Library services privacy notice

  • Last updated:
  • University Library Service
  • Tel: +44 (0)29 2087 4818
  • Email:

This notice sets out how the University Library Service deals with personal information of people who:

  • join the University Library Service as a Community member
  • use our Walk in Access to Electronic Resources service.

Identity and contact details of the Data Controller

As a Data Controller, Cardiff University is legally responsible for processing your personal data in accordance with Data Protection legislation. This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.

The University is registered as a Data Controller with the Information Commissioner's Office (ICO) to process personal data. Reg no Z6549747.

What personal information do we collect about you?

The following information is currently collected if you join the library as a Community member:

  • your name, address and contact details, including email address and telephone number
  • your home institution or organisation (if applicable)
  • information relating to your borrowing history and any charges paid/owing
  • ID photograph*

The following information is currently collected if you use the Walk in Access to Electronic Resources service:

  • your name, address and contact details, including email address and telephone number
  • your home institution or organisation (if applicable)
  • information relating to your use of the service

*Your photograph will be used, where necessary, for the purposes of identifying you in the course of the University’s legitimate business, and will appear on your University ID card. Appropriate provision will be made for those wishing to cover their face for religious reasons.

There are a number of legal ways in which we can process your data; the most relevant include:

(1) When you join the library or use the Walk in Access to Electronic Resources service, we will be required to collect, store, use and otherwise process information about you for any purposes deemed necessary for the purpose of entering into or for the performance of your contractual agreement with the University. See UK GDPR Article 6(1)(b).

(2)  If we intend using your details for marketing purposes, sending newsletters or information about our services, the University will obtain consent from you. See UK GDPR Article 6(1)(a).

(3) Processing of your personal data may also be necessary for the pursuit of our legitimate interests or a third party’s legitimate interests, but only where the processing does not fall within our core public function, is not unwarranted and will not cause a prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. See UK GDPR Article 6(1)(f).

(4)  Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.

For what purposes will your information be used?

  • to administer your library account (1)
  • to provide you with alerts about your library account (e.g. requests that are ready for collection, reminders to return items you have borrowed, account summary information) (1, 3)
  • to send you renewal information when your account is due to expire (3)
  • to analyse usage of library resources (3)
  • to comply with our licence agreements with electronic resource publishers/suppliers (4)

Who will have access to your data?

Employees within the University will have access to your data if they need to do so to perform their roles within the University. Only members of staff who need access to relevant personal data will be authorised.

Any disclosures that the University makes will be in accordance with Data Protection legislation and your interests will always be considered.

How long will your information be held?

Cardiff University will retain your personal information in line with the University Records Management Policy and Records Retention Schedules, specifically Resource management (Information resources management records retention schedule).

Security of your information

Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Information about you in electronic form will be subject to password and other security restrictions, while paper files will be stored in secure areas with controlled access. You can find out more by referring to the University Information Security Policies.

Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with data protection legislation.

Your rights

Further information on your rights can be found on the University website.

Under Data Protection legislation you have a qualified right to a copy of your personal data held by the University. Any request for such a copy should be made to the Data Protection Officer under a Subject Access Request.

If we are relying on your consent to receive marketing information, you have the right to withdraw this consent at any time. If you wish to withdraw your consent, you should be able to do so by unsubscribing from emails via the link included in the last email you received or by contacting the department of the University that contacted you directly.

How to raise a concern or complaint

If you still have queries or concerns, or wish to raise a complaint, details of how you can contact the University data protection officer and Information Commissioner’s Office are available on our data protection page.