to Provide Library Services
This includes any identifying information obtained to provide library servicesnot previously listed.

2.  Choice & Consent

This policy explains our information practices and the choices users can makeabout the way the IU Libraries collect and use this information.

To provide borrowing privileges, we must obtain certain information about ourusers in order to provide them with a library account.  If users areaffiliated with Indiana University, the library automatically receivespersonally identifiable information (name, address, e-mail address, status [asstudent, faculty, staff], identification number, etc.) in order to create andupdate their library account from the Registrar's Office (for students) or HumanResources (for employees).  When visiting our library's web site and usingour electronic services, users may choose to provide their name, e-mailaddress, library card barcode, phone number or home address.

Users who are not affiliated with Indiana University have the option ofproviding us with their e-mail address for the purpose of notifying them abouttheir library account.  Users may request that we remove their emailaddress from their record at any time.

The IU Libraries never use or share the personally identifiable informationprovided to us in ways unrelated to the ones described above without alsoproviding users an opportunity to prohibit such unrelated uses, unless we arecompelled to do so under the law.  Our goal is to collect and retain onlythe information we need to provide library-related services.  The IULibraries strive to keep all personally identifiable information confidentialand do not sell, license, or disclose personal information without consentunless compelled to do so under the law or as necessary to protect libraryresources or conduct necessary library operations.

3.  Access by Users

We attempt to fulfill all requests made by individuals who use library servicesthat require the provision of personally identifiable information and to updatetheir information through proper channels. Users may be asked to provide somesort of verification (e.g., PIN number, photo or network identification card,etc.) to ensure verification of identity.

4. DataIntegrity & Security

The data we collect and maintain at the library must be accurate andsecure.  Although no method can guarantee the complete security of data,we take steps to protect the privacy and accuracy of user data in the followingways:

Data Integrity: We take reasonable steps to assure data integrity,including: using only reputable sources of data; providing our users access totheir own personally identifiable data; updating data whenever possible;utilizing middleware authentication systems that authorize use withoutrequiring personally identifiable information; destroying untimely data orconverting it to anonymous form.

Data Retention:  We regularly review and purge personallyidentifiable information once it is no longer needed to manage library services.Information that is regularly reviewed for purging includes, but is not limitedto, personally identifiable information on library resource use, materialcirculation history, and security/surveillance tapes and logs.

The IU Libraries are committed to investing in appropriate technology toprotect the security of personally identifiable information while it is in thelibrary's custody.  The IU Libraries follow University policy for theretention of data, and access to data is restricted to a small number ofauthorized university computing personnel.  The IU Libraries postannouncements about the choice users make in signing up for customized orpersonalized services related to web and database services.

Services that Require User Login:  In-librarycomputers allow guest use of most library resources without logging in. Use of the full resources of the World Wide Web and of the full power of somesubscription databases requires that a user log on to the workstation, eitherwith his/her network ID and password or with a special guest account the userobtains from the library.  Data about which users were connected to whichmachine is collected, in accordance with University policy, and kept for alimited time with very limited access by staff.  Users of electronicresources that require authorization for their use are also asked to log inwhen they connect from outside the university IP address ranges.  The datakept from these transactions does not include information linking the user tothe resources to which the user connected or about searches completed andrecords viewed.

Cookies:  Cookies are usedby IUCAT to maintain the persistence of a default library search limit. These cookies are session cookies and are removed when the user exits thecatalog and closes the browser.  Some licensed databases also use cookiesto remember information and provide services while the user is online. Users must have cookies enabled to use these resources.

IULibraries' web sites provide links to other, non-university sites. IndianaUniversity is not responsible for the availability, content, or privacypractices of those sites. Non-university web sites are not bound by thisprivacy policy and may or may not have their own privacy policies.  We are,however, committed to working with vendors of library resources to findsolutions that respect the user's privacy and we include a review of theprivacy policy espoused by the vendor in purchasing decisions.  We provideusers with information about the risks of providing personally identifiableinformation so that they can make reasonable choices about use of personalizedservices from vendors of electronic library materials.  We discourageusers from choosing passwords or PINs that could reveal their identity, includingSocial Security numbers.  We regularly remove cookies, web history, cachedfiles, and other use records from library computers and networks.

