Policy Statement
In accordance with KRS 61.931-934, the Jessamine County Public Library will take precautions to ensure that personal information kept by the Library for any purpose is safeguarded from unauthorized access.
The Jessamine County Public Library will comply with best practices established by the Department for Local Government (as required in KRS 61.932). See Security and Incident Investigation Procedures and Practices for Local Governmental Units.
Point of Contact
Per the Department for Local Government’s guidance, a “Point of Contact” is designated by the Jessamine County Public Library to:
- Maintain the Library’s adopted Information Security Policy and be familiar with its requirements;
- Ensure the Library’s employees and others with access to personal information are aware of and understand the Information Security Policy;
- Serve as contact for inquiries from other agencies regarding its Information Security Policy and any incidents;
- Be responsible for ensuring compliance with the Information Security Policy; and
- Be responsible for responding to any incidents.
The IT Manager is the Jessamine County Public Library’s Point of Contact for the purpose of adherence to Department for Local Government guidance on this issue.
Customer Information
The Jessamine County Public Library limits the amount of personally identifiable information it retains. Some information must be retained for the transaction of day-to-day business.
Most information related to customers is kept for the purposes of circulating materials and ensuring that responsibility is attributed to the correct person when an item is borrowed. This information is not publicly available and will only be shared with third-party vendors with whom the Library has contracted services and with law enforcement pursuant to lawful justification and process.
When a customer record is inactive for five (5) years and carries no outstanding debt (financial or in borrowed materials), the record is deleted from the Library’s computer system and is not archived.
Personal information about customers is primarily retained in electronic format. Anonymization of borrowing records takes place between 60 and 90 days following an item’s return so that log files cannot identify personal checkout history.
Staff Information
The Jessamine County Public Library retains information about its staff that is directly related to the work environment. Social security numbers, health information, and performance records are retained only as a part of standard human resources processes (such as payroll, retirement, or health insurance). This information is subject to records retention policies of the Commonwealth of Kentucky and the Jessamine County Public Library. Records will be retained and destroyed according to the records retention schedule.
Personal information about staff members is, in some cases, subject to the Open Records Act and will be shared with anyone properly requesting that information as specified by Kentucky Revised Statutes (61.870-61.884). Information protected from disclosure under the Open Records Act will not be shared with any outside agency for any purpose other than for the reason it was collected (e.g., to a payroll vendor for tax purposes).
Personal information about staff will be kept secured at all times in areas that are inaccessible to the general public and with limited accessibility by staff.
Security Measures
The Library does not share information with outside agencies for any reason other than the purposes for which it was collected. Third-party vendors are required by KRS 61.932 to provide their own security measures to protect personal information.
The Library provides an internal, closed network for the collection and use of customer data. The network is inaccessible to the public and protected by multiple levels of security. Third-party vendors may have access through encryption protocols. Always-available or “persistent” remote connections by third-party vendors are prohibited unless approved by the IT Manager as absolutely necessary for the proper functionality of a product or service.
Security Breaches and Notifications
If the Jessamine County Public Library becomes aware of a breach that would allow access to its network or devices used to store personal information, action will immediately be taken to close the network to all external traffic or to remove the device from the network.
The Jessamine County Public Library will notify vendors of their responsibilities to inform the Library of any breach in their own systems exposing or compromising the security of personal information provided by the Library. Such notification must conform to the requirements of KRS 61.932 and will include any reports of investigations that are conducted into the breach.
Contracts that are made or amended with the Library after January 1, 2015, must contain provisions to account for the requirements under KRS 61.932.
In the event the Jessamine County Public Library’s own computer network or data storage systems are breached, the Library will immediately take action to secure the network or system, to prohibit any off-site access, and to determine the extent of the data that was obtained by the unauthorized party. Where appropriate, the Library will notify any/all affected parties within the guidelines of KRS 61.933 or as directed in guidance from the Department for Local Government. Investigations following such a breach will be reported as required by the same statute.
Effective date: 05-20-2015
Last revised: 01-18-2023
Last reviewed: 01-18-2023