To articulate Libraries’ policy and practice regarding patron (users) records management and retention.
It is the policy of the Pennsylvania State University Libraries that the privacy of all users, including employees, shall be respected in compliance with federal and state laws and professional standards of confidentiality. We maintain strict client confidentiality and will not reveal the identities of individual users or information related to their personal transactions to any non-Libraries' staff, individual, or entity without a court order or a valid subpoena, except under appropriate federal law. Additionally, it is the Libraries' policy that patron records containing personal information will be disposed of once the need for their original creation has ended, unless it is for archival purposes in compliance with the policies of the University, and state and federal law. This policy applies to personal business records and to the retention periods for those records. It applies to all records of patron transactions with the University Libraries regardless of their format, means of delivery, or location as well as to all records management services offered by the Libraries. This policy is intended to be supplemental to Policy UL-AD08 Confidentiality and Privacy of Patron Library Records.
The records of patron transactions with the University Libraries, regardless of their format, have a life span or life cycle in which they eventually become inactive or no longer support their original business or administrative purpose. Retention periods are extended beyond that expiration only to comply with minimum legal requirements or standard business practices of the University and University Libraries. Retention beyond the recommended time periods for disposal of inactive patron records requires justification and will be at the discretion of the Libraries' administration. This University Libraries' policy complies with the minimum standards set by University Policies AD35: University Archives and Records Management, and AD11: University Policy on Confidentiality of Student Records, and the General University Reference Utility (GURU) Appendices, General Retention Schedule (staff only) and Financial Document Retention Schedule: University Auditing Department Requirements (staff only), respectively.
Users' personal information associated with individual item circulation records is maintained in system history logs for the duration of the current retention period; no longer than three years. At the start of the fourth year the oldest data is purged from the system. Effective November 2014, circulation data related to past checkouts will be made available upon request of the account holder to only the account holder by library staff with access to the “User Charge History” feature in the circulation module.
All patron financial records such as, but not limited to, bills, fines, fees, credits, etc., will be maintained as long as the transaction is active, that is as long as the account is "open" substantiated by unpaid fees or unresolved claims and regardless of whether the patron is currently a registered borrower with the Libraries. Records of closed/paid accounts will be retained, without personal patron data or links to personal data if possible, for two years after the account is closed for auditing purposes. That is, after an account is closed, the records are retained for the current year plus one year. See: AD35: University Archives and Records Management, AD 11: University Policy on Confidentiality of Student Records, and the General University Reference Utility (GURU) Appendix, Financial Document Retention Schedule University Auditing Department Requirements, sec. C, Student Accounts Receivable (staff only).
All user files and logs of user transactions on the University and Libraries' computer systems are held to be confidential and will be kept as private as possible. [See: Policy UL-AD08 Confidentiality and Privacy of Patron Library Records] Logs of patron computer use such as, but not limited to, electronic mail, reference interactions, interlibrary loan transactions, databases consulted, Internet sites visited, etc., are covered by this policy. Disposition of computer use logs will occur at the end of each calendar year after a retention period of one year.
Any request for patron information that Libraries' staff may receive from a law enforcement official should be referred directly to the Dean's office immediately. All staff must follow the procedures contained in Guideline UL-ADG04 Staff Guidelines on Protecting the Confidentiality and Privacy of Patron Library Records. This applies to all requests for information regarding our library users as well as an individual's library records, etc. This applies to all locations and all hours of service.
Other Policies/Guidelines in this manual should also be referenced, especially the following:
Effective Date: November 23, 2004
Date Approved: November 23, 2004 (Deans/University Legal Counsel)
Last Review Date: August 2007