{"id":106,"date":"2019-09-11T14:59:07","date_gmt":"2019-09-11T14:59:07","guid":{"rendered":"https:\/\/libraries.mit.edu\/about\/?page_id=106"},"modified":"2025-01-08T19:14:39","modified_gmt":"2025-01-08T19:14:39","slug":"privacy-policy","status":"publish","type":"page","link":"https:\/\/libraries.mit.edu\/about\/policies\/privacy-policy\/","title":{"rendered":"Patron Data Privacy Policy"},"content":{"rendered":"<p>The MIT Libraries is committed to protecting your privacy and confidentiality when you visit or use services we provide. This privacy policy details how MIT Libraries handles the personally identifiable information (PII) of MIT students, faculty, staff, and other patrons of the MIT Libraries.<\/p>\n<h2>MIT Libraries Patron Data Privacy Policy<\/h2>\n<p><em>Last updated: January 2025<\/em><\/p>\n<h2 id=\"toc\">Table of Contents<\/h2>\n<h3>1.\u00a0 <a href=\"#introduction\">Introduction<\/a><\/h3>\n<h3>2.\u00a0 <a href=\"#data-collection\">Data collection<\/a><\/h3>\n<h3>3.\u00a0 <a href=\"#MIT-access\">Who at MIT has access to the data we collect<\/a><\/h3>\n<h3>4.\u00a0 <a href=\"#third-parties\">Sharing data with third parties<\/a><\/h3>\n<p><!--\n\n\n<ul>\n \t\n\n<li><a href=\"#third-parties-authentication\">4.1 Authentication for your visit to a third-party site<\/a><\/li>\n\n\n \t\n\n<li><a href=\"#third-parties-government-requests\">4.2 Government Requests for Library Records<\/a><\/li>\n\n\n \t\n\n<li><a href=\"#third-parties-non-identifiable\">4.3 Non-personally identifiable information<\/a><\/li>\n\n\n<\/ul>\n\n\n--><\/p>\n<h3>5.\u00a0 <a href=\"#what-do-we-do\">What we do with your data<\/a><\/h3>\n<h3>6.\u00a0 <a href=\"#retention\">Data Retention<\/a><\/h3>\n<h3>7.\u00a0 <a href=\"#integrity\">Data Integrity &amp; Security<\/a><\/h3>\n<h3>8.\u00a0 <a href=\"#cookies\">Cookies<\/a><\/h3>\n<h3>9. \u00a0<a href=\"#your-rights\">Your rights with respect to your data<\/a><\/h3>\n<h3>10. 
\u00a0<a href=\"#accountability\">Accountability<\/a><\/h3>\n<h3><a href=\"#appendix-a\">Appendix A:\u00a0 Personally Identifiable Information Definition and Examples<\/a><\/h3>\n<p>&nbsp;<\/p>\n<hr \/>\n<h2 id=\"introduction\">1\u00a0 Introduction<\/h2>\n<p>MIT Libraries is committed to protecting your privacy and confidentiality when you visit or use services we provide. This privacy policy details how MIT Libraries handles the personally identifiable information (PII) of MIT students, faculty, staff, and other patrons of the MIT Libraries. PII is any piece of information that can be used by itself or linked with other information to identify an individual (a more full description of what we mean by PII is available \u200bin <a href=\"#appendix-a\">Appendix A\u200b<\/a>). This policy covers all aspects of the services offered to the MIT community by the MIT Libraries, including web platforms, online and print resources.<\/p>\n<p>Many interactions with the Libraries or library resources result in data about you being recorded. This policy will let you know what may be collected, how it is used and protected, and when it may be shared. We try to collect only the information which is necessary to provide you with library services, and will give you as many options as possible to control your own data.<\/p>\n<p>We do our best to safeguard your privacy as a user of our systems; however, there are also steps you can take to minimize the creation of personally identifiable information in your general online interactions. To learn more about your privacy generally, and find tools to help safeguard it, these resources are a good place to start: \u200b<a href=\"https:\/\/libraryfreedom.org\/index.php\/resources\/\">Library Freedom Project<\/a>\u200b, <a href=\"https:\/\/ssd.eff.org\/en\">Electronic Frontier Foundation\u200b<\/a>, \u200b<a href=\"https:\/\/www.cookiesandyou.com\/\">Cookies and You<\/a>\u200b. 
