Thanks to several people for leaking this email and proposed policy to UO Matters. Page down to see how it evolves as it gets exposed to the light of day. It’s now circulating on the Senate website, and we will be taking steps to
a) ensure Dean Lim does not implement this policy without Senate approval, and
b) ensure Chuck Triplett is monitored, to prevent future attempts to subvert the Policy on Policies.
The UO Board reaffirmed the PonP just last week. Triplett didn’t waste any time breaking it:
From: Shelley Harshe <sharshe@uoregon.edu>
Date: March 11, 2015 at 9:20:07 AM PDT
To: Adriene Lim <alim@uoregon.edu>, …
Subject: Library privacy policy draft – latest version
Dear ULC members,
I’ve heard back from Chuck Triplett and he advises me that he doesn’t think our new Privacy Policy rises to the level of an “institutional policy.” This means that the draft would not need to go through more layers of review in the way that other institutional policies are reviewed. He thinks that, after we go through our library-level review, the policy can just be posted on our website.
Library faculty still have until March 16, 2015, to provide input and comments, but I wanted to share with you the latest version of the draft because it contains two new sections that were added last week: 1.) a section was added to address the security cameras we have in our Special Collections & University Archives area (these cameras are not new — they’ve been in place for a while, but the Libraries had not finalized a policy regarding them yet); 2.) a few sentences were added to address the privacy audit and compliance concerns that were raised at our last ULC meeting. When the policy is finalized, the Libraries will conduct an audit of systems and services to make sure that we are complying with our own policy.
If you have any final comments about this latest draft, please let me know by March 16, 2015. Thank you for your help with this.
Best regards,
Adriene
Adriene Lim, Ph.D., MLIS
Dean of Libraries
Philip H. Knight Chair
University of Oregon Libraries
1299 University of Oregon
Eugene, OR 97403-1299
Phone: 541-346-1892
Email: alim@uoregon.edu
Note: After I sent this email to Lim and cced the Senate listserv, she sent out an email changing her mind and deciding to ignore Triplett, and send this policy through the regular PAC process, which will bring it to the Senate.
Here’s the policy in dispute:
UO Libraries
Privacy Policy
Revised draft 3/9/15 – 11:44 am – Latest revisions highlighted in yellow
Introduction
The University of Oregon Libraries affirms that privacy is an essential element of intellectual and academic freedom. For its core library functions, the Libraries subscribes to the Code of Ethics of the American Library Association, which states: “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” The courts have upheld the right to privacy based on the Bill of Rights of the U.S. Constitution. Oregon Revised Statute 192.502 (22) exempts from disclosure under open records law the records of a library, including: (a) circulation records, showing use of specific library material by a named person; (b) the name of a library patron together with the address or telephone number of the patron; and (c) the electronic mail address of a patron. The Libraries’ privacy and confidentiality policies are in compliance with applicable federal, state, and local laws.
Commitment to Our Users’ Rights of Privacy and Confidentiality
This privacy policy explains your privacy and confidentiality rights, the steps the Libraries take to respect and protect your privacy when you use library resources, and how we deal with personally identifiable information that we may collect from our users.
1. Notice & Openness
Library users have the right to be informed about the policies governing the amount and retention of personally identifiable information, and about why that information is necessary for the provision of library and other types of services. In all cases, we avoid creating unnecessary records, we avoid retaining records not needed for the fulfillment of the mission and operations of the library, and we do not engage in practices that might place personal information on public view. Information we may gather and retain about current and valid library users includes the following:
User registration information
Circulation information
Interlibrary loan information
Electronic access information
Other information required to provide library services
When you visit our Web site, we may automatically collect certain information, such as:
Domain, country, IP address
Browser, platform, resolution
Entrance-exit pages, referrals
Date, time
Search terms and search engines
This is standard practice for Web sites, and is not used for any purpose other than to evaluate how we can design the site to best serve your needs.
