Patron information is strictly confidential. It is for the use of library staff only; it can, of course, be divulged to the patron. Patron information is not to be given to non-library individuals, including parents, friends, professors, university administrators, police, FBI, university security staff, or the CIA. Only a court order can require the disclosure of patron records. The university librarian is responsible for compliance with such orders.
Needless to say UO’s proposed new policy (in full below) is a lot weaker:
When a violation of law or established policy is suspected, the Libraries reserves the right to electronically monitor its public computers and network, and/or reveal a user’s identity to institutional authorities and/or law enforcement.
Frankly, it reads as a post-hoc justification for Lim’s decision to disclose my circulation records to the administration. I told Lim I thought this would be problematic, and that she should at least consider having something concrete to take to the Senate about implementing the promises that were made to the Senate about general review of UO’s public records problems, or perhaps something about the documents that were *not* in UO’s Presidential Archives – e.g. athletics money deals – and therefore were lost to history (yes, I did mention Hillary Clinton).
FWIW, the RegisterGuard report on that Senate meeting is here.
… The UO’s new dean of libraries, Adriene Lim, told the gathered faculty on Wednesday that she considers an individual’s right to privacy to be a universal human right.
But she also said that Oregon public records laws “spell out types of records that should be public and available for scrutiny. I’d be the first one to advocate for that openness and transparency.”
Coltrane and Lim said the issue of transparency will be reviewed by university officials after Hershner Hunter completes its investigation. [UO M: I’ve made a public records request to Dave Hubin’s Public Records Office for the contract showing what UO’s Interim General Counsel Doug Park has asked HH to do. No response yet.]
The university will “try to increase openness and transparency as much as we can,” Lim said. Coltrane said he’d bring the university’s Office of Public Records to the table.
Harbaugh said Wednesday that that’s what he had in mind when he sought the presidential documents at the archive – after being thwarted by the public records office.
He said he had no intention of violating student privacy laws or damaging the university.
“I’m trying to make a point about the university’s obsessive secrecy, about how it functions, makes decisions and operates as a public agency,” Harbaugh said.
Thanks to several people for leaking this email and proposed policy to UO Matters. Page down to see how it evolves as it gets exposed to the light of day. It’s now circulating on the Senate listserv, and we will be taking steps to
a) ensure Dean Lim does not implement this policy without Senate approval, and
b) ensure Chuck Triplett is monitored, to prevent future attempts to subvert the Policy on Policies.
Still no information on how Lim will deal with public records that were removed from the Presidential Archives by Johnson Hall.
The UO Board reaffirmed the PonP just last week. Triplett didn’t waste any time breaking it:
Date: March 11, 2015 at 9:20:07 AM PDT
To: Adriene Lim
Dear ULC members,
Library faculty still have until March 16, 2015, to provide input and comments, but I wanted to share with you the latest version of the draft because it contains two new sections that were added last week: 1.) a section was added to address the security cameras we have in our Special Collections & University Archives area. These cameras are not new — they’ve been in place for a while, but the Libraries had not finalized a policy regarding them yet); 2.) a few sentences were added to address the privacy audit and compliance concerns that were raised at our last ULC meeting. When the policy is finalized, the Libraries will conduct an audit of systems and services to make sure that we are complying with our own policy.
If you have any final comments about this latest draft, please let me know by March 16, 2015. Thank you for your help with this.
Adriene Lim, Ph.D., MLIS
Dean of Libraries
Philip H. Knight Chair
University of Oregon Libraries
1299 University of Oregon
Eugene, OR 97403-1299
Note: After I sent this email to Lim and cced the Senate listserv, she sent out an email changing her mind and deciding to ignore Triplett, and send this policy through the regular PAC process, which will bring it to the Senate.
Here’s the policy in dispute:
Revised draft 3/9/15 – 11:44 am – Latest revisions highlighted in yellow
The University of Oregon Libraries affirms that privacy is an essential element of intellectual and academic freedom. For its core library functions, the Libraries subscribes to the Code of Ethics of the American Library Association, which states: “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” The courts have upheld the right to privacy based on the Bill of Rights of the U.S. Constitution. Oregon Revised Statute 192.502 (22) exempts from disclosure under open records law the records of a library, including: (a) circulation records, showing use of specific library material by a named person; (b) the name of a library patron together with the address or telephone number of the patron; and (c) the electronic mail address of a patron. This Libraries’ privacy and confidentiality policies are in compliance with applicable federal, state, and local laws.
- Commitment to Our Users’ Rights of Privacy and Confidentiality
- Notice & Openness
Library users have the right to be informed about the policies governing the amount and retention of personally identifiable information, and about why that information is necessary for the provision of library and other types of services. In all cases, we avoid creating unnecessary records, we avoid retaining records not needed for the fulfillment of the mission and operations of the library, and we do not engage in practices that might place personal information on public view. Information we may gather and retain about current and valid library users include the following:
- User registration information
- Circulation information
- Interlibrary loan information
- Electronic access information
- Other information required to provide library services
When you visit our Web site, we may automatically collect certain information. When you access our website, you can be seen by your IP address. If you’re unsure what this is, you can find out what is my IP online. Some data we collect:
- Domain, country, IP address
- Browser, platform, resolution
- Entrance-exit pages, referrals
- Date, time
- Search terms and search engines
This is standard practice for Web sites, and is not used for any purpose other than to evaluate how we can design the site to best serve your needs.
