Library Services Privacy Notice
About this document
This Privacy Notice (Notice) explains how Library Services (the College, we, our, us) processes the personal data of our users.
Imperial College London students
Imperial College London staff
Retired Imperial staff
NHS Trust staff
Members of Imperial Incubator companies
Francis Crick Institute staff
Medical Research Council (MRC) Staff
Thrombosis Research Institute staff
Staff and students of local museums and colleges
Staff and students of higher education institutions eligible through the Sconul Access scheme
Members of the public
For the purposes of any applicable data protection laws in England and Wales, including the Data Protection Act 2018 (DPA) the UK General Data Protection Regulation (UK GDPR) and General Data Protection Regulation EU 2016/679 (EU GDPR), the College is the data controller of your personal data. The College has appointed a Data Protection Officer, who can be contacted via email at firstname.lastname@example.org, via telephone on 020 7594 3502 and via post at Imperial College London, Data Protection Officer, Faculty Building Level 4, London SW7 2AZ. For more information about the College's data protection policies and practices please refer to Data Protection.
Throughout this notice, “Imperial”, "we", "our" and "us" refers to Library Services at Imperial College London. "you" and “your” refers to our users as listed above who use or express an interest in using our services.
Information we hold about you
We may collect and process the following data about you:
- Contact details
- Date of birth (NHS staff only)
- College username
- Library number
- Department / department affiliation
- Course completion date (alumni)
- College joining and leaving dates (staff)
- Job title (NHS staff)
- Research section (MRC)
- Home institution (visitors)
- Access arrangements relating to disability
- History of library usage e.g. items borrowed and requested, room and workshop bookings
- Feedback responses e.g. from surveys and user studies
- Research Grant information (researchers submitting publications to Symplectic or applying for funding to pay open access fees)
How we collect information about you
We collect most of the personal information we hold about you:
- through automatic data feeds from College systems
- in person at the Abdus Salam Library Information Hub and campus library issue desks
- through our enquiry management system, email and chat widget
- via our online forms
- in the course of providing our services to you (e.g. history of library usage) or after we have provided services to you (e.g. feedback responses)
How we use the information we hold about you and legal basis for processing your data under GDPR
We need the information listed above (see Information we hold about you) primarily to allow us to perform our contract with you - on many occasions we will process your data to enable Imperial to meet its commitments to you e.g. those relating to teaching and assessment. In some cases we may use your personal information to pursue a legitimate interest of our own or those of a third party, provided your interests and fundamental rights do not override that interest. The “legitimate interest” is generally the interest of Imperial (or third party) in providing or supporting the provision of higher education. The situations in which we will process your personal information are listed below.
We use the information we hold about you:
- to give you access to library buildings
- to provide and administer library services e.g. borrowing and requesting items, booking rooms and workshops
- to provide you with access to e-books, e-journals and databases
- to respond to enquiries
- to manage academic reading lists
- to facilitate the deposit of publication details in preparation for the Research Excellence Framework (REF)
- to facilitate the deposit of publications as required by Imperial College London’s and research funders’ open access policies
- to gather usage statistics
- for the continuous improvement of library services
- organising events
- for the purposes of learning / data analytics we will analyse personal data in order to improve the experience for library users, enhance the effectiveness of the College’s learning, teaching and assessment activities, support the design and delivery of library services, and to further understand our community in order to improve engagement, access, diversity and support users better. Where we use personal data for these purposes, we will ensure that any published information is anonymised. Results will be presented as aggregate data, even if the underlying calculations depend upon matching data at individual level.
- to let you know about the services and resources that Library Services provide to NHS users (NHS user only)
Your personal data will also be processed by Library Services for compliance with any legal obligations or as part of the wider College’s public interest task. For example:
- to meet our legal obligations (for example, relating to child protection, diversity and gender pay gap monitoring, employment, health and safety, statutory reporting etc.)
- for the prevention and detection of crime, and in order to assist with investigations (including criminal investigations) carried out by the police and other competent authorities
- where a legislative requirement compels the College
Automated decision-making and profiling
We use pseudonymised log information on your remote access to our library journals (such as pseudonymised username, pseudonymised IP address, country, city, time and HTTP status) to build and deploy models to carry out machine learning and statistical analysis, the aim is to enhance existing log file analysis and therefore protect against cyber-attacks and fraudulent activities. The analysis will identify imperial accounts that may have been compromised, so that these accounts can be secured before Imperial is blocked from accessing the journals or third parties using the account for fraudulent activities such as journal theft and sending phishing emails.
The machine learning and statistical analysis will be used to look for non-standard patterns and behaviour, assign scores or probabilities to activity based on indicators of compromise, such as large volumes of downloads, connections from multiple countries and from multiple IP addresses. Alerts will be generated by the analysis and reviewed by a dedicated member of ICT security staff who has received appropriate training and support from our statistics team. If the staff believes the account has been compromised it will be secured (the staff has access to the identifying key for the pseudonymised dataset and will only use it for this purpose), which involves requiring password reset, session torn down and service desk logged. Our statistics team will use appropriate mathematical and statistical procedures, regularly check the algorithm for accuracy and bias and feed any changes back into the design process.
The legal basis for the processing activities is our legitimate interest to build and deploy models to carry out machine learning and statistical analysis for improving log file analysis, therefore protecting against cyber-attacks and fraudulent activity.
Change of purpose
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who we share your information with
All library users must comply with Library regulations. If you do not abide by our regulations we may share your personal data with your Imperial department, the Alumni Office, or your home institution. If we are required to issue an invoice for a missing item, your data will be shared with College Finance.
We may also use your data to provide library usage statistics to the College or your home institution.
We do not pass your data to third party e-book, e-journal, database, reference management software or booking service providers. Where a third party service provider requires you to create an account, your contract is with that provider and your data is stored by them, not by Imperial College London.
Where access to e-books, e-journals and databases is via UK Federation, OpenAthens or College username and password your data will be anonymous at the point of use of the third party service.
Your feedback may be used anonymously for marketing purposes.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Your rights as a data subject
You have the right to:
- withdraw consent where that is the legal basis of our processing
- access your personal data that we process (further details of how you can do that are set out below (see Access to the information we hold about you)
- rectify inaccuracies in personal data that we hold about you
- be forgotten, that is your details to be removed from systems that we use to process your personal data
- restrict the processing in certain ways
- obtain a copy of your data in a commonly used electronic form
- object certain processing of your personal data by us
Please see the Information Commissioner’s Office (ICO) for further information on the above rights. You may also contact Imperial’s Data Protection Officer for further information.
You have a right to complain to the ICO about the way in which we process your personal data.
How long we keep your information for
Your information is stored in line with the College’s retention schedule. Further information is available from the College Archives and Corporate Records Unit.
We will only retain your personal data for as long as necessary to fulfil the purposes we collect it for. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data (such as operational, contractual, legal, accounting or reporting requirements) and whether we can achieve those purposes through other means, and the applicable legal requirements.
Anonymous data from surveys and feedback exercises is retained for a longer period to aid year on year comparisons.
Access to the information we hold about you
For access to your library account sign in to Library Search. You will be able to see the contact information we hold about you and your borrowing history.
If you wish to request copies of the data we hold about you please contact us via ASK the Library
Data Protection Officer
Imperial has appointed a Data Protection Officer to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Protection Officer at:
Imperial College London
Data Protection Officer
Faculty Building Level 4
London SW7 2AZ
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
Document last updated – February 2022