RAQs: Recently Asked Questions

Topic: First Amendment Audits on Youtube - 09/26/2022
There are reports of first amendment audits happening in rural towns and villages. Public librarie...
Posted: Monday, September 26, 2022 Permalink

MEMBER QUESTION

There are reports of first amendment audits happening in rural towns and villages. Public libraries are limited public forums - how can we stop the filming, as quietly as possible without causing a social media frenzy.

 

WNYLRC ATTORNEY'S RESPONSE

For a person who hasn't run into this concept yet, a so-called "First Amendment audit" is an increasingly popular trend where people visit government buildings and demand access to information--along with the privilege to film on site--all in the name of the law, democracy and transparency.

As a lawyer and U.S. citizen, I am all for the law, democracy, and transparency.

The concern raised by the member is that so-called "First Amendment auditors" don't just pop by their local town hall to live out a civics lesson.  Most of these folks are "monetized", meaning they post their recordings on YouTube...for money.  And since nothing draws in viewers like controversy, in the quest to get tens of thousands of hits, "First Amendment auditors" often[1] swap law, democracy, and transparency for rhetoric, bullying...and borderline harassment.

How do these YouTubers[2] create this concern?  As can be seen in their videos, they often come out swinging: filming or streaming while walking around as if "casing" a civic building, knowing that for some workers, this will cause concern.  Further, if/when confronted about what they are doing (usually some version of "Can I help you?") the best YouTubers are masters at using standoffish nonchalance, or passive-aggressive behavior, to trigger suspicion and fear.

Sadly, however, it is sometimes the fearful or angry reaction of those being filmed (town clerks, other employees) that tips things into a legal quagmire...and creates "click-worthy" material.

While mainly focused on municipal buildings (town halls, village halls, etc.) a growing sub-set of "First Amendment auditors" are visiting public libraries. I'd put a link in to some of the more egregious examples that have been created in New York in the last year or two, but I don't want to make money for these folks (they are doing just fine without me).  Let's just say that when the YouTuber is able to hit all the right pressure points, they can really tick off a civil servant--including a librarian.

The frustrating thing is that this doesn't have to happen.

Libraries--even those wholly housed within a municipally-owned structure--are, as the member says, "limited public forums" meaning that the library gets to set policy and rules imposing reasonable, operationally-related parameters on speech ("speech" in First Amendment jurisprudence, includes the right to film and access information).

Among other things, this means that libraries can totally bar or limit filming to certain areas of the library.

Of course, such a bar or limit can't be arbitrary--it must be "rationally related" to the operational needs of the library.  But so long as there is a "rational relationship" between the policy and the needs of the library, such a bar can be enforced.[3]

This means that through policy, a library can decide that patron confidentiality, information access, and the library's overall service to the public require limiting recording and/or streaming on site--a rule that can be enforced just like rules to be quiet in certain rooms, to not eat in certain areas, and to not deface any of the books.[4]

This means that the confident swagger many YouTubers bring to their "audit" game can be met, in the field, with a series of rules restricting their behavior--something (from what I've seen) that many YouTubers are not emotionally nor intellectually ready to honor in the moment.  In other words, just because your policy is legal, doesn't mean a YouTuber will magically turn their camera off!

So enforcing such policy requires forethought...especially since most YouTubers know that if they can get in an argument with a librarian, they will double (or triple) their number of hits.

So, as the member asks: "[H]ow can we stop the filming, as quietly as possible without causing a social media frenzy?"

Here are 10 different tactics[5]:

Have a Policy

Have a policy regarding filming in the library, and make sure that any decision to bar filming is rationally related to library priorities such as protecting patron confidentiality, respect for employees, and smooth operations.[6]

Use Good Signage

However your library decides to exercise its rights as a limited public forum, once it is confirmed in a policy, use prominent and effective signage to inform the public about the rules.

Transparency through FOIL

Since claiming the right to film anywhere in a public library is only part of the YouTuber package, make sure your library has a clear policy and process for requesting library records through the New York State Freedom of Information Law (or "FOIL").[7]

Designated Non-Public Areas

All staff rooms, break rooms, and other areas not accessible to the public should be designated as "No Public Access", with appropriate means of securing the area.  Give your employees a place of refuge (and a place for private information to securely reside).

Select Your Library's Response and Non-Escalation Method

As we've discussed, if you argue with a YouTuber, you might as well just hand them money.

So, while there is no one "right" way to resist escalating a situation, each library should pick its own particular brand of how to keep interactions with YouTubers civil, non-confrontational, and above all very, very, very boring.

For those libraries that do allow filming (whether without restriction,[8] or with some limits), but want to be part of the narrative, I like the idea of chatty engagement about the library's mission, services, and budget (and fundraising).  After all, the YouTuber is there to get information...why not provide it?  Think of the YouTuber's visit as a chance to inform the public of the history of the library, to showcase its services, and alert the public as to how they can donate money to support special initiatives (this is a good reason to have a copy of the library's annual report on hand). If YouTube is helping to draw attention to your library, you might as well put your best foot forward!

For those libraries that don't allow filming, or restrict it to certain times/areas, ensuring that a person who is attempting to film in the library is aware of the duly authorized and posted policy is essential.  After that, if a person persists in violating the policy, a response is down to what enforcement method is selected and practiced, which can include a combination of:

  • Policy enforcement in the moment (using practiced security procedures);
  • Policy enforcement after the moment (the recording happens without confrontation, but there is a subsequent action for trespass, or other action under Code of Conduct);
  • Deliberate non-engagement with the YouTuber using pre-determined language ("It is against our policy for you to film in this location"; and/or "You do not have my consent to film me, I consider it harassing; please stop." said once, calmly.[9]);
  • Use of pre-determined, quiet withdrawal of most employees into employee-only areas.

Do not argue. Do not debate. 

And finally, it is important to acknowledge: for some library employees, the visit of a YouTuber can feel threatening (remember, many of these entertainers are trying to get a rise out of people). So as with any other interaction with the public, the clear message to employees must be: Safety First.  If employees are feeling threatened, they should withdraw using the same protocol in place for other safety concerns.[10]

Practice, Practice, Practice

Once there is a policy and clear, engaging signage, set aside time to train employees in the policy, and give them time to practice addressing YouTubers in a non-confrontational manner.  Use role-playing techniques (done right, this can be a fun exercise, even though the actual event might not be so fun).