The Libraries also maintain \u200b<a href=\"#data-public-computers\">visitor computers\u200b<\/a> with access to most library resources, which can provide a more anonymous access option.<\/p>\n<p>Your privacy at MIT is also covered by the \u200b<a href=\"https:\/\/www.mit.edu\/privacy\/\">MIT Privacy Policy<\/a>\u200b, which this policy supplements, and \u200b<a href=\"https:\/\/policies.mit.edu\/policies-procedures\/110-privacy-and-disclosure-personal-information\">MIT Policy 11.0 Privacy and Disclosure of Personal Information\u200b<\/a>. Legal protection of your privacy comes from a variety of laws (some of which, based on your citizenship, place of residence, and the type of information involved, may apply to your interactions with the Libraries) including: \u200b<a href=\"https:\/\/registrar.mit.edu\/transcripts-records\/records-privacy-access\/ferpa\">FERPA<\/a>\u200b, \u200b<a href=\"https:\/\/www.hhs.gov\/hipaa\/for-individuals\/index.html\">HIPAA<\/a>\u200b, Massachusetts \u200b<a href=\"https:\/\/www.mass.gov\/files\/documents\/2017\/10\/02\/201cmr17.pdf\">regulations<\/a>\u200b and <a href=\"https:\/\/malegislature.gov\/Laws\/GeneralLaws\/PartI\/TitleXV\/Chapter93H\">\u200bdata breach law<\/a>\u200b, the EU \u200b<a href=\"https:\/\/gdpr.eu\/what-is-gdpr\/\">General Data Protection Regulation<\/a>\u200b, and \u200b<a href=\"https:\/\/www.ncsl.org\/research\/telecommunications-and-information-technology\/security-breach-notification-laws.aspx\">data breach regulations of other US states<\/a>\u200b. 
The MIT Libraries\u2019 privacy practices and this policy have also been informed by many library standards and guides including those of the \u200b<a href=\"http:\/\/www.ala.org\/advocacy\/privacy\">American Library Association\u200b<\/a>, \u200b<a href=\"https:\/\/www.ifla.org\/files\/assets\/hq\/news\/documents\/ifla-statement-on-privacy-in-the-library-environment.pdf\">International Federation of Library Associations<\/a>\u200b, and the \u200b<a href=\"https:\/\/www.niso.org\/publications\/privacy-principles\">National Information Standards Organization<\/a>\u200b. We encourage you to learn about and exercise your privacy rights!<\/p>\n<h2 id=\"data-collection\">2\u00a0 Data Collection<\/h2>\n<p>The MIT Libraries tries to minimize the amount of personal information necessary to use library services. Many library services can be accessed without personal information being collected.<\/p>\n<p>The patron data that the MIT Libraries do collect is classified using guidelines published by MIT\u2019s \u200b<a href=\"https:\/\/infoprotect-beta.mit.edu\/risk-classifications#quicktabs-data_risk_levels=0\">Written Information Security Program (WISP)\u200b<\/a>, which determine how long it is retained and how it is stored. This classification places systems into categories of low, medium, or high risk. Information about this program, the risk categories, and required security steps can be found at <a href=\"https:\/\/infoprotect.mit.edu\/\">infoprotect.mit.edu<\/a>\u200b. Low risk data is data which is already public or which wouldn\u2019t be harmful if released. High risk data is data which is subject to legal requirements or would cause serious safety, financial, or operational harm if released, and medium risk data is in between. 
