Indiana University Seal

Indiana University Libraries Privacy Policy LIB-01

Scope

All users of Indiana University Libraries.

Back to top

Policy Statement

I. Introduction

Privacy is essential to the exercise of free speech, free thought, and free association.  The Indiana University (IU) Libraries define the right to privacy as the right to open inquiry without having the subject of one's interest examined or scrutinized by others.  Confidentiality exists when a library is in possession of personally identifiable information about users and keeps that information private on their behalf.

The courts have recognized a right of privacy based on the Bill of Rights of the U.S. Constitution.  The state of Indiana guarantees privacy in its constitution and statutory law.   (See https://iga.in.gov/legislative/laws/2015/ic/titles/005/articles/014/chapters/003/ or http://www.ilfonline.org/units/confidentiality/).   IU Libraries' privacy and confidentiality policies are intended to comply with applicable federal, state, and local laws, as well as with any IU policies on privacy, including the Indiana University policy on Privacy of Electronic Information and Information Technology Resources;  a set of frequently asked questions to accompany this policy can be found at: http://protect.iu.edu/cybersecurity/policies/IT07/faq.  In addition, this privacy policy conforms to the requirements of the IU policy on Web Site Privacy Notices.

User rights--as well as our institution's responsibilities--outlined here are based in part on what are known in the United States as the five "Fair Information Practice Principles."  These five principles outline the rights of Notice, Choice, Access, Security, and Enforcement.

Our commitment to our users' privacy and confidentiality has deep roots not only in law but also in the ethics and practices of librarianship.  In accordance with the American Library Association's Code of Ethics:

"We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired, or transmitted."  (http://www.ala.org/advocacy/proethics/codeofethics/codeethics)

II. Applicability

This privacy notice applies only to the Indiana University (IU) Libraries and explains our practices concerning the collection, use, and disclosure of user information. Users’ information collected by the Indiana University Libraries will be used only as outlined in this privacy notice. 

Other units at the University may collect and use visitor information in different ways. Therefore, visitors to other University web sites and those who interact with University units and departments should review the privacy notices for those units or for the particular University web sites they visit. The IU Libraries are not responsible for the content of other web sites or for the privacy practices of University units or web sites outside the scope of this notice.

III. Indiana University Libraries' Commitment to Our Users' Rights of Privacy and Confidentiality

This privacy policy explains our users' privacy and confidentiality rights, the steps the IU Libraries take to respect and protect privacy, and how we deal with personally identifiable information that we may collect from our users.

1.  Notice & Openness

The IU Libraries affirm that our library users have the right of "notice" -- to be informed about the policies governing the amount and retention of personally identifiable information, and about why that information is necessary for the provision of library services.

The IU Libraries post publicly and acknowledge openly the privacy and information-gathering policies of the IU Libraries.  Whenever policies change, notice of those changes is made publicly available.  In all cases involving personally identifiable information, it is our policy to avoid creating unnecessary records; to avoid retaining records not needed for the fulfillment of the mission of the library; and to avoid engaging in practices that might place sensitive information on public view.

Information that the IU Libraries may gather and retain about current and valid library users includes, but is not limited to, the following:

Circulation Information
This includes all information that identifies a user as borrowing specific materials, including reserve materials.

Collection Development and Resource Management
This includes information regarding the request, purchase, transfer, and related collection management requests linked to individual users or groups of users (e.g., departments).

Electronic Access Information
This includes all information that identifies a user as accessing specific electronic resources, whether library subscription resources, electronic reserves, or other Web resources.

Interlibrary Loan/Document Delivery
This includes all information that identifies a user as requesting specific materials.

Library Surveys/Assessment Projects
This includes any information or data obtained by any IU library through surveys (group or individual interviews or other means) in support of assessment of services, collections, facilities, resources, etc., or in support of research related to library and information services.  Any data collected in the course of research is subject to additional review of privacy and confidentiality protections.

Reference/Research Consultations
This includes any information regarding the identity of library users, the nature of their inquiry, and the resources that they consult.

User Registration Information
This includes any information the library requires users (faculty, staff, students, or others) to provide in order to become eligible to access or borrow materials. Such information includes addresses, telephone numbers, and identification numbers.

Other Information Required to Provide Library Services
This includes any identifying information obtained to provide library services not previously listed.

2. Choice & Consent

This policy explains our information practices and the choices users can make about the way the IU Libraries collect and use this information. 

To provide borrowing privileges, we must obtain certain information about our users in order to provide them with a library account.  If users are affiliated with Indiana University, the library automatically receives personally identifiable information (name, address, e-mail address, status [as student, faculty, staff], identification number, etc.) in order to create and update their library account from the Registrar's Office (for students) or Human Resources (for employees).  When visiting our library's web site and using our electronic services, users may choose to provide their name, e-mail address, library card barcode, phone number or home address.

Users who are not affiliated with Indiana University have the option of providing us with their e-mail address for the purpose of notifying them about their library account.  Users may request that we remove their email address from their record at any time.

The IU Libraries never use or share the personally identifiable information provided to us in ways unrelated to the ones described above without also providing users an opportunity to prohibit such unrelated uses, unless we are compelled to do so under the law.  Our goal is to collect and retain only the information we need to provide library-related services.  The IU Libraries strive to keep all personally identifiable information confidential and do not sell, license, or disclose personal information without consent unless compelled to do so under the law or as necessary to protect library resources or conduct necessary library operations.

3. Access by Users

We attempt to fulfill all requests made by individuals who use library services that require the provision of personally identifiable information and to update their information through proper channels. Users may be asked to provide some sort of verification (e.g., PIN number, photo or network identification card, etc.) to ensure verification of identity.

