Access to Information and Protection of Privacy
Please use the Access/Correction Request form to make an information request of the library.
KFPL Statement of Policy
Access to Information and Protection of Privacy
1. Purpose
The purpose of this policy is to ensure that the Kingston Frontenac Public Library (the Library) complies with the Municipal Freedom of Information and Protection of Privacy Act, R.S.O., c. M.56. (MFIPPA) and Canada Anti-Spam Legislation S.C. 2010, c. 23 (CASL) by protecting an individual’s personal information and privacy in their transactions with the Library.
2. Scope
This policy applies to all personal information about individuals that is collected or received by the Library (including Board members, Employees, and volunteers) during the provision of public library service, including the administration, development, promotion and evaluation of library services, resources, programs, and spaces.
3. Definitions
The following definitions from MFIPPA and CASL are used in this policy.
- Personal information means identifiable information about an individual such as name, phone, address, email, date of birth, etc. and any correspondence between the individual and the organization which may or may not be confidential in nature. Exceptions and additional terms are defined in the legislation.
- Record means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise.
- Spam means an electronic message sent without explicit or implied consent of the recipient.
4. Guiding Principles
The Library is committed to protecting the personal privacy of all Library users and will:
- comply with the principles and intent of MFIPPA, CASL, and other applicable legislation,
- limit the collection of personal information to what is necessary for the administration, provision, and promotion of Library services,
- treat information about an individual’s personal use of the Library’s collections, programs, services, or spaces as confidential, limiting access to employees who require it to perform their assigned duties,
- provide Library users with access to their own personal information to provide or decline consent, maintain accuracy, request clarification or challenge practices,
- state the purpose for collection of personal information and obtain consent for its use, except for consent implied by obtaining a library card,
- maintain a personal information bank index as set forth in MFIPPA.
5. Policy
5.1. Collection, Use and Retention of Information
Personal information about individuals will only be collected by the Library in accordance with MFIPPA, and will not be shared, used, retained, or disclosed for purposes other than for which it was collected, except with the consent of the individual or as required by law.
Personal information that is collected will be limited to what is necessary for the proper administration of the library, and the provision and promotion of services and programs.
- Obtaining a library card, attending a registered library program, or booking a library service or resource implies the individual’s consent to authorize the Library to collect and access personal information, including borrowing and transaction history, for the purpose of conducting Library business.
- Personal information related to items borrowed or requested by an individual, or pertaining to an individual’s on-line activity, will not be retained longer than is necessary for the provision of library services and programs.
- Voluntary registration for personalized services (e.g., borrowing history, Extension Services) implies the individual’s consent to authorize the Library to retain personal information about items borrowed or requested beyond the regular retention period.
The Library will provide the following information to the individual when personal information is being collected on behalf of the Library:
- legal authority
- principle purpose or purposes for use
- title, business address and telephone number of an official from the Library who can answer questions.
Personal information may only be obtained from the individual to whom the record relates, as required in MFIPPA, unless the individual authorizes another manner of collection. A parent or guardian may supply information about a child under 16 years of age, in their custody.
Personal records of individuals who have not used their cards in the previous three (3) years and do not have a balance owing are purged on an annual basis.
5.2. Disclosure of Information
The Library will not disclose personal information under its custody or control, related to an individual to any third party without obtaining consent to do so, subject to certain exemptions as provided in MFIPPA.
Situations where the Library will disclose this information include the following:
- The Library will disclose personal information to a parent or guardian of a child, under 16 years of age, whose names are recorded on the child’s patron record.
- The Library will disclose relevant personal information about an individual registered for Extension Services, to an authorized support person/family member, or staff of long-term care facilities, for the purposes of service delivery, authorized by the individual.
- The Library will disclose personal information concerning an individual to a third party who has been assigned supplementary card privileges (e.g., pick up of reserved materials) provided that the individual and the third party have indicated their agreement and the agreement has been recorded in the patron record. Use of the card does not allow access to other services and programs or access to information in the individual’s record.
