University of York Library Data Protection Statement


  • Data Protection: information for users
    • Why we collect data
    • How your data are held
    • Disposal of data
    • Your responsibilities
    • Your rights and further information
  • Document status

Data Protection: information for users

The Library needs to collect and retain certain types of data, in various formats, about its current and past users in order to fulfil its functions as a provider of library and information services. In complying with the Data Protection Act 1998, this statement describes the purposes for which the information is collected and the Library’s obligations in processing this data.

Why we collect data

The purposes for which the Library may process your personal data (including sensitive personal data) collected during your association with the Library include:

  • the management of library accounts: for example, issuing readers’ tickets, and issuing, return and recall of loans;
  • crime prevention and the prosecution of offenders: for example, ensuring the security of our collections and the safety of our users through CCTV and other methods;
  • research: for example, finding out how we can improve our services, including by the automatic collection of data through the operation of the entrance and exit turnstiles;
  • promotion: for example, to inform you of service changes and projects;
  • personalisation of services which might be of particular use to you: for example, disability, support, advice and request services.

How your data are held

Your data are held securely, and are accessed only by those in the University who need to see them in the performance of their duties, and proportionately to those duties.

Your data are not disclosed to:

  • people in the University who do not have a legitimate reason to see them;
  • organisations outside the University without your consent unless exceptional circumstances apply or where the Library is required to do so by law or for the operation of your account. Where there are exceptional circumstances for disclosures of personal data without the prior consent of the data subject, the data subject will be informed of such disclosures.

Your data are held for appropriate periods relating to the original purpose of their collection. For example:

  • Borrowing and other account data are held for two years after your library membership expires, unless there are outstanding invoices or matters relating to a breach of the University Library regulations. In such circumstances relevant data may be held for a minimum of six years from the last action on the case.
  • Copyright data are held for a minimum period of six years and one day.
  • Entrance and exit data in a personally identifiable form are held for a maximum of 24 hours from their collection.

Disposal of data

Data are securely destroyed as follows:

  • Personally identifiable data retained for 24 hours are destroyed on a daily basis
  • Pseudo-anonymised data is retained in line with recommended retention schedules
  • Other data are destroyed by the end of the academic year following the expiry of the stated retention periods.

The University of York is registered as a data controller with the Information Commissioner’s Office and has publicly notified its uses of personal data in the public Register of Data Controllers. The University undertakes to maintain personal data in secure conditions and to process and disclose data only within the terms of its Data Protection notification.

Your responsibilities

Users are reminded that they have a responsibility to keep their information accurate and up-to-date. Please help us to do this by notifying us of any alterations to your address, personal details, or other relevant information.

Your rights and further information

Under the Data Protection Act 1998 you have a right to ask to see the personal information held on you by the Library (a fee of £10 will be charged). You also have the right to object to any use of your data that may cause you substantial or unwarranted damage or distress; and to require the correction of inaccurate data we hold about you.

Please contact the University Records Manager ( if you have specific questions relating to Data Protection, or for details of procedures relating to your rights as a data subject or responsibilities under the Act.

A copy of the University Data Protection policy and guidelines is available at the Data Protection Policy webpage.

Document status

Owner Information Directorate
Updated 14 December 2015 by Chris Webb
Review cycle Two years (alongside Library Regulations)
Date of next review

 January 2017 (for May-July University committees)