Skip to main content

Privacy Notice: Library and Collections


Durham University’s department of Library and Collections provides a range of services to support teaching and research by members of the university, and by local, national and international learners and researchers. These services include:

  • access to digital, printed, archive, museum and art collections
  • access to online resources
  • engagement with the collections for members of the public.

In order to provide our services and to manage the collections in our care, Library and Collections processes personal data. Please read the privacy information below – Part 1 comprises Durham University’s Generic Privacy Notice and Part 2 comprises privacy information specific to the activities of Library and Collections.

You can also view the University's privacy notices for various categories of data subject in the Information Governance section of the website.

Part 1: Generic privacy notice

Durham University has a responsibility under data protection legislation to provide individuals with information about how we process their personal data. We do this in a number of ways, one of which is the publication of privacy notices. Organisations variously call them a privacy statement, a fair processing notice or a privacy policy.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

  • Why we collect your data
  • How it will be used
  • Who it will be shared with

We will also explain what rights you have to control how we use your information and how to inform us about your wishes. Durham University will make the Privacy Notice available via the website and at the point we request personal data.

Our privacy notices comprise two parts – a generic part (ie common to all of our privacy notices) and a part tailored to the specific processing activity being undertaken.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact Information Governance Unit:

Telephone: (0191 33) 46246 or 46103


Information Governance Unit also coordinate response to individuals asserting their rights under the legislation. Please contact the Unit in the first instance.

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:

Kristina Holt

Head of Information Governance and University Data Protection Officer


Your rights in relation to your personal data

Privacy notices and/or consent

You have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.

Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.

Accessing your personal data

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s Subject Access Requests webpage.

Right to rectification

If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data.

Once we have determined what we are going to do, we will contact you to let you know.

Right to erasure

You can ask us to erase your personal data in any of the following circumstances:

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • The personal data have to be erased for compliance with a legal obligation
  • The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites).

Once we have determined whether we will erase the personal data, we will contact you to let you know.

Right to restriction of processing

You can ask us to restrict the processing of your personal data in the following circumstances:

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.


The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.

Making a complaint

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: Information Commissioner’s Office

Part 2: Privacy notice for Library and Collections

This section of the Privacy Notice provides you with the privacy information that you need to know before you provide personal data to Library and Heritage Collections for the particular purpose(s) stated below.

Whom we collect personal data from

We collect personal data from the following groups of users and stakeholders:

  • Students of Durham University using library services and our collections or collections in our care
  • Staff of Durham University
  • Visitors to our attractions (Castle Tours, exhibitions and other cultural events)
  • Visitors using library services and our collections or collections in our care
  • Donors and owners of material on loan to us
  • Volunteers working on our collections and student/work experience placements.

The range of services and collections which we manage means that we process personal data for many different purposes as outlined below, but we do not collect or retain more data than we need. Please get in touch using the details at the end of this Privacy Notice if you would like more information about the personal data that we may hold about you.

Types of personal data collected and held by Library and Heritage Collections, method of collection and lawful basis for processing

We may hold personal data from you to provide the following services in connection with the university’s public task as laid down by law (the advancement of learning). In each case, we hold only as much data as is required to provide the service.

