Privacy notice for Library users
Keele University is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It applies to all Library users.
Keele University is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.
This notice applies to Library users, including students, visitors, and staff. This notice does not form part of any contract to provide services. We may update this notice at any time.
It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
For our students, you should also refer to our main student privacy notice at https://www.keele.ac.uk/privacynotices/
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection.
We may collect, store, and use the following categories of personal information about you:
Personal contact details such as name, title, addresses, telephone numbers, and email addresses, As a user of the Library we will store and use further information which we will collect from you or from other parties or will be generated by your activities as a Library user. This may include information about your use of our Information Systems, and will include data on what items you have borrowed from the Library, any fines paid/owing, training received.
We may also collect, store and use more sensitive personal information about your health, including any medical condition, disability or other special needs where this is relevant to your use of the Library.
We typically collect personal information about students and University staff via automated imports of relevant data from central University systems. Information about other Library users, such as NHS members and users of the Special Collections and Archives, is normally collected by the use of paper registration documents.
We will collect additional personal information in the course of Library activities throughout the period you are registered with us.
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the contract we have entered into with you (or in preparation of that contract).
- Where we need to comply with a legal obligation.
- Where it is needed as a key part of our core tasks as a Library (these will be tasks in the public interest for our official purposes as a public body).
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (where we are processing your data for purpose outside our public tasks as a publically supported university)
- Where you have explicitly agreed to a particular use of your data (consent)
We may also use your personal information in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests).
Situations in which we will use your personal information:
- To deliver Library facilities and support services to you.
- To communicate effectively with you by post, email and phone regarding your Library account and transactions.
- To operate security for the prevention/detention of crime (including CCTV).
- To support your training requirements.
- To compile anonymous statistics and conduct research for internal and statutory reporting purposes.
- To fulfil and monitor our responsibilities and obligations under equalities, immigration and health and safety legislation.
- To enable us to contact others in the event of an emergency.
If you fail to provide personal information:
If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our students).
Change of purpose:
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
”Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances:
In limited circumstances, with your explicit written consent.
Where it is required in the public interest, such as where we are complying with our legal obligations, for equal opportunities monitoring, for preventing or detecting unlawful acts, protecting the public against dishonesty, preventing fraud, counselling, or the provision of insurance.
Where it is needed for preventative or occupational medicine, or for public health reason and subject to appropriate confidentiality safeguards.
Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your vital interests (or someone else’s interests) and you are not capable of giving your consent; or where you have already made the information public.
We may use your particularly sensitive personal information in the following ways:
- We may use sensitive information to assess and manage support services for users with disabilities and special needs.
Do we need your consent?
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
We may have to share your data with third parties, including third-party service providers.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EU.
If we do, you can expect a similar degree of protection in respect of your personal information.
The Library may share your personal data with third parties such as:
- Companies or organisations providing specific services to, or on behalf of, the Library. This includes the Library Management system and cloud-based systems supporting the university's service provision
- On occasion and where necessary in accordance with the law, the police and other law enforcement agencies.
- NHS members or those registering on behalf of an external organisation may also have their data disclosed to their employer in cases where there are matters relating to breach of the University regulations. The details of users registering under reciprocal access arrangements may be disclosed to the co-operating library.
Other than to the above, the Library will not divulge data to third parties relating to your Library loans or status at the University. This includes other people undertaking loan renewals or paying fines on your behalf, which can only be undertaken if you have previously given written consent to permit this via an approved route.
Student data may be shared in accordance with the main student privacy notice.
How long will you use my information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We will delete the information we hold within 12 months of ceasing to be a member of the library unless you have outstanding Library issues such as fines or unreturned loans, in which case we will hold your information for a maximum of 2 years. For substantial debts some of your data may be held for up to 7 years. Inter-Library loan documentation will be retained for a maximum of 7 years to comply with copyright regulations. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
You have a number of rights with regards to how we process your information including access, correction, erasure and restriction.
Full details of these rights and how to exercise them can be found at https://www.keele.ac.uk/informationgovernance/yourdata-yourrights/
Data Protection Officer
The University has appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Changes to this Privacy Notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.