Approved by University Counsel: 2/13/2012
Approved by the Council of Head Librarians:2/17/2012
Privacy is essential to the exercise of free speech, free thought, and freeassociation. The Indiana University (IU) Libraries define the right toprivacy as the right to open inquiry without having the subject of one'sinterest examined or scrutinized by others. Confidentiality exists when alibrary is in possession of personally identifiable information about users andkeeps that information private on their behalf.
Userrights--as well as our institution's responsibilities--outlined here are basedin part on what are known in the United States as the five "FairInformation Practice Principles." These five principles outline therights of Notice, Choice, Access, Security, and Enforcement.
Our commitment to our users' privacy and confidentiality has deep roots notonly in law but also in the ethics and practices of librarianship. Inaccordance with the American Library Association's Code of Ethics:
"Weprotect each library user's right to privacy and confidentiality with respectto information sought or received and resources consulted, borrowed, acquired,or transmitted." (http://www.ala.org/advocacy/proethics/codeofethics/codeethics)
This privacy notice applies only to the Indiana University(IU) Libraries and explains our practices concerning the collection, use, anddisclosure of user information. Users' information collected by the IndianaUniversity Libraries will be used only as outlined in this privacy notice.
Other units at the University may collect and use visitorinformation in different ways. Therefore, visitors to other University websites and those who interact with University units and departments shouldreview the privacy notices for those units or for the particular University websites they visit. The IU Libraries are not responsible for the content of otherweb sites or for the privacy practices of University units or web sites outsidethe scope of this notice.
III. IndianaUniversity Libraries' Commitment to Our Users' Rights of Privacy andConfidentiality
1. Notice & Openness
The IULibraries affirm that our library users have the right of "notice" --to be informed about the policies governing the amount and retention ofpersonally identifiable information, and about why that information isnecessary for the provision of library services.
The IULibraries post publicly and acknowledge openly the privacy andinformation-gathering policies of the IU Libraries. Whenever policieschange, notice of those changes is made publicly available. In all casesinvolving personally identifiable information, it is our policy to avoidcreating unnecessary records; to avoid retaining records not needed for the fulfillmentof the mission of the library; and to avoid engaging in practices that mightplace sensitive information on public view.
Informationthat the IU Libraries may gather and retain about current and valid libraryusers includes, but is not limited to, the following:
This includes all information that identifies auser as borrowing specific materials, including reserve materials.
CollectionDevelopment and Resource Management
This includes information regarding the request, purchase, transfer, andrelated collection management requests linked to individual users or groups ofusers (e.g., departments).
Electronic Access Information
This includes all information that identifies a user as accessing specificelectronic resources, whether library subscription resources, electronicreserves, or other Web resources.
Interlibrary Loan/Document Delivery
This includes all information that identifies a user as requesting specificmaterials.
Library Surveys/Assessment Projects
This includes any information or data obtained by any IU library throughsurveys (group or individual interviews or other means) in support ofassessment of services, collections, facilities, resources, etc., or in supportof research related to library and information services. Any datacollected in the course of research is subject to additional review of privacyand confidentiality protections.
This includes any information regarding the identity of library users, thenature of their inquiry, and the resources that they consult.
User Registration Information
This includes any information the library requires users (faculty, staff,students, or others) to provide in order to become eligible to access or borrowmaterials. Such information includes addresses, telephone numbers, andidentification numbers.
Other Information Required to Provide Library Services
This includes any identifying information obtained to provide library servicesnot previously listed.
2. Choice & Consent
This policy explains our information practices and the choices users can makeabout the way the IU Libraries collect and use this information.
To provide borrowing privileges, we must obtain certain information about ourusers in order to provide them with a library account. If users areaffiliated with Indiana University, the library automatically receivespersonally identifiable information (name, address, e-mail address, status [asstudent, faculty, staff], identification number, etc.) in order to create andupdate their library account from the Registrar's Office (for students) or HumanResources (for employees). When visiting our library's web site and usingour electronic services, users may choose to provide their name, e-mailaddress, library card barcode, phone number or home address.
Users who are not affiliated with Indiana University have the option ofproviding us with their e-mail address for the purpose of notifying them abouttheir library account. Users may request that we remove their emailaddress from their record at any time.
The IU Libraries never use or share the personally identifiable informationprovided to us in ways unrelated to the ones described above without alsoproviding users an opportunity to prohibit such unrelated uses, unless we arecompelled to do so under the law. Our goal is to collect and retain onlythe information we need to provide library-related services. The IULibraries strive to keep all personally identifiable information confidentialand do not sell, license, or disclose personal information without consentunless compelled to do so under the law or as necessary to protect libraryresources or conduct necessary library operations.