The Libraries treat all information which identifies the intellectual pursuits of students &#8211; such as search logs and reference questions &#8211; as high risk, consistent with the <a href=\"https:\/\/registrar.mit.edu\/transcripts-records\/records-privacy-access\/ferpa\">MIT FERPA policy<\/a>\u200b. Any information related to unpublished research as well as identifying information paired with an MIT ID is generally categorized as medium risk or higher. Additional guidance on risk determinations for specific information comes from \u200b<a href=\"https:\/\/riskandcompliance.mit.edu\/system\/files?file=documents\/Institute%20and%20top%20risk%20criteria%20guidance_Sep2022.pdf\">MIT Risk Management\u200b<\/a>.<\/p>\n<p>Sections 2.1 through 2.5 below describe the sources from which we receive information about patrons. Generally, information at all risk levels may be received through all of these means.<\/p>\n<h3 id=\"data-patron\">2.1\u00a0 Data provided directly by the patron<\/h3>\n<p>Patrons provide information to the Libraries when they hand over their MIT ID to check out materials, search for materials via a web-based discovery tool like Search Our Collections, submit a web form, interact with Libraries staff directly or by chat or email, or attend Libraries events.<\/p>\n<h3 id=\"data-patron-software\">2.2\u00a0 Data provided by the software used by the patron<\/h3>\n<p>The tools used by patrons when using Library services provide certain information without the patron\u2019s intervention. An example of this type of information includes a computer\u2019s IP address, and the user agent string identifying the patron\u2019s web browser. This collection can occur when a patron accesses a website or web application maintained by the Libraries.<\/p>\n<h3 id=\"data-other\">2.3\u00a0 Data provided by other systems<\/h3>\n<p>The Libraries receive information about patrons from other systems. 
This includes records from MIT, information received from \u200b<a href=\"https:\/\/ist.mit.edu\/touchstone\">Touchstone\u200b<\/a> (if a user logs into a library website), and payment transaction IDs from MIT\u2019s payment processor.<\/p>\n<p>We also receive aggregate data about the use of library resources when those resources are provided by third-party vendors, such as the number of total visitors to a third-party service or total download counts of specific content. This data is provided in aggregate and wherever possible in accordance with the \u200b<a href=\"https:\/\/www.projectcounter.org\/\">Project COUNTER Code of Practice\u200b<\/a>, which does not allow us to identify individual users.<\/p>\n<h3 id=\"data-libraries\">2.4\u00a0 Data generated by the Libraries<\/h3>\n<p>When a patron uses resources such as Search Our Collections, a unique identifier is generated for use by that application which is used during that particular access session. Use of library-provided computers and equipment, for example in the GIS Lab or at library access stations, may also generate use logs.<\/p>\n<p>Security cameras are in place in certain locations within the libraries, including the 24&#215;7 spaces in Barker, Dewey and Hayden Libraries, and the Distinctive Collections Reading Room. These cameras are in place for the safety and security of library users, collections, and equipment. Security camera data is only viewable by MIT Police. It is kept as long as MIT Police determine it is needed and MIT Police make the decision if footage should be reviewed or shared.<\/p>\n<p>Gate counters are installed at each library entrance and 24&#215;7 entrance to count aggregate visits, and entry to 24&#215;7 spaces requires use of an MIT ID. Gate counters do not capture images of individuals but rather count the \u201cpeople-like shapes\u201d passing through. 
MIT Physical Security manages access to this data and provides the MIT Libraries with reports of total entries per day and time, on a monthly basis.<\/p>\n<h3 id=\"data-third-parties\">2.5\u00a0 Data collection by third parties<\/h3>\n<p>While accessing library services, you may end up leaving the websites maintained by the MIT Libraries and instead visiting sites maintained by third parties &#8211; for example, when you access subscribed journals or ebooks hosted on a publisher\u2019s website. Those websites may collect information about you, including through required or optional registration on their site, and will be governed by their own privacy policies. The MIT Libraries try to negotiate patron-friendly policies consistent with this privacy policy as part of their contracts with these third parties, so you may have privacy rights beyond those in their stated privacy policy. If you have questions or concerns about a particular vendor\u2019s privacy policy, you can contact us at \u200b<a href=\"mailto:library-privacy@mit.edu\">library-privacy@mit.edu<\/a>\u200b.<\/p>\n<p>Additional examples of third-party systems present in Libraries\u2019 services include:<\/p>\n<ul>\n<li>Loading commonly used web content (such as fonts, icons, or javascript libraries) from a \u200b<a href=\"https:\/\/en.wikipedia.org\/wiki\/Content_delivery_network\">content delivery network\u200b<\/a>.<\/li>\n<li>Submitting payment information to MIT\u2019s designated payment service.<\/li>\n<\/ul>\n<h3 id=\"data-public-computers\">2.6\u00a0 Public access computers<\/h3>\n<p>The Libraries have public access computers in Hayden, Barker, Dewey, Rotch, and Lewis Music libraries, as well as the Department of Distinctive Collections Reading Room. Some computers are \u200b<a href=\"https:\/\/ist.mit.edu\/athena-clusters\">Athena Clusters\u200b<\/a> maintained by MIT IS&amp;T, and require a Kerberos ID for access. 
