The SUNY Cortland Library is committed to protecting the privacy of its users. Our policies conform to the Code of Ethics of the American Library Association, which states: “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired, or transmitted.” Memorial Library does gather data about system and resource use for administrative purposes, however we do not track personal information unless users elect to provide that information; for example by submitting a question, requesting an item, registering for a service, etc. SUNY Cortland will not release personal information gathered or collected by the Library except to the extent required by law. For the purposes of this policy, personal information is defined under New York State Technology Law as “any information concerning a natural person which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person.”
Notice & Openness
We affirm that our library users have the right of "notice"—to be informed about the policies governing the amount and retention of personally identifiable information, and about why that information is necessary for the provision of library services.
We post publicly and acknowledge openly the privacy and information-gathering policies of this library. Whenever policies change, notice of those changes is disseminated widely to our users.
In all cases we avoid creating unnecessary records, we avoid retaining records not needed for the fulfillment of the mission of the library, and we do not engage in practices that might place information on public view.
Information we may gather and retain about current and valid library users include the following:
Information Collected Automatically
SUNY Cortland Library information systems gather and store certain information automatically when users browse the library web site, read pages, use the library's electronic resources, or download information. We use this information to track site and resource usage, monitor site performance, and generate aggregate statistics. We do not track or record information about individuals. Examples of information collected include:
Internet domain (.edu for educational accounts, .com for commercial accounts) and the IP address;
- Type of browser and operating system used;
- Date and time of access;
- Pages visited;
- Referring URL, if applicable;
- User status (faculty, staff, or student), if applicable; and
- User departmental affiliation
Information Provided Voluntarily
Collection Development and Resource Management
Purchase, transfer, and related collection management requests linked to individual users or groups of users (e.g. the Art Department) are deemed confidential reader information and not shared outside the Library. Within the Libraries, user names are temporarily attached to internal records and shared among relevant staff to facilitate notification of Library actions and follow-through.
Contracts and Licenses for Information Resources
Library Surveys/Assessment Projects
Information and data obtained by the Library or its units through surveys (group or individual interviews or other means) in support of assessment of services, collections, facilities, resources, etc., or in support of research related to library and information services, are considered confidential and will not be shared except in aggregations, to protect the privacy of individual participants.
Reference and research consultation services are confidential and information about individuals using these services will not be shared outside the Libraries. Library staff will not reveal the identity of library users, the nature of their inquiries, nor the information or sources they consult. Data about reference or research consultations may be recorded for management or assessment purposes only.
ALEPH Patron Information
ALEPH, SUNY Cortland's online system, stores personal information in patron records. This information is received directly from the ID system and includes personal name, address (permanent, temporary, email), telephone number, Cortland ID number, items currently checked out, fines/fees owed, and a history of fines/fees paid. Patron records are not deleted from the system and remain in online storage regardless of whether the individual represented has ceased to be affiliated with the University.
It is the policy of the Libraries that the privacy of all borrowers of library materials shall be respected. The Libraries will not reveal the names of individual borrowers nor reveal what books are, or have been, charged to any individual.
ILLIAD Patron Information
ILLiad, the library's online interlibrary loan system, stores personal information in patron records . This information is provided by library patrons when they set up an ILLiad account. It includes personal name, address (permanent, email), telephone number, department, Cortland ID number, current interlibrary loan requests, items currently checked out, fines/fees owed, a history of fines/fees paid. Patron records are not deleted from the system and remain in online storage regardless of whether the individual represented has ceased to be affiliated with the University.
Requestors of interlibrary loan and document delivery services receive the same protection in terms of confidentiality of their requests. In some cases, information about requests is shared with other library staff for collection development purposes; it remains confidential within the library.
Choice & Consent
This policy explains our information practices and the choices you can make about the way the library collects and uses your information. We will not collect or retain your private and personally identifiable information without your consent. Further, if you consent to give us your personally identifiable information, we will keep it confidential and will not sell, license or disclose personal information to any third party without your consent, unless we are compelled to do so under the law or to comply with a court order.
