Library privacy notice

How Library and Learning Services handles your personal data

The University of Surrey is the “Data Controller” of your personal data. We are registered with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation.

Library and Learning Services (LLS) is part of University of Surrey. We have a named Data Protection Officer, Elizabeth Powis, who can be contacted via

One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.

What information do we collect from you?

Library and Learning Services holds and processes personal data about: 

  • Staff
  • Students
  • Visitors
  • Library Members
  • Alumni

The personal data we hold about you may include:

  • URN
  • Name
  • Email address
  • Level of study
  • Faculty
  • Department
  • Module Lead
  • Course name
  • Images
  • Enquiry details
  • Graduate Status
  • SCONUL status
  • Membership category
  • Phone number
  • Address details
  • Details of courses attended
  • Staff information
  • Job Title

We only collect the data we need and keep that data up to date.

We receive this data from you when you join the Library, apply for a campus card, complete a form, take part in a workshop or event, undertake or publish research or contact us.

We also receive data such as names, details of education, eligibility to take part in our services from third parties. These third parties are:

  •  Home University


Why do we collect this information?

The University collects only the data we need, and we keep the data up to date and only for as long as it is needed.

We collect your personal data in order to…

  • Provide a campus card that controls access to various parts of the campus (as updated by Estates) and that can be used as a University "ID card"
  • Grant access to the Library;
  • Allow legitimate use of the Library services including an inter-loan service with external libraries.
  • Link publication outputs with individual researchers
  • Book you onto an event or course;
  • Record attendance and outcomes;
  • Answer your queries;
  • Provide you with access to resources;
  • Contact you with regard enquiries or requests;
  • Approve Article Processing Charges;
  • Evaluate services and events;
  • Enable academics to update a reading list
  • Enable academics and students to use personalisation tools;
  • Collect relevant information to report to funders and University.


We take our obligations for data handling very seriously and it is therefore important for you to know the lawful basis for us processing your information:

We process data to ensure that we can carry out our public role as an educational and research establishment, meeting legal, moral, and contractual obligations as laid out in the University’s Charter including processing your registration and provision of your ID card.

We also process data to meet our contractual duties to you and provide you with access to Library, and University buildings, and Library resources and services as laid out in our contract with you.

We also process data in our legitimate interests to evaluate our services and events and to enable us to manage and respond to your queries. These legitimate interests are determined through an assessment made by weighing our requirements against the impact of the processing on you. Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please contact

We do not use the data we collect to make decisions about individuals or to analyse information on an individual level.

What do we do with your information?

The University processes personal data and special category data in accordance with data protection legislation and its own Data Protection Policy. We use your personal data in order to provide you with access to buildings, library services and resources. We analyse the effectiveness of our service at an aggregate level so that no individuals are identified from the data.

How long do we keep your information?

We keep your personal data for as long as it is required to perform its purpose or for as long as is required by law. These periods are defined in our retention schedules which are available by emailing the Information Compliance Unit.

Who do we share your information with?

Internally, we share your personal data with:

  • Estates & Facilities;
  • Academic registry
  • Accommodation Services;
  • Security (as necessary);
  • Planning and Strategy.

We do this in order to…

  • Provide access to buildings;
  • Link data to researchers;
  • Approve Article Processing Charges for publishing research outputs in journals;
  • Approve requests for training/events;
  • Identify users booking events/appointments/training;
  • Provide answers to queries;
  • Request inter library loans

We share your personal data externally with the following third parties …

  • 2CQR- Self-service kiosks that allow users to borrow and return material, via real-time look-up (no data is retained);
  • Clarivate, including Ex Libris, for Library systems (e.g., Alma, Leganto, Esploro)
  • Card exchange;
  • OpenAthens
  • TalisAspire – for reading lists;
  • British Library and other external libraries for inter-library loans.

We do this in order to…

  •  allow users to borrow and return material;
  •  Allow access to e-resources
  •  Provide new student cards.

What rights do you have in relation to the way we process your data?

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. Find detailed information about your rights as a data subject.

You have the right to:

  • Withdraw your consent for us to process your personal data where we have relied on that consent as our basis for processing your data.
  • Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing.
  • Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete.
  • Have your data erased by us, although in certain circumstances we may not be able to do this. The circumstances where this applies can be found in the guide to data subject rights information.
  • Restrict the processing of your personal data in certain ways.
  • Obtain your personal data for reuse.
  • Object to certain processing of your personal data.

If you would like to exercise any of your rights, please visit our make a privacy request section.

If you wish to have your personal data or any survey responses destroyed, please contact the Library team.

Make a complaint

If you have any concerns about the way that we have handled your personal data please email the Data Protection team as we would like to have the opportunity to resolve your concerns.

If you are still unhappy, you have the right to complain to the Information Commissioner’s Office (an independent body set up to advise on information rights for the UK) about the way in which we process your personal data.

Data protection at Surrey