As a reader at the University of Namur Libraries, you share a certain amount of data.

Context

To manage access to the libraries and their resources, the University of Namur processes personal data and uses an integrated library management system (SIGB) shared with UCLouvain and the Université Saint-Louis Bruxelles (USL-B), which have now merged.

Persons concerned by this information

The persons whose data are processed in their capacity as readers within the libraries of the Bibliothèque Universitaire Moretus Plantin (BUMP) and the Faculty of Law of the University of Namur (the "Libraries") fall into the following categories:

  • Students registered at the University of Namur
  • Staff members of the University of Namur
  • Readers of the libraries of UCLouvain and USL-B
  • Other persons requesting registration and access card (annual or for a limited period) to the Libraries or their resources (interlibrary loans)

Uses of reader data

The creation of a University of Namur Libraries reader profile and generation of the access card

Purposes and categories of data processed. The University of Namur uses the following categories of data to create a Libraries reader profile, which gives the right to access the Libraries' premises and to borrow works under the conditions defined in its regulations:

  • General identification data (surname, first and middle names, photograph, contact details ...)
  • Identifiers assigned by the University of Namur (eID, student registration number ...)
  • Personal characteristic data (gender, date of birth ...)
  • Reader category (external, student, staff member)
  • Entity affiliation or group membership data entitling to special access conditions (e.g. student from another higher education institution...)
  • Professional data (entity University of Namur and categories of staff members (department, faculty, services - for staff members ...))
  • Academic data (reference to BAC/Orientation registration for students)
  • Data associated with the reader's card (card number, card type, start and end date of validity, QR code...)
  • Reader status data (active, deactivated, blocked ...)
  • Electronic identification data

This data is used for:

  • The creation and management of Library reader accounts
  • The creation and management of:
    • Library access cards
    • Access to various ancillary services (photocopying, printing, document scanning) and the management of related payments
  • Management of access to resources available online
  • Management of access to computer resources available in the Libraries

Legal basis for processing. The University of Namur is entrusted with missions of public interest in teaching, research and services to the community. For the purposes of carrying out these missions, the University of Namur processes the data of members of all staff and students, as well as external persons who request it to open access to Library services (Article 6, (1), e) of the RGPD).

Persons with access to this data. The data is only accessible to IT staff and Library staff for issuing and creating access and cards. Some data is integrated into the SIGB as explained under point 2.

Duration of retention and deletion. Data is retained for as long as the reader is considered active and is deleted no later than 12 months after the end of reader activity.

Library access management at the Université de Namur, UCLouvain and USL-B

The Université de Namur, the Université Catholique de Louvain and the Université Saint-Louis Bruxelles collaborate to offer library users of the three institutions access to library premises and to the consultation and/or loan of works in their libraries.

For the technical management of resource user identification, the three institutions use a common integrated library management system (SIGB). Readers' data from the three universities is stored in this SIGB. Each of the Universities can access and use this data when a reader from one of the other two Universities requests an access card or a loan.

The operational use of the data is, however, the responsibility of each University itself (definition of reader status and granting of this status, encoding of loans and returns, definition of loan rules, procedures for notifying loan deadlines, management of non-return of works and imposition of overdue fines).

Purposes and categories of data processed. The three institutions jointly manage the SIGB in its technical aspects, in particular with regard to the connection and security system.

The primary purpose of the system is the creation and management of reader accounts valid in all three institutions.

Each of the universities uses the data contained in the SIGB under its own responsibility and according to its own operational rules for:

  • Managing the loans and returns of books from the three Universities
  • Managing overdue fines

The operation of the SIGB by the Universities covers:

1. The creation of a reader account. This involves importing the following reader data from the University's internal application into the SIGB:

  • General identification data (first and last name, contact details ...)
  • Identifier granted by the University
  • Personal characteristic data (gender, date of birth ...)
  • Data associated with the reader card (card number, expiry date)
  • Reader category (external, student, staff member)
  • Reader status
  • Data relating to the reader card (card number, card expiry date)

This data can be consulted by library staff at all three institutions to manage access to their library resources.

The deactivation or blocking of a reader's access implies the suspension of all library service in the three linked Universities.

Associated with this data is the borrowing data. The system processes the following data:

  • Copy record of borrowed work
  • Borrowing start date
  • Return date
  • Late delta
  • Fine amount
  • Fine amount paid
  • The date of payment

This data can be encoded and consulted by library staff at the three institutions to manage the borrowing and return of works.

Some of the data in the reader account can also be accessed online by the reader via personal identification codes.