Coordinate with Security

Not all libraries have private security, but for those that do, make sure they understand what is at stake when dealing with a YouTuber; include security personnel in the practice sessions (if time and budget allow). At the bare minimum, confer with the local police department to know what the response will be if the situation warrants intervention by law enforcement.[11]

Remember: YouTubers are Human, Too

I know it can be hard to recall when someone is pointing a camera in your face and wandering about your library looking like they are creating a map of its security vulnerabilities, but one thing I've learned from working with libraries who have lived through a "First Amendment audit"[12] is that very often the visitor is a member of the community.

In fact, some libraries have received calls from national groups in advance alerting them that a longstanding member of the community will be visiting to film!  (I suspect the "advance warning" was to create an adrenalin rush, but the library was able to use its long-standing relationship with the person to make it a positive interaction.)

So long as a library employee dealing with a YouTuber feels confident about their safety, thinking about the YouTuber as a person who is genuinely curious about your library, and treating them as just another patron on a quest for information, can help cut down on click-bait drama--and serve the mission of the library to provide access to information.

Maintaining that type of perspective is easier if the employee is:

          a) confident that they know the library's policy about filming in the library;

          b) confident that the policy is clearly posted;

          c) confident that the library is on solid legal ground;

          d) confident of how the library as a whole responds to Code of Conduct violations;

          e) confident that the library abides by the law governing access to information; and;

          f) confident about if/how to engage, because they have practiced techniques for positive interactions and non-escalation, and they know leadership will have their back.

And that is how a library can turn YouTube drama into a non-dramatic civics lesson. It is not fool-proof, because if a person is determined to enter a library and create a scene, they will create a scene. But with good policy and practice, a library and its employees won't contribute to it.

Thank you for a great question!

 



[1] I say "often" because there are some people out there who get this right--and if we are now getting our civics lessons on YouTube, I want to give credit when it is due.

[2] I will not call them "auditors". In my world, an "auditor" reviews your financials, and looks for holes in your fiscal controls.  I call them "YouTubers" or "person recording in the library" because that is a more accurate appellation.

[3] For more on that, see the training video and related materials from the Empire State Library Network's presentation, “Libraries and First Amendment Audits,” which are available through the links found here. This resource also spends a lot more time on the legal underpinnings of what I am summarizing in this "Ask the Lawyer"...so if you want more info on this topic, that's the place to go!

[4] In New York, it is also a crime to deface library books...but it can still also just be a violation of policy!

[5] I urge any library considering any of these to view the ESLN materials, and to discuss their selected tactics with their lawyer.

[6] A model policy is included in the ESLN materials.

[7] For more on that, see the Ask the Lawyer response found here.

[8] At the bare minimum, a policy barring filming of: other patrons without written consent, computer screens, the reference desk, and the circulation area(s) is wise.

[9] This can come in handy later, during efforts to remove a video or to pursue other consequences as a result of the behavior.

[10] If the library currently doesn't have protocols for this, a visit with local law enforcement, private security, or a consultant to develop them is a very high priority. This can go hand-and-and with an OSHA-style "Workplace Violence Prevention Policy."

[11] Only your library can determine what the trigger for calling law enforcement is.  This is something to be discussed and (yes) practiced.

[12] To hear from these libraries, check out the ESLN training materials I keep mentioning!

 

Tags: First Amendment, Policy, Privacy, Public Libraries, Safety

Topic: Interlibrary Loan Electronic Transmission Privacy - 07/26/2022
For an Interlibrary Loan Electronic Transmission (whether printed out and included with the item(s...
Posted: Tuesday, July 26, 2022 Permalink

MEMBER QUESTION

For an Interlibrary Loan Electronic Transmission (whether printed out and included with the item(s) or sent via electronic means) in a K-12 setting, can a student's name (the one ultimately borrowing the item) be used in the "receipt" or notification slip? Should a student's School ID number be used? Can both be used at the same time? Is it taboo to have a student's name in ANY electronic transmission?

 

WNYLRC ATTORNEY'S RESPONSE

This question comes at us from a school district public library and supporting Board of Cooperative Educational Services ("BOCES").

One thing I knew very little[1] about when I started doing "Ask the Lawyer" was school district public library systems.  These are systems coordinated through a regional BOCES, creating a network of library resources, governed by their own section of the New York Education Law (and regulations, and Regents rules).

Over the years, the existence and importance of school district public library systems has grown more and more obvious to me--to the point where now, if you are so unfortunate to be trapped in an elevator with me, I might tell you all about them from ground level to the 32nd floor.[2]

One thing I would mention, around floor 15 or so, is that school district public libraries (and systems) have to balance privacy and data security obligations from a wide array of different state and federal laws.  I have written on this before (see "Ask the Lawyer #67, #80, and #143), and won't re-hash that here, except to say: everything in those past answers impacts this question.

With those prior columns as background, the answers to the member's three questions are:

For an Interlibrary Loan Electronic Transmission (whether printed out and included with the item(s) or sent via electronic means) in a K-12 setting, can a student's name (the one ultimately borrowing the item) be used in the "receipt" or notification slip?

Yes, if the library's policy requires it for the "proper operation" of the library (CPLR 4509), AND if the school can assure that only those who need to see it (for the benefit of the student) will see it (FERPA) or the student has signed a FERPA waiver, AND if all the required measures for data privacy are in place (ED2-d).

Should a student's School ID number be used? Can both be used at the same time?

Yes, if the library's policy requires it for the "proper operation" of the library (CPLR 4509), AND if the school can assure that only those who need to see it (for the benefit of the student) will see it (FERPA) or the student has signed a FERPA waiver, AND if all the required measures for data privacy are in place (ED2-d).

Is it taboo to have a student's name in ANY electronic transmission?

No, but school district and BOCES systems creating and transmitting such records should always be confident that the use of the student's name is in a document generated and transmitted per applicable policy.

This is tougher than it sounds, since schools now have so many electronic systems facilitating record-making and communication--a situation compounded by online learning during the pandemic.  Further, the decision to use those systems might be driven by function and cost, with only secondary attention being paid to privacy, as addressed in "Ask the Lawyer" #67, #80, and #143.

Since this question is rooted in interlibrary loan, I'll end with an example.

Below is a partial screenshot from the demo screen of OPALS, a popular ILS used by school district libraries (and other types of libraries, too).

As you'll see, OPALS enables the "viewing of all the borrowers in an attending class...."

Screenshot from OPALS Demo Screen. Part of a drop down menu with options for SCORE, CD, Audio, and DVD. The number 10 and the date 2015-08-18 is listed for each option. Below the menu is text that reads Group Loan Transactions Option for lines of elementary borrowers. Circulation system has an option to pre-load student names and status for a selected homeroom/teacher, reducing transaction processing time by 50-75% - especially helpful, when district networks experience latency. Viewing all of the borrowers in an attending class makes lending more efficient, creating more time to spend with students to develop literacy and research skills.

