Libraries service privacy notice

Brighton & Hove City Council is committed to protecting your personal information. As a data controller we have a responsibility to make sure you know why and how your personal information is being collected in accordance with relevant data protection law.

The primary laws which govern how Brighton & Hove City Council collects and uses personal information (known as “data”) about you are:

General Data Protection Regulation (GDPR)
Data Protection Act (DPA) (2018)

However, Libraries is also subject to other specific laws which define when and for what purposes it can use your personal data.

Why we’re collecting your data

In order for the council to fulfil its duties under the Public Libraries and Museums Act 1964 to provide library services throughout the city of Brighton and Hove we must collect and process personal and, occasionally, special category data.

Your information will be used to set up and manage your library account, including:

  • the collection of overdue fees
  • keeping a record of items you have on loan
  • records of any charges
  • letting you know when an item you have requested is available for collection
  • record of home delivery visits
  • computer booking details
  • printing account credit
  • transaction details

It may also include personal information relating to gender, ethnicity, language and any access needs such as hearing or visual impairment and difficulties with mobility. This is in order for us to provide adequate services in the interest of equalities, as well ensuring we are raising any safeguarding concerns.

We also use your data to manage activities and events delivered by us under the terms detailed in the booking forms. We may need to contact you about an event you have booked on or an activity you are engaged in. We will not use your data to contact you about other events. We may also process your data for health and safety purposes in relation to events and activities you may take part in. The lawful basis for us processing this type of information is for the performance of a contract.

Sometimes it may be necessary to use personal information for promotional and publicity purposes. This could include things using photos on social media, our website, or on signage, and we can also upload recordings of events online. Processing this type of data is done with the data subject’s consent, which will be sought when necessary.

Closed Circuit Television (CCTV) is operated in and around council properties. The purpose of the CCTV is for staff safety and crime prevention and detection. The data controller for CCTV in Jubilee Library is KIER, who manage the whole facility. For all other libraries the council is the data controller.

When we process your special category data we are doing so under substantial public interest. Please refer to Data Protection Act (2018), Schedule 1, Part 2, paragraphs 10 ‘Preventing and detecting unlawful acts’ and paragraph 18 ‘Safeguarding of children and of individuals at risk.’

The data we may collect

Personal data

  • contact details (including name, address, email address, phone number)
  • date of birth
  • financial details for purposes of receiving or making payments
  • employment details (when you apply for jobs or volunteering)

Special category data

  • physical or mental health details
  • racial or ethnic origin
  • gender and sexual orientation

Who we’ll share your data with

We are part of a consortium of libraries called SELMS (South East Libraries Management Services). We may share your joining information to allow borrowing from any library in the consortium. Other libraries will be able to see your personal data only if you choose to borrow something in person from a partner library or if you choose to pick up a reserved item from a partner library. Find out more information about SELMS.

Your data may be shared with Civica, who host our library management system and enable us to provide our service for you. We may occasionally share internally, with teams like Adult Social Care, if we have any safeguarding concerns.

Data that is shared is always done:

  • on a case-by-case basis
  • using the minimum personal data necessary to provide the service
  • with the appropriate security controls in place
  • in line with legislation

Information is only shared with those agencies and bodies who have a need to know or where you have consented to the sharing of your personal data.

We may use the information we hold about you to assist in the detection and prevention of crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

Test and trace

In line with government guidance we will comply with test and trace protocol to provide customer information where necessary when customers have visited a library. This is personal data generated by logging onto a public PC, using self-service or with a transaction facilitated by a member of staff. Full details on GOV.UK.

Holding your personal information

We will not keep your data for longer than is necessary, subject to any legal obligations we have to retain the data. How long we keep it will vary according to the services you are involved with and the lawful basis for processing within those services.

The principles we use to determine how long your data will be kept include:

  • the type of services you received and whether you are still receiving them
  • whether we still are still under a legal obligation either to you or under UK Law
  • any standards and guidance set out by the various regulators for our functions
  • whether you have expressed a preference that your data be retained, for example exercising your right to restricted processing

Library management system data may be kept for up to 2 years from when your library membership was last active to meet audit requirements. However, if you have unreturned items or outstanding debt your data may be retained for 7 years.

If you are attending an event or activity you will be required to sign in. This information will need to be kept for 3 years. Likewise, photos will be kept for 3 years, unless consent is withdrawn in which case they will be removed as soon as possible. Please note, however, that photos will be removed from social media after 3 years, but once online we cannot control whether they are used for further purposes by those visiting the page. 

CCTV footage is normally held for 30 days and may be shared with the police for the prevention and detection of crime.

How your data will be stored

Your information will be stored on electronic databases.

Who can access your data

We will only make your information available to those who have a need to know in order to perform their council role.

How we protect your data

Examples of our security measures:

  • training our staff how to handle information securely and how and when to report when something goes wrong
  • we use encryption when data is being sent, meaning that information is scrambled so that it cannot be read without access to an unlock key. The hidden information is said to then be ‘encrypted’
  • where possible, data will be pseudonymised, meaning that your identity will be removed, so that work can be done without your identity being known by the people doing that work
  • control access to systems and networks to stop people who are not allowed to view your personal information from getting access to it
  • regularly test our technology and ways of working, including keeping up to date on the latest security updates (commonly called patches)

Transferring data outside the European Economic Area

Your information is not processed outside of the European Economic Area.

Your individual rights

In relation to your personal information you have the right:

  • to be informed – you have right to know about the collection and use of your personal data. We will inform you through our service-specific notices
  • of access – you can request to know what we hold on you along with an explanation for how it is used by making a “Subject Access Request”
  • to rectification – you have the right to ask us to update, amend or change your information if it is factually inaccurate or incomplete
  • to erasure – you have the right to ask us to delete your personal information where it can be shown that we no longer have a lawful basis to retain it or the information was collected on the basis of consent only and you have withdrawn your consent
  • to restrict processing – you have the right to request that we limit using your personal data for specific purposes if you do not believe we have a lawful basis for a particular purpose or where you consider the data to be incorrect. Upon receiving a restriction request, we are obliged to consider our use of the data and provide you with a response
  • to data portability – you can, in certain circumstances, ask us to provide you with the information you have supplied the council, where it was obtained on the basis of consent or performance of a contract

Automated decision making and profiling - we will tell you if we make an automated decision, including profiling, with your personal information. If we do this you have the right to ask us to make this decision manually instead.

How to get advice or make a complaint

Data protection contacts

If you wish to discuss any of your data protection rights, you can contact the Data Protection Team on 01273 295959 or by email at

Contact the council's Data Protection Officer 

Whilst we would prefer that you contact us first with any concerns that you might have, you can also contact the Information Commissioner’s Office. The ICO is the national regulator with responsibility for ensuring compliance with data protection.

Information Commissioner’s Office

You also have the right to lodge a complaint with a supervisory authority. Contact details for the ICO is stated below:

You can contact the ICO:

  • on their website
  • by telephone: 0303 123 1113
  • by post: Wycliffe House, Water Ln, Wilmslow SK9 5AF

This Privacy Notice will be subject to review when there is a change.