Additional computers provide access for library patrons unaffiliated with MIT (Open Access computers) and at quick lookup kiosks; these computers do not require authentication, but have access to a limited subset of library electronic resources (based on our license agreements for that content). All of our public access computers delete user data daily, and data specific to your browsing session is deleted either when you close the internet browser (Open Access computers and quick lookup kiosks), or according to your account settings (when authentication is required).<\/p>\n<p>If you are particularly privacy-sensitive, using the public access computers can provide an additional layer of anonymity to your use. Browsing activity on personal devices can sometimes be linked to you, \u200b<a href=\"https:\/\/www.codyh.com\/writing\/tracking.html\">even when you haven\u2019t volunteered your personal information<\/a>\u200b. Using a public computer reduces that risk, and you can consider further anonymizing yourself by using privacy-protective \u200b<a href=\"https:\/\/ssd.eff.org\/\">tools and practices<\/a>\u200b.<\/p>\n<h2 id=\"MIT-access\">3\u00a0 Who at MIT has access to the data we collect<\/h2>\n<p>User data categorized as high risk is only accessible to staff who need access to the information in order to perform the function for which it was collected &#8211; for example, if you contact the libraries for research help, library staff will use the information you provide in order to answer your questions and provide you with library resources, but will not disclose your research questions to anyone else. 
This includes others at MIT &#8211; so, for example, we will not share research questions identifiable to you with faculty and staff elsewhere at the Institute without your prior consent.<\/p>\n<p>Data which is higher risk when directly associated with an individual user may become lower risk once de-identified (\u200b<a href=\"#de-identification\">Section 7.3 describes our de-identification practices\u200b<\/a>), and handled accordingly. For example, de-identified records of reference questions are retained for continued staff use (assessment of our services, identifying frequent questions in order to develop additional resources, staff training) and are then treated as medium risk data. Medium risk data may be accessible to all Libraries staff, or may be limited to specific individuals or groups as appropriate.<\/p>\n<p>Low risk data may be reasonably disclosed publicly by the Libraries. Low risk data includes information made public by the originator (for example submissions to an idea bank), and could also include aggregated, de-identified information, such as library statistics we report to the Institute. In general, even if the data is low risk, it will be de-identified before public release, unless you\u2019ve otherwise indicated that you are ok with public identification with the data. Low risk data may also be handled as if it were higher risk if stored alongside higher risk data.<\/p>\n<p>Some Libraries records are required to be maintained as a permanent record of the Institute for insurance and security purposes. These records are only accessible to staff who need access for a legitimate purpose, as authorized by the head of the Libraries unit responsible for those records or if \u200b<a href=\"#third-parties-government-requests\">required by law<\/a>. 
For example, access logs for the Distinctive Collections Reading Room are retained as permanent records in accordance with <a href=\"http:\/\/www.ala.org\/acrl\/standards\/security_theft\">ACRL\/RBMS guidelines\u200b<\/a> and accepted archival practice. The permanent records of many MIT departments, labs, and centers (including the Libraries) enter the MIT Institute Archives as historical records once they are no longer actively in use, and may include PII. Access to archival records is governed by the \u200b<a href=\"https:\/\/libraries.mit.edu\/distinctive-collections\/institute-records-access-statement\/\">Institute Records Access Policy<\/a>\u200b.<\/p>\n<h2 id=\"third-parties\">4\u00a0 Sharing data with third parties<\/h2>\n<p>MIT Libraries will share information with third-party vendors when vendors are used to provide you with library services. Some third-party vendors may be located outside of the United States. Information processed by third-party vendors on behalf of the Libraries will generally be governed by this Privacy Policy. Our library contracts generally require third-party services to maintain the same level of privacy and security over your information as the Libraries do.<\/p>\n<h3 id=\"third-parties-authentication\">4.1\u00a0 Authentication for your visit to a third-party site<\/h3>\n<p>For library services where you interact directly with a third-party platform requiring MIT authentication, MIT\u2019s authentication system will pass some information to the third-party vendor SSO in order to enable your access, as described in our <a href=\"\/about\/policies\/sso-attribute-release-policy\/\">Attribute Release Policy<\/a>. For third parties that have met the criteria for the \u200b<a href=\"https:\/\/www.incommon.org\/federation\/research-and-scholarship\/\">InCommon Federation\u2019s Research and Scholarship category<\/a>\u200b, the information released is described by their policies. 
