PN066 - Libraries Privacy Notice

Torfaen County Borough Council is committed to protecting your privacy when you use our services. This Privacy Notice is designed to give you information about the data we hold about you, how we use it, your rights in relation to it and the safeguards in place to protect it.

TCBC Service Area: Adults & Communities
Work area: Torfaen Library and Information Service
Contact Details: Stephanie Morgan - Tel: 01633 647673 / Melanie Smith - Tel: 01633 647676 (Health and Wellbeing)
Privacy Notice Name: Libraries

Data Controller: Torfaen County Borough Council, c/o Civic Centre, Pontypool, NP4 6YB

If you wish to raise a concern about the handling of your personal data, please contact the Data Protection Officer on 01495 762200 or email

This Privacy Notice covers users of the Torfaen Library and Information Service and explains how we deal with the personal information that you provide as a result of any interactions with us.

Who provides your data to the Council?

The personal information we process is provided to us directly by you if you visit (CCTV), have joined the library yourself, if you are enrolling a child as their parent or an official carer, or if you are engaging in a health related 1-1 with the Health and Wellbeing professional that requires follow up actions.


We also receive personal information indirectly from a child’s school (e.g. for Welsh Government initiatives such as the Every Child A Library Member project), but this will only ever be done with your prior consent.

How does the Council collect this information:

  • Paper, electronic and online forms
  • Website
  • Email
  • Telephone
  • Social media
  • Face to face contact
  • CCTV Live Recording Images

What information does the Council collect about you?

The Library and Information Service collects;

  • Contact Details: Full name/Address/Email/Telephone number
  • Date of birth and Gender
  • Records of items you have borrowed (your loan history) and book requests
  • Computer sessions (dates, times and browsing history)
  • CCTV video footage of your visit
  • Name, contact number, reading preferences, address and health/mobility information for users of our Library at Home service
  • Name, contact number, health and wellbeing for individuals requesting confidential 1-1 help and support from the Health and Wellbeing professional. This data is deleted from the database following a 3 monthly review
  • Children’s borrowing details for the Summer Reading Challenge
  • Comments and feedback concerning the Library service

Why does the Council process your personal data?

Under Article 6 of the UK General Data Protection Regulation (GDPR), the lawful basis we rely on for processing this information is:

  • (e) To perform a public task

Special categories of personal data

We collect the following special category data:

  • data concerning health and wellbeing status relating to the Health and Wellbeing 1-1 support service and Library at Home services

In relation to CCTV we may also collect:

  • personal data revealing racial or ethnic origin
  • personal data revealing religious or philosophical beliefs

We collect this under Article 9 of the UK GDPR.


Where we collect criminal data (if captured on CCTV) this is processed within the Council under Article 10 of the UK GDPR.

Who has access to your data?

Your data is shared internally only with the appropriate staff where it is necessary for the performance of their roles.

To enable us to provide a comprehensive range of services to you, your data will also be shared externally with organisations who perform library functions and services on our behalf. These third party service providers may use your personal information in order to assist the Library and Information Service, or to provide additional agreed services. All of our Data Processors are committed to ensuring that your personal information will be protected in accordance with data protection legislation:

  • Sirsi Dynix Library Management System
  • Bibliotheca self-service machines
  • Lorensbergs public PC booking system
  • Bolinda e-books service
  • OverDrive e-magazine service

We also share statistical data with Welsh Government and comments and feedback about our service with partner organisations involved, however this information is anonymised.

When you use the library equipment to access another organisation’s services such as shopping/email/membership accounts, you will need to familiarise yourself with their privacy policies regarding your data.

Apart from where previously stated, we do not pass your details to third parties unless we are lawfully required do so.

Is the Data transferred out of the UK?

Our service providers below transfer data outside of the UK and links to their privacy notices are included for your information:

Sirsi Dynix:




How does the Council keep your data secure?

The Council has internal policies in place to ensure the data it processes is not lost, accidentally destroyed, misused or disclosed. Access to this data is restricted in accordance with the Council’s internal policies and in compliance with the UK GDPR.

Data will be stored securely in;

  • The Council’s corporate network drive
  • Any paper records are stored securely until destroyed
  • CCTV system for a limited period
  • The Library Service databases listed above

Where the Council engages third parties to process personal data on its behalf, they do so on the basis of written instructions. These third parties are also under a duty of confidentiality and are obliged to implement appropriate measures to ensure the security of data.

How long does the Council keep your data?

The Council will hold your personal data (including CCTV) only for the period that is necessary and will follow organisational and Local Authority standards in this area. At the end of the retention period the Council will securely destroy or dispose of the data in line with retention schedules.

  • Membership data that has been inactive will be deleted after 3 years
  • Health and wellbeing data from confidential 1-1s is only stored for 3 months and then deleted

Are we making automated decisions/profiling with your data?


Your rights

You have a number of Rights you can exercise:

  • Access - to obtain a copy of your data on request
  • Rectification – to require the Council to change incorrect or incomplete data
  • Object, Restrict or Delete - under certain circumstances you can require the Council to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • Data portability – to receive and/or transmit data provided to the Council to other organisations (this applies in limited circumstances)
  • Withdraw your consent at any time (where consent has been given)
  • To know the consequences of failing to provide data to the Council
  • To know the existence of any Automated Decision-making, including profiling, and the consequences of this for you.
  • To lodge a complaint with a supervisory authority (Information Commissioners Office)

If you would like to exercise any of these rights, please contact: Stephanie Morgan, Team Leader Torfaen Library and Information Service, Cwmbran Library, Gwent Square, Cwmbran, NP44 1XQ Email:

The Information Commissioner can be contacted at: The Information Commissioner’s Office (Wales), 2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH. Telephone 0330 414 6421 or e-mail

Last Modified: 13/11/2023 Back to top