There is nothing inherently wrong with this type of grouping of borrowers, so long as the district has addressed the various privacy obligations, and made sure the functionality and use of the system (in this example, OPALS) align with the school's approach and policies on privacy.

In other words, nothing should be left to chance.

So, with that, my ultimate answer--to all three questions-- is: any time a public school student's name is listed on a library record that leaves the bounds of the library (the "real" or virtual bounds), every unique way that happens (injury report, student discipline, interlibrary loan) should be covered by policy.

Now, let's consider how this issue looks "on the ground."  I poked around a bit, and while I found many interlibrary loan policies for school district library systems/BOCES in NY, I didn't find one that went so far into the weeds as setting terms for how/when to include borrower names on the routing slips (printed or electronic).

Chances are, that's usually more of a "standard operating procedure" thing, rather than something set by formal "policy."[3]

But with increasing interconnectivity between library other school systems, it might be worth formalizing in future interlibrary loan policies.  For instance, one sentence: "When effecting interlibrary loan, cooperating libraries shall mutually adhere to the other libraries' and systems' policies regarding borrower privacy"[4]  is a sample of how to add a quick reminder about this critical consideration.

Because as the member's questions indicate, we can never be too "in the weeds" on privacy.

Thank you for an important array of questions.



[1] Okay, actually, nothing.

[2] In this mythical trip up 32 floors, we are visiting Buffalo City Hall, which if you have never seen, is a must-visit location.

[3] New York is a big state!  I have no doubt there is a policy that does address this.  If your district has one, please send a link to info@losapllc.com and reference this RAQ.

[4] This is just sample language...no matter what you select, make sure your school district's attorney or BOCES system director reviews and approves any policy before it goes into effect!

 

Tags: CPLR 4509, Ed Law 2-d, FERPA, Loaning programs, Privacy, School Libraries

Topic: Historic Map with Private Properties - 07/26/2022
As part of a town bicentennial celebration, the committee wants to create a map of historic proper...
Posted: Tuesday, July 26, 2022 Permalink

MEMBER QUESTION

As part of a town bicentennial celebration, the committee wants to create a map of historic properties. There would be a description of the property noting its historic significance, the address, and ideally a photo. Many of the properties are privately owned. Do owners need to give permission for their property to be included? We would publish the address and describe the history of the property, but current owners' names would not be disclosed. We want to share history, but respect privacy. What legalities should we be aware of?

 

WNYLRC ATTORNEY'S RESPONSE

In addition to being something of a historic preservationist, I am also a design fan, and a booster for my adopted hometown of Buffalo NY.  This means I am on several social media groups that discuss:

  • Historic properties,
  • Design of both private and public buildings, and
  • Issues that impact the built environment (landscaping, planning, urban design).

On these groups, there is regularly a debate about the legalities, ethics, and diplomacy of taking pictures, providing information, and commenting in a public forum about privately owned property.

Issues that are frequently raised include:

  • Privacy
  • Safety
  • Harassment
  • Risk of a claim of defamation
  • Cultivating ill-will

The issue can also take on tension if a person lives in a home they prefer to not have considered "historic," which can place added pressure and actual legal restrictions on the owner of the home.

On the flip side, many who proudly own "historic" or otherwise noteworthy properties glory in their building's appearance and history.  These are people who not only want their structure listed in print and online resources, but carry a jump drive they can distribute easily to make sure the building is described properly.[1]

When it comes to the risks of listing historic properties in a printed or online resource, there are very few direct legal issues.  With the exception of certain high-security locations, it is not illegal in any way to publish information related to real property, its ownership, and its historic nature (or other significant factors).  In fact, although not everybody realizes it, such information is generally available to the public in the form of tax maps, real property deeds, and other information housed by a county clerk.

That said, and in answer to the member's question, legal concerns can arise if a resident or owner can attribute negative consequences directly to the listing. For instance, if a listing suggests that a property is open to the public, when in fact it is not open, a property owner could have legal recourse. Similarly, if a write-up is directly connected to resulting harassment or vandalism, there could be an allegation of legal responsibility[2]--although such allegations would not lead to liability unless a precise set of factors were present.[3]

The stakes can also be higher when the listing is the result of a formal publication by an actual entity, such as a local library, historical society, religious corporation, or not-for-profit corporation.  This is because such organizations typically have a larger platform to communicate from, and are also perceived as having "deep pockets,"[4] as well as insurance.  They are also more vulnerable to public criticism, since they depend on public good will.

How can an organization mitigate such risk?  Here are three steps:

Step 1. If your organization is going to publish a guide, check with the organization's insurance carrier to see if its insurance includes coverage for "advertising injury" and other claims related to publication. While not every "general liability policy" has this feature, it is a fairly common type of coverage, and any group that is regularly publishing brochures or pamphlets--or even listing information on its website--should consider getting coverage for allegations of defamation and copyright infringement.

2.  Early in the initiative, decide what the precise criteria is for inclusion in your directory[5], and if your directory of local historic properties will have an "opt out" for people who don't wish their property to be listed or depicted.

3.  Once the criteria and any option for "opt out" is determined, consider using a form to notify people of the directory, and to allow people to supply information about their property or to opt out.  For instance:

Dear NAME:

[Info about your organization, upcoming event, pleasantries, etc.]

The NAME is preparing a directory of local historic properties, including your historic property at ADDRESS.

The criteria for the listing in the directory are INSERT.  The listing will include the address, a photo taken from the street, and a brief history of the property.  We will ensure there is no automobile with a legible license plate or people in the image.

To personalize this initiative and add depth to our information, we would like to provide you with an opportunity to send us information about the property, including any work you have done to steward it over the years, and any photos or legacy information you may have.  You can send anything you like to INSERT ADDRESS.  By sending information, you are giving the NAME a license to adapt it for use in the directory (both print and online), only.

In addition, because we appreciate that not everyone will want to supply information or have a picture of their property included in the directory, we are providing an "opt out" of the photo depiction.  If you do not want a photo of your property included in the directory, please check the box below:

 Please do NOT include a photo of my property at ________________ in the directory.  I understand this "opt out" is a courtesy and information regarding my property is part of the public record.

The directory text will be finalized by DATE and we anticipate publication by DATE.  Therefore, to be able to include your materials or remove a photo, we appreciate your reply by DATE.

[nice things, etc.]

[signature]

If at all possible, the organization's attorney should review the final letter before it goes out, which will allow the organization to address any concerns specific to the project or the particular locality.

