The purpose of this policy is to communicate Hennepin County Library's (the Library) role and responsibility to safeguard patron data and to describe the obligations and constraints under which the Library operates.
For the purpose of this policy, patron data is defined as information that identifies a library patron or information that can be connected to a patron. It is a form of government data and is subject to federal law, Minnesota state statutes, and Hennepin County data governance policies and procedures.
Patron data includes, but is not limited to, information associated with borrowing library materials and requesting information, using the library's computers and wireless service, reserving library meeting rooms, and accessing downloadables and other resources via third party vendors.
In the state of Minnesota, all government data including patron data is public unless it has been classified otherwise by statute or federal law.
The following patron data collected and maintained by Hennepin County Library (or those working under contract for the library) is private and may not be disclosed for other than library purposes.
Circumstances when private data may be released:
(See also Minnesota Statutes 13.02, 13.05, 13.40 and USA PATRIOT Act section 215)
The Library collects and retains patron data which is:
The Library informs patrons of the necessity, purpose, and intended use of requested data. It maintains data retention schedules and conducts regular data privacy audits.
The library provides access to the Internet via its wireless network and by making its computers and other devices available to patrons. The Library does not monitor what patrons do while using the library's computers or other devices. It does not scrutinize sites patrons visit, documents they produce, transactions they make, or emails they create or view.
Patron library card numbers and the location and time of patron logins are collected to manage the queues for using library computers. For wireless connections, the date and time of a wireless connection and the MAC address of the device that is connected through the wireless network are retained. The USA PATRIOT Act requires that this data be retained for a reasonable period of time. It is currently retained for two months.
The library's collection is also a part of the networked, digitized library environment. Patrons increasingly borrow library materials by accessing and downloading them via third party vendors. While vendors who are under contract with the Library are subject to the same federal and state data privacy laws as the Library, their compliance is subject to the ethics and integrity of those organizations. The Library actively works with third party vendors to support patron data privacy.
Library staff and volunteers handle patron data in accordance with library administrative policy. Patron data that is public may be requested under the Minnesota Data Practices Act. The Library follows county procedures and responds to written data requests in a timely way.
Patron data that is private will not be disclosed except under the circumstances detailed under the "private patron data" section (above). The process for responding to requests for private patron data is detailed in library administrative policy.
The Library does not give, share, sell, or transfer patron data for commercial purposes.
The Hennepin County Board of Commissioners appoints a Data Governance Officer who is responsible for developing, articulating, implementing, and managing the county's vision for organizational data management and data compliance practices in accordance with federal laws and state statutes. Each county department appoints a data steward who works with the Data Governance Officer and is accountable for the quality and use of the department's data.
The Library implements the Library Board policy and establishes library administrative practices and procedures that are aligned with county-wide policies.
Library staff and volunteers follow the Code of Ethics of the American Library Association and "protect each library user's right to privacy and confidentiality with respect to information sought or received, resources consulted, borrowed, acquired, or transmitted."
Library staff take annual data security training and play an active role in educating and informing patrons about patron data privacy concerns, especially as they relate to the digital environment.
Library patrons have the responsibility to safeguard their personal privacy, report lost library cards, manage their library account privacy settings, familiarize themselves with the privacy policies of the third party vendors they access, and be aware that the Library cannot protect the privacy of data that is transmitted to third parties via the Internet.
This policy is subject to all federal, state, and local laws and policies including but not limited to:
This policy is reviewed by the Library Director (or designee), the Library's legal counsel, and the Library Board Policy Committee at least every three (3) years. The Committee reviews and revises the policy as necessary, endorses it, and advances it to the full Library Board for approval.
Next Review Date: 2/2018
Last Reviewed/Revised Date: 2/25/2015
Previous Policy Dated: 11/30/2011