- The Library may release relevant personal information to a company acting on its behalf for the collection of Library property or unpaid fines or fees.
- The Library will release information as required under the authority of the Child, Youth and Family Services Act, 2017, S.O. 2017, c. 14, Sched. 1.
- The Library requires any contracted service provider that may have access to personal information (e.g., integrated library system provider) to sign a confidentiality agreement.
5.3. Electronic Communication
The Library will ensure that all electronic messages clearly identify the subject of communication, the Library’s email address and contact information, and identify Kingston Frontenac Public Library as the sender.
Obtaining a library card implies the individual’s consent to authorize the Library to send electronic notifications regarding personal borrowing, transaction activities, services and programs using their preferred method. The Library will provide options for individuals to opt out or unsubscribe from the service or change their preferences at any time.
5.4. Accountability
The Library uses reasonable security measures to protect against risks such as unauthorized access, collection, use, disclosure, or disposal of personal information. Measures include administrative, physical, technological, and operational safeguards that are appropriate to the nature and format of personal information.
The Chief Librarian/CEO is responsible and accountable for documenting, implementing, enforcing, monitoring, and updating the Library’s privacy and access compliance.
- All Library staff will be made aware of their obligations under MFIPPA and this policy. Training will be provided to the appropriate staff responsible for the administration and application of this policy.
- Failure by staff to comply with this policy may result in disciplinary action up to and including termination of employment.
Library users should report any lost or stolen library cards immediately to reduce the potential for unauthorized access to their records and protect their information.
5.5. Unauthorized Disclosure / Privacy Breach
Any Library employee who becomes aware of an unauthorized disclosure of a record in contravention of this policy has a responsibility to ensure that the Chief Librarian/CEO and other appropriate staff are immediately informed of the breach.
Once a privacy breach has occurred (e.g., loss, theft, or inadvertent disclosure of personal information) immediate action must be taken to control the situation.
- The Chief Librarian/CEO will identify the scope of the breach and take steps to contain the damage (e.g., determine if unauthorized access to the system has occurred, retrieve copies of recorded information, etc.).
- The Chief Librarian/CEO will inform the Information and Privacy Commission and, if applicable, notify affected parties whose personal information was disclosed.
- The Chief Librarian/CEO will conduct an internal investigation into the matter to review the circumstances surrounding the event as well as the adequacy of existing policies and procedures in protecting personal information.
5.6. Accuracy
All personal information collected shall be as accurate, complete, and up to date as is necessary to fulfill the purpose for which it is collected.
Library users are responsible for communicating changes in personal information such as name, address or contact information to maintain the accuracy of their information.
If recorded personal information about an individual is identified by staff to be inaccurate or incomplete, the Library will initiate corrective efforts.
5.7. Access to Information
Access to general records about Library operations will be provided to the public, subject to the provisions of MFIPPA.
- Library Board agendas and minutes, annual reports, policies, and a variety of other information will routinely be made a matter of public record through Library’s website and publications.
- Access to recorded personal information about a particular individual will be provided to that individual, upon verification of identity and subject to the exemptions outlined in MFIPPA.
- Requests for access to general records and recorded personal information should be directed to the Office of the Chief Librarian/CEO.
- Payment of a fee may be required and will be assessed and collected in accordance with MFIPPA regulations.
6. Related Policies
Video Surveillance Policy
Records Management Policy
7. Authorities
Municipal Freedom of Information and Protection of Privacy Act R.S.O.1990, c. M56
Canada Anti-Spam Legislation S.C. 2010, c.23
Child, Youth and Family Services Act, 2017, S.O. 2017, c. 14, Sched. 1
Public Libraries Act, R.S.O. 1990, c. P.44
8. Document Control
Original Policy Date: February 2014 (previously entitled Patron Privacy)
Last Reviewed: 2024 January
Changes made: see report to Board dated January 31, 2024
Next Review: 2028 January