Thank you for submitting an interesting and sensitive question.  Respect for those who steward historic structures is important...as is celebrating the legacy they preserve.

Happy bicentennial!



[1] Woe betide your guide if a "coppice" is mistakenly called a "cornice."

[2] I have never heard of a directory of historic properties being used to "dox" (harass via release of private information) somebody, but I can imagine it happening.

[3] For example, if the write up said "This is the historic Bailey mansion.  Legend has it if you throw a rock through a window, your wish comes true.  Bring a rock and have at it!"

[4] As in, money to pay for damages.

[5] Is it on the state registry, federal registry, or considered "historic" due to a local designation?  Or are the criteria simply that the structure was built before a certain year, hosted a significant event, or was once owned by a noteworthy person?

 

Tags: Historical societies and museums, Privacy, Safety, Templates

Topic: Use of Meeting Room Space Question Mash-Up - 06/14/2022
We recently received 2 questions that raised related issues, so we've merged them in this &quo...
Posted: Tuesday, June 14, 2022 Permalink

MEMBER QUESTION

We recently received 2 questions that raised related issues, so we've merged them in this "Ask the Lawyer Meeting Room Question Mash-Up" RAQ.

Here is question 1:

"Students frequently meet in the library with tutors. This typically happens in the open areas of the library but also in a few small study rooms. These rooms are available to everyone, restricted only by number of people and available for 1 hour on a first come, first served basis. Individuals and groups may stay longer in a particular room if no one else is waiting for the space. Rooms are not available to book ahead of time.

Some of the tutors are likely charging for their time, though many are not (studying with friends or similar). We have always considered the library's service to the students as paramount over any benefit to the tutor but is this an allowable use of library space due to the possible inurement and aid to an individual?"

Here is question 2:

"I've just finished viewing the first amendment audit webinar.... Such a great resource. Thank you!! I was wondering about meeting spaces and the language we can use to protect patrons in areas that they have been reserved for private meetings (scouting group in the meeting room, deposition in a tutoring room, tutoring, tele-med sessions, supervised visits etc.)"
 

 

WNYLRC ATTORNEY'S RESPONSE

These meeting-room related submissions to "Ask the Lawyer" were inspired by two separate resources: the first one, an "Ask the Lawyer" RAQ on meeting room policies, and the second, an ESLN-sponsored training.

If you've read the questions, you know they will not have the same answer.  So, as recent viewers of the new Spider-Man movie may have asked,[1] why the mash-up?

Because the answers share the same foundation: the rules around community access to space.

The first question is based on a concern we addressed in the RAQ on meeting room policies.  Here is the part that inspired the question:

"No, there is no legal requirement for public libraries to limit access to space to non-profit organizations.

However, there IS a requirement for any "charitable" entity[7] in New York to not allow any of its assets to “inure” to any one individual, while non-association libraries have to follow an even stricter rule against "aid" to individual people or businesses as set by the NY Constitution (this is why a town library can't use funds to throw a big "bon voyage" party to celebrate a retiring employee, but its not-for-profit "Friends" can)."

The second question is asking for model language, within the framework of what is allowed, to protect the rights of those using the rooms.

So, like a webslinger arcing majestically from issue to issue, let's do this.

The First Question

Is a person using free resources at the library for personal gain violating the law against "inurements"?  Most likely: no.

The resources at public libraries can often serve as the first, critical building blocks of a small business.  A person wanting to research an idea, create a 3-D printing of a product prototype, select neutral ground to meet a potential investor, or offer compensated services (such as tutoring) can often find what they need--for free--at the library.

The dawn of the co-working space might be changing this for people who can afford to rent space in a co-working facility that will supply desk space, internet, and even a mailing address.  But for fledging entrepreneurs on a budget, the free resources and information provided by libraries can be essential.

And why doesn't such use of library resources for a business/personal gain risk tripping the bar on "inurements"?

Because the resource is available to the community equally, per library policy.  In the member's scenario, the library is providing first-come, first-served space suitable for, among other things: group work, a political discussion, or tutoring (with or without compensation).  The library is providing a place for people to sit and talk, so long as they arrive in time to gain access to a finite resource.

Once people are availing themselves of library services, a library can't set further rules about the relationship between the parties; so long as their interaction remains within library policy (not disruptive, not in excess of established time limits, etc.). In other words, the relationship between the parties, or an activity that fits within authorized use, can't change the otherwise compliant use of the library space.

Where the member's scenario could get out of hand would be if:

  • The tutor starts advertising for services and uses the library as a business address;
  • The tutor starts "camping" (holding the space past established limits) in violation of the policy;
  • The tutor is an employee or independent contractor whose company specifically requires offering the services in the library;
  • The library has a policy against any compensated activity, whatsoever, being conducted on site.[2]

In each of the above examples, the service is exceeding the use generally available to any person using the library.  This is where the "inurement" can begin, and the use of public library resources for unambiguously private gain would begin.  But so long as no one is claiming or actually using the resource in excess of what is generally allowed, there is no issue.

The Second Question

Now that we've reviewed that "what applies to one must apply to all," we can turn to the other question: how can a library designate space used per policy and by reservation as "private," to avoid meeting crashers?[3]

Below this answer is listed a myriad of resources from the ALA[4] on this topic.  I urge readers to review these, as each one sets out important considerations on the use of library space.  But for now, we're dealing with this single, incremental question in the State of New York.

Once a library policy sets the terms of community access to private meeting space, here is language for signage at the entrance to the meeting space:

When reserved, this space is for designated users only.  To reserve this space, or to obtain a copy of the rules and contract for reservation, please visit [INSERT] or [INSERT].

A library can make this posted language as friendly ("This room is only for reserved events, and is private when in use.  Visit our circulation desk for more information!) or imposing ("Reserved, please do not enter without permission.") as it likes. The important thing is that the rules and terms of use are consistent with the law,[5] clearly established by a board-approved policy, and uniformly applied.

And there we go!

Thanks to both members for their insightful questions.

Additional Resources

For those of you who wanting more at the intersection of law, libraries, and meeting rooms, paralegal Klara in the LOSA[6] assembled this list of resources from ALA:

1. Meeting Rooms: An Interpretation of the Library Bill of Rights

- overview on library meeting rooms, suggestions for policies

2. Meeting Rooms Q&A

- includes standard definitions for terms included in policies

- lists what meeting room policies should cover

3. Guidelines for the Development of Policies and Procedures Regarding User Behavior and Library Usage

4. The Library's Legal Answers for Meeting Rooms and Displays

- an ALA eBook by Mary Minow, Tomas Lipinski, Gretchen McCord

- limited public forum vs. designated public forum vs. nonpublic forum

- lists legal cases relevant to library meeting rooms and exhibit spaces

5. OIF Blog - Library Meeting Rooms for All, by James LaRue (former director of the ALA Office for Intellectual Freedom)

 



[1] The answer to the Spider-Man part of this is of course obvious: because it’s a witty convergence of web-slingers.  Of course, as a Gen X nerd (b. 1973), I was a target demographic.  Well played, Marvel.