Security Measures: Our security measures involve both managerialand technical policies and procedures to protect against loss and theunauthorized access, destruction, use, or disclosure of the data.  Ourmanagerial measures include internal organizational procedures that limitaccess to data and prohibit those individuals with access from utilizing thedata for unauthorized purposes.  Our technical security measures toprevent unauthorized access include encryption in the transmission and storageof data; limits on access through use of passwords; and storage of data onsecure servers or computers that are inaccessible from a modem or networkconnection.

Staff access to personal data: We permit only authorized Library staffwith assigned confidential passwords to access personal data stored in theLibrary's computer system for the purpose of performing library work. The IULibraries will not disclose any personal data collected from users to any otherparty except where required by law, to report a suspected violation of law orUniversity policy, or to fulfill an individual user's service request. We donot sell or lease users' personal information to commercial enterprises,organizations or individuals.

5.  Children

This site is not directed to children under 13 years of age,does not sell products or services intended for purchase by children, and doesnot knowingly collect or store any personal information, even in aggregate,about children under the age of 13. We encourage parents and teachers to beinvolved in children's Internet explorations. It is particularly important forparents to guide their children when they are asked to provide personalinformation online.

6.  Use of Third PartyAnalytics Software

Website developers and owners review usage data on their web pages to identifyresources that are being used and to evaluate the provision of information onthe site and the effectiveness of the organization and design of thatinformation.  This usage data is providedby traditional packaged software and by third-party services. The IU Librariesonly use third party analytics software from reputable organizations that havestrong privacy policies.

Web sites provided by the IU Libraries may use GoogleAnalytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer,to help the website analyze how users use the site. The information generatedby the cookie about your use of the website (including your IP address) will betransmitted to and stored by Google on servers in the United States. Googlewill use this information for the purpose of evaluating your use of the website,compiling reports on website activity for website operators and providing otherservices relating to website activity and internet usage.  Google may alsotransfer this information to third parties where required to do so by law, orwhere such third parties process the information on Google's behalf. Googlewill not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on yourbrowser; however please note that if you do this you may not be able to use thefull functionality of IU Libraries websites and linked electronic resources.

IU Libraries that use data from Google Analytics and otherthird-party software providers use such data in the aggregate and do not associateuse of any web page or any resource with a particular computer or a particularuser.

By using IU Libraries' websites, you consent to theprocessing of data about you by Google and other providers of usage data in themanner and for the purposes set out above.

7. Enforcement & Redress

The IU Libraries will not make library records available to any agency ofstate, federal, or local government unless required to do so under law or toreport a suspected violation of the law.  Nor will we share data on individualswith other parties including faculty, staff (including library staff except inthe performance of their assigned duties), parents, students, campus security,and law enforcement personnel, except as required by law or University policyor as needed to perform our University duties.

Library staff are to refer all requests for confidential user records to theappropriate Library Dean or Director or their designate. Only the LibraryDean/Director or designate has authorization to receive and respond torequests from law enforcement or other third parties.  The Dean/Directorwill forward all requests from law enforcement or other government officials,all requests under applicable "open records" laws, to UniversityCounsel, and will consult with counsel regarding the proper response. Each library within Indiana University will develop written procedures tocomply with this policy.

We conduct regular privacy audits in order to ensure that all library programsand services are enforcing our privacy policy.  Library users who havequestions, concerns, or complaints about the library's handing of theirpersonally identifiable data should file written comments with the director ofthe library in question.  We will respond in a timely manner and may conducta privacy investigation or review our policy and procedures.

If youfeel that the IU Libraries are not following this stated policy andcommunicating with the Libraries does not resolve the matter, or if you havegeneral questions or concerns about privacy at Indiana University, pleasecontact the University Chief Privacy Officer, 812-855-8476 or

Last Reviewed: 03/2014