Confidentiality of Patron Records

Background and Scope:

The Temple University Libraries are committed to ensuring the privacy of all library users, including students, faculty, staff and guests.   This policy applies to all resources regardless of their format or means of delivery as well as to all services offered by the Libraries.    Several laws and policies govern and inform library policy and procedure  in this area.  These include

  • the  “Family Educational Rights and Privacy Act” commonly known as FERPA, which applies to records pertaining to current and former students of Temple University and in general prevents release of information without written consent of the individual.    
  • Pennsylvania Commonwealth Statute  24 P.S. § 4428, 2002, which mandates confidentiality of library circulation /use  records
  • Temple University  policies concerning  privacy and information security

In order to conform with these laws and policies we maintain strict user confidentiality and will not reveal the identities or  personally identifying information (“PII”)  of individual users or reveal what information resources they consult or services were provided those users  to any non-Libraries staff, individual, or entity without a court order or a valid subpoena, or under appropriate federal law.

 

Library Records:

Records of the borrowing and use of library information resources (a.k.a. library materials) and equipment are considered to be confidential,  as are the records of patron transactions of any type including, but not limited to reference interactions,  computer use logs, logs of Internet sites consulted, etc., as well as records of transactions regarding fees and fines.    For library purposes, this covers all records related to the circulation or use of ipads, digital cameras, and any other equipment loaned by the University Libraries as well as books and other formats of printed or electronic information available from the Libraries, including materials that are personally owned by a faculty member that have been placed on reserve for reading in a course or of special collections materials donated or on deposit at the Libraries.

In the event a borrower incurs a financial obligation to the library, for example, for having failed to return a borrowed item, these financial records are also considered PII. 

 

 

Collection and Security of PII

For certain defined business purposes the University Libraries  do collect PII which data are individually or collectively sensitive or confidential according to  current Temple University data classification.   Both sensitive information and confidential  information are  held in strict confidence and exchanged among library staff  or other University staff  only in relation  to the business purpose (i.e., on a need to know basis)  and only by appropriately secure means.  At all times PII  is to be secured in accordance with University policies and  for limited time periods defined by record retention  schedules. For example, the records of most circulation borrowing transactions are expunged and overwritten immediately upon  return to the libraries of the loaned items and thereafter are reflected only as anonymized statistics descriptive of overall borrowing patterns.   Records such as paper files of borrowing or use agreements not immediately expunged and destroyed  are held in secure locking conditions with limited access. 

 

Records containing PII which are scheduled for destruction shall be disposed of in accordance with University information security procedures.  Ordinarily this calls for paper records to be shredded and hard drives or other computer memory devices to be overwritten prior to  decommissioning or destruction. 

 

Access by Library and University Staff to PII

PII collected is made accessible only to those specific individual staff who need access to the information in order to conduct library business or who will be compiling and anonymizing data for statistical or assessment purposes. 

 

It is the policy of the University Libraries that employee access to PII data collected or viewable in the Libraries shall be reviewed annually by supervisors and the library administrator designated as the Privacy and Security Liaison (Richie Holland, Director of Administration) and reported annually to Temple University’s Privacy Officer in accordance with Temple’s comprehensive Information Security program (policy 04.72.11) .  

 

The Libraries designated Privacy and Security Liaison sends annual reminders to all library staff of the importance of maintaining confidentiality and charges library department heads to review these principles and privacy protocols with staff and student assistants in their respective departments. 

 

 

Disclosure of PII

Law Enforcement: 

Any request for patron information that library staff may receive from a law enforcement official should be  immediately and directly referred to the Office of University Counsel, 300 Sullivan Hall, universitycounsel@temple.edu, (215) 204-6524,  followed by notification to both the Dean of Libraries office and the cognizant library department head.      This applies to search warrants, subpoenas and other requests for information regarding our library users as well as an individual’s library records, etc.  This applies to all locations and all hours of service.   

 

Information will be disclosed to law enforcement officials upon court order or valid subpoena,  as determined by University Counsel,  or in compliance with appropriate federal law without prior notice.

 

Others, including Parents: 

Requests for patron information occasionally come from faculty or staff, other students, and parents.     While it is not unlawful to make such a request, it would be unlawful for library staff to provide patron information or information about library business without proper authorization.     

 

Examples of some typical questions that might be asked on the phone or at a service desk: 

 

“Can you tell me who has this book I desperately need to consult?  I will call them to arrange to quickly look at it.”     [Ans: “We are barred by state law from revealing who has borrowed our materials.”]

 

“Can you tell me who  is recalling my book?  I’d like to know who else is working in this subject area.  I’d like to know if it’s a colleague of mine.” [Ans: “We are barred by state law from revealing who is making use of our materials.”]

 

“I found a  book in the department lounge,   please tell me who has it  checked out so I can drop it  in their departmental mailbox . “   [Ans:   “Please return the book to the Library so that staff and take care of it confidentially.”]

 

Parents of students occasionally inquire about student’s library fees or Bursar accounts and may ask what else was checked out to their daughter or son.  [Ans: “We are barred by state law from revealing  any borrowing  history or  financial history to persons other than the borrower and therefore  you should have your child  come to the library so we can discuss this with him/her directly. “]

 

Instructors sometimes ask who in their classes checked out or viewed course reserves.  [Ans: “We are barred by state law from revealing any borrowing  history . “] 

 

Donors have on rare occasion asked who has used archival materials they have donated or deposited in our special collection.  [Ans: “We are barred by state law from revealing  who has used what library materials.“] 

 

In the event a parent or other agent of a student, former student, or alumnus  indicates that their child has authorized disclosure, the parent or agent should be directed to have the student produce appropriate FERPA permissions paperwork.  The Libraries do not independently keep such permissions since we have a blanket requirement for confidentiality imposed by State statute. 

 

 

 

Breaches of PII:

In the event a staff member detects an inadvertent disclosure or exposure of PII or discovers a deliberate disclosure of covered PII, either internal or external, the staff member(s) shall immediately report the data breach to the Libraries’ Privacy and Security Liaison (Richie Holland, Director of Administration) by completing an Library incident report form online. 

The Privacy and Security Liaison will consult with the Dean of Libraries, the University Privacy Officer and Human Resources if needed concerning appropriate corrective measures and any disciplinary measures if warranted should the PII breach have resulted from employee misconduct or negligence.   

The Libraries’ Privacy and  Security Liaison will report to the University Privacy officer all data breaches and resolutions/contacts as required in the annual risk and Compliance assessment instrument.

 

 

 

References:

Pennsylvania Statutes 24 P.S. § 4428, 2002

Temple University Policy 04.72.11 “Comprehensive Information Security Policy”  see  http://policies.temple.edu/PDF/83.pdf

FERPA “Family Educational Rights and Privacy Act 20 U.S.C. §1232g. 

Temple University Policy 03.20.11 “confidentiality of Student Records”  see:  http://policies.temple.edu/PDF/257.pdf

Michael Gebhardt, University Counsel, memo dated September 5 2014 concerning subpoenas  

 

History: 

Effective Date:  November 10, 2014

Last reviewed:  January 31, 2017