This Privacy Notice outlines how Canterbury Christ Church University (the Data Controller) collects, uses, and protects personal data in relation to library and learning resources. It applies to any individual who engages with resources and services offered by the Library Services team.
We are committed to handling your personal data responsibly and transparently, in accordance with the Data Protection Act 2018 and UK General Data Protection Regulations (GDPR) and any other relevant legislation. This notice is intended to ensure you are fully informed about how your personal information is used and the rights you have in relation to it.
You can access our Data Protection Policy here.
- 1) What personal information do we collect about you
- 2. How do we collect your information
- 3) How do we use your personal data
- 4) The lawful basis we use to process your data
- 5) Who do we share your personal data with
- 6) How long do we keep your personal data
- 7) How do we protect and store your personal information
- 8) The data controller and further information
1) What personal information do we collect about you
When you engage with the University in relation to library services, we collect and retain relevant personal data. This information is used for the purposes set out in Section 3 of this Privacy Notice.
We may process the following categories of personal data about you:
-
Contact details such as name, address, telephone number(s), email address.
-
Your Unique Identifier
-
Information about your use of Library collections, services and facilities;
-
Your financial transactions with the Library, including payment method
-
Enquiries made by you as a user of Library Services.
-
Records of email or other correspondence (including any notes made on your account)
-
We may also process special category data where it is relevant to your use of Library Services. For example, data relating to health, disability or other accessibility requirements.
For SCONUL Access members we collect personal data on:
-
Home institution
-
Level of study
-
Course
-
Home institution card number
-
Mode of study (full-time / part-time)
2) How do we collect your information
The University may collect your personal data through a range of methods and sources, depending on your relationship with us and the nature of our interaction. We may collect your personal information:
-
Directly from you – when you register to use our services, contact us or when you use our services.
-
Through automated technologies – when you interact with our learning platforms or other digital services. Through automated imports of relevant data from central University systems.
3) How do we use your personal data
The University may process your personal data for the following purposes:
-
For the continuous improvement of our services.
-
To create your library account.
-
To administer your membership(s), which may be by letter, email, phone or in person.
-
To give you the appropriate information, support and services.
-
To provide support services for users with disabilities.
-
For document delivery services.
-
For Electronic Resources Management (information about electronic records on hold or purchased).
-
To communicate about Library news and membership.
-
To ensure that all marketing communications you receive from us are relevant;
-
To ask you to take part in surveys related to Library Services.
-
To compile anonymous statistics and conduct research for internal and statutory reporting purposes.
-
To meet our responsibilities under equalities and health and safety legislation.
-
For archival purposes.
4) The lawful basis we use to process your data
Data protection law sets out reasons for collecting and processing your personal data. In this section, we outline the legal bases the University uses.
We will be processing your data under:
-
Article 6(1)(b) Contract "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"
-
Article 6(1)(e) Public Task "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"
-
Article 6(1) (f) Legitimate Interests "processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child"
We may process personal data under this legal basis for the continuous improvement of our services, including ensuring that the communications we send out to you are relevant.
Where we process Special Category Data, we will do so under the following legal basis:
-
Article 9(2)(g) Reasons of substantial public interest (with a basis in law)
We have an Appropriate Policy Document in place which records our processing in relation to Special Category Data and Criminal Offence Data. If you are a student, you may access the document here. If you are a member of staff, you may access the document here.
5) Who do we share your personal data with
We may share your personal data with trusted third-party service providers who act as data processors on our behalf. These partners are JISC Open Athens, Lyngsoe Library Solutions, Talis Reading List Systems and SirsiDynix who support with the delivery and operation of Library Services, such as providing a digital library platform. All third parties are required to handle your data securely and in accordance with data protection legislation.
We may also disclose your personal data where necessary to meet our legal or statutory obligations under the Data Protection Act 2018 and UK GDPR. This may include sharing information with government departments, regulatory bodies, funding agencies, or law enforcement authorities where disclosure is legally required.
Whoever we share your information with, we will only share what is relevant and necessary to perform the specific task or to meet our legal obligations.
6) How long do we keep your personal data
We retain personal data only for as long as is necessary to fulfil the purposes set out in this Privacy Notice, including to satisfy legal, regulatory, and contractual obligations. This includes our obligations under the Data Protection Act 2018 and UK GDPR.
|
Data |
Retention period |
Method of retention |
|
Personal details |
Students and Staff: 1 year after the expiry of your account Borrower membership: 1 month after expiry of account [unless there are debts or outstanding loans which can be held for up to 7 years.] |
Library management system [LMS] – (cloud-based). Sconul Access –on LMS and paper form. Borrower membership – cloud-based, Microsoft 365 applications Learning Skills Team tutorial bookings – Microsoft Bookings Learning Skills Team meetings, tutorials and actions taken – Microsoft Forms User feedback – Microsoft Forms |
|
History of borrowing library materials |
Students and Staff: 1 year after the expiry of your account Borrower membership: 1 month after expiry of account. [unless there are debts or outstanding loans which can be held for up to 7 years.] |
Library management system (cloud-based). |
|
History of charges/fines. |
Students and Staff: 1 year after the expiry of your account . Borrower membership: 1 month after expiry of account [unless there are debts or outstanding loans which can be held for up to 7 years.] |
Library Management System (cloud-based). Bills –Microsoft 365 applications (cloud-based). |
|
Fine appeals |
3 months |
Microsoft 365 applications (cloud-based). |
|
Online payments |
2 months |
Microsoft 365 applications (cloud-based). |
|
Records of emails or other correspondence |
3 months |
Microsoft 365 applications (cloud-based). |
|
Document Delivery |
7 years to comply with copyright regulations |
Microsoft 365 applications (cloud-based). |
When identifiable records are no longer required for the purposes set out in this Privacy Notice, they are either anonymised or securely disposed of according to our Confidential Waste Policy.
7) How do we protect and store your personal information
We are committed to safeguarding the personal data we process and have robust internal policies and controls to prevent unauthorised access, accidental loss, destruction, misuse, or disclosure of personal data. Access to personal information is strictly limited to authorised University personnel who require it for the performance of their duties in connection with library and learning services.
Where personal data is shared with third-party processors, such parties are contractually required to act solely on our instructions, implement appropriate technical and organisational safeguards, and comply fully with the requirements of the Data Protection Act 2018 and UK GDPR.
Canterbury Christ Church University is the Data Controller for this personal data.
Please click the link below to access further information regarding:
Version control
Title: Library Services Privacy Notice
Process Owner: University Librarian
Department responsible: Library Services
Date approved: 11th May 2026
Date of review: 11th May 2028
Date last amended: 11th May 2026