For other parties, we release only those attributes that are needed for that service &#8211; typically fewer than those available via InCommon.<\/p>\n<h3 id=\"third-parties-government-requests\">4.2\u00a0 Government Requests for Library Records<\/h3>\n<p>Information about individual library patrons will not be made available to any agency of state, federal, or local government except pursuant to such process, order, or subpoena as may be authorized under the authority of, and pursuant to, federal, state, or local law relating to civil, criminal, or administrative discovery procedures or investigatory powers.<\/p>\n<p>In the case of court orders or subpoenas for information about an individual, that individual will ordinarily be notified of the request as soon as possible, unless a court order prohibits such notification, e.g., the USA Patriot Act. Information requested by subpoena or court order may only be released by an authorized officer of the Institute. For the Libraries, the Institute\u2019s authorized officer is the Director of Libraries.<\/p>\n<h3 id=\"third-parties-non-identifiable\">4.3\u00a0 Non-personally identifiable information<\/h3>\n<p><a href=\"#de-identification\">De-identified<\/a> data about the use of our collections may be shared externally. Such data generally describes the Libraries\u2019 overall activities. An example is the statistics that we provide to the annual survey of the <a href=\"https:\/\/www.arlstatistics.org\/about\">Association of Research Libraries<\/a>.<\/p>\n<p><span style=\"font-weight: 400;\">De-identified data about search terms entering our systems may be shared externally. This data may be used to understand search intent detection algorithms, including those using machine learning.<\/span><\/p>\n<h2 id=\"what-do-we-do\">5\u00a0 What we do with your data<\/h2>\n<p>The Libraries use the data which we have collected for a targeted set of purposes. 
Primarily, we use this information to provide the services which you request (such as looking up the list of materials you have currently checked out, or allowing you to renew those items).<\/p>\n<p>We also use the information we receive to improve our existing services (for example, to troubleshoot reported problems). We pursue these types of improvements using de-identified records wherever possible, although in some cases the work may involve access to records before that de-identification occurs.<\/p>\n<p>The Libraries do not sell the information that we have collected to any other organization.<\/p>\n<p><span style=\"font-weight: 400;\">De-identified data may be used to <\/span><span style=\"font-weight: 400;\">create training<\/span><span style=\"font-weight: 400;\"> sets for machine learning systems.<\/span><\/p>\n<h2 id=\"retention\">6\u00a0 Data Retention<\/h2>\n<p>The Libraries retain the data we receive according to a life cycle that is informed by the data\u2019s risk classification and the operational need for that data. This life cycle starts when the information is recorded and is then in active use as long as it is needed (some information, if in frequent or continuous use, may therefore remain active for long periods of time). Information is defined as in active use while it is still needed for the purpose it was provided for.<\/p>\n<p>Once the active need for the information has expired, we retain it for a specified period before it is deleted. 
These retention periods are informed by the risk category of the information, and the ultimate disposition of Institute records is governed by records retention policies at MIT in accordance with <a href=\"https:\/\/policies.mit.edu\/policies-procedures\/130-information-policies\/134-records-management-program\">MIT policy 13.4<\/a> and the <a href=\"https:\/\/libguides.mit.edu\/records-management\">records retention schedule of the MIT Libraries.<\/a><\/p>\n<p>Data classified as high risk is, unless otherwise described below, retained by the MIT Libraries for 30 days or fewer after active use. For example, we retain logs of application use in order to monitor our programs for problems and optimize their performance via a third-party vendor, and this data is purged in their system after two weeks. General collections circulation records (records of what you check out) are kept for seven days before being de-identified.<\/p>\n<p>Data which is considered high risk when associated with a personal identifier such as your name or email address may be retained for longer than 30 days after being disassociated from PII if there is an ongoing need for its retention (for example, records of reference questions received by the libraries may be de-identified and retained in order to assess the ongoing reference needs of the MIT community and for staff training purposes). If such data could, in theory, be re-identified with a particular individual, it may be reclassified as medium risk and treated accordingly. 