3. Access by Users
We attempt to fulfill all requests made by individuals who use library servicesthat require the provision of personally identifiable information and to updatetheir information through proper channels. Users may be asked to provide somesort of verification (e.g., PIN number, photo or network identification card,etc.) to ensure verification of identity.
4. DataIntegrity & Security
The data we collect and maintain at the library must be accurate andsecure. Although no method can guarantee the complete security of data,we take steps to protect the privacy and accuracy of user data in the followingways:
Data Integrity: We take reasonable steps to assure data integrity,including: using only reputable sources of data; providing our users access totheir own personally identifiable data; updating data whenever possible;utilizing middleware authentication systems that authorize use withoutrequiring personally identifiable information; destroying untimely data orconverting it to anonymous form.
Data Retention: We regularly review and purge personallyidentifiable information once it is no longer needed to manage library services.Information that is regularly reviewed for purging includes, but is not limitedto, personally identifiable information on library resource use, materialcirculation history, and security/surveillance tapes and logs.
The IU Libraries are committed to investing in appropriate technology toprotect the security of personally identifiable information while it is in thelibrary's custody. The IU Libraries follow University policy for theretention of data, and access to data is restricted to a small number ofauthorized university computing personnel. The IU Libraries postannouncements about the choice users make in signing up for customized orpersonalized services related to web and database services.
Services that Require User Login: In-librarycomputers allow guest use of most library resources without logging in. Use of the full resources of the World Wide Web and of the full power of somesubscription databases requires that a user log on to the workstation, eitherwith his/her network ID and password or with a special guest account the userobtains from the library. Data about which users were connected to whichmachine is collected, in accordance with University policy, and kept for alimited time with very limited access by staff. Users of electronicresources that require authorization for their use are also asked to log inwhen they connect from outside the university IP address ranges. The datakept from these transactions does not include information linking the user tothe resources to which the user connected or about searches completed andrecords viewed.
Security Measures: Our security measures involve both managerialand technical policies and procedures to protect against loss and theunauthorized access, destruction, use, or disclosure of the data. Ourmanagerial measures include internal organizational procedures that limitaccess to data and prohibit those individuals with access from utilizing thedata for unauthorized purposes. Our technical security measures toprevent unauthorized access include encryption in the transmission and storageof data; limits on access through use of passwords; and storage of data onsecure servers or computers that are inaccessible from a modem or networkconnection.
Staff access to personal data: We permit only authorized Library staffwith assigned confidential passwords to access personal data stored in theLibrary's computer system for the purpose of performing library work. The IULibraries will not disclose any personal data collected from users to any otherparty except where required by law, to report a suspected violation of law orUniversity policy, or to fulfill an individual user's service request. We donot sell or lease users' personal information to commercial enterprises,organizations or individuals.
This site is not directed to children under 13 years of age,does not sell products or services intended for purchase by children, and doesnot knowingly collect or store any personal information, even in aggregate,about children under the age of 13. We encourage parents and teachers to beinvolved in children's Internet explorations. It is particularly important forparents to guide their children when they are asked to provide personalinformation online.
6. Use of Third PartyAnalytics Software
Website developers and owners review usage data on their web pages to identifyresources that are being used and to evaluate the provision of information onthe site and the effectiveness of the organization and design of thatinformation. This usage data is providedby traditional packaged software and by third-party services. The IU Librariesonly use third party analytics software from reputable organizations that havestrong privacy policies.
IU Libraries that use data from Google Analytics and otherthird-party software providers use such data in the aggregate and do not associateuse of any web page or any resource with a particular computer or a particularuser.
By using IU Libraries' websites, you consent to theprocessing of data about you by Google and other providers of usage data in themanner and for the purposes set out above.
7. Enforcement & Redress
The IU Libraries will not make library records available to any agency ofstate, federal, or local government unless required to do so under law or toreport a suspected violation of the law. Nor will we share data on individualswith other parties including faculty, staff (including library staff except inthe performance of their assigned duties), parents, students, campus security,and law enforcement personnel, except as required by law or University policyor as needed to perform our University duties.
Library staff are to refer all requests for confidential user records to theappropriate Library Dean or Director or their designate. Only the LibraryDean/Director or designate has authorization to receive and respond torequests from law enforcement or other third parties. The Dean/Directorwill forward all requests from law enforcement or other government officials,all requests under applicable "open records" laws, to UniversityCounsel, and will consult with counsel regarding the proper response. Each library within Indiana University will develop written procedures tocomply with this policy.
If youfeel that the IU Libraries are not following this stated policy andcommunicating with the Libraries does not resolve the matter, or if you havegeneral questions or concerns about privacy at Indiana University, pleasecontact the University Chief Privacy Officer, 812-855-8476 or firstname.lastname@example.org.
Last Reviewed: 03/2014