PURPOSE

The purpose of this policy is to ensure that Halton Hills Public Library (HHPL) protects the personal information and privacy of library users, and complies with applicable privacy legislation, including the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and Canada’s Anti-Spam Legislation (CASL).

SCOPE

This policy applies to all HHPL services where personal information is collected, used, shared, or stored. The Chief Librarian and CEO serves as the Privacy Officer for HHPL and oversees implementation of this policy.

HHPL collects personal information under the authority of Section 23(2) of the Ontario Public Libraries Act. Staff protect the privacy of all library patrons in keeping with MFIPPA, CASL, and other applicable laws.

Personal information is collected only as needed to deliver library services. Records about a library patron’s activity, such as borrowing history, program registration, or account use, are considered private and treated as confidential information.

DEFINITIONS

• Personal Information: Information that can identify an individual, including name, phone number, address, email, date of birth, or any correspondence with HHPL. Exceptions and additional details are outlined in MFIPPA.

• Record: Any information that is recorded and stored in any format, such as paper, electronic files, or audiovisual recordings.

DETAILS

Collection and Use of Personal Information

HHPL collects personal information to support the delivery, planning, and evaluation of library services. This may include collections, programs, digital resources, technology and internet access, room rentals, fundraising, and customer support.

Some services may require personal information even if a library card is not issued — for example, attending a program, making a donation, or reserving a space.

The library may also collect:

• Program registration data

• Comment forms or feedback

• Requests for reconsideration of materials

• Correspondence from patrons or the public

• Security camera images (used to support safety and security)

Letters or emails to the Library Board become part of the public record. If the correspondence is about a staff member or library property, it may be discussed in a closed meeting as allowed by the Public Libraries Act.

Consent

By signing up for a library card, registering for a program, or using a library service, patrons give implied consent to HHPL to collect and use their personal information for library business, including communications about their account, fees, holds, overdue items, donations, and program updates.

Possession of a library card or notice by another individual implies consent to pay fees or collect items on the patron’s behalf but does not provide access to personal records. Patrons can decline to provide personal information, but this may affect their ability to access some services.

Limiting Collection

HHPL collects only the personal information necessary to provide services. Collection is done using lawful means and is limited to what is needed for identified purposes.

Use and Disclosure of Personal Information

HHPL does not share or use personal information for any purpose other than its original intent, unless required by law or with the individual’s consent.

HHPL may share information with vendors, partners, or service providers delivering services on the library’s behalf. Third-party providers must follow their own privacy policies and obtain user consent where required.

Borrowing and account information will not be shared with others, except:

• With a parent or legal guardian responsible for a child under 16.

• With written consent from the cardholder.

• If required by law, such as through a court order.

• In compassionate circumstances, such as illness or injury, with approval from the Chief Librarian and CEO.

HHPL may inform the Library Board of such disclosures in general terms, without identifying individuals. Any legal costs related to fulfilling a request for information may be charged to the party making the request.

Commercial Electronic Communication

In keeping with CASL, email addresses collected by HHPL are only used for the intended purpose for which the patron has provided consent and will not be shared with any other individual or organization.

HHPL makes every effort to comply with CASL when commercial electronic messages (CEM) are sent. Patrons can provide consent at different times, such as during registration or through the library's website. All CEMs will include the library’s contact details and an option to unsubscribe.

Accountability

HHPL uses reasonable security measures to protect personal information against unauthorized access, collection, use, disclosure, or disposal. Patrons are encouraged to report lost or stolen library cards immediately to protect their personal information. All HHPL staff, Board members, and volunteers are required to follow this policy and comply with MFIPPA and CASL within the scope of their duties.

In the event of a privacy breach, the Chief Librarian and CEO or designate will:

• Contain the breach.

• Retrieve the information if possible.

• Assess severity and notify affected users.

• Report to the Information and Privacy Commissioner, if required.

• Investigate the cause and apply corrective action.

Retention and Disposal

HHPL retains personal information only as long as needed to provide or evaluate library services, unless a longer period is required by law. HHPL does not retain information about items borrowed, requested, or accessed online once it is no longer needed for operational purposes. However, patrons may choose to retain borrowing history in their account to support personalized service.

Information about holds is kept until fulfilled, cancelled, or expired. Inactive user records with no outstanding balance are deleted after three years.

If a patron owes fees or materials, their information may be sent to a collection agency. HHPL may also share this information with other libraries or pursue legal action if needed.

Accuracy

HHPL will keep personal information accurate, complete, and up to date as needed to provide services. Patrons are responsible for informing HHPL of changes to their name, address, or contact details.

Access

Individuals have the right to access their own personal information. Parents or legal guardians who are named on a child’s account may access the child’s information until the child turns 16 years old.

Requests for non-public records must be made in writing. The Chief Librarian and CEO will respond in writing, as required by MFIPPA. Fees will be applied according to MFIPPA.

Research

HHPL may share some limited information with outside researchers if they follow this policy and have the research approved by an ethics committee. HHPL will remove all identifiable personal information from the data before it is shared with an external research partner.

Privacy by Design

HHPL will integrate privacy best practices into the design of services, technology, spaces, and operations, following the principles of Privacy by Design.

RELATED DOCUMENTS

Municipal Freedom of Information and Protection of Privacy Act, R.S.O 1990 (MFIPPA) 

Canada’s Anti- Spam Legislation (CASL)

Information and Privacy Commissioner of Ontario – Privacy by Design