If such data would be impossible to re-identify (for example, aggregate use statistics of library resources), then it may be reclassified as low risk.<\/p>\n<p>Medium risk data is retained no longer than 5 years after active use.\u200b \u200bLow risk data may be retained indefinitely or discarded according to Institute retention schedules.<\/p>\n<h3 id=\"retention-exceptions\">6.1\u00a0 Exceptions<\/h3>\n<p>Exceptions to the above-stated retention periods may be warranted in specific cases. If you have questions about the retention period of specific types of data, please contact us at \u200b<a href=\"mailto:library-privacy@mit.edu\">library-privacy@mit.edu\u200b<\/a>.<\/p>\n<h4 id=\"retention-financial-records\">6.1.1\u00a0 Financial Records<\/h4>\n<p>Records which include financial information are retained, <span style=\"font-weight: 400;\">regardless of risk classification,<\/span> in accordance with <a href=\"https:\/\/vpf.mit.edu\/800-financial-record-retention-for-dlcs\">MIT VPF Policy<\/a>.<\/p>\n<h4 id=\"retention-distictive-collections\">6.1.2\u00a0 Distinctive Collections<\/h4>\n<p>Records of access to MIT Distinctive Collections and the Distinctive Collections Reading Room are maintained for security and insurance purposes, and may become permanent records <span style=\"font-weight: 400;\">according to the records retention and disposition schedule of the MIT Libraries<\/span><span style=\"font-weight: 400;\">.\u00a0\u00a0<\/span><\/p>\n<h2 id=\"integrity\">7\u00a0 Data Integrity &amp; Security<\/h2>\n<p>The Libraries protect the privacy of patron data through multiple avenues that are mutually reinforcing. First, we try to collect the most minimal set of information needed to provide the requested service. Second, we follow relevant security recommendations to ensure the security of the data that we do collect. 
Third, we discard your personal information as soon as possible and feasible.<\/p>\n<h3 id=\"integrity-minimal\">7.1\u00a0 Minimal Information<\/h3>\n<p>The services that you request can sometimes be provided with little or no information that can uniquely identify you. Many resources grant access solely because you are connected via the MIT network. The only information known about you from this access method is the MIT-based IP address of your device. IP addresses are sometimes traceable back to an individual user by MIT IS&amp;T, however that information is not transmitted to the Libraries or the third party website.<\/p>\n<p>Other Libraries-provided services may require you to log in via \u200b<a href=\"https:\/\/ist.mit.edu\/touchstone\">MIT\u2019s Touchstone service<\/a> rather than connecting you automatically or having you log in directly to the website itself. This results in the website knowing less about you than if you had created an account on your own. For more information about how this approach can protect your personal information, please visit \u201c\u200b<a href=\"https:\/\/www.shibboleth.net\/index\/basic\/\">How Shibboleth Works\u200b<\/a>.\u201d<\/p>\n<h4 id=\"integrity-minimal-equipment\">7.1.1\u00a0 Library equipment<\/h4>\n<p>Some records that reflect patron actions &#8211; such as event logs &#8211; get stored directly on the hardware that generates them. For example, the public-access computers in the libraries store their event logs locally. Following the path of minimal information, these records are discarded every time the computer reboots, and are not aggregated with any other data. 
