Summary of Policy
The McFarlin Library at the University of Tulsa is a staunch defender of intellectual freedom, patron privacy, and responsible use of patron data. McFarlin Library complies with minimum legal requirements to protect information about the resources and library use of patrons, but strives to protect patron information further, aiming to meet American Library Association, industry standards, and European Union General Data Protection Regulation (GDPR) standards for all patrons. McFarlin Library will not release information about your library utilization except to authorized parties and will take additional steps to protect your data from internal and external usage.
Your Right to Privacy
Privacy is essential to intellectual freedom, free speech, and academic discourse. "Privacy" is broadly defined as the right to be left alone, or freedom from interference or intrusion. In a library setting, this translates to privacy to utilize the library to research topics of your choosing without fear of your research topics, resources utilized, or presence in the library being reported except to authorized parties for legitimate reasons.
As a joint public-private academic library in the State of Oklahoma, McFarlin Library complies with Oklahoma statutes governing patron privacy, which state:
Any library which is in whole or in part supported by public funds including but not limited to public, academic, school or special libraries, and having records indicating which of its documents or other materials, regardless of format, have been loaned to or used by an identifiable individual or group shall not disclose such records to any person except to: Persons acting within the scope of their duties in the administration of the library; Persons authorized to inspect such records, in writing, by the individual or group; or By order of a court of law (65 OK Stat § 65-1-105 (2014)).
In other words, McFarlin Library will not release information about your library activities, library usage, books or materials checked out, or similar unless the release of information is needed by a library administrator, authorized parties, or court order.
While McFarlin Library serves a private university, the University of Tulsa and McFarlin Library participate in federally funded programs, such as Federal Student Work Study, and receive public funding in the form of federal grants and state funding for a portion of our library resources. As such, we are bound to the Oklahoma statute as our library is funded "in whole or in part by public funds".
As a student-serving university, the University of Tulsa and its departments, including McFarlin Library, is also bound by the Family Educational Rights and Privacy Act (FERPA). Under FERPA, McFarlin Library will not disclose information pertaining to educational information, student records, or personally identifiable information without express written approval from the student as outlined in the University of Tulsa's FERPA policy.
Some McFarlin Library users may also be protected by the European Union (EU) General Data Protection Regulation (GDPR). GDPR is a European law that established protections for privacy and security regarding "personal data" for individuals in European Economic Areas and some non-European Economic Areas. GDPR applies to any organization that operates within the EU and processes personal information. GDPR also applies to any organization outside of the EU that processes the personal information of individuals who are physically located in the EU, which either (i) offers goods or services to such individuals, or (ii) monitors the behavior of such individuals. The GDPR does not cover individuals by virtue of their citizenship, but their physical presence in an EU country. For example, personal information of an EU citizen collected at a U.S. location is not covered by the GDPR unless the controller or processor continue to monitor the EU citizen upon their return to the EU.
Under the GDPR, individuals have the right to request the erasure of their previously provided data or to inquire about the data that has been collected on them. Individuals requesting erasure of their personal data from McFarlin Library records should contact firstname.lastname@example.org. Please review the University of Tulsa's GDPR FAQs document for more information on how the University as a whole complies with GDPR guidelines.
Library Ethical Obligations
Outside of legal obligations to protect patron data, McFarlin Library strives to abide by patron privacy guidelines set forth by the American Library Association and the American Library Association's Library Bill of Rights. Per the American Library Association's Library Bill of Rights, section seven, "All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. Libraries should advocate for, educate about, and protect people’s privacy, safeguarding all library use data, including personally identifiable information." The American Library Association affirms this right to privacy in the pursuit of free inquiry, stating, "All people, regardless of origin, age, background, or views, possess a right to privacy and confidentiality in their library use. When users recognize or fear that their privacy or confidentiality is compromised, true freedom of inquiry no longer exists. Privacy is essential to the exercise of free speech, free thought, and free association. Federal and state courts have established a First Amendment right to receive information in a publicly funded library. Further, the courts have upheld the right to privacy based on the U.S. Constitution." The American Library Association acts as the governing and advocacy group for all libraries in the North Americas, working with American libraries to establish common ethics for libraries to uphold, including the Library Bill of Rights.
University of Tulsa Data Gathering
Data Obtained by McFarlin Library
While McFarlin Library will not release data on personal library use and activities, our staff and library systems collect data about individual library usage manually, from library systems that automatically log information, and from library databases that automatically log information.
Manual data includes generic information collected by library staff regarding utilization of library spaces and services, such as attendance at library programs, instruction sessions, or one-on-one research appointments. This data is anonymized and staff record tallies of individuals, rather than individuals' attendance. For example, McFarlin Library staff collect room counts at the same times each day, but library staff only counts individuals in each space. In some instances, library staff may collect information regarding the degree level, course, or research topic in question, but no identifiable information is recorded.
