Collection, Use, and Disclosure of Electronic Information
(last rev. September 22, 2008)
Freedom of speech and privacy are essential in maintaining and upholding academic freedom. The UC Berkeley Library respects and upholds the privacy of transactions and communications, whether electronic, paper, telephone, or face-to-face.
Access to personally identifiable information1 is restricted to Library staff who need it to conduct Library business2. Personally identifiable information is never used for commercial purposes and is never revealed to a third party except as required and authorized by policy or law. The Library is supported in these practices by national, state and local laws, as well as by University policies.
Except as required by law, users of Library systems and services are informed whenever personally identifiable information other than transactional information will be collected and stored automatically by the system or service. The Library retains personally identifiable information only so long as it is required for operational purposes.
The Library does not routinely inspect, monitor, or disclose records of electronic transactions for other than Library business purposes. The Library adheres to the University policy (Business and Finance Bulletin RMP-8) that prohibits University employees and others from "seeking out, using, or disclosing" personally identifiable information without authorization, and requires employees to take necessary precautions to protect the confidentiality of personally identifiable information encountered in the performance of their duties or otherwise.
Library Web Site
In the course of providing you with Web-based services, The Library collects and stores certain information automatically through our Web site. We use this information on an aggregate basis to maintain, enhance or add functionality to our Web-based services. It includes:
- your Internet location (IP address)
- which pages on our site you visit
- the URL of the Web page from which you came to our site
- which software you use to visit our site and its configuration
This type of data is not personally identifiable.
The Library's web site links to Internet sites and services outside the administrative domain of the library. The UCB library does not govern the privacy practices of these external sites. Users should read the privacy statements at these sites to determine their practices. When the Library contracts with vendors for access to online content, every attempt is made to include user information protections in the license agreement.
A "cookie" is information stored on your workstation by a Web server and used to customize your interaction with the Web. Some cookies last only for the duration of the session, while others are persistent and reside on a computer's hard drive until the user deletes them or the computer is refreshed. As a matter of policy, cookies are erased from UC Berkeley Library public computers at the beginning of each day.
Accessing personally identifiable information for other than Library business purposes
The Library shall only permit the inspection, monitoring, or disclosure of personally identifiable information for other than Library business purposes: (i) when required by and consistent with law, University policy, or campus policy; (ii) when there is substantiated reason to believe3 that violations of law or of University, campus, or Library policies have taken place; or (iii) when failure to act might result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies, or significant liability to the Library, University, or members of the University community.
When under the circumstances described above personally identifiable information must be inspected, monitored, or disclosed, the following shall apply:
- Authorization. Except in emergency circumstances, such actions must be authorized in advance and in writing by the University Librarian, or by an Assistant/Associate University Librarian or Director designated by the University Librarian. Authorization shall be limited to the least perusal of content and the least action necessary to resolve the situation.
- Emergency Circumstances. In emergency circumstances -- circumstances in which delay might precipitate harm, loss, or liability as described in (iii) above -- any Leadership Team member may approve the least perusal of content and the least action necessary to resolve the emergency, immediately and without prior written authorization, but appropriate authorization must then be sought without delay.
- Compliance with Law. Actions taken shall be in full compliance with the law and other applicable University and campus policies. In particular, actions taken in regard to electronic communications, including e-mail, shall comply with the provisions of the University of California Electronic Communications Policy.
- Public Records. Records pertaining to the business of the Library, whether or not created or recorded on Library equipment, are University records subject to disclosure under the California Public Records Act, other laws, or as a result of litigation.
- Possession of University Records. Library employees are expected to comply with requests, properly vetted through University policies and procedures, for copies of records in their possession that pertain to the business of the University, or whose disclosure is required to comply with applicable laws, regardless of whether such records reside on University electronic communications resources.
- Unavoidable Inspection. During the performance of their duties, personnel who operate and support electronic communications resources periodically need to monitor transmissions or observe certain transactional information to ensure the proper functioning and security of Library systems and services. On these and other occasions, systems personnel might observe personally identifiable information. Except as provided elsewhere in this Policy or by law, they are not permitted to seek out such information where not germane to the foregoing purposes, or disclose or otherwise use what they have observed.
Such unavoidable inspection of personally identifiable information is limited to the least invasive degree of inspection required to perform such duties. This exception does not exempt systems personnel from the prohibition against disclosure of personal and confidential information.
Except as provided above, systems personnel shall not intentionally search electronic records or transactional information for violations of law or policy. However, as required by Business and Finance Bulletin G-29, Procedures for Investigating Misuse of University Resources, they shall report violations discovered inadvertently in the course of their duties.
- Back-up Services. Operators of Library electronic systems shall provide information about back-up procedures to users of those systems upon request.
1 Personally identifiable information is any information that can be directly or indirectly associated with a known individual. For example, all information contained in personnel, patron, and circulation files is personally identifiable.
2 Library business refers to activities involved in the provision, maintenance, and management of the Library's systems and services to its patrons and staff. Circulating books and journals, enforcing Library contracts, and troubleshooting problems with the Library's e-mail system are all examples of Library business. Trying to discover who used a Library workstation to issue a harassing message would typically not be Library business, however.
3 Substantiated reason to believe requires reliable evidence, as distinguished from suspicion, rumor, gossip, or other unreliable evidence.