Some Libraries\u2019 equipment, such as computers in the GIS lab, may store data for longer periods, but still within the scope of this Privacy Policy.<\/p>\n<h2 id=\"integrity-security\">7.2\u00a0 Security Recommendations<\/h2>\n<p>The Libraries follow current recommended practices to ensure the security and integrity of the data that we collect, including relevant encryption standards and prompt updates to address system vulnerabilities. The extent of these practices is informed by the risk classification applicable for each type of data.<\/p>\n<p>The Libraries also take care when selecting companies that provide the services which we use. When selecting vendors to contribute to our digital infrastructure, the Libraries require companies to comply with the same practices which we would follow when building a service locally.<\/p>\n<p>Additionally, we avoid combining patron data unnecessarily. There is no single system of record for data about library patrons. For example, records about which items a patron has checked out are never combined with information about the web searches that the patron conducts, and both are kept separate from the reference questions that a patron asks.<\/p>\n<h4 id=\"integrity-security-cloud\">7.2.1\u00a0 Using cloud services<\/h4>\n<p>We use cloud-based service providers, where appropriate, after vetting their storage procedures and security arrangements. For example, the Libraries chose Logz.io as a log analysis service after confirming that <a href=\"https:\/\/logz.io\/blog\/security\/\">patron data would not be accessible by Logz staff<\/a>.<\/p>\n<h3 id=\"de-identification\">7.3\u00a0 De-identification<\/h3>\n<p>When records need to be kept for reporting or analysis but no longer need to be identified with you, the Libraries take appropriate steps to remove that identification. The specific steps taken vary depending on how the records will be used as well as relevant best practices. 
These steps may include removal of values, the generation of aggregate summaries, or the deletion of the record. The timeframe over which this occurs is described in <a href=\"#retention\">section 6\u200b<\/a>.<\/p>\n<h2 id=\"cookies\">8\u00a0 Cookies<\/h2>\n<p>Some websites provided by the Libraries use \u200b<a href=\"https:\/\/www.cookiesandyou.com\/\">cookies<\/a>\u200b to assist with certain functions. This includes, at times, cookies set by third parties. These cookies are used in accordance with relevant laws, which includes providing the option to opt-out of their use. Users can also disable cookies via their web browser settings or plugins.<\/p>\n<h2 id=\"your-rights\">9\u00a0 Your rights with respect to your data<\/h2>\n<p>The MIT Libraries is committed to protecting your data, and providing you with transparent insight into how data about you is used and protected. To the extent we can, we minimize the data that is collected and stored about you, as described above. When we do store data about you, you have the right to:<\/p>\n<ol type=\"a\">\n<li>Access: you have the right to obtain a copy of data about you which we store<\/li>\n<li>Rectification: you have the right to correct inaccurate information or complete incomplete information<\/li>\n<li>Erasure: you have the right to have your personal data deleted upon request (unless certain circumstances apply)<\/li>\n<li>Restriction or objection to processing: you can request that we limit the processing of your personal information, or cease processing your personal information (under certain conditions)<\/li>\n<li>Data portability: you can request that we transfer data collected to another or directly to you.<\/li>\n<\/ol>\n<p>If you would like to exercise these rights, you can contact us at <a href=\"mailto:library-privacy@mit.edu\">library-privacy@mit.edu<\/a>\u00a0and we will facilitate your request to the best of our ability. 
\u200b<a href=\"#integrity-security\">As described in this policy\u200b<\/a>, we don\u2019t retain your information in a centralized system, so information requests may be handled on a system-by-system basis. To the extent possible, we will provide data about you securely and in a common file format, and if you request data erasure or rectification, we will, to the extent possible, also notify any other recipients of the data of such changes. To protect the personal information we hold, we may also request further information to verify your identity when exercising these rights. Some requests may be covered not by the MIT Libraries privacy policy, but by <a href=\"https:\/\/www.mit.edu\/privacy\/\">MIT data protection<\/a> or a vendor\u2019s system. We will do our best to facilitate and direct your request appropriately.<\/p>\n<p>Upon a request to erase information, we will maintain a core set of personal data to ensure we do not contact you inadvertently in the future. We may also need to retain some financial information for legal purposes, including US IRS compliance. In the event of an actual or threatened legal claim, we may retain your information for purposes of establishing, defending against, or exercising our rights with respect to such claim. De-identified data may also be retained, as described in this policy.<\/p>\n<p>You can also contact MIT data protection by emailing \u200b<a href=\"mailto:dataprotection@mit.edu\">dataprotection@mit.edu\u200b<\/a>.<\/p>\n<h2 id=\"accountability\">10\u00a0 Accountability<\/h2>\n<p>The MIT Libraries will review and make any necessary updates to this policy and its implementation annually, or as necessary for changes in law or MIT policy. The policy is also subject to review by the MIT Audit Division. 