- Choice & Consent
If you wish to receive some library services, such as borrowing or interlibrary loan privileges, we must obtain certain information about you in order to provide you with a library account. If you are affiliated with UO, the Libraries automatically receives personally identifiable information from campus systems to create and update your main library account. When visiting the Libraries’ Web site, using overnight library access, and/or using our electronic services, you may choose or be asked to provide your name, DuckID/e-mail address and password (although the Libraries has no way to review the password), university/library account number, phone number, or home address. Individuals may also choose to waive the right to keep their circulation records confidential. For example, other patrons may ask who has an item checked out and if confidentiality has been waived, the Libraries will release only the name of the patron with the item checked out. (The confidentiality waiver is available at loan desks.)
- Access by Users
Individuals who use library services that require the use of personally identifiable information are entitled to view and update their information. You may view your personal information online or in person and request that it be updated if it is not correct. (For some services, corrections are made at the campus level if you are a UO affiliate.) You may be asked to provide verification of your identity during these instances. The purpose of accessing and updating your personally identifiable information is to ensure that library operations can function properly. Such functions may include notification of overdue items, recalls, reminders, etc. The Libraries will explain the process of accessing or updating your information so that all personally identifiable information is accurate and up to date.
- Data Integrity & Security
Data Integrity: The data we collect and maintain at the Libraries must be accurate and secure. We take reasonable steps to assure data integrity, including using only reputable sources of data, providing our users access to their own personally identifiable data, and updating data whenever possible.
Data Retention: We protect personally identifiable information from unauthorized disclosure once it is no longer needed to manage library services. Information that should be purged or shredded at regular intervals designated by the Libraries includes personally identifiable information from reference interviews and instruction sessions, and circulation history regarding materials in our library collections. The Libraries retain confidential transcripts from virtual reference sessions, but the majority of those sessions involve anonymous users.
Tracking Users: In order to obtain premium access, we ask affiliated library visitors or Web site users to identify themselves by logging into our systems, and to reveal personal information if they wish to borrow materials, request special services, register for programs or classes, or make remote use of those portions of the Libraries’ Web site restricted to registered borrowers under license agreements or other special arrangements. Additionally, some library e-resource vendors may require users to create accounts to use their sites, but these accounts are not under the Libraries’ control. However, we regularly remove cookies, Web history, cached files, or other computer and Internet use records and other software code placed by users on our library computers.
Security Measures: Our security measures involve managerial and technical policies and procedures, and contractual agreements with system vendors, to protect against loss and the unauthorized access, destruction, use, or disclosure of user data. Our technical security measures to prevent unauthorized access include encryption in the transmission of data where possible, and storage of data on secure servers or computers.
Confidentiality and Staff Access to Personal Data: We will not disclose any personal data we collect from you during reference interviews, instruction sessions, or other activities to any other non-library party except where required by law, established institutional policy, system-related needs (i.e., third-party library service providers who have contractually agreed to maintain user confidentiality), or to fulfill the individual user’s service request. We permit only authorized library staff with assigned confidential passwords to access personal data stored in the Libraries’ computer systems for the purpose of performing library work. The Libraries do not sell or lease users’ personal information to companies, universities, or individuals.
- Enforcement & Redress
- Security Cameras
The UO Libraries operates security cameras for the purpose of creating a safer environment for all those who live, work, and visit campus. Use of security cameras enhances existing security measures, deters crime, and functions to protect personal safety and valuable materials and equipment. For more information about the use of security cameras and access to recorded images in the UO Libraries, please see the separate policy on this topic [URL pending].
7. Records Management
The Libraries manage a significant portion of the University’s non-permanent and permanent administrative records. For these functions, we adhere to the University’s Records Retention Schedule and established information security policies, along with the Association of Records Management and Administration’s Code of Professional Responsibility (http://www.arma.org/r2/who-we-are/code-of-professional-responsibility)
8. University Archives and Special Collections
The Libraries manage the University Archives which contains permanent historical records about the University, and Special Collections materials. In the context of managing and providing access to these materials, we adhere to the Society of American Archivists’ Core Values Statement and Code of Ethics for Archivists (http://www2.archivists.org/statements/saa-core-values-statement-and-code-of-ethics). The Libraries’ Special Collections and University Archives (SCUA) unit maintains a separate database and reference file that contain user-registration information, but this information is confidential and will not be shared with external third parties, except in specific, rare law-enforcement situations noted in Section 5.
- Learning Management System
The Libraries manage the University’s learning management system and other enterprise educational technologies and systems. Policies governing these services and their usage include but may not be limited to:
- UO Acceptable Use of Computing Resources Policy, (https://it.uoregon.edu/acceptable-use-policy)
- Use of Email for Official University Communication Policy (http://policies.uoregon.edu/policy/by/1/01-administration-and-governance/e-mail-use-official-university-communication)
- Guidelines for Official Mass Email, and the Information Security Program (http://policies.uoregon.edu/policy/by/1/01-administration-and-governance/email-guidelines-official-mass-email)
- Violations of Policies and Laws Prohibited and Not Protected
Users must comply with established institutional policies and with the law while using the Libraries’ resources and services. Nothing in this statement prevents the Libraries from exercising its right to enforce established rules or policies; protect its facilities, network and equipment from harm; or prevent the use of the Libraries’ facilities and equipment for illegal purposes. When a violation of law or established policy is suspected, the Libraries reserves the right to electronically monitor its public computers and network, and/or reveal a user’s identity to institutional authorities and/or law enforcement. Staff members are authorized to take immediate action to protect the security of library users, staff, collections, data, facilities, computers, and the network.
http://www.ala.org/advocacy/privacyconfidentiality/toolkitsprivacy/libraryprivacy, and has been reviewed March 2015 by the ALA Office of Intellectual Freedom, in order to determine adherence to foundational library privacy principles.