Libraries: destroying borrowing and member data
A library processes more sensitive data than it seems: members' names and addresses, the loan history, fines and payment data, reservations and the data of young members. What someone reads can say something about belief, health or political preference, which makes the loan history sensitive by nature. Part of this data falls under the tax retention obligation, while part should be kept as briefly as possible. This guide shows, part by part, what you keep, when it may go and how to destroy it confidentially.
The quick answer: keep the financial administration for seven years under the tax retention obligation. Minimise the loan history and delete it as soon as a book has been returned and no fine or dispute is in play. Handle data of youth members with extra care. What may go is destroyed confidentially and with a certificate.
Why reading behaviour is sensitive
A library feels like an innocent place, but the loan history reveals a surprising amount. What someone reads can reveal something about belief, health, sexual orientation, political preference or a personal situation. That makes the link between a member and a borrowed title sensitive by nature, even though it contains no medical or financial detail. A leaked loan history can affect someone in a way that goes beyond an ordinary customer database.
The GDPR requires storage limitation, and with reading behaviour that weighs heavily. Do not keep the loan history longer than necessary for the loan itself, and break the link between member and title as soon as the book has been returned. Only if a member explicitly wants to keep their own loan history is there a ground to keep it longer.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the end of the membership or the loan.
| Part | Starting point | Period |
|---|---|---|
| Financial administration | Tax retention obligation | 7 years |
| Member administration | While membership runs | + short period |
| Loan history | Sensitive, storage limitation | break link after return |
| Fine and collection data | Until settlement | purpose-bound |
| Youth-member data | Minors, extra protection | as briefly as possible |
| Reservation and requests | While there is a purpose | clear out afterwards |
Use this as a guideline, not a final legal ruling. Set the exact periods in your own privacy policy. The tax side is covered by the 7-year tax retention obligation.
Loan history: break the link
The most sensitive part is the loan history. By default you should break the link between a member and a returned title as soon as there is no longer a reason to keep it, such as an outstanding fine or a reservation. That way you do not keep a years-long reading profile of your members. If you want to offer members the option to keep a loan history themselves, that is a choice by the member with consent, not something you keep by default.
Also watch out for paper lists and printouts that end up at the desk or in a binder. They contain the same sensitive link and should be destroyed confidentially afterwards, not thrown in the paper bin.
Youth members and fines
Many libraries have youth members, and data of minors enjoys extra protection under the GDPR. Handle their member files with extra care, do not keep them longer than necessary and destroy them carefully. Keep fine and collection data until the claim has been settled, and clear it out afterwards. An old file with a fine in a child's name is exactly the kind of data you do not want left lying around unmanaged.
How to handle it in 6 steps
- Split the data into administration, member administration, loan history and fines.
- Break the loan-history link as soon as a title has been returned and there is no longer a reason to keep it.
- Treat youth-member data separately and do not keep it longer than necessary.
- Assess fine data for settlement and clear it out afterwards.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Member data is destroyed confidentially, because it may contain a sensitive loan history and data of minors. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old member-administration computer or backup belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof under the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; collection is by appointment.
Member data to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Common mistakes
- Keeping the loan history by default. Break the link after return, unless the member chooses otherwise.
- Seeing reading behaviour as ordinary data. What someone reads is sensitive by nature.
- Keeping youth-member data too long. Data of minors needs extra protection.
- Throwing documents away unshredded. A member list with loan history on the street is a reportable data breach.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long may a library keep borrowing data?
You keep the loan history as briefly as possible. As soon as a book has been returned and no fine or dispute is in play, the link between member and title should disappear, unless the member explicitly wants to keep a loan history. The financial administration falls under the seven-year tax retention obligation.
Why is reading behaviour sensitive information?
What someone reads can say something about belief, health, sexual orientation or political preference. That makes the loan history sensitive by nature, so you should minimise it and not keep it longer than necessary.
Do extra rules apply to youth members?
Yes. Data of minor members enjoys extra protection under the GDPR. Do not keep it longer than necessary and destroy it carefully, especially where a loan history or fine record is attached.
How do I destroy member data in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A library manages data that reveals more than it seems, because what someone reads is sensitive by nature. Keep the administration seven years, minimise the loan history and break the link after return, and handle youth-member data with extra care. Have what may go destroyed confidentially, with a certificate as proof. That way you protect the reading freedom and privacy of your members.
Have member data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.