It is the policy of University of California, San Francisco (UCSF) Library that the privacy of all users will be respected and protected in compliance with federal and state laws and University of California and UCSF policies and procedures. To the extent possible the UCSF Library also conforms to relevant professional standards, as enumerated, for example, by the American Library Association and the Medical Library Association.
The UCSF Library occasionally collects information from and about users and their interactions with UCSF Library services. The UCSF Library’s policy for personally identifiable information (PII) [1] is to: a) minimize its collection; b) discard or anonymize it as soon as is practical; c) secure and protect any personally identifiable information that is collected or retained; d) prohibit its use for commercial purposes; and e) advocate for, but not guarantee, similar protection by vendors and partners to whose services and content we may direct users.
The UCSF Library discloses personally identifiable information when required by search warrant or subpoena or if there is a substantiated reason to believe that violations of law or of University policies have taken place [2]; or when failure to act might result in significant bodily harm or significant property loss. All personally identifiable information connected to an individual’s use of UCSF Library services is considered confidential. This information includes, but is not limited to, address and other registration information, informational questions asked, and searches, displays, and downloads of content managed by the UCSF Library. This information, however, may be consulted and used by UCSF staff in the course of carrying out UCSF Library business.
The UCSF Library examines and may disclose various forms of non-personally identifiable information (e.g. aggregated usage statistics) when there is a business reason or agreement to do so.
This policy applies to all services offered by the UCSF Library. It may be reviewed and revised from time to time (in which case former versions will be made available). Contact the UCSF Library if you have any questions about the policy and the practices that support it.
Baseline supporting practices
The following practices in support of the UCSF Library’s privacy policy apply to all services directly managed and operated by the UCSF Library, except when noted in the privacy policy for that service (typically available from the service’s home page).
- Limiting Access. Access to personally identifiable information is restricted to UCSF staff who need it to conduct UCSF Library business [3]. University policy (Business and Finance Bulletin RMP-8) prohibits University employees and others from “seeking out, using, or disclosing” personally identifiable information without authorization, and requires employees to take necessary precautions to protect the confidentiality of personally identifiable information encountered in the performance of their duties or otherwise.
- Permitted access. When personally identifiable information must be inspected, monitored, or disclosed by court order, subpoena, or University policy, the following shall apply:
  - Authorization. Except in emergency circumstances, such actions must be authorized in advance and in writing by the University Librarian, or by a member of the Library Leadership Team designated by the University Librarian. Authorization shall be limited to the least perusal of content and the least action necessary to resolve the situation.
  - Emergency Circumstances. In emergency circumstances – circumstances in which failure to act might precipitate harm, loss, or liability – any member of the Library Leadership Team may approve the least perusal of content and the least action necessary to resolve the emergency, immediately and without prior written authorization, but appropriate authorization must then be sought without delay.
  - Compliance with Law. Actions taken shall be in full compliance with the law and other applicable University and campus policies. In particular, actions taken in regard to electronic communications, including e-mail, shall comply with the provisions of the University of California Electronic Communications Policy.
- Informing users. Except as required by law, users of UCSF Library systems and services are informed whenever personally identifiable information other than transactional information will be collected and stored automatically by the system or service.
- Retention. The UCSF Library retains personally identifiable information only so long as it is required for operational purposes. Where possible, PII is discarded or anonymized within 60 days of collection.
- Securing systems. The UCSF Library implements and follows industry standard electronic security measures to secure the systems through which information is collected or stored. Security protections, and all other elements of the UCSF Library’s policy, extend to data copies and backups implemented for business continuity.