[2]Such a policy would be far too overbroad. If a paid babysitter takes the kids to the library regularly, would that be a violation?  If an accountant uses a library computer to check the tax code, would that be a violation?  If a professional writer uses the reading room every day to write/think/draft, would that be a violation?  That said, a policy against the sale or distribution of material items makes sense.

[3] Including those identifying as "First Amendment auditors"...a term I am loath to use.  I am a huge fan of the First Amendment, but those claiming to “audit” for it often demonstrate a less-than-fully developed familiarity with the Constitution. To me, people trying to film in a library while asking questions about budget, etc. are just "people who want to record in the library," and they warrant the same respect, and must follow the same rules, as other people who may want to record in the library.

[4] ALA is the national go-to for information on library matters, and we try not to replicate materials already available.  At "Ask the Lawyer" we deal with the legal nitty-gritty in New York, only.

[5] For more on that, see that meeting room RAQ at https://www.wnylrc.org/ask-the-lawyer/raqs/260

[6] "LOSA" = The Law Office of Stephanie Adams, PLLC.

 

Tags: Meeting Room Policy, Policy, Privacy, Signage, Templates

Topic: Posting working documents for open meetings - 04/25/2022
I just read your excellent answer about posting documents per the OML changes in advance of meetin...
Posted: Monday, April 25, 2022 Permalink

MEMBER QUESTION

I just read your excellent answer about posting documents per the OML changes in advance of meetings.

I think you are right on target.

My concern is to ask you to add to your questions for the COOG the following: Do working documents being shaped and edited at committee meetings need to be posted in advance of the committee meeting?

The Committee meeting is an open meeting. Let's say the policy committee is going to discuss a draft revision to a policy. Must we really post the draft revision prior to the meeting? The way our board works, the draft is likely revised several times over three or four policy committee meetings before it becomes part of a board packet for a full board meeting. My "gut" tells me that complying at that level would be overkill. A similar situation would be draft versions of a budget.

I think the public has an opportunity to see the documents in question before they are finalized at a full board meeting, so my instinct is that working documents would not need to be posted in advance. But that's not what a strict reading of the law itself and your posting tells me.

So, I am torn and would love clarification.

Lastly, I just want to compliment you on this service that you are providing. it is really great.


 

 

WNYLRC ATTORNEY'S RESPONSE

Thank you very much for your kind words!  And for submitting this question.

For "Ask the Lawyer" readers who don't follow the State's "Open Meetings Law" (the “OML”) with regularity, the new rules that the member is referring to are the revised Section 103(e) of the OML.  The "Ask the Lawyer" that the member refers to is "Availability of Open Meeting Documents".

In that RAQ, we discussed the extent of a library board’s new obligation to ensure that certain materials used during open portions of trustee meetings be made available at least 24 hours in advance...and how, if a library routinely uses its website, those advance copies should be posted on it.

Given the new requirements, Tim's question is a practical one: "Do working documents being shaped and edited at committee meetings need to be posted in advance of the committee meeting?"  In other words, if the document is in flux, and subject to change even during the meeting, must a copy be provided in advance?

In considering the answer, I of course checked the law and the latest commentary from New York's "Committee on Open Government" (the "COOG"), which is the arbiter of all things OML. However, since Tim mentioned checking in with his gut, I also checked in with mine.

To do that, I pictured myself as the attendee at a meeting of my city's[1] common council. I envisioned them discussing a policy on the agenda: the formation of a police advisory committee.[2] I then pictured myself checking the meeting packet that was put on the City's web site 24 hours prior to the public meeting, to see if a copy of the policy is in the packet.

Here are five scenarios of what happens:

Scenario 1: I check the packet: there it is! As the committee members discuss the proposed policy, I am able to meaningfully link their commentary to the written document.

Scenario 2: I check the packet: there it is! But then, the Chair of the meeting says "Before we begin, I would like to add that this morning I received a proposed new version of the policy for us to consider.  The new version adds a paragraph to the version that is in your packet.  That version was emailed to council members this morning." As the committee members begin to discuss the proposed policy, and the new paragraph, I am able to meaningfully link their commentary to the written document--except for the new paragraph.

Scenario 3: I check the packet: there it is! But then, the Chair of the meeting says "Before we begin, I would like to add that this morning I received a proposed new version of the policy for us to consider.  The new version adds a paragraph to the version that is in your packet.  That version was emailed to council members this morning, and I am going to ask the clerk to place a version in the video feed [in a way public attendees can see] as a courtesy." As the committee members begin to discuss the proposed policy, and the new paragraph, I am able to meaningfully link their commentary to the written document--even the new paragraph.

Scenario 4: I check the packet: there it is!  Twice?  Hmmm.  As the agenda item is called, the Chair of the meeting says "Before we begin, I would like to clarify that we have two versions in the meeting packet because two versions have been submitted for review and consideration at this meeting." As the committee members begin to discuss the proposed policy, and the two versions, I am able to meaningfully hear their commentary on the precise wording as they discuss intent, concerns, and possible revisions, although I have to toggle between versions to keep up.

Scenario 5: I check the packet: it's NOT there!  When the committee reaches that agenda item, the Chair of the meeting says "Because this policy is under review in various offices, who may submit changes before our next meeting, and there are a few versions under discussion, we haven't posted any version yet." As the committee members begin to discuss the proposed policy, and the different wording, I am unable to meaningfully connect their commentary to the writing they have based it on.

Checking in with my gut: in either "Scenario 2" or "Scenario 5," I might be irritated to the point where my gut might review the law to see--has the council followed the law?

