Privacy Policy

Introduction

Privacy is essential to the exercise of free speech, free thought, and free association. In the University Libraries at Western Michigan University (“the Libraries”), the right to privacy is defined as the right to open inquiry without having the subject of one's interest examined or scrutinized by others. Confidentiality exists when a library is in possession of personally identifiable information about users and keeps that information private on their behalf.

The Libraries' commitment to user privacy and confidentiality has deep roots not only in statutory law but in the ethics and practices of librarianship. In accordance with the American Library Association's Code of Ethics:

"We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired, or transmitted."

This includes, but is not limited to, reference questions and interviews, circulation records, digital transactions and queries, as well as records regarding the use of library resources, services, programs, or facilities.

University Libraries' commitment to our users rights of privacy and confidentiality

This privacy policy explains users’ privacy and confidentiality rights; the steps the Libraries take to respect and protect their privacy when using library resources, services, programs, or facilities; how the Libraries use personally identifiable information; and how that data is retained.

User rights—as well as the institution's responsibilities—outlined here are based in part on what is known in the United States as the five "Fair Information Practice Principles." These five principles outline the rights of Notice, Choice, Access, Security, and Enforcement.

I. Notice and openness

The Libraries' users have the right to be informed about the policies governing the extent and retention of their personally identifiable information and why that information is necessary for the delivery and management of library resources, services, programs, or facilities

The Libraries post publicly and acknowledge openly the privacy and information-gathering policies of this library. Whenever policies change, a notice of those changes will be publicly posted on the Libraries’ website.

The Libraries may retain some information about library use to improve services, track the use and possession of library materials, and to support University initiatives related to teaching and learning. Details on the types of information held, its intended purpose, retention schedule, and opt-out availability are available by request via the Dean’s office. The Libraries strive to gather only the minimum amount of information necessary to provide services and do not engage in practices that may place private information on public view.

Other Western Michigan University (the University) offices and units may also have privacy policies that broadly cover library use, such as security camera monitoring that would cover library spaces, or documentation related to human resources. In those cases, the University’s privacy policies will apply. The Libraries will assist library users in finding those policies on request, as part of their mission to protect privacy and provide reference services.

The University Libraries subscribe to hosted resources such as databases, electronic journals, and to externally hosted “cloud” based services. Private information is held only by partners where the Libraries’ have a contractual agreement that protects the confidentiality of the use of that information and data.

All library records and other information pertaining to an individual’s use of the Libraries’ resources, services, programs, or facilities are considered confidential. The Libraries permit only authorized staff to access personal data stored in library systems for the sole purpose of performing library work. The Libraries will not disclose any personal data to any third party except where required by law and does not engage in practices that may place personally identifiable information in public view.

II. Choice and consent

This policy explains the Libraries’ information practices and the choices users may make about the way the Libraries collects and uses their information. The Libraries will keep user’s personally identifiable information confidential and will not sell, license, or disclose personal information to any third party without the user’s consent, unless the Libraries are compelled to do so under the law or to comply with a court order.

Certain types of library resources and services require the Libraries to obtain information about users to create associated accounts – such as the library catalog and interlibrary loan services. Individuals affiliated with the University will automatically have their information shared from appropriate departments such as Registrar’s Office or Human Resources.

When visiting the University Libraries’ web site and using electronic services, users may choose to provide their name, email address, phone number or home address. Some electronic library resources offer personalized accounts for additional features, such as saving searches and organizing research materials in folders. Other resources require users to set up accounts with their University-provided email addresses to verify that they are WMU students or employees. In these cases, the resources will prompt users to set up accounts and notify users of how their information is used by providing terms and conditions or privacy policies. Depending on the options provided by each resource, users may have the opportunity to opt-in or out of data collection or email notifications.

III. Access by patrons

Individuals who use library services that require personally identifiable information are entitled to view and/or update their information. Users may either view or update their personal information online or in person. In both instances, users may be asked to provide verification to protect their identity.

Certain data is maintained by the University and is accessed using University systems outside of the Libraries. In cases where information is shared with the Libraries, any changes to the system of record will automatically update library systems. Examples include mailing addresses held by the registrar for students and by human resources for employees.

The purpose of accessing and updating user’s personally identifiable information is to ensure that library operations can function properly. Such functions may include notification of overdue items, recalls, or reminders. The Libraries will explain the process of accessing or updating user information so that all personally identifiable information is accurate and up to date.

IV. Data integrity and security

Data integrity

The data the Libraries collects and maintains must be accurate and secure. The Libraries take reasonable steps to assure data quality including:

• Using only reputable sources of data.
• Providing users access to their own personally identifiable data where uniquely held by the Libraries.
• Updating data whenever reasonably possible.
• Utilizing middleware authentication systems that authorize use without requiring personally identifiable information.
• Destroying untimely data or converting it to anonymous form.

Data retention

The Libraries protect personally identifiable information from unauthorized disclosure. Information that should be regularly purged or shredded includes personally identifiable information regarding the use of library resources, services, programs, or facilities.

Tracking users

Information about the types of information held, the intended purpose, retention schedule, and opt-out availability are available on request via the Library Dean’s Office. The Libraries have invested in appropriate technology to protect the security of any personally identifiable information while it is in library custody, and where possible, they ensure that aggregate, summary data is stripped of personally identifiable information.

Third-party security

The Libraries ensure contracts, licenses, and cloud service arrangements reflect our policies and legal obligations concerning user privacy and confidentiality. Should a third party require access to library users' personally identifiable information, our agreements address appropriate restrictions on the use, aggregation, dissemination, and sale of that information, particularly information about minors. In circumstances in which there is a risk that personally identifiable information may be disclosed, the Libraries will warn library users. When connecting to licensed databases outside the \WMU network, the Libraries release only information that authenticates users as "members of our community."

Security measures

The Libraries’ security measures involve both managerial and technical policies and procedures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. Managerial measures include internal organizational procedures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through the use of passwords; and storage of data on secure servers or computers that are inaccessible from a modem or network connection.

Staff access to personal data

The Libraries permit only authorized staff to access personal data for the purpose of performing library work. The Libraries will not disclose any personal data collected from users to any other party except where required by law. The Libraries does not sell or lease users' personal information to companies, universities, or individuals.

V. Enforcement and redress

The Libraries will not share data on individuals with third parties unless required by law. The Libraries conduct regular privacy audits to ensure that all library programs and services are enforcing the privacy policy. Library users who have questions, concerns, or complaints about the Libraries’ handling of their privacy and confidentiality rights should file written comments with the Dean of University Libraries. The Libraries will respond in a timely manner and may conduct a privacy investigation or review of policy and procedures.

The Libraries authorize only the Dean of University Libraries or their delegate to receive or comply with requests from law enforcement officers. The Libraries confer with legal counsel whenever possible before determining the proper response. The Libraries will not make library records available to any agency of state, federal, or local government unless a subpoena, warrant, court order or other investigatory document is issued by a court of competent jurisdiction that shows good cause and is in proper form. The Libraries have trained all library staff and volunteers to refer any law enforcement inquiries to library administrators.