Privacy Policy. Using oria.no without logging in. Logging in to use oria.no. Processing responsibility. Purpose of the processing

Transcription

1 Privacy Policy This Privacy Policy complies with the requirements stated in the Act of 14 April 2000 no. 31 relating to the processing of personal data ("Personal Data Act") and provides information about how your personal data are processed when you use the search service oria.no ("Oria"). Oria is a service based on the product Primo from Ex Libris. It interacts with the library system used at the institutions. Registration and storage of data like borrower information, loans and orders in the library system is regulated through the data processing agreement between BIBSYS and each institution regarding use of the library system and related search services. Using oria.no without logging in You can search the available data in Oria without logging in. It will not be possible to identify the user, but see also the chapter about exchange with third party systems. See also the section about visitor statistics and cookies. Logging in to use oria.no Processing responsibility The institution to which the student or employee in question belongs has the processing responsibility and has the main responsibility for personal data obtained and delivered to BIBSYS, which processes the data and is responsible for Oria and the library system. BIBSYS has the processing responsibility towards any third party that takes part in the processing. Purpose of the processing Using Oria, users can maintain loans and register/delete loan orders and document copies. These data are sent to and stored in the library system. To facilitate this, the user has to log in to the service and be identified as a borrower in the borrower index. Until December of 2015, you will need both your personal identification number and your Feide ID to log in. Following December of 2015, you will only need your Feide ID. Oria can store data about academic degrees and relevant disciplines. These data are used to provide a more relevant match list. Users can also choose to provide an alternative phone number and address as preferred contact information for s/sms from Oria. Oria facilitates the storage of bibliographic records and searches. These are associated with the logged-in user, in order for them to be used again later. Users may delete these whenever they want.

2 Which personal data are processed? When a user logs in, Oria receives and presents non-sensitive personal data about the user from the applicable library system. These data can include: Data type /optional Comment Name Address Phone number address Personal identification number Optional The institution has to get approval to use this information Feide ID Borrower ID Borrowed documents Active loans only Requested documents (reservations/orders) Active orders/reservations only These data (except the borrower ID) are not stored in Oria, but are retrieved from the library system, which receives the data from the user institutions. For students, the data are transferred from the National Student Database, whereas employee data are transferred from one of the institutions other data systems or updated in the library system by manual entry by library employees. Personal information and loan data are not visible for others than the identified user. The information might be shared with BIBSYS (and any sub-suppliers) for the purpose of troubleshooting or user support. Personal identification numbers will not be used after December Visitor statistics and cookies Oria temporarily stores bibliographic records and search history for the browser session, in order to provide improved user functionality. This information is deleted when the browser is closed. Certain actions (searches, facet selections, search function etc.) are aggregated and recorded for statistic purposes, but these data cannot be traced back to specific borrowers. BIBSYS uses Google Analytics to collect visitor statistics. The information sent to Google Analytics does not include the nature of performed searches, and IP anonymization is activated. Cookies are small text files that are stored in your computer when you visit oria.no. These files are used to collect visitor statistics and if you are searching in Oria from an unknown IP address to store the desired institution.

3 Personal data storage With the exception of the borrower ID, no personal data are stored in Oria. The borrower ID is used to associate saved searches and bibliographic records with the logged-in user. Storage of personal data in the library system borrower index is discussed in the data processing agreement between the institution and BIBSYS. The data are stored for as long as the borrower remains a user of the institution/library. The institution is responsible to maintain the borrower index. Loan/order history, i.e. information about closed loans, may be stored for a short period of time, but not longer than necessary, in order to complete the fulfillment of the loan/order, in compliance with the Personal Data Act (Personopplysningsloven (POL)) 28. Data processing agreements All institutions that use Oria to present loans/orders and My Page functions to their primary users have signed a data processing agreement with BIBSYS regarding the use of the Oria and library system services. Third party exchanges BIBSYS have signed agreements with the following data processors: Ex Libris Biblioteksystemer AS for the Common Library Database BIBSYS has signed a data processing agreement with Ex Libris related to the products Primo (Oria) and Alma (the library system). The exchange of borrower information with the Common Library Database enables the use of the nationwide library card Lånekortet. With Lånekortet, the user can use the same library card in all Norwegian libraries. Find description of Personal data processing for Lånekortet on this page: About Lånekortet Oria uses information from third parties (like Google and Amazon) to provide additional services that add value for the end user. Examples of such services is the collection of cover photos and statistics collection. This means that some information from the browser will be shared with the providers of this / these content / services. Where technical / practicable BIBSYS has added mechanisms to as far as possible reduce the amount of information that is shared with third parties. Some of these mechanisms are dependent on browser support. The most common browsers except Internet Explorer and certain browsers on mobile devices supports these mechanisms. Because Oria uses HTTPS is information not available to others. If you proceed to resources outside Oria (Proquest, Scopus or others), you are outside the library search service. Many of the databases the library subscribes to allow you to log in so that you can

4 save searches and receive notifications about new literature. If you do so, you allow the database to send you notifications via . If you do not log in, personal data that can be linked to you will not be saved. Security measures Login and identification Oria uses Feide to identify its users. During login, up to four information units (personal identification number, Feide ID, organization number, borrower ID) are sent to the library system, or related functions, to identify the user. The library system returns the borrower ID to Oria. Oria uses the borrower ID to identify the borrower. This borrower ID is stored in Oria and used to locate personal and loan data in the library system, as well as keeping track of stored searches, bibliographic records etc. How do we secure data? Oria uses HTTPS encryption, and this also includes the communication between Oria and the library system. Your rights Access You are entitled to know which of your personal data are recorded by BIBSYS and how these data are processed, cf. the provision in the Personal Data Act 18. All processing, including interaction with third parties, is regulated by Norwegian legislation. Corrections, deletions As a registered individual with BIBSYS, you are in certain instances entitled to request correction or deletion of your personal data, cf. the Personal Data Act 27 and 28. For instance, this can apply to data that are inaccurate and/or incomplete, or data that BIBSYS does not have the right to process. These requests are responded to free of charge, and no later than 30 days from the date of the request.

5 Who can I contact? These requests are responded to free of charge, and no later than 30 days from the date of the request. If you want to request information about the personal data registered to your name, access to or correction/deletion of your personal data, or if you have general questions about the processing of personal data, please contact the library at your institution. Changes to the Privacy Policy BIBSYS reserves the right to make changes to the Privacy Policy at any time. Any such changes will apply from the time when the updated Privacy Policy is published on this website. In the event of any differences, the Norwegian text should be counted as the authorized version.