And when my gut checks with the law, I see this commentary from the COOG[3]:

Image depicting screenshot from Committee on Open Government, titled Disclosure of Records Scheduled for Discussion at Open Meetings. Text reads: Shoshanah V. Bewlay, Executive Director, Committee on Open Government, Kristin A. O'Neill, Assistant Director, Committee on Open Government. Since 2012, Section 103(e) of the Open Meetings Law has required public bodies or agencies that host public bodies to make available to the public, within reasonable limitations, the records scheduled to be discussed during open meetings prior to the meetings. Until recently, the Open Meetings Law did not address how far in advance of a meeting such records were required to be made available. Effective October 19, 2021, Chapter 481 of the Laws of 2021 amended Section 103(e) of the Law to require that copies of records be made available to the public at least 24 hours before a public meeting, to the extent practicable. Records may be available for a reasonable fee and/or by posting them online. [Editor note: this next paragraph has a highlight of the second point and the word policies is circled in red]. The Law addresses two types of records: first, those that are not required to be made available pursuant to FOIL; and second, proposed resolutions, law, rules, regulations, policies (circled in red), or amendments thereto. When (red arrow) either is scheduled to be discussed during an open meeting, the law requires that they be made available to the public, to the extent practicable, at least 24 hours prior to the meeting.

Second screenshot of another section of the Disclosure of records scheduled for discussion at open meetings. Link to full text of this page is available in Footnote 3. Text reads: We emphasize that the potential obligation to make records available on request or online is limited to records that are "scheduled to be the subject of discussion" during an open meeting." If there is a basis for conducting an executive session, a portion of a meeting that may be closed, records scheduled [Ed. note: this section is highlighted] to be discussed during the executive session are not required to be disclosed. Further, if a proposed policy offered by the head of an agency, a mayor, a town supervisor, or a superintendent of schools was preceded by recommendations or opinions expressed by staff or members of a public body, those recommendations, opinions or similar materials fall outside the coverage of the amendment and need not be disclosed [Ed note: end highlight]. See FOIL Section 87(2)(g). Through the disclosure of records scheduled to be discussed during open meetings, the public may be better able to understand and appreciate the issues facing government. Interested and civic-minded citizens can offer information and points of view that can assist in improving the operation of government to the beenfit of our communities.

So with that, I answer the question ""Do working documents being shaped and edited at committee meetings need to be posted in advance of the committee meeting?" as follows:

Even if a policy is in draft form, or if multiple versions are under review, if it is on the agenda of a public meeting for discussion, the version or versions under review should be included in the meeting packet, to allow for meaningful public access to the materials.[4]

That said, recommendations, opinions, or similar materials regarding such policies under development do not have to be shared, and revisions not ready in time for posting (even if discussed at the meeting) do not have to be made available/posted in advance.

Thank you for a subtle and thoughtful question!



[1] The beautiful, if somewhat bedraggled by an industrial past, Buffalo NY.

[2] This was not a huge stretch, as that topic actually is under consideration by Buffalo as of April 2022.

[4] Although the law does not require it, when doing so, I strongly advise that the version include a header or some type of other indicia showing that it is a draft copy for review only, and the version date (of course, archivists and clerks?).
 

 

Tags: Board of Trustees, Open Meetings Law, Policy, Privacy, Public Records

Topic: Employee privacy and image use - 03/31/2022
My concern is about employee privacy and image use. Since it is so easy to take a picture these da...
Posted: Thursday, March 31, 2022 Permalink

MEMBER QUESTION

My concern is about employee privacy and image use. Since it is so easy to take a picture these days, and many employee meetings are happening over videoconference, what are the laws governing the use of employee images and materials generated by a library employer?   What stops the participants in an online meeting from taking and using screenshots of attendees?  I know that being a librarian often means working with the public, but when it comes to an employer using an employee's picture and other digital captures of their image, what does the law say?   Can an employee attending an online meeting be compelled to turn on their camera?

 

WNYLRC ATTORNEY'S RESPONSE

This is one of those questions that a thoughtful attorney, wishing to be thorough, could write a book about. However, "Ask the Lawyer" is not a book, so we'll see what I can do in about one thousand words!

To give some useful answers, and also stick within our word limit:

1.  If a library/employer needs to convene a meeting of employees and decides it will use videoconferencing tech to do so, and then states an expectation that all participating employees will turn their cameras on during the meeting, no law in New York bars such a requirement.

2.  If employees of a library/employer that requires, as a matter of policy, that participants in a video conference must turn their cameras on, decide to demand via a collective bargaining agreement, or through policy, that keeping a camera "off" should be an option for an employee, that could become a negotiated or policy-based term of employment.  But an employer could say "no" when this is asked/demanded (and then take the hit on employee morale and/or union relations).

3.  If a solitary employee of an employer who requires participants in a video conference to turn their cameras on decides being on-camera is unacceptable to them, and they request an exception to the rule, that is a reasonable request--but there is no obligation on the part of the employer to honor it (and in fact, special exceptions could cause issues...more on that in a bit).

4.  If an employee has a disability that prevents them from working effectively while on camera, that employee could request keeping the camera "off" as a disability accommodation, and the employer would have to consider the request per their disability accommodations policy (Based on the particular circumstances, this may or may not result in a decision to grant the requested accommodation).

5.  Now, with respect to the use of pictures: if an employer uses an employee's image--taken as either a photograph, a screenshot, or through any other means--for commercial purposes without the employees' permission, that could potentially be a violation of the law.  This is why employers who wish to use their employees' images in catalogs, advertising campaigns, and other publications as part of commercial operations should obtain written permission for such use.[1]

6.  Library/employers who wish to be proactive about protecting employee privacy, while also acknowledging that a library's workforce does often play a public role in their community, should use thoughtfully developed policies to find the balance between public relations and employee safety and privacy. A well thought-out and routinely re-evaluated use of a "Social Networking Policy," a "Media Relations Policy," and a "Branding and Promotions Policy"[2] can achieve this balance.

7.  And now, for some thoughts on how this all fits together.

[Clears throat, steps on soapbox]

There is no one right way to do any of the above-listed items, but because having a solid process that respects the privacy of employees is part of attracting, developing, and retaining a qualified and dedicated workforce--as well as promoting the operations of the library--it is important that a library/employer find the way that works for them.

On the employee side, for library employees who are concerned about their privacy, or about being compelled to turn a camera on, if at all possible, raising the issues gently with management prior to any type of crisis point is a good idea.[3] For libraries that are using name tags, or have specific policies related to employee safety/privacy, or use of cameras on site, any of those policies are good entry points for consideration of these issues.

Law aside, as a business owner, and as the participant in (now) more online meetings than I can count,[4] I have found that it is very important to set the norms for online meetings[5] so that employees know what the expectations are.

How is that done?  When convening a meeting, at least until a group knows what the norms are, it is good to give a few of the ground rules. For instance, a good set of opening ground rules could be:

 "Thanks everyone for gathering today. While we can't be together in person, it is good to be together for this important topic. For this meeting, cameras are optional, but we ask that if your camera is off, you use a picture of your face for ease of communication. This meeting is not being recorded, and we ask that you refrain from taking screenshots unless you ask first. If you have questions during the discussion, feel free to put them in the chat. Our note-taker today is [Person], and if you have items that you want to make sure end up in the notes, please put those in the chat as we meet. The notes for the meeting will go out by tomorrow."

