Patron Data Privacy Policy

Hennepin County Library Board Policy

Purpose

The purpose of this policy is to communicate Hennepin County Library's (the Library) role and responsibility to safeguard patron data and to describe the obligations and constraints under which the Library operates.

Principles

• We value and advocate for patron privacy and confidentiality.
• We value intellectual freedom and a patron's right to open inquiry without having the subject of one's interest examined or scrutinized by others.
• We recognize that networked and digitized environments create new and ongoing challenges to safeguard patron data.
• We expect the Library to employ responsible and transparent data practices, stay abreast of developments in the field, and leverage its role as a national leader of library service to maintain patron data privacy standards in this rapidly evolving world.

Definition and Scope

For the purpose of this policy, patron data is defined as information that identifies a library patron or information that can be connected to a patron. It is a form of government data and is subject to federal law, Minnesota state statutes, and Hennepin County data governance policies and procedures.

Patron data includes, but is not limited to, information associated with borrowing library materials and requesting information, using the library's computers and wireless service, reserving library meeting rooms, and accessing downloadables and other resources via third party vendors.

Public Data

In the state of Minnesota, all government data including patron data is public unless it has been classified otherwise by statute or federal law.

Private Patron Data

The following patron data collected and maintained by Hennepin County Library (or those working under contract for the library) is private and may not be disclosed for other than library purposes.

1. Data that links a patron’s name with materials requested or borrowed
2. Data that links a patron's name with a specific subject about which the patron has requested
3. All data (other than the name of the applicant) provided as a part of a library card application.

Circumstances when private data may be released:

1. Patrons may access the data that is about themselves.
2. A library may release reserved materials to a family member or other person who resides with a library patron and who is picking up the material on behalf of the patron. A patron may request that reserved materials be released only to the patron.
3. Private data maybe disclosed to a parent or guardian of a minor or vulnerable adult. In the case of a minor, the library shall, upon request by the minor, withhold data from parents or guardians if the library determines that withholding the data would be in the best interest of the minor. Minnesota Administrative Rules 1205.0500 outlines the access procedures for a parent or guardian.
4. The Library may release private data pursuant to a court order.
5. The Library may be compelled to disclose private data pursuant to the USA PATRIOT Act.

(See also Minnesota Statutes 13.02, 13.05, 13.40 and USA PATRIOT Act section 215)

Collecting and Retaining Patron Data

The Library collects and retains patron data which is:

• Necessary for the provision and management of library services
• Needed to provide opt in library services that are desired by library patrons
• Required by federal law.

The Library informs patrons of the necessity, purpose, and intended use of requested data. It maintains data retention schedules, and conducts regular data privacy audits.

Networked and Digitized Library Environment

The library provides access to the Internet via its wireless network and by making its computers and other devices available to patrons. The Library does not monitor what patrons do while using the library's computers or other devices. It does not scrutinize sites patrons visit, documents they produce, transactions they make, or emails they create or view.

Patron library card numbers, and the location and time of patron logins are collected to manage the queues for using library computers. For wireless connections, the date and time of a wireless connection and the MAC address of the device that is connected through the wireless network is retained. The USA PATRIOT Act requires that this data be retained for a reasonable period of time.

The library's collection is also a part of the networked, digitized library environment. Patrons increasingly borrow library materials by accessing and downloading them via third party vendors. While vendors who are under contract with the Library are subject to the same federal and state data privacy laws as the Library, their compliance is subject to the ethics and integrity of those organizations. The Library actively works with third party vendors to support patron data privacy.

Handling and Disclosing Patron Data

Library staff and volunteers handle patron data in accordance with library administrative policy. Patron data that is public may be requested under the Minnesota Data Practices Act. The Library follows county procedures and responds to written data requests in a timely way.

Patron data that is private will not be disclosed except under the circumstances detailed under the "private patron data" section (above). The process for responding to requests for private patron data is detailed in library administrative policy.

The Library does not give, share, sell, or transfer patron data for commercial purposes.

Roles and Responsibilities

The Hennepin County Board of Commissioners appoints a Data Governance Officer who is responsible for developing, articulating, implementing, and managing the county's vision for organizational data management and data compliance practices in accordance with federal laws and state statutes. Each county department appoints a data steward who works with the Data Governance Officer and is accountable for the quality and use of the department's data.

The Library implements the Library Board policy and establishes library administrative practices and procedures that are aligned with county-wide policies.

Library staff and volunteers follow the Code of Ethics of the American Library Association and "protect each library user's right to privacy and confidentiality with respect to information sought or received, resources consulted, borrowed, acquired, or transmitted."

Library staff take annual data security training and play an active role educating and informing patrons about patron data privacy concerns especially as it relates to the digital environment.

Library patrons have the responsibility to safeguard their personal privacy, report lost library cards, manage their library account privacy settings, familiarize themselves with the privacy policies of the third party vendors they access, and be aware that the Library cannot protect the privacy of data that is transmitted to third parties via the Internet.

Associated Policies and Laws

This policy is subject to all federal, state, and local laws and policies including but not limited to:

• American Library Association. Code of Ethics
• Hennepin County. Data Practices Policy
• Hennepin County. Data Practices Requests
• Hennepin County. Privacy and Security Policy
• Hennepin County Library Administrative Policy. Handling and Disclosing Patron Data
• Hennepin County Library Board. Library Bill of Rights 
• Minnesota. Government Data Practices Act
• Minnesota. Administrative Rules 1205.0500. Access to Private Data Concerning Data Subjects Who Are Minors
• United States. Children's Online Privacy Protection Act
• United States. Electronic Communications Privacy Act
• United States. USA PATRIOT Act

Process

This policy is reviewed by the Library Director (or designee) and the Library's legal counsel every four years, or more frequently as needed. Recommendations are forwarded to a Library Board committee. The committee reviews and revises as necessary, endorses and advances to the full Library Board for approval.

Policy History

Next Review Date: 2026
Last Reviewed/Revised Date: 2022