2. Choice & Consent
If you wish to receive some library services, such as borrowing or interlibrary loan privileges, we must obtain certain information about you in order to provide you with a library account. If you are affiliated with UO, the Libraries automatically receives personally identifiable information from campus systems to create and update your main library account. When visiting the Libraries’ Web site, using overnight library access, and/or using our electronic services, you may choose or be asked to provide your name, DuckID/e-mail address and password (although the Libraries has no way to review the password), university/library account number, phone number, or home address. Individuals may also choose to waive the right to keep their circulation records confidential. For example, other patrons may ask who has an item checked out and if confidentiality has been waived, the Libraries will release only the name of the patron with the item checked out. (The confidentiality waiver is available at loan desks.)
3. Access by Users
Individuals who use library services that require the use of personally identifiable information are entitled to view and update their information. You may view your personal information online or in person and request that it be updated if it is not correct. (For some services, corrections are made at the campus level if you are a UO affiliate.) You may be asked to provide verification of your identity during these instances. The purpose of accessing and updating your personally identifiable information is to ensure that library operations can function properly. Such functions may include notification of overdue items, recalls, reminders, etc. The Libraries will explain the process of accessing or updating your information so that all personally identifiable information is accurate and up to date.
4. Data Integrity & Security
Data Integrity: The data we collect and maintain at the Libraries must be accurate and secure. We take reasonable steps to assure data integrity, including using only reputable sources of data, providing our users access to their own personally identifiable data, and updating data whenever possible.
Data Retention: We protect personally identifiable information from unauthorized disclosure once it is no longer needed to manage library services. Information that should be purged or shredded at regular intervals designated by the Libraries includes personally identifiable information from reference interviews and instruction sessions, and circulation history regarding materials in our library collections. The Libraries retain confidential transcripts from virtual reference sessions, but the majority of those sessions involve anonymous users.
Tracking Users: In order to obtain premium access, we ask affiliated library visitors or Web site users to identify themselves by logging into our systems, and to reveal personal information if they wish to borrow materials, request special services, register for programs or classes, or make remote use of those portions of the Libraries’ Web site restricted to registered borrowers under license agreements or other special arrangements. Additionally, some library e-resource vendors may require users to create accounts to use their sites, but these accounts are not under the Libraries’ control. However, we regularly remove cookies, Web history, cached files, or other computer and Internet use records and other software code placed by users on our library computers.
Cookies: Users of networked computers will need to enable cookies in order to access a number of resources available through the Libraries. A cookie is a small file sent to the browser by a Web site each time that site is visited. Cookies are stored on the user’s computer and can potentially transmit personal information. Cookies are often used to remember information about preferences and pages visited. You can refuse to accept cookies, can disable cookies, and remove cookies from your hard drive. Our library servers use cookies solely to verify that a person is an authorized user in order to allow access to licensed library resources. We will not share cookies information with external third parties. Some library vendors may use cookies for their sites, but these cookies are not under the Libraries’ control.
Security Measures: Our security measures involve managerial and technical policies and procedures, and contractual agreements with system vendors, to protect against loss and the unauthorized access, destruction, use, or disclosure of user data. Our technical security measures to prevent unauthorized access include encryption in the transmission of data where possible, and storage of data on secure servers or computers.
Confidentiality and Staff Access to Personal Data: We will not disclose any personal data we collect from you during reference interviews, instruction sessions, or other activities to any other non-library party except where required by law, established institutional policy, system-related needs (i.e., third-party library service providers who have contractually agreed to maintain user confidentiality), or to fulfill the individual user’s service request. We permit only authorized library staff with assigned confidential passwords to access personal data stored in the Libraries’ computer systems for the purpose of performing library work. The Libraries do not sell or lease users’ personal information to companies, universities, or individuals.