  • Borrowing rights for library users: we hold data supplied by you when registering as a visitor or from the university’s staff/student database, within our library management system, to manage loans, reservations, holds, fines and borrowing status. This is your library patron record and is also linked to your borrowing history, payment record (for fines and service charges), hold (reservation) requests and your own saved searches.
  • Access to our buildings and collections: we hold data collected at turnstiles (at Bill Bryson Library) or when you register to work with our research collections (at Palace Green Library, Oriental Museum, Ushaw College Library, 5 The College or the Museum of Archaeology), to maintain the security of our users and of the collections in our care. See also separate privacy notice for CCTV.
  • Access to our exhibitions and other visitor attractions and events: we hold data from you when you buy tickets or register for events, to manage access to the events.
  • Teaching and teaching support: names, emails and some photographs of staff and students in connection with delivery of teaching and processing of reading lists.
  • Other library services (Document Delivery Service, Open Access repository, Gold Open Access administration, management of Copyright licences, Study Room bookings, access to online resources, reprographics services, permissions to publish and enquiries and support services): data supplied by you or derived from your library patron record is used to manage these services. Some of this data is held to fulfil our contractual obligations to you, as well as for our public task.
  • Acquisition and management of collections: data is collected and retained in the course of acquiring, receiving on a temporary basis, lending out, cataloguing, disposal or withdrawal of our collections. This data is supplied by owners and former owners, by institutions to whom we loan books, archives and museum objects, from staff, students and volunteers cataloguing our collections or derived from information in the public domain and is retained in line with professional collections management standards.
  • Curating of exhibitions: data is collected from our stakeholders and lenders, in order to manage loans in and events related to each specific exhibition, to support touring exhibitions or for submissions to the Government Indemnity Scheme.
  • Family activities, schools learning events and other cultural engagement activities: data is collected from participants in our family and learning activities and from members of Durham Archaeology Explorers and World Heritage Site Youth Ambassadors, in order to run the events and to safeguard all who attend.
  • Feedback from users of our services and collections. We invite feedback or suggestions at most of our sites and events. If you wish, you can give us your name and contact details so that we can respond to your comments.
  • Photographs are taken at events for use in marketing and promotional material, subject to the consent of those present. Where appropriate, and for all events involving children, explicit consent will be obtained before any photograph is used. You may ask us to remove a photograph from our website at any stage if it features yourself.
  • Contact details for volunteers are collected and retained so that we can support voluntary work by staff, students and members of the public, for personal learning and satisfaction, to add value to our catalogues and exhibitions and to teach skills to those hoping to enter our professions or on allied courses of learning.
  • Some staff personal data is held within our disaster plans and shared with staff with ‘callout’ duties or on disaster recovery teams, to enable us to safeguard the collections in our care in the event of fire or other emergency.

We also hold contact details supplied by yourself, if you have opted in to receiving information in relation to the buildings, collections, exhibitions, family activities and other events. This data is held on the basis of your explicit and specific consent (for all data used in electronic marketing), or on the basis of our public task in publicising our collections, exhibitions and events (for data used only for postal marketing). If you are receiving this information, you may opt out at any stage by contacting us at

We hold data from across the university and other sources, that has been selected for permanent preservation for archiving purposes in the public interest, in line with our Collections Development Policy. The scope of our archives is summarised on our website. Many of the archives may include personal data which is retained and (where appropriate) made available for research, in line with the safeguards set out within s.19 of the Data Protection Act 2018. Object history files for our museum collections are retained on the same basis and subject to the same safeguards.

Data from membership forms for the Friends of the Oriental Museum (FotOM) or the Friends of Palace Green Library (FoPGL) is passed on to those groups or (for FoPGL) to Durham University’s Development and Alumni Relations Office (DARO), for membership and fundraising purposes. Personal contact details for invitees to the Luce Committee lecture and lunch are retained securely by the secretary to the Luce Fund Committee.

Donor names are sometimes advertised within our building or as part of our exhibitions, where this has been agreed as part of the donation or fundraising. Former owners of our collections (with vital dates and places of residence) are recorded within our public catalogues and on object labels to support learning and research.

How personal data is stored by Library and Heritage Collections

Any personal data in electronic format will be held on secure systems using university servers in line with Durham University policy and guidance. Where appropriate, additional password protection is used for files containing more extensive or sensitive data, to ensure that it is restricted to specific members of staff. No personal data will be held on unencrypted portable devices or USB sticks. Personal data in paper form is held within secure staff-only areas, and any data held for more than a few days is kept in locked cupboards or offices.

How personal data is processed by Library and Heritage Collections

We process the personal data listed above only in ways that are compatible with the purposes outlined, in line with Durham University’s Data Protection Policy.

Who Library and Heritage Collections shares personal data with

We collect or process personal data on behalf of the following organisations, in connection with the services noted:

  • Durham Cathedral, for providing research access to and reproductions from archive and manuscript collections owned by the cathedral but in our custody;
  • Friends of the Oriental Museum, for passing on membership application forms (from which no personal data is retained by us);
  • Study Group, for providing library borrowing services to International Study Centre staff and students at Queen's Campus.