The account contains the following reader identification data:

  • First and last name
  • Gender
  • Date of birth
  • Main e-mail address
  • Legal address (except for staff members: address of the University which is their employer)
  • Card number
  • Card expiry date
  • Identifier assigned by the University
  • Category (external, student, staff member)

The following borrowing data ("borrowing history"):

  • The record of the copy of the book borrowed
  • The record of the copy of the book reserved
  • The start date of the loan
  • The return date
  • The amount of the unpaid fine (calculated by the system)
  • The expected return date

2. The creation of a loan history. A process is set up automatically to create a borrowing history that does not include the reader data associated with borrowings. This borrowing history is updated daily and kept indefinitely, regardless of whether or not a borrowing history linked to a reader account is kept. This anonymized data can be used by the universities to manage borrowing (as a basis for adapting the content of the copy offer).

3. The management of security and connections to the SIGB and readers' accounts by the latter. Web connection to the SIGB is made via each University's authentication system, using the connection codes granted to the reader by the University.

The SIGB is hosted on European territory by UCLouvain, which ensures its security.

In this context, electronic identification data is kept for the purposes of managing secure access to data.

Legal basis for processing. Higher Education Establishments are invested with a mission of public interest to support teaching, research and services to the community (Article 6, (1), e of the RGPD). It is in this context and for the purposes of carrying out this mission that a library service is offered.

The following activities are carried out for the purposes of these missions:

  • The processing activity linked to the creation of reader profiles and reader accounts (creation and management of a SIGB)
  • The data processing activity linked to the management of loans (restitution and imposition of fines) under the operational responsibility of each of the Universities

Persons with access to the data. Data are processed internally by library staff and university IT departments.

Retention and deletion periods. Minimum retention periods are defined according to the following criteria:

  • Personal data is kept as long as the reader has an active card in at least one of the Universities
  • By default, the borrowing history is kept for 1 year from the borrowing date. The reader can, however, activate the deletion of the history at any time via his/her account
  • Borrowing data is retained until the borrowing is closed by the return of a work and payment of the fine(s) recorded in the event of late return
  • A SIGB cleanup with data deletion is implemented at least once a year, and all reader data is deleted from the database:
    • For which there is no longer an active access card and for which there is no unclosed loan
    • For which there is no longer an active card and for which there has been an unclosed loan for more than 5 years at the date when the cleaning is carried out
  • The access logs to the SIGB are kept for one year

Managing compliance with library regulations

Purposes and categories of data. Access to the premises and use of the associated resources are subject to compliance with library regulations.

The University of Namur may process reader data in order to apply and enforce the sanctions provided for by these regulations in the event of failure to comply with them.

The categories of data processed in this context are as follows:

  • Personal identification data (surname, first name)
  • Detailed information on the violation observed (nature of the facts, date ...)
  • Date and author of the comment reporting the incident
  • Data relating to the sanction
  • Reader status (blocked or disabled)

Legal basis for processing. The University of Namur is entrusted with public interest missions in teaching, research and community services. For the purposes of carrying out these missions, the University of Namur processes readers' data to manage compliance with the Library Regulations, which govern the conditions of access to and use of Library services (Article 6, (1), e) of the RGPD).

Persons with access to data. Data can be accessed by members of staff of the University of Namur Libraries. When the reader is a student of the University of Namur, library regulations provide that behavior contravening these regulations may be referred to the Disciplinary Committee for possible sanction.

Storage and deletion period. Data are kept for one year after encoding and are automatically deleted on expiry of this period.

Managing the use of Library IT resources

Purposes and data categories. Access to resources, where applicable online, may involve the processing of readers' data when they use connections to the University's internet network as well as IT equipment made available to Library readers. In particular, access to third-party resources (documentation databases) may be subject to the use of the University of Namur's internet network or a proxy server, which may involve the processing of data by the University of Namur in the process of accessing these services.

The University of Namur processes data to enable access to these resources and for the purposes of verifying the conditions of use of the resources, technical intervention, as well as to ensure compliance with the Deontological principles relating to the use of IT tools at the University of Namur.

The categories of data processed within the framework are:

  • Personal identification data (Last name, first name)
  • Identifiers assigned by the University of Namur (eId)
  • Access granted (Date of access and revocation, resources concerned ...)
  • Connection data (Logs ...)
  • Authentication data (Log in, passwords, password modification date, token, ...)
  • IP addresses
  • IT incident data (Data relating to incidents linked to the use of these resources)

It should be noted that where the reader connects to third-party services (documentary resource databases) for which the University of Namur has obtained a license of use for the benefit of its readers, the operators of these databases process the data of users of their services under their own responsibility and according to their own personal data processing policies.

