Full privacy notice

We collect a range of data which will be different depending on the service, event or activity you wish to access:

• When you sign up for a library card, we collect details from your ID documentation including your name, address including post code, date of birth, gender, contact details.  This can be updated at any time by either logging into your account online or by speaking to a member of staff. Once you have a library card, we also collect your borrowing history.

• When you sign up for a Discover More account we collect the following details: name, address, phone number, your interests, library preference, social situation preference, preferred travel distance to events, your bookmarked events, your attended events, personalisation questionnaire responses, demographic details (age range, employment status, gender identity, household structure, primary carer, disabled, accessibility needs, ethnicity, religious affiliation).

• When you donate through our website, information collected may include contact and account information such as name, email address, physical address, location data, phone number, social media information, standard web log entries that contain an IP address, cookies (first party, third party, session, persistent, and flash), web beacons, page URL and timestamp.

• When signing up for activities and events on our website or in a library we collect a range of data depending on the activity or event being run.  This can include e.g., name, address including post code, date of birth, gender and contact details.

Sometimes we will gather data on who is using our libraries and we will engage customers with surveys.  The information collected can include – name, age, address including post code, sex, ethnicity and other demographic data.

When using our website we collect cookies (see Cookie Policy).

Some of our libraries have CCTV and staff use body-worn cameras which will collect static or moving images and audio data (see CCTV and Body Worn Camera Policy).

We only collect the minimum amount of information required to provide the service you are using or to comply with our contracts with funders and service providers.

When signing up for a library card we need to know who you are as you are making a contract with us to provide library services. We use it to contact you about your account, such as when a reservation has arrived for you, and to work out any charges owing.

We also use your email address to contact you with information about any event(s) or activities you have signed up for, or if you have agreed to it, we will contact you with news about Suffolk Libraries' events and activities that may be of interest to you or book recommendations. (You can opt out at any time by clicking unsubscribe at the bottom of any email you receive from us).

We need your age as some categories of stock have age limits and some activities available in libraries are aimed at specific age groups.

Age, gender and ethnicity also help us check we are reaching all sections of our communities and identify where we need to develop new services to attract underrepresented groups of users.

When donating through our website we need the financial information outlined above to document the transaction as required under HMRC and Charity Commission rules.

We run a wide range of events and activities across our libraries.  Some are Suffolk Libraries run and from time to time we partner with other likeminded trusted organisations to provide events or activities that communities have shown interest in, or we feel communities could benefit from. As part of these events or activities we may collect data for reporting purposes with the partner organisation(s) or to ensure we are reaching as many areas and communities as we can.

Suffolk Libraries takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by our employees and employees and contractors in the proper performance of their duties.

Any third parties we use to provide a service on our behalf are held to a high standard and we ensure they have adequate security systems and processes in place to ensure your data is held or processed in accordance with their contract with us and in accordance with their obligations under Data Protection Act 2018.

We train all our employees on their role and responsibilities of processing and protecting personal data. We have security provisions in place with our IT system provider to ensure personal data is secure, such as firewalls, anti-virus software and security profile settings.

Suffolk Libraries does not share your personal information with organisations so they can contact you for marketing purposes. Nor do we sell any information about your web browsing activities.

Suffolk Libraries may share your information with select, trusted partners, suppliers and funders who work with us or on our behalf to deliver our services, for statistical and analytics purposes or as part of our contract but processing of this information is always carried out under our instruction. We ensure the data is anonymised wherever possible, removing all identifiable information before sharing.  We make sure they store the data securely, use it for its intended purpose only and destroyed when it is no longer required for the intended purpose.

If you have signed up for a library card your information is stored securely on our library information system which is operated on our behalf by Civica (our data processor) It is stored in the UK and will never be transferred out of the European Economic Area.

If you have signed up for a Discover More account, your information is stored securely. Data will be stored on a secure cloud based server using AWS in the UK and will never be transferred out of the European Economic Area. Databases used within Discover More and hosted on AWS will be encrypted at rest.

We may occasionally release to a third party an anonymised copy of our borrower data with all the names, addresses and card numbers removed for analysis. This is to help us monitor our performance and improve our services.

If you have agreed for us to contact you about Suffolk Libraries news, events, activities or recommendations Your name, address, date of birth, gender, phone number and email address and borrowing history is shared with our provider Patron Point (our data processor). Your data is held on their secure servers in Europe.

If we are running events or activities together with or without partner organisations we may use a providers such as Survey Monkey, Google Forms or Microsoft Forms to gather the required information specific for that activity or event, which may be shared with the organisation providing the service or activity.  It is also used to contact you with details of the event or activity and gather feedback after it. It is also used to help us monitor our performance and improve our services.

Suffolk Libraries uses Fundraise Up as an online donation platform. All Personally Identifiable Information (PII) is encrypted. Financial information such as banking information or credit card number, name, CVV code or date of expiration, is collected and stored by a third-party payment processor Stripe. Financial information is not stored by Fundraise Up.

We may also share your information if required to do so by law or with a recognised competent authority under the following circumstances:

• The detection and prevention of crime or fraudulent activity; or

• To protect a child or vulnerable adult who are thought to be at risk; or

• If there is a serious risk to the public or our staff.

Consent

In some cases, we will only use your personal information where we have your consent, for example:

• Sending you electronic communications about your account, events or activities or updating you about our services

• Donating to Suffolk Libraries via our website

• When you sign up for events and activities

Contract

We need to use data you provide us to fulfil a contract with you, or example:

• When you sign up for a library card to borrow books and resources from the library

Legal Obligation

We need to use some data you provide us where we have a legal obligation, for example:

• Dealing with complaints and claims,

• HMRC for financial transactions, or

• For complying with guidance from the Charity Commission.

Legitimate interest

This means that the reason we are using your information is because there is a legitimate interest for Suffolk Libraries to process it to help us ensure we are utilising public funds effectively and providing the best service to our communities.

Whenever we are to process your Personal Information under the ‘legitimate interest’ lawful basis we make sure that we consider your rights and interests before proceeding.

You have various rights in respect of the personal information we hold about you – these are set out in more detail below.

Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you, along with information on what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge.  Please make all requests for access in writing and provide us with evidence of your identity.

Right to object: You can object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.  Please contact us as noted above, providing details of your objection.

Consent: If you have given us your consent to use personal information you can withdraw your consent at any time.

Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.

Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.

Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.

Restriction: You can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.

No automated decision making:  Automated decision-making takes place when an electronic system uses personal information to make decisions without human intervention.  You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless you have given us your consent, it is necessary for a contract between you and us or is otherwise permitted by law.  You also have certain rights to challenge decisions made about you.  We do not currently carry out any automated decision-making.

 Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.

If you wish to exercise any of these rights, you can do so by contacting privacy@suffolklibraries.co.uk.

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance by contacting us at privacy@suffolklibraries.co.uk.

Alternatively, you can contact the Information Commissioners office at https://ico.org.uk/concerns/.