5. Enforcement & Redress
The Libraries will not share data on individuals with external third parties, unless required by law or by way of formal contracts with third-party library system vendors who have agreed to maintain user confidentiality. Library users who have questions, concerns, or complaints about the Libraries’ handling of their privacy and confidentiality rights may file written comments with Library Administration. The Dean of Libraries will respond in a timely manner and may conduct a privacy investigation or review of policies and procedures. Only the Dean of Libraries and/or her/his designees are authorized to receive or comply with requests from law enforcement officers, as noted in formal policies and procedures. We will not make library records available to any agency of state, federal, or local government unless a subpoena, warrant, court order, or other investigatory document is issued by a court of competent jurisdiction and is in proper form. We have trained all library staff and volunteers to refer any law enforcement inquiries to library administrators and managers. In order to ensure that our library programs and services are enforcing this privacy policy, we conduct regular privacy audits of our systems and services protocols. (This highlighted section was added to address a comment made by a ULC member regarding enforcement and training relative to the new policy.)
6. Security Cameras
The UO Libraries operates security cameras for the purpose of creating a safer environment for all those who live, work, and visit campus. Use of security cameras enhances existing security measures, deters crime, and functions to protect personal safety and valuable materials and equipment. For more information about the use of security cameras and access to recorded images in the UO Libraries, please see the separate policy on this topic [URL pending].
7. Records Management
The Libraries manage a significant portion of the University’s non-permanent and permanent administrative records. For these functions, we adhere to the University’s Records Retention Schedule and established information security policies, along with the Association of Records Management and Administration’s Code of Professional Responsibility (http://www.arma.org/r2/who-we-are/code-of-professional-responsibility)
8. University Archives and Special Collections
The Libraries manage the University Archives which contains permanent historical records about the University, and Special Collections materials. In the context of managing and providing access to these materials, we adhere to the Society of American Archivists’ Core Values Statement and Code of Ethics for Archivists (http://www2.archivists.org/statements/saa-core-values-statement-and-code-of-ethics). The Libraries’ Special Collections and University Archives (SCUA) unit maintains a separate database and reference file that contain user-registration information, but this information is confidential and will not be shared with external third parties, except in specific, rare law-enforcement situations noted in Section 5.
9. Learning Management System
The Libraries manage the University’s learning management system and other enterprise educational technologies and systems. Policies governing these services and their usage include but may not be limited to:
Student Records Privacy Policy for Students (http://registrar.uoregon.edu/records-privacy)
UO Acceptable Use of Computing Resources Policy (https://it.uoregon.edu/acceptable-use-policy)
Use of Email for Official University Communication Policy (http://policies.uoregon.edu/policy/by/1/01-administration-and-governance/e-mail-use-official-university-communication)
Guidelines for Official Mass Email, and the Information Security Program (http://policies.uoregon.edu/policy/by/1/01-administration-and-governance/email-guidelines-official-mass-email)
These policies are accessible via the UO IT Web site (https://it.uoregon.edu/acceptable-use-policy) and the University of Oregon policy library (http://policies.uoregon.edu/).
10. Violations of Policies and Laws Prohibited and Not Protected
Users must comply with established institutional policies and with the law while using the Libraries’ resources and services. Nothing in this statement prevents the Libraries from exercising its right to enforce established rules or policies; protect its facilities, network and equipment from harm; or prevent the use of the Libraries’ facilities and equipment for illegal purposes. When a violation of law or established policy is suspected, the Libraries reserves the right to electronically monitor its public computers and network, and/or reveal a user’s identity to institutional authorities and/or law enforcement. Staff members are authorized to take immediate action to protect the security of library users, staff, collections, data, facilities, computers, and the network.
Note: This policy has been adapted from the ALA Library Privacy Policy model,
http://www.ala.org/advocacy/privacyconfidentiality/toolkitsprivacy/libraryprivacy, and has been reviewed March 2015 by the ALA Office of Intellectual Freedom, in order to determine adherence to foundational library privacy principles.