In order for current SUNY Cortland students, faculty, and staff to 'do business' with the Library -- that is, check out materials, request materials, access off-campus resources via the proxy server, etc. -- the Library maintains personal information about users in a variety of databases, including ALEPH, and ILLiad. The Library uses the information in these patron records only to interact with and provide service to library patrons. When visiting our library's Web site and using our electronic services, you may choose to provide your name, e-mail address, Cortland ID number, library card barcode, phone number or home address.
If you are affiliated with our university, the library automatically receives personally identifiable information to create and update your library account from the Registrar's Office (for students) or Human Resources (for employees).
You have the option of providing us with your e-mail address for the purpose of notifying you about your library account. You may request that we remove your e-mail address from your record at any time.
We never use or share the personally identifiable information provided to us online in ways unrelated to the ones described above without also providing you an opportunity to prohibit such unrelated uses, unless we are compelled to do so under the law or to comply with a court order.
Access by Users
Individuals who use library services that require the function and process of personally identifiable information are entitled to view and/or update their information. You may either view or update your personal information online or in person. In both instances, you may be asked to provide some sort of verification such as a pin number or identification card to ensure verification of identity.
The purpose of accessing and updating your personally identifiable information is to ensure that library operations can function properly. Such functions may include notification of overdue items, recalls, reminders, etc. The library will explain the process of accessing or updating your information so that all personally identifiable information is accurate and up to date.
Data Integrity & Security
Data Integrity: The data we collect and maintain at the library must be accurate and secure. We take reasonable steps to assure data integrity, including: using only reputable sources of data; providing our users access to your own personally identifiable data; updating data whenever possible; utilizing middleware authentication systems that authorize use without requiring personally identifiable information; destroying untimely data or converting it to anonymous form.
Data Retention: We protect personally identifiable information from unauthorized disclosure once it is no longer needed to manage library services. Information that should be regularly purged or shredded includes personally identifiable information on library resource use, material circulation history, and interlibrary loan history. Information concerning a patron's borrowing patterns (items checked out from the collection; and borrowed via inter-library loan) are de-linked from individual item records and from the patron record after thirty days.
Tracking Users: We remove links between patron records and materials borrowed when items are returned and we delete records as soon as the original purpose for data collection has been satisfied. We permit in-house access to information in all formats without creating a data trail. Our library has invested in appropriate technology to protect the security of any personally identifiable information while it is in the library's custody, and we ensure that aggregate, summary data is stripped of personally identifiable information. We do not ask library visitors or Web site users to identify themselves or reveal any personal information unless they are borrowing materials, requesting special services such as email reference or interlibrary loan, or making remote use from outside the library of those portions of the Library's Web site restricted to registered borrowers under license agreements or other special arrangements. We discourage users from choosing passwords or PINs that could reveal their identity, including social security numbers. We regularly remove cookies, Web history, cached files, or other computer and Internet use records and other software code that is placed on our computers or networks.
Third Party Security: We ensure that our library's contracts, licenses, and offsite computer service arrangements reflect our policies and legal obligations concerning user privacy and confidentiality. Should a third party require access to our users' personally identifiable information, our agreements address appropriate restrictions on the use, aggregation, dissemination, and sale of that information, particularly information about minors. In circumstances in which there is a risk that personally identifiable information may be disclosed, we will warn our users. When connecting to licensed databases outside the library, we release only information that authenticates users as "members of our community." Nevertheless, we advise users of the limits to library privacy protection when accessing remote sites
Security Measures: Our security measures involve both managerial and technical policies and procedures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. Our managerial measures include internal organizational procedures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Our technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and storage of data on secure servers or computers that are inaccessible from a modem or network connection.
Staff access to personal data: We permit only authorized Library staff with assigned confidential passwords to access personal data stored in the Library's computer system for the purpose of performing library work. We will not disclose any personal data we collect from you to any other party except where required by law or to fulfill an individual user's service request. The Library does not sell or lease users' personal information to companies, universities, or individuals.
Enforcement & Redress
We authorize only the Library Director to receive or comply with requests from law enforcement officers; we confer with our legal counsel before determining the proper response. We will not make library records available to any agency of state, federal, or local government unless a subpoena, warrant, court order or other investigatory document is issued by a court of competent jurisdiction that shows good cause and is in proper form. We have trained all library staff and volunteers to refer any law enforcement inquiries to library administrators.