Manual data is recorded in paper format before being keyed into an online spreadsheet. A digitized copy of the paper document and the online spreadsheet is retained in perpetuity within McFarlin Library's internal digital storage, which is managed by the University of Tulsa's IT department and is protected by the University of Tulsa's firewall. Only authorized users have access to manual data files.
Library Systems Data
McFarlin Library relies on library systems to manage its circulation system, website, interlibrary loan and document delivery services, online catalog, and online user profiles within the online catalog.
Electronic Resources and Vendor Data
McFarlin Library often uses third-party vendors to supply access to our electronic resources and library systems. Some of these resources are discussed above, and many of the other resources are listed in the library's A-Z database list. Additionally, many of the library's serial titles are provided electronically through vendors, and all library-owned electronic books are provided through these vendors. If and when you choose to use such services, we may share your information with these third parties. Information shared with third parties is only as necessary to confirm your affiliation with the University of Tulsa and on behalf of McFarlin Library. We may display links on our website, in our resource guides, or within our online catalog that may take you to third-party services or content. By following these links, you may be providing personal information (including, but not limited to personal information such as your name, username, email address, and password) directly to a third party, to us, or to both.
By using these services, you acknowledge and agree that McFarlin Library and the University of Tulsa are not responsible for how third parties collect or utilize your information. Library users must understand that use of remote or third-party vendor resources limits the privacy protection that McFarlin Library and the University of Tulsa can provide.
Third-party service providers may collect and share your information, including:
We encourage you to review the privacy policies of every third-party website or service with whom you interact through our Library services. You can always choose not to use third-party websites or services if you do not accept their privacy policies.
The Library also suggests links to external websites that are not under contract or our direct control. In these instances, you are not required to give these sites your Library card or any other personally identifiable information in order to use their services.
All McFarlin Library vendors supplying electronic resources or other library services abide by their own company privacy policies. McFarlin Library reviews these policies during contract negotiation and strives to protect patron data under these legally-binding contracts. Many vendors abide by GDPR guidelines and McFarlin Library aims to negotiate improved patron privacy where possible. The library has incorporated use of anonymization features from OCLC's EZproxy, the intermediary between users and databases to ensure that only TU affiliates are accessing our resources. McFarlin Library has opted into EZproxy's Security Identifier, which pseudonymously identifies each individual patron through an alphanumeric string of characters, and attaches the pseudonym to requests completed through EZproxy, thus adding an extra layer of protection between users and third-party vendors. A new, unique Security Identifier is created by OCLC for each individual patron on the first of each calendar month, and the previous month’s Security Identifier is permanently deleted by OCLC after two (2) calendar months. OCLC and the authorized content provider only uses the Security Identifier for the purpose
of identifying potential compromised usage. This feature is only available with certain vendors at this time, so users understand that not all third-party use of library resources will be protected by EZproxy's Security Identifier.
Special Collections at McFarlin Library
As a predominantly outward-facing library for researchers, McFarlin Special Collections relies on many of the same systems and third-party vendors as McFarlin Library, but data collection practices and personally identifiable information storage differ. Circulation information in regards to the titles that Special Collections' users have reviewed are maintained for fourteen days in accordance with Sierra's circulation records retention policy. However, Special Collections' other patron records are retained in perpetuity, including patron records within Sierra and in a physical format in a secure area. Special Collections' patron information may also be located within its online finding aid system, ArchivesSpace, within internal notes, or within departmental historic documentation. Physical records are stored within a secure area while digital records are stored with best practice assistance from University IT.
McFarlin Library requires your full legal name, current contact information including phone number and email address, information regarding your affiliation to the University of Tulsa, and a TU ID number to provide library services to you. In rare instances, McFarlin Library may set up guest privileges for visitors to the library. Visitors will be asked to provide their full legal name, a TU ID number (if necessary), birthdate, current mailing address, phone number, email address, and a photo ID to access library resources.
Aggregate information on all library users includes:
More specified information is collected on certain groups of library users including:
Automatically collected data on users including:
Some user groups may have data retained in perpetuity regarding their use of the library, including:
McFarlin Library uses data manually or automatically generated to help inform library decision-making. Data containing personally identifiable information will only be used by authorized library administrators. Any data for external audiences is fully anonymized and you will not be identifiable by any data utilized for evaluation purposes. Anonymized McFarlin Library data produced for annual reports will be stored in accordance with the University of Tulsa's best practices for digital or physical file storage. Only authorized library staff members can access system data, aggregated data, and stored data.
Even if not protected by GDPR, McFarlin Library users can email email@example.com at any time to request more information about the data gathered on them and how it has been used or to request erasure of personal data gathered at the library level.
You can also contact McFarlin Library's circulation desk by calling +1 (918) 631-2871.