If a data breach is known or suspected, the Libraries will work with MIT\u2019s <a href=\"https:\/\/infoprotect.mit.edu\/\">Infoprotect<\/a> personnel through their policies and procedures.<\/p>\n<p>To maintain our compliance with this policy, the MIT Libraries maintains an inventory of systems that contain information about patrons in order to keep track of what information is stored. As described in <a href=\"#data-collection\">Section 2<\/a>, each system is classified as containing high, medium, or low risk data, and each risk category has an applicable checklist describing the activities required to be compliant with the Infoprotect guidelines. Each system has a designated technical owner who is responsible for ongoing application of best practices and compliance. The data inventory will be updated as necessary and at least annually. Additionally, the Libraries will periodically review systems and practices for privacy concerns and address new threats, controls, and expectations. Libraries staff who have frequent contact with patron data also receive privacy training, and are responsible for maintaining personal practices in compliance with this policy.<\/p>\n<p>Any significant changes to this policy will be accompanied by a prominent notice on the Libraries websites. If you would like to receive an email notification of policy changes or if you have any questions, concerns, or comments about your privacy through the MIT Libraries, you can email <a href=\"mailto:library-privacy@mit.edu\">library-privacy@mit.edu<\/a>. 
This policy shall apply from the date of approval and forward, although measures protective of your privacy may be applied retroactively to data currently in our systems upon approval.<\/p>\n<h2 id=\"appendix-a\">Appendix A: Personally Identifiable Information Definition and Examples<\/h2>\n<p>We have adopted the definition of \u201cPersonal Data\u201d from the <a href=\"https:\/\/gdpr-info.eu\/art-4-gdpr\/\">General Data Protection Regulation (GDPR)<\/a> as the basis of the Personally Identifiable Information (PII) we collect at the Libraries. That definition is \u201cany information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.\u201d<\/p>\n<p>Modern data capabilities make it surprisingly &#8211; disturbingly &#8211; easy to identify someone from minimal information and link that information to a preexisting profile. Because of that, we consider a broad range of information as potentially identifying.<\/p>\n<p>Examples of PII (not all of which is collected or accessible to the Libraries) which could individually or in conjunction identify you include the following: names, student or employee ID numbers, email addresses, physical addresses (local and permanent), telephone numbers, dates of birth, social security numbers, race, gender, prefix or title, sexual orientation, accessibility status, names of family members or relatives, emergency contacts, driver\u2019s license numbers, credit card numbers, bank account numbers, passport numbers, citizenship status, income, financial information (e.g. fines, tuition, financial aid), transaction logs, content of transactions (e.g. 
emails), student coursework (anything prepared by a student for a class), library circulation records, log entries generated by a single user, or IP addresses. These categories are frequently PII; however, the scope of PII covered by this policy also includes any other information that could potentially be linked back to you.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The MIT Libraries is committed to protecting your privacy and confidentiality when you visit or use services we provide. This privacy policy details how MIT Libraries handles the personally identifiable information (PII) of MIT students, faculty, staff, and other patrons of the MIT Libraries. MIT Libraries Patron Data Privacy Policy Last updated: January 2025 Table of Contents 1.\u00a0 Introduction 2.\u00a0 Data collection 3.\u00a0 Who at MIT has access to the data we collect 4.\u00a0 Sharing data with third parties 5.\u00a0 What we do with your data 6.\u00a0 Data Retention 7.\u00a0 Data Integrity &amp; Security 8.\u00a0 Cookies 9. 
\u00a0Your rights with [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":14,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"templates\/page.php","meta":{"footnotes":""},"class_list":["post-106","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/pages\/106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/comments?post=106"}],"version-history":[{"count":13,"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/pages\/106\/revisions"}],"predecessor-version":[{"id":1702,"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/pages\/106\/revisions\/1702"}],"up":[{"embeddable":true,"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/pages\/14"}],"wp:attachment":[{"href":"https:\/\/libraries.mit.edu\/about\/wp-json\/wp\/v2\/media?parent=106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}