Library Practices on the Collection, Use, Disclosure, Maintenance, and Protection of Personal Information

Introduction

As reflected in the Privacy Policy of Emory University Libraries, the Libraries recognize the importance of protecting the personal privacy of all its users, whether in person or online. Use of library facilities and materials, whether in person or online, may produce personally identifiable information (information which can be directly or indirectly tied to a specific person).

Access to personally identifiable information1 is restricted to employees of the Libraries who need it to conduct library business2. Personally identifiable information is never used for commercial purposes and is never revealed to a third party except as required and authorized by policy, law or to comply with a subpoena or court order only with the consent and advice of the University's Office of General Counsel. The Libraries retain personally identifiable information only so long as it is required for operational purposes.

The Libraries do not routinely inspect, monitor, or disclose records of electronic transactions for other than library business purposes. The Libraries and University Policies prohibit employees and others from seeking out, using or disclosing such information without authorization, and requires employees to take necessary precautions to protect the confidentiality of personally identifiable information encountered in the performance of their duties or otherwise.

Library Websites

In the course of providing you with web-based services, the Libraries collect and store certain information automatically through our websites. We use this information on an aggregate basis to maintain, enhance or add functionality to our web-based services. It includes:

  • your internet location (IP address)
  • which pages on our site you visit
  • the URL of the webpage from which you came to our site
  • which software you use to visit our site and its configuration

This type of data is not personally identifiable.

Links to External Websites

The various libraries' websites link to internet sites and services outside the administrative domain of the Libraries. The Libraries do not govern the privacy practices of these external sites. Users should read the privacy statements at these sites to determine their practices. When one or more of the Libraries contracts with vendors for access to online content, such as journals and databases, every attempt is made to include user information protections in the license agreement.

Cookies

A "cookie" is a piece of plain text stored on your computer by a web server and used primarily to customize your interaction with the web. Some cookies last only for the duration of the session, while others are persistent and reside on a computer's hard drive until the user deletes them or the computer is refreshed. As a matter of policy, cookies are erased from the libraries' public computers periodically throughout the year and at the beginning of each term.

Web Analytics

The Libraries use web analysis tools, including Google Analytics, to capture and analyze web statistics. Google Analytics is a cookie-based analytics program that uses cookies to track website activity. The Libraries also maintain local logs of web activity for statistical assessment using Webalyzer and other log analysis tools. These tools, including Google Analytics, typically collect the following information: network location; hostname; webpage(s) requested; referring webpage; browser used; screen resolution; size of data transferred; date and time. No personal information is stored within cookies. Cookies can be disabled within a browser's preference or option menu. For more information about Google Analytics, see Google Privacy Policy.

Accessing Personally Identifiable Information for Other Than Library Business Purposes

The Libraries shall only permit the inspection, monitoring, or disclosure of personally identifiable information for other than library business purposes:

(i) when required by and consistent with law, University policy, or campus policy;
(ii) when formally requested by an authorized office of the University as part of an official security investigation;
(iii) when failure to act might result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies, or significant liability to the Libraries, University, or members of the University community; or
(iv) when there is substantiated reason to believe that violations of law or of University or library policies have taken place; or
(v) to comply with a subpoena or court order only with the consent and advice of the University’s Office of General Counsel.

When under the circumstances described above personally identifiable information must be inspected, monitored, or disclosed, the following shall apply:

Authorization

Except in emergency circumstances, such actions must be authorized in advance and in writing by the Dean and University Librarian, or by the Director of Library Technology and Digital Strategies. The Library Cabinet will be notified of each authorization made. Authorization shall be limited to the least perusal of content and the least action necessary to resolve the situation.

Emergency Circumstances

In emergency circumstances—circumstances in which delay might precipitate harm, loss, or liability as described above—the appropriate Library Cabinet member may approve the least perusal of content and the least action necessary to resolve the emergency, immediately and without prior written authorization, but appropriate authorization must then be sought without delay. All members of the Library Cabinet will be notified of the authorization.

Compliance with Law

Actions taken shall be in full compliance with the law and other applicable University and library policies.

Compliance with a Subpoena or Court Order

Actions shall only be taken with the consent and advice of the University’s Office of General Counsel.

Privacy Limits

Library Records

Records pertaining to the business of the Libraries, whether or not created or recorded on library equipment, are University records subject to disclosure under Georgia Code § 24-9-46 or to comply with a subpoena or court order.

Possession of University Records

Employees of the Libraries are expected to comply with requests, properly vetted through University policies and procedures, for copies of records in their possession that pertain to the business of the University, or whose disclosure is required to comply with applicable laws, regardless of whether such records reside on University electronic communications resources.

Unavoidable Inspection

During the performance of their duties, personnel who operate and support electronic communications resources periodically need to monitor transmissions or observe certain transactional information to ensure the proper functioning and security of library systems and services. On these and other occasions, systems personnel might observe personally identifiable information. Except as provided elsewhere in this Policy or by law, they are not permitted to seek out such information where not germane to the foregoing purposes, or disclose or otherwise use what they have observed. Such unavoidable inspection of personally identifiable information is limited to the least invasive degree of inspection required to perform such duties. This exception does not exempt systems personnel from the prohibition against disclosure of personal and confidential information.

Except as provided above, systems personnel shall not intentionally search electronic records or transactional information for violations of law or policy. However, they shall report violations discovered inadvertently in the course of their duties to the Emory University Trust Line.

Back-up Services

Operators of library electronic systems shall provide information about back-up procedures to users of those systems upon request.

Contact Information

If you have any questions about our privacy policies or practices, please contact the Administration Office of Emory University Libraries at 404-727-6861.

Notes

  1. Personally identifiable information is any information that can be directly or indirectly associated with a known individual. For example, all information contained in personnel, patron, and circulation files is personally identifiable.
  2. Library business refers to activities involved in the provision, maintenance, and management of library systems and services to its patrons and staff. Circulating books and journals, enforcing library contracts, and troubleshooting problems with the library e-mail system are all examples of library business. Trying to discover who used a library workstation to issue a harassing message would typically not be library business, however.
  3. Substantiated reason to believe requires reliable evidence, as distinguished from suspicion, rumor, gossip, or other unreliable evidence.