Suffolk Community Libraries privacy notice

This privacy notice tells you what information Suffolk Community Libraries collects and uses, and your rights regarding your information.

General information

This privacy notice explains how Suffolk Community Libraries uses information about you when you contact us or use our services, and how we protect your privacy.

The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) as amended by the Data (Use and Access) Act 2025, collectively referred to as data protection law.

Suffolk County Council is the controller for the personal information that is being processed. If you have any queries about how Suffolk Community Libraries is collecting or using your personal data, you can contact the service at library.help@suffolk.gov.uk

Contact details for the council’s Data Protection Officer and Compliance Manager can be found in the council’s corporate privacy notice, which is available on the council’s website.

What is personal data?

Personal data includes information about you, which can be used to identify you as an individual. Examples include:

  • Your name
  • Your date of birth
  • Your contact details
  • Your image

Special category data is the most sensitive type of personal data and includes:

  • Information about your health or any social care services that you may use
  • Information that could identify your racial or ethnic origins
  • Information that could identify your political beliefs
  • Information that could identify your religious or philosophical beliefs
  • Information that could identify your trade union membership
  • Genetic data
  • Biometric data (where used to identify you, e.g. use of fingerprints to access online services)
  • Information about your sex life, or sexual orientation

The types of personal data that we process and where it comes from

We collect a range of data which will be different depending on the service, event or activity you wish to access.

When you sign up for a library card, we collect details from your ID documentation including:

  • Your full name
  • Address including post code
  • Date of birth
  • Gender
  • Contact details

This can be updated at any time by either logging into your account online or by speaking to a member of staff.

Once you have a library card, we also collect your borrowing history.

When signing up for activities and events on our website or in a library we collect a range of data depending on the activity or event being run. This can include:

  • Your name,
  • address including post code,
  • date of birth,
  • gender
  • contact details.

Sometimes we will gather data on who is using our libraries, and we will engage customers with surveys. The information collected can include:

  • Name,
  • Age,
  • Address including post code,
  • Gender,
  • Ethnicity and other demographic data.

Some of our libraries have CCTV and staff use body-worn cameras which will collect static or moving images and audio data.

Why do we process your personal data?

When signing up for a library card we need to know who you are as you are entering a contract with us to provide library services. We use it to contact you about your account, such as when a reservation has arrived for you, and to work out any charges owing.

We also use your email address to contact you with information about any event(s) or activities you have signed up for, or if you have agreed to it, we will contact you about with news about Suffolk libraries, events and activities that may be of interest to you or book recommendations. You can opt out at any time by clicking unsubscribe at the bottom of any email you receive from us.

We need your age as some categories of stock have age limits and some activities available in libraries are aimed at specific age groups.

Age, gender and ethnicity also help us check we are reaching all sections of our communities and identify where we need to develop new services to attract underrepresented groups of users.

We run a wide range of events and activities across our libraries. Some are Suffolk Libraries run and from time to time we partner with other likeminded trusted organisations to provide events or activities that communities have shown interest in, or we feel communities could benefit from.

As part of these events or activities we may collect data for reporting purposes with the partner organisation(s) or to ensure we are reaching as many areas and communities as we can.

Our legal basis for collecting your information

Personal data

Under data protection law, Suffolk Community Libraries can only process your personal data if it is lawful to do so. Please see the details below of the lawful bases that we rely on for processing different types of personal data.

For processing personal data, we rely on the following lawful basis:

  • UK GDPR Article 6(1)(a) – where you have provided consent for us to process your information for a specific purpose:
  • for example, sending you electronic communications about events or other services that you may be interested in but that are not related to the management of your library account (direct marketing)
  • UK GDPR Article 6(1)(e) – where processing is necessary for us to perform a task which is in the public interest (public task), under the Public Libraries and Museums Act 1964

Right to withdraw consent

Where we rely on consent for marketing communications, you have the right to withdraw consent at any time, and these requests will be actioned no later than five working days of receipt.

If you would like to withdraw your consent, please contact library.help@suffolk.gov.uk.

Sharing your information

Suffolk Community Libraries may share your information with select, trusted partners, suppliers and funders who work with us or on our behalf to deliver our services, for statistical and analytics purposes or as part of our contract, but processing of this information is always carried out under our instruction.

We ensure the data is anonymised wherever possible, removing all identifiable information before sharing. We make sure they store the data securely, use it for its intended purpose only and destroyed when it is no longer required for the intended purpose.

If you have signed up for a library card your information is stored securely on our library information system which is operated on our behalf by Civica (our data processor). It is stored in the UK and will never be transferred out of the European Economic Area.

If you have agreed for us to contact you about Suffolk Community Libraries news, events, activities or recommendations Your name, address, date of birth, gender, phone number and email address and borrowing history is shared with our provider Patron Point (our data processor). Your data is held on their secure servers in Europe.

If we are running events or activities together with or without partner organisations we may use Microsoft Forms to gather the required information specific for that activity or event, which may be shared with the organisation providing the service or activity. It is also used to contact you with details of the event or activity and gather feedback after it. It is also used to help us monitor our performance and improve our services.

We may also share your information if required to do so by law or with a recognised competent authority under the following circumstances:

  • The detection and prevention of crime or fraudulent activity; or
  • To protect a child or vulnerable adult who are thought to be at risk; or
  • If there is a serious risk to the public or our staff.

Whether we intend to transfer your information to another country

We do not transfer any personal data to any countries or international organisations outside of the EU, the EEA (European Economic Area), or any other country that does not have an equivalent level of data protection to the UK.

How long do we keep your information?

We keep personal data for as long as we need it to fulfil the purpose that it was collected for, and in line with any statutory or locally determined retention periods. The retention of your information for this purpose is reviewed every six months.

Automated Decision making and profiling

Suffolk Community Libraries does not use automated decision-making processes or profiling in respect of your information.

Your rights under data protection law

Under data protection law, you have the right to request access to the information that we hold about you. If you would like to make a request to access your personal information, please contact data.protection@suffolk.gov.uk.

You also have other rights regarding your personal data. You can find out more information about these rights by looking at the council’s corporate privacy notice.

Your right to independent advice

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113

Email: casework@ico.org.uk