This notice sets out how UCL Library Services collects and uses the personal data of its external users, and why.
UCL Library Services (“we” “us”, or “our”) respects your privacy and is committed to protecting your personal data.
Please read this Privacy Notice carefully – it describes why and how we collect and use personal data and provides information about your rights. It applies to personal data provided to us, both by individuals themselves or by third parties and supplements the following wider UCL privacy notice(s):
- General privacy notice when you visit UCL’s website.
- Student privacy notice.
- Staff privacy notice.
- Research participants for health and care purposes privacy notice.
We keep this Privacy Notice under regular review. It was last updated October 2021.
2. About us
UCL Library Services supports learning, teaching and research at University College London (UCL) and consists of 16 libraries and learning spaces located across London, covering a wide range of specialist subjects.
UCL, a company incorporated by Royal Charter (number RC 000631), is the entity that determines how and why your personal data is processed. This means that UCL is the ‘controller’ of your personal data for the purposes of data protection law.
3. Personal data that we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you through automatic data feeds through UCL systems, online forms and email as well as in person at information points and issue desks. The personal data which we gather may include:
- Postal address.
- Email address.
- Phone number.
- Written signature.
- UCL username.
- Library number.
- UCL department or departmental affiliation.
- Access information in relation to disability.
- Library usage history, such as items borrowed and requested, room or laptop bookings.
- Responses to feedback requests.
For NHS staff, we may also collect your job title.
For SCONUL Access members, we will also collect your:
- Level of study.
- Home institution card number.
- Mode of study (full or part time).
4. How we use your personal data
Data Protection Legislation requires that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a "lawful basis" for the processing. The basis for processing will be as follows:
- Public task. The processing of your personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
- Legitimate interests. The processing of your personal data may be necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or by fundamental rights and freedoms which require protection of personal data.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances (with associated legal basis in brackets):
- To register you as a client and to manage our relationship with you (public task).
- To provide you with access to our buildings (necessary for our legitimate interests - to allow us to provide our services to you).
- To provide our services, such as borrowing and requesting items, or booking rooms or laptops (public task).
- To provide you with access to e-books, electronic journals and databases (public task).
- To respond to your enquiries (public task)To manage reading lists (public task).
- To manage the deposit of publications required by open access policies of UCL or funders (necessary for our legitimate interests - to ensure we are correctly managing publications that are deposited).
- For the improvement of our services, including collecting statistics (necessary for our legitimate interests - to study how you use our products/services, to develop them, to grow our organisation and to inform our marketing strategy).
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may also use anonymised data, meaning data from which you cannot be identified, for the purposes of:
- Service evaluation;
- Education and research; or
- Fundraising and promotional purposes.
Anonymised data may also be used in published reports or journals and at conferences.
5. Who we share your personal data with
Your personal data will be collected and processed primarily by our staff and UCL (access to your personal information is limited to staff who have a legitimate need to see it for the purpose of carrying out their job at UCL.). We may have to share your personal data with the parties set out below for the purposes outlined in section 4.
All users must comply with the Library Regulations. If you breach the Regulations, we may share your data with your UCL department, the UCL Alumni office, or your institution.
If we need to issue you with an invoice, we will share your data with the UCL Finance Division.
We routinely share personal data with Ex Libris Group, which supplies and hosts our library management system. Their Privacy Notice can be found online.
When using our electronic library services hosted by third party suppliers (including database lists, study space bookings and IOE LibGuides/LibAnswers), your IP address will be shared with them, and any personal data you may submit as part of the service.
6. International transfers
Sometimes our third party providers are based outside of the UK - this may involve transfers of personal data outside of the UK. Whenever we do this, to ensure that your personal data is treated by those third parties securely and in a way that is consistent with UK data protection law, we require such third parties to agree to put in place safeguards. This may include specific contracts approved for use in the UK which give personal data the same protection it has in the UK or other equivalent measures as required.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
7. Information security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will keep your personal data according to the Records Retention Schedule.
9. Your rights
Under certain circumstances, you may have the following rights under data protection legislation in relation to your personal data:
- Right to request access to your personal data;
- Right to request correction of your personal data;
- Right to request erasure of your personal data;
- Right to object to processing of your personal data;
- Right to request restriction of the processing your personal data;
- Right to request the transfer of your personal data;
- Right to ask us not to use information about you in a way that allows computers to make decisions about you; and
- Right to withdraw consent.
If you wish to exercise any of these rights, please contact the Data Protection Officer.
Further information on these rights can be found within the wider UCL privacy notices listed above.
UCL has a Data Protection Officer. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact the Data Protection Officer at firstname.lastname@example.org, or by post:
Data Protection & Freedom of Information Officer
University College London
You can also contact UCL by telephone: +44 (0)20 7679 2000.
If you wish to complain about our use of personal data, please send an email with the details of your complaint to the Data Protection Officer so that we can look into the issue and respond to you.
You also have the right to lodge a complaint with the UK data protection regulator, the Information Commissioner's Office (ICO). For further information on your rights and how to complain to the ICO, please refer to the ICO website.