Another example, very different but just as enforceable, would be:

Thanks everyone for gathering today.  While we can't be together in person, it is good to be together for this important topic. For this meeting, we do ask that you keep your camera on, so we are all using the same modes of communication. Also, so we have a good record of the information we'll review and the decisions we'll make, this meeting is being recorded. As a courtesy, please do not take a screenshot unless you ask first. If you need to make a comment, please raise your hand, and I as moderator will get you in the queue. We don't have a note-taker for today, so please make your own notes for any points to follow-up, or ask [Person] for the recording. As with all our meetings, the recording will be considered confidential and not for release to anyone who was not in attendance."

...and the combinations could go on.

By being thoughtful about the nuances of privacy and the norms for meetings, a library/employer can both set the tone for a graceful meeting, and also position themselves to proactively address any employee concerns about the chosen norm for meetings overall. This is particularly important if an employer is insisting that cameras be on at all times; while there may be compelling reasons for this type of rule, if a library/employer is relying on employees who are working from home, there may also be compelling reasons to give employees the option of attending with their camera "off"; a well thought-out and routinely expressed set of norms will help with compliance, will make sure exceptions to "camera-on" rules are not perceived by others as unfair, and will create space for feedback in case employees want to request that the rule or norm be changed.

Thank you very much to the member for a compelling set of questions that are very much of the times. As with all "Recently Asked Questions" posted on "Ask the Lawyer, we invite feedback on this one (sent to info@losapllc.com or through the "Ask the Lawyer" submission page).  This is an evolving topic, and I am sure many library council members out there have thoughts on this!



[1] For more on image rights, see the “Ask the Lawyer” here: https://www.wnylrc.org/ask-the-lawyer/raqs/49.

[2] There is no one name for this type of policy...some libraries call it "marketing," while others resist that label as too commercial-sounding.  If it didn't sound so cute, I'd say call it the "Who We Are and What We're Doing" policy, since that is really what it's for.

[3] I appreciate that not all employees are in situations where they feel empowered to raise this type of concern--gently, or at all. 

[4] In 2022, who can't claim this breadth of experience?  That said, because of my work, I have met with now hundreds of clients via telecon, so have seen a wide array of how business conduct online meetings.

[5] This is important for in-person meetings, too...but the norms may be a bit different.

 

Tags: Employee Rights, Image Rights, Policy, Privacy

Topic: Patron Privacy and Police - 11/18/2021
Local police walked through our Library earlier today with no explanation. Later on, we noticed 2 ...
Posted: Thursday, November 18, 2021 Permalink

MEMBER QUESTION

Local police walked through our Library earlier today with no explanation. Later on, we noticed 2 teens on premises, who we assume should have been in school. We thought the police may have been looking for them as truants, but that is not confirmed. The question is, if the police were to ask if we saw the teens, are we able to answer or is that considered a violation of patron privacy as it is with patron information and records?

WNYLRC ATTORNEY'S RESPONSE

There is no one right answer to this question, but there is a formula for any library to come up with its own, unique answer.

Here is the formula:

[Situation] x [Ethics + Law] / [POLICY/Precedent] = YES or NO

Let me break this approach down.  And trust me, I will give a clear reply to the member's question at the end of all this.

The formula starts with the situation.  In the scenario we have here:

"Local police walked through our Library earlier today with no explanation. Later on, we noticed 2 teens on premises, who we assume should have been in school. We thought the police may have been looking for them as truants, but that is not confirmed."

There is a lot that can be said about this description, but one important aspect of it is the library's care to not reach a conclusion about why the teens were at the library instead of school (while the member describes an "assumption," there is no action on that assumption).  And as noted, law enforcement was not called; rather they "walked through...with no explanation."

This situation is then multiplied by the combined factor of ethics and law.  Both the ALA and NYLA Codes of ethics emphasize patron confidentiality.  Meanwhile, New York's Civil Practice Law and Rules ("CPLR") Section 4509,[1] the state law requiring a subpoena or judicial order before a user's library records can be shared without that patron's consent, does not define "library records" other than to state that they include "personally identifying details."  This is why whatever the situation, ethics, and law are, the answer must be assessed under a library's policy governing patron records (while considering past applications of the policy, to ensure consistent application).

It is at this last factor--policy--where things can get complicated.  With the advent of (sorta) new technologies, the definition of "library records" is not just internet searches and checked-out materials.  It could be what a person printed on a 3D printer, or their image on a surveillance camera, or their use of library wi-fi.  None of these things, right now, are listed in CPLR 4509, but many library professionals would consider them to be library records.

The trick is making sure that when a library takes a position about library records (especially with regard to records that, at first glance, are not about library services, but more about security), it is supported by their policy.

Okay, I know I promised a "clear answer".  So let's re-state the question: "if the police were to ask if we saw the teens, are we able to answer or is that considered a violation of patron privacy as it is with patron information and records?"

Based on a fictitious library consulting a fictitious lawyer, here is one possible answer:

To the ABC Library:

You have requested legal advice regarding whether a library may provide a substantive answer in response to law enforcement enquiring about the presence of a patron in the library.

Your concern is that such a disclosure, based on the visual observations of library employees rather than written/recorded records, could still be considered a violation of patron privacy.  You confirmed that at the time of the inquiry, the library had no operational need to release any such information.

I have reviewed the library's policy on patron confidentiality, and based on the below clause, I advise to not release such information unless there is a subpoena or judicial order:

"Consistent with the ALA and NYLA Codes of Ethics, the ABC library considers any record or information that indicates an individual's use of library services and/or facilities to be a library record under CPLR 4509, unless specifically excluded[2] by this policy."

Therefore, I advise not providing such information without a subpoena or judicial order, unless the requestor accurately points out that a specific law requires it.

Thank you for trusting me with this question.

Very truly yours,

A. Hypothetical Lawyer, Esq.

Of course, as the "formula" at the start of this answer points out, the "situation" may vary from time to time.   And CPLR 4509 does leave room for mandatory disclosure "when otherwise required by statute." [3] Those are the times when a library may want to consult a local attorney to obtain quick advice in the moment.

Since this formulaic balancing of facts, ethics, legal obligations, and policy can be difficult to keep in mind,[4] it may be helpful to summarize it to library trustees, employees, and volunteers this way: “A patron's use of the library and our services are confidential.  If anyone asks about a patron using or being at the library, our standard reply is 'Since patron information is confidential, I need to refer you to [the Director].’”[5]

Thanks for a very thought-provoking question.