We also share the following personal data with the following organisations for the purposes stated:

  • Library patron records (see above) are shared with Durham Cathedral, St John’s College and St Chad’s College, to provide a unified service to members of the university and other registered users of the libraries concerned.
  • Researcher data is shared with UK Research and Innovation (UKRI) in connection with payments for Gold Open Access publishing.
  • Names are shared with other libraries when providing the Inter-Library Loan service (ILL), and emails with the British Library for their Secure Electronic Delivery service in connection with ILL requests.
  • With your consent, your name, barcode, borrowing status and expiry date are shared with any other college and university libraries which you choose to use under the SCONUL Access scheme.
  • With consent of parents or guardians, names and dates of birth of participants in Arts Award are shared with Trinity College London in order to administer the scheme.
  • Our partnership projects may require limited personal data to be shared, as outlined in separate privacy notices for those projects.
  • Data for lenders of objects for exhibitions may be shared with Arts Council England as part of applications to the Government Indemnity Scheme (an alternative to commercial insurance for museum objects).
  • Researcher names and contact details may be shared with owners of a relevant collection, where explicit consent is given by you or in order to provide a service (for instance, where collections cannot be copied or photographed without owner consent, or to request access to material that is otherwise subject to an embargo).

Suppliers of our library systems (Innovative and Ex Libris) have access to our servers to provide system support, subject to strict contractual safeguards to ensure the safe and confidential processing of personal data at all times.

Personal data is never sold on to third parties.

How long personal data is held by Library and Heritage Collections

Personal data is only held as long as required to support the services outlined above, except as outlined below. Please get in touch if you would like to enquire about our retention policy for any of the personal data which we hold about you.

  • Personal data related to the acquisition, disposal/withdrawal or loans of our archive or museum collections is retained indefinitely. Limited data relating to research or documentation of collections may also be held indefinitely (including names of former owners), where this is required for understanding the history of an object or collection.
  • Limited personal data related to the movement and production of our archive and museum collections may be retained indefinitely for archiving and research purposes, or for extended periods for security purposes.
  • Data collected for contractual, copyright or financial purposes may be retained for 7 years.
  • Borrowing data, and data on entry to the Bill Bryson Library, is retained long-term for statistical reporting, trend analysis and planning purposes.

Software limitations mean that some payment history and hold requests for existing library patrons cannot currently be deleted from our library management system. We have received assurances from our suppliers that issues within their system are being addressed, and meanwhile this data is held securely without further use by Library and Heritage Collections.

How to object to Library and Heritage Collections processing your personal data

If you have any concerns about what personal data we are holding from you or how we are processing it, or would like to object to specific processing or to ask us to restrict our processing, please contact the Director of Library Services and University Librarian by emailing

Visitors to our websites/webpages

When someone visits or our other websites, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be transparent about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Use of cookies by Library and Heritage Collections

A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices and selections, such as what's in your shopping basket. Durham University also makes use of the Google Analytics service to understand how you navigate around our site.

Durham University does not use cookies to collect personal information about you.

For more information about the use of cookies on Library and Heritage Collections websites, see our Library Cookies Page. For more information about the use of cookies on Durham University's website, or to set your cookie usage preference, please see our Cookies Policy.

Use of personal data by publishers and other content providers

Library services such as the catalogue, Discover, and ConneXions provide links to published content from a number of third-party providers. To access commercial content it is necessary to enter your University username and password when off campus (and also on campus for a small number of services). Durham University does not share any personal data with third-party providers as a result of authenticating in this way, other than the information that you are a member of Durham University. A unique identifier is transmitted to the content provider, which can be used to detect returning users, but the provider does not have the means to trace this identifier back to you as an individual. Some providers may encourage or require you to supply them with additional personal data and you should acquaint yourself with the providers’ privacy statements if you wish to know what use is made of your data.

Changes to this privacy notice

We will review this privacy notice annually. It was last updated on 27 March 2019.

Further information

If you have any questions which you feel have not been covered by this Privacy Notice, please do not hesitate to email us or write to:

Director of Library Services and University Librarian
Durham University
Bill Bryson Library
Stockton Road