- Other information. In the course of providing users with web-based services, the UCSF Library routinely collects and stores certain information which is generally not considered “personally identifiable.” We use this information on an aggregate basis to maintain, enhance or add functionality to our web-based services. It includes:
  - the user’s Internet location, aka IP address (which, depending upon network configuration and practices, may or may not indicate a specific machine regularly used; as a precaution the UCSF Library anonymizes the machine-specific portion of the address per items #4 and #8 of this policy)
  - which pages on our site the user visits
  - the URL of the web page from which the user came to our site
  - which software is used to visit our site and its configuration
- Google Analytics and other analysis tools. The UCSF Library primarily uses Google Analytics to capture and analyze web statistics. Google Analytics is a cookie-based [4] analytics program that uses cookies to track website activity. Google Analytics typically collects, at least temporarily, the following information: Network Location; Hostname; web pages requested; referring web page; browser used; screen resolution; date and time. No personal information is stored within cookies. Cookies can be disabled within a browser’s preference or option menu. The UCSF Library’s use of Google Analytics includes a standing request that Google anonymize the machine-specific portion of the user’s address and that Google cannot share usage data with anyone other than the UCSF Library. In cases where the UCSF Library uses other locally-operated or outsourced web analysis tools, the UCSF Library follows equivalent practice. For more information about Google Analytics, see the Google Privacy Center – Privacy Policy. You may choose to opt out of having your website activity tracked by Google Analytics. To do so, visit the Google Analytics opt-out page and install the add-on for your browser.
- Privacy practice audits. No less frequently than every two years the UCSF Library examines and records the types of PII and usage information that it collects and confirms its compliance with its privacy policy and supporting practices. Results of these audits are available upon request.
Privacy protection limits
- End-user responsibility. Protecting privacy is a shared responsibility. When UCSF Library services require user identifiers and passwords, it is the user’s responsibility to use them responsibly, within the policies under which they were issued, and to protect them from misuse by others. Users should not share passwords with any third parties. If a user’s password has been compromised for any reason, it should be changed immediately.
- Referrals to external sites. UCSF Library’s web services may link to Internet sites and services outside the administrative domain of the library. The UCSF Library does not govern the privacy practices of these external sites. Users should read the privacy statements at these sites to determine their practices. When the UCSF Library contracts with vendors for access to online content, every attempt is made to include user information protections in the license agreement.
- Public Records. Records pertaining to the business of the UCSF Library, whether or not created or recorded on UCSF Library equipment, are University records subject to disclosure under the California Public Records Act, other laws, or as a result of litigation.
- Possession of University Records. UCSF Library employees are expected to comply with requests, properly vetted through University policies and procedures, for copies of records in their possession that pertain to the business of the University, or whose disclosure is required to comply with applicable laws, regardless of whether such records reside on University electronic communications resources.
- Unavoidable Inspection. During the performance of their duties, personnel who operate and support the UCSF Library’s IT infrastructure periodically need to monitor transmissions or observe certain transactional information to ensure the proper functioning and security of UCSF Library systems and services. On these and other occasions, systems personnel might observe personally identifiable information. Except as provided elsewhere in this Policy or by law, they are not permitted to seek out such information where not germane to the foregoing purposes or disclose or otherwise use what they have observed. Such unavoidable inspection of personally identifiable information is limited to the least invasive degree of inspection required to perform such duties. This exception does not exempt systems personnel from the prohibition against disclosure of personal and confidential information. Except as provided above, systems personnel shall not intentionally search electronic records or transactional information for violations of law or policy. However, as required by the University’s Whistleblower Policy they shall report violations discovered inadvertently in the course of their duties.
** We acknowledge and thank the California Digital Library, UC Berkeley Library, and other UC-based privacy statements from which we borrowed inspiration and wording.
[1] Personally identifiable information (PII) is any information that can be directly or indirectly associated with a known individual. Other types of information that the UCSF Library does collect are enumerated in the “Supporting Practices” section of the UCSF Library’s privacy policy.
[2] A substantiated reason to believe requires reliable evidence, as distinguished from suspicion, rumor, gossip, or other unreliable evidence.
[3] “UCSF Library business” refers to activities involved in the provision, maintenance, and management of UCSF Library systems and services provided to its patrons and staff. Troubleshooting user interfaces, making usage-based design decisions, and diagnosing problems with underlying technology infrastructure are all examples of UCSF Library business.
[4] A “cookie” is information stored on a workstation by a web server and used to customize a user’s interaction with the web. Some cookies last only for the duration of the session, while others are persistent and reside on a computer’s hard drive until the user deletes them or the computer is refreshed.