4. Data Integrity & Security

The data we collect and maintain at the library must be accurate and secure.  Although no method can guarantee the complete security of data, we take steps to protect the privacy and accuracy of user data in the following ways:

Data Integrity: We take reasonable steps to assure data integrity, including: using only reputable sources of data; providing our users access to their own personally identifiable data; updating data whenever possible; utilizing middleware authentication systems that authorize use without requiring personally identifiable information; destroying untimely data or converting it to anonymous form.

Data Retention:  We regularly review and purge personally identifiable information once it is no longer needed to manage library services. Information that is regularly reviewed for purging includes, but is not limited to, personally identifiable information on library resource use, material circulation history, and security/surveillance tapes and logs.

The IU Libraries are committed to investing in appropriate technology to protect the security of personally identifiable information while it is in the library's custody.  The IU Libraries follow University policy for the retention of data, and access to data is restricted to a small number of authorized university computing personnel.  The IU Libraries post announcements about the choice users make in signing up for customized or personalized services related to web and database services.

Services that Require User Login:  In-library computers allow guest use of most library resources without logging in.  Use of the full resources of the World Wide Web and of the full power of some subscription databases requires that a user log on to the workstation, either with his/her network ID and password or with a special guest account the user obtains from the library.  Data about which users were connected to which machine is collected, in accordance with University policy, and kept for a limited time with very limited access by staff.  Users of electronic resources that require authorization for their use are also asked to log in when they connect from outside the university IP address ranges.  The data kept from these transactions does not include information linking the user to the resources to which the user connected or about searches completed and records viewed.

Cookies:  Cookies are used by IUCAT to maintain the persistence of a default library search limit.  These cookies are session cookies and are removed when the user exits the catalog and closes the browser.  Some licensed databases also use cookies to remember information and provide services while the user is online.  Users must have cookies enabled to use these resources.

IU Libraries’ web sites provide links to other, non-university sites. Indiana University is not responsible for the availability, content, or privacy practices of those sites. Non-university web sites are not bound by this privacy policy and may or may not have their own privacy policies.  We are, however, committed to working with vendors of library resources to find solutions that respect the user's privacy and we include a review of the privacy policy espoused by the vendor in purchasing decisions.  We provide users with information about the risks of providing personally identifiable information so that they can make reasonable choices about use of personalized services from vendors of electronic library materials.  We discourage users from choosing passwords or PINs that could reveal their identity, including Social Security numbers.  We regularly remove cookies, web history, cached files, and other use records from library computers and networks.

Security Measures: Our security measures involve both managerial and technical policies and procedures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.  Our managerial measures include internal organizational procedures that limit access to data and prohibit those individuals with access from utilizing the data for unauthorized purposes.  Our technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and storage of data on secure servers or computers that are inaccessible from a modem or network connection.

Staff access to personal data: We permit only authorized Library staff with assigned confidential passwords to access personal data stored in the Library's computer system for the purpose of performing library work. The IU Libraries will not disclose any personal data collected from users to any other party except where required by law, to report a suspected violation of law or University policy, or to fulfill an individual user's service request. We do not sell or lease users' personal information to commercial enterprises, organizations or individuals.

5. Children

This site is not directed to children under 13 years of age, does not sell products or services intended for purchase by children, and does not knowingly collect or store any personal information, even in aggregate, about children under the age of 13. We encourage parents and teachers to be involved in children's Internet explorations. It is particularly important for parents to guide their children when they are asked to provide personal information online.

6. Use of Third Party Analytics Software

Web site developers and owners review usage data on their web pages to identify resources that are being used and to evaluate the provision of information on the site and the effectiveness of the organization and design of that information.  This usage data is provided by traditional packaged software and by third-party services. The IU Libraries only use third party analytics software from reputable organizations that have strong privacy policies.

Web sites provided by the IU Libraries may use Google Analytics, a web analytics service provided by Google, Inc. (“Google”).  Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.  Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.  You may refuse the use of cookies by selecting the appropriate settings on your browser; however please note that if you do this you may not be able to use the full functionality of IU Libraries websites and linked electronic resources. 

IU Libraries that use data from Google Analytics and other third-party software providers use such data in the aggregate and do not associate use of any web page or any resource with a particular computer or a particular user.

By using IU Libraries’ websites, you consent to the processing of data about you by Google and other providers of usage data in the manner and for the purposes set out above.

7. Enforcement & Redress

The IU Libraries will not make library records available to any agency of state, federal, or local government unless required to do so under law or to report a suspected violation of the law.  Nor will we share data on individuals with other parties including faculty, staff (including library staff except in the performance of their assigned duties), parents, students, campus security, and law enforcement personnel, except as required by law or University policy or as needed to perform our University duties.

Library staff are to refer all requests for confidential user records to the appropriate Library Dean or Director or their designate. Only the Library Dean/Director or designate has authorization to receive and respond to requests from law enforcement or other third parties.  The Dean/Director will forward all requests from law enforcement or other government officials, all requests under applicable "open records" laws, to University Counsel, and will consult with counsel regarding the proper response.  Each library within Indiana University will develop written procedures to comply with this policy.  

We conduct regular privacy audits in order to ensure that all library programs and services are enforcing our privacy policy.  Library users who have questions, concerns, or complaints about the library's handing of their personally identifiable data should file written comments with the director of the library in question.  We will respond in a timely manner and may conduct a privacy investigation or review our policy and procedures.

If you feel that the IU Libraries are not following this stated policy and communicating with the Libraries does not resolve the matter, or if you have general questions or concerns about privacy at Indiana University, please contact the University Chief Privacy Officer, 812-855-8476 or privacy@iu.edu.

Back to top

History

This policy went into effect on December 22, 2003 and was last revised on February 1, 2012.

The latest revision was approved by University Counsel (2/13/2012) and the Council of Head Librarians (2/17/2012).

Back to top