Policy on the Collection, Use, and Disclosure of Personal Information
(Rev. 09 February 2010)
Emory University Libraries recognize the importance of freedom of speech and of personal privacy of students, faculty, and other users of the libraries' materials. We endeavor to ensure the privacy of our users' communications, whether by face-to-face, telephone, email or other electronic means.
Use of library facilities whether in person or via computer may produce personally identifiable information (information which can be directly or indirectly tied to a specific person).Access to personally identifiable information1 is restricted to Library staff who need it to conduct Library business2. Personally identifiable information is never used for commercial purposes and is never revealed to a third party except as required and authorized by policy, law or to comply with a subpoena or court order only with the consent and advice of the University’s Legal Counsel. The Library is supported in these practices by national, state and local laws, as well as by University policies.
Except as required by law, users of Library systems and services are informed whenever personally identifiable information other than transactional information will be collected and stored automatically by the system or service. The Libraries retains personally identifiable information only so long as it is required for operational purposes.
The Library does not routinely inspect, monitor, or disclose records of electronic transactions for other than Library business purposes. The Libraries and University Policies prohibit employees and others from seeking out, using or disclosing such information without authorization, and requires employees to take necessary precautions to protect the confidentiality of personally identifiable information encountered in the performance of their duties or otherwise.
Library Web Sites
In the course of providing you with Web-based services, The Library collects and stores certain information automatically through our Web sites. We use this information on an aggregate basis to maintain, enhance or add functionality to our Web-based services. It includes:
- your Internet location (IP address)
- which pages on our site you visit
- the URL of the Web page from which you came to our site
- which software you use to visit our site and its configuration
This type of data is not personally identifiable.
Links to External Sites
The various University Libraries' web sites link to Internet sites and services outside the administrative domain of the libraries. Emory University Libraries does not govern the privacy practices of these external sites. Users should read the privacy statements at these sites to determine their practices. When one or more of the Libraries contracts with vendors for access to online content, such as journals and databases, every attempt is made to include user information protections in the license agreement.
A "cookie" is a piece of plain text stored on your computer by a Web server and used primarily to customize your interaction with the Web. Some cookies last only for the duration of the session, while others are persistent and reside on a computer's hard drive until the user deletes them or the computer is refreshed. As a matter of policy, cookies are erased from Emory University Libraries' public computers periodically throughout the year and at the beginning of each term.
Accessing personally identifiable information for other than Library business purposes
The Library shall only permit the inspection, monitoring, or disclosure of personally identifiable information for other than Library business purposes: (i) when required by and consistent with law, University policy, or campus policy; (ii) when formally requested by an authorized office of the University as part of an official security investigation; (iii) when failure to act might result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies, or significant liability to the Library, University, or members of the University community; or (iv) when there is substantiated reason to believe that violations of law or of University or Library policies have taken place or (v) to comply with a subpoena or court order only with the consent and advice of the University’s Legal Counsel.
When under the circumstances described above personally identifiable information must be inspected, monitored, or disclosed, the following shall apply:
Authorization Except in emergency circumstances, such actions must be authorized in advance and in writing by the Vice Provost and Director of Libraries, or by the Chief Technology Strategist. The Librarians' Council will be notified of each authorization made. Authorization shall be limited to the least perusal of content and the least action necessary to resolve the situation.
Emergency Circumstances In emergency circumstances -- circumstances in which delay might precipitate harm, loss, or liability as described in (iii) above -- the appropriate Librarian Council member may approve the least perusal of content and the least action necessary to resolve the emergency, immediately and without prior written authorization, but appropriate authorization must then be sought without delay. All members of the Librarians' Council will be notified of the authorization.
Compliance with Law Actions taken shall be in full compliance with the law and other applicable University and Library policies.
Compliance with a Subpoena or Court Order: Actions shall only be taken with the consent and advice of the University’s Legal Counsel.
Library Records: Records pertaining to the business of the Library, whether or not created or recorded on Library equipment, are University records subject to disclosure under Georgia Code § 24-9-46 or to comply with a subpoena or court order.
Possession of University Records: Library employees are expected to comply with requests, properly vetted through University policies and procedures, for copies of records in their possession that pertain to the business of the University, or whose disclosure is required to comply with applicable laws, regardless of whether such records reside on University electronic communications resources.
Unavoidable Inspection: During the performance of their duties, personnel who operate and support electronic communications resources periodically need to monitor transmissions or observe certain transactional information to ensure the proper functioning and security of Library systems and services. On these and other occasions, systems personnel might observe personally identifiable information. Except as provided elsewhere in this Policy or by law, they are not permitted to seek out such information where not germane to the foregoing purposes, or disclose or otherwise use what they have observed. Such unavoidable inspection of personally identifiable information is limited to the least invasive degree of inspection required to perform such duties. This exception does not exempt systems personnel from the prohibition against disclosure of personal and confidential information.
Except as provided above, systems personnel shall not intentionally search electronic records or transactional information for violations of law or policy. However, they shall report violations discovered inadvertently in the course of their duties to the Emory University Trust Line (www.finadmin.emory.edu/internalaudit/trustline.html).
Operators of Library electronic systems shall provide information about back-up procedures to users of those systems upon request.
1 Personally identifiable information is any information that can be directly or indirectly associated with a known individual. For example, all information contained in personnel, patron, and circulation files is personally identifiable.
2 Library business refers to activities involved in the provision, maintenance, and management of the Library's systems and services to its patrons and staff. Circulating books and journals, enforcing Library contracts, and troubleshooting problems with the Library's e-mail system are all examples of Library business. Trying to discover who used a Library workstation to issue a harassing message would typically not be Library business, however.
3 Substantiated reason to believe requires reliable evidence, as distinguished from suspicion, rumor, gossip, or other unreliable evidence.
** We would like to thank UC Berkeley for their clearly stated privacy policies. The policies expressed here are substantially based on those found at http://www.lib.berkeley.edu/AboutLibrary/privacy/index.html