Legal basis for processing. The University of Namur has a legitimate interest in being able to manage access to its IT resources and equipment and in being able to ensure the security of the data that results from the application of the principles of security and responsibility provided for by the RGPD (Article 6, (1), f of the RGPD).

Persons with access to the data. Data can be accessed by members of the support teams (BUMP IT cell and Service Informatique Universitaire).

Storage periods. Storage periods are a function of organizational considerations (for managing access rights according to reader status (staff member, student, external)), security (incident detection and remediation) and legal (period during which the University of Namur may be held accountable for data access).

Access control and attendance

Purposes and categories of data. The University of Namur controls users' access to Library premises in order to manage access to Library premises and resources, on the one hand, and to ensure the safety of goods, people and premises, on the other. The Université de Namur also uses access data to communicate, after anonymization, attendance indicators for its premises to Affluences (www.affluences.com).

The categories of data processed within the framework are:

  • Card identifier
  • Date and time of entry and exit
  • Location (library concerned)
  • Gantry used and type of gantry.

Legal basis for processing. The University of Namur has a legitimate interest in being able to manage access to its premises and Library resources and to work towards the safety of persons, property and premises (Article 6, (1), f of the RGPD).

Persons having access to the data. Data can be accessed by members of the support teams (BUMP IT cell). The data may also be communicated to University of Namur security managers or members of the security service, to responders (police, judicial authorities, ...) in the event of an incident impacting personal safety (identification of persons remaining in the building, in the event of a fire for example) or in the event of an offence.

Storage period. Data are rendered anonymous 31 days after collection (deletion of the link to the person, but retention of the group, course and entity).

Statistics

Purposes and categories of data. The University of Namur produces statistics relating to the use made of its infrastructures and resources. The aim of these statistics is to be able to identify improvements that can be made in terms of service provision in all its aspects (accessibility of resources and premises, number of copies of works, ...) as well as to assess needs in terms of resource allocation (personnel, investment, ...).

The categories of data processed within this framework are all those processed by the University of Namur. However, two data anonymization processes are implemented on a perennial basis: data relating to borrowings (borrowing history) and access logs to premises.

Legal basis for processing. The University of Namur has, as part of the exercise of its missions, an obligation to implement a quality approach (Article 6, (1), e of the RGPD). It is in this context that the analysis of data to acquire a better knowledge of the activity and needs related to the infrastructures of its libraries is included.

In some cases, the production of statistics is part of a cooperation between higher education establishments within the Commission des Bibliothèques et Services académiques collectifs de l'ARES (Académie de Recherche et d'Enseignement Supérieur) and within the Bibliothèque Interuniversitaire de la Communauté française de Belgique under the aegis of the Conseil des Recteurs des universités francophones de Belgique (CRef).

The processing of data for statistical purposes is based on a legitimate interest of the University of Namur to be able to fulfill its commitments to these bodies and, where applicable, to enable the implementation of inter-university missions and work related to the provision of library services in higher education institutions (Article 6, (1), f of the RGPD).

Persons with access to the data. For the purposes of the anonymization process, the data is processed by the BUMP statistics manager.

The point of contact for the exercise of users' rights is the University that issued them the access card or opened a right of access to the documentary resources of other universities.

The management of disputes, complaints and debt recovery

Purposes and categories of data. In the event of disputes, complaints or unpaid sums, the University of Namur may process readers' data for the management of its litigation and the recovery of its debts.

The categories of data processed are potentially all of the above-mentioned categories of data, depending on the nature of the dispute, complaint or the need to establish the identity of the debtor and the components of its debt.

Legal basis for processing. The University of Namur has a legitimate interest in being able to manage its litigation and, where applicable, assert rights in a pre-litigation or litigation framework (Article 6, (1), f of the RGPD).

Persons with access to data. Depending on the case, data may be communicated to Library managers, the financial department, external collection consultants or services, and more generally to third parties involved in legal or administrative proceedings in the event of a dispute (damage, theft, failure to return works, ...).

Duration of retention. Data is retained until the end of the proceedings or the dispute is closed. Insofar as the dispute involves accounting operations, this data is kept for the legal retention period.

Reader account and access to document data

Readers who have an active reader account can log in to it and access their descriptive data and document resource usage data via the Université de Namur Catalog tool.

Contact point for libraries

The contact point for readers with regard to their rights under the RGPD or for any other questions relating to data processing is the University that issued the reader's card.

As regards the University of Namur:

For the BUMP: direction.bump@unamur.be

For the Faculty of Law library: virginie.marot@unamur.be

Data Protection Officer of the University of Namur: dpo@unamur.be