RUL 02.61.02 – Confidentiality of Library Records and Data

Authority: Senior Vice Provost and Director of Libraries

History: First Issued: August 31, 2007. Last Revised: October 19, 2007.

Additional References:
Information Security & Privacy Acknowledgement (ISPA) Form
NC State University Libraries Rules and Guidelines Website

Contact Info: Senior Vice Provost and Director of Libraries (919-515-7188)

1. Purpose

To specify when and how employees of the NC State University Libraries may disclose administrative records or data of the Libraries.

2. Confidentiality of Library User Records

2.1 Employees of the NC State University Libraries shall adhere to state law on user records, which provides:

G.S. 125-19 Confidentiality of Library user Records

(a) Disclosure—A library shall not disclose any library record that identifies a person as having requested or obtained specific materials, information, or services, or as otherwise having used the library, except as provided for in subsection (b).

(b) Exceptions—Library records may be disclosed in the following instances:

(1) When necessary for the reasonable operation of the library;

(2) Upon written consent of the user; or

(3) Pursuant to subpoena, court order, or where otherwise required by law.

2.2 Library staff may not disclose information about library users unless directed to do so by the Senior Vice Provost and Director of Libraries or the Office of General Counsel.

2.2.1 This prohibition includes names, identification numbers, telephone numbers, addresses, etc.

2.2.2 All such requests should be referred to the Senior Vice Provost and Director of Libraries.

2.3 When displaying and working with sensitive and confidential information on computers, staff will take all reasonable steps to ensure confidentiality.

2.3.1 Such information should not be visible to unauthorized persons.

2.3.2 Such information should not be left on computer or terminal screens when no longer in active use.

2.3.3 Staff who become aware of any breach or suspected breach of information security should promptly report it to their supervisor.

3. Computer Use Regulation

Employees of the NC State University Libraries must comply with NCSU REG08.00.02 – Computer Use Regulation.

4. Information Security Acknowledgment

4.1 Employees of the NC State University Libraries must adhere to the University Information Security Acknowledgment.

4.2 The Acknowledgement is Appendix C of NCSU REG08.00.03 – Data Management Procedures.

4.2.1 Employees may be required to sign the Information Security Acknowledgement.

5. Access to Administrative Data and Records of the Libraries

5.1 Persons with access to administrative data and records of the Libraries must:

5.1.1 Store the information under secure conditions;

5.1.2 Make every reasonable effort to ensure data privacy;

5.1.3 Use the data only as required within their position responsibilities; and

5.1.4 Not share IDs or passwords with other persons, including coworkers, unless otherwise authorized.

5.2 Persons with access to administrative data and records of the Libraries may not:

5.2.1 Alter restricted library or University data records or software without appropriate supporting documentation or authorization. For example, unless within their job responsibilities, staff may not modify circulation or patron records; change bibliographic records or acquisitions order records; or otherwise create or alter data records or software without authorization from their supervisor.

5.2.2 Access restricted library or University data records not associated with assigned duties or directly related to assigned tasks. For example, staff may not change or release the electronic mail of another individual without that individual’s permission; search data servers, file systems, or network resources for data or information not necessary to complete work-related tasks unless permitted by NCSU REG08.00.02 – Computer Use Regulation; or access or use administrative data resources or databases not necessary to complete work-related tasks.

5.2.3 Release suppressed, private, or confidential information without authorization. For example, staff may not reveal information from patron data records; disclose acquisitions agreements, subscription costs, or other contractual arrangements; divulge confidential personnel or financial information; or otherwise disseminate data records maintained by the Libraries without authorization from library administration.

5.2.4 Publicly discuss restricted University data records related to employees, students, or staff in such a way that an individual may be identified. For example, staff may not disclose any part of a patron record that may permit another person to identify a Libraries patron or to use the information to pose as a Libraries patron.

5.2.5 Disclose computer security passwords or other security safeguards. For example, unless otherwise authorized, staff may not share logon passwords with any individuals; disclose passwords to any individuals; or supply or facilitate unauthorized access and/or use of Libraries or University computing resources to any individual.

6. Violations

6.1 Violations of this rule are subject to disciplinary action, up to and including dismissal, under University personnel policies.

6.2 Violations of this rule may result in civil liability and/or criminal penalties under state and federal laws.