[1] As of November 12, 2021, here is the text of CPLR 4509: "Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute."

[2] What are examples of things to exclude?  If a library is in shared space with a shared security surveillance system, that should be excluded (unless the library has confirmed via written contract that the footage of the library will only be reviewed per the policy).  If the library has a snack bar or gift shop and wants to monitor the point of sale for theft, that could be excluded.  Security footage of a community room used by third-party groups (not individuals) under a space rental agreement is another possible example. 

[3] Such as FERPA. For more on this, see the “Ask the Lawyer” posted here: https://www.wnylrc.org/ask-the-lawyer/raqs/80

[4] Even lawyers need to look this stuff up sometimes.  Just like I don't have some of the finer points of the Domestic Relations Law at my fingertips, not all lawyers can recite the requirements of CPLR 4509.

[5] Or designated positions with regular training and/or adequate experience to appreciate the fine points of the library's policy.

Tags: Ethics, Patron Confidentiality, Policy, Privacy, Safety, Templates

Topic: Database Downloads and Confidentiality - 11/18/2021
Recently a question has come up at our academic library concerning patron privacy and the notifica...
Posted: Thursday, November 18, 2021 Permalink

MEMBER QUESTION

Recently a question has come up at our academic library concerning patron privacy and the notification to a patron (usually a student) concerning excessive downloading of content from databases in our collection. Our current practice has been to receive notification from the vendor about perceived illegal downloading. We then ask a member of our library IT team to investigate the situation, based on the information from the vendor. The contact information acquired by that IT staff member is then provided to the e-resource librarian. That librarian then contacts the individual via email, explaining the situation and indicating that such behavior must cease. Once that is done, the librarian notifies the vendor that the situation has been addressed, and there is no need to withhold access to the product from the campus. No personal identification of the user or student is provided to the vendor, nor distributed to anyone else. The question now: Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?

WNYLRC ATTORNEY'S RESPONSE

Questions that combine higher education, data access, and "terms of use" enforcement always give me a moment of sad reflection, as I remember Internet pioneer and activist Aaron Schwartz. It was an alleged overuse of an academic database at MIT in 2012 that lead up to his demise.[1]

While the circumstances in the Schwartz tragedy are different from the situation described here, both scenarios--and the care the member has taken in framing this question--illustrate the importance of considering what's at stake when an institution balances contract compliance, digital access, and privacy.

What's "at stake" here? The member's question combines concerns about:

  • Confidential use of library resources
  • Academic freedom
  • Intellectual freedom
  • Honoring the exclusion of certain academic and library actions from liability for copyright infringement
  • FERPA

Let's do a quick run-down of these critical areas:

In New York, the confidentiality of library services is protected by Civil Practice Law & Rules ("CPLR") section 4509, which states that library records indicative of the identity of a library user may only be accessed with that user's permission, or per a subpoena or court order. CPLR 4509 applies to private libraries within academic institutions as much as it does public libraries or those within school districts. It works hand-in-glove with the American Library Association's and New York Library Association's recitals of patron confidentiality in their Codes of Ethics.

In New York, the commitment of a higher education institution to academic freedom is reflected in various ways. An example is the American Association of University Professors' 1940 "Statement on the Principles of Academic Freedom"[2]: "Teachers are entitled to full freedom in research..."

In New York and throughout the nation, the commitment of libraries to collaborate with others to promote intellectual freedom and access to information is reflected the ALA Library Bill of Rights: "Libraries should cooperate with all persons and groups concerned with resisting abridgment of free expression and free access to ideas."

In New York and throughout the nation, certain academic and library actions that would otherwise violate copyright are excluded from liability for infringement. This exclusion is to ensure there is a clear and well-defined legal safety net for content accessed in furtherance of certain intellectual and academic freedoms.

And throughout the USA, the privacy of education records, including library records, is assured under the Family Education Rights Privacy Act" (FERPA).

Serving as a counterweight to all of these critical factors are an educational institution's obligations under federal law and regulation with regard to alleged copyright infringement, particularly the regulations found in 34 CFR §668. If I were to delve into that and describe all of those obligations here, this answer would be 50 times longer, but a good summary of what compliance in that regard looks like can be found in this sample policy from RIT: https://www.rit.edu/its/rit-response-copyright-infringement.  In short:  since 2008, federal law requires higher education institutions receiving federal financial aid and other federal benefits to be express enforcers and re-enforcers of copyright.[3]

Sitting astride of all of this is whatever notification commitments (and other responses)  a college or university library agreed to when it signed the license agreement with the database provider (I have reviewed many of these types of license agreements, and almost all of them have some form of notification action requirement, which can range from a warning as described by the member, to ensuring the immediate cutoff of access by an offender).  This means that in addition to the ethical, legal, and regulatory factors that have to be balanced in a question like this, we also have to consider obligations that are contractual.[4]

With all of these very important considerations now laid before us, let's review what the member is doing:  1) getting a notification of a possible terms violation from the provider, and then 2) using a firewalled[5] process to identify the user and alert them of the alleged violation, and then 3) assuring the vendor they have addressed the issue.  As asked by the member:  Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?

Here is my short answer: since the method of response described by the member shows there is a big firewall between the vendor and the institution (meaning: the outside party never learns the actual identity of the alleged violator), I believe so.  BUT: the only real way to ensure privacy is protected as it should be is to confirm that the information flowing between the library and the IT Department never goes any further...within the institution.

What do I mean by that? The information should never go to campus safety or security. Unless it is per a very clearly articulated procedure developed for the operational needs of the library, it should never go to the office responsible for student discipline. And it should certainly never go to an employer on campus, a faculty member, or an advisor.[6]

This caution is warranted because, although a library within a higher educational institution is not a separate business entity the way a chartered public library is an entity separate from the town or city that sponsors it, for purposes of an academic library's adherence to privacy ethics and laws, it should be considered a stand-alone entity. Information can flow into it, but information should not flow out, even to other departments, unless the flow serves the operational needs of the library, and verifiably goes no further.

This 'one-way flow" for user-associated academic library records is an easy goal to articulate, but in practice, it can be very difficult to assure. As systems within large and small institutions get more integrated in the interests of security and economy, so too is it more difficult to separate one type of information from another. However, when it comes to privacy and library confidentiality, because of the high stakes involving intellectual freedom, academic freedom, and student privacy, extra care and attention is warranted.

The care of the member in submitting this question and describing the careful process they are using is emblematic of the type of care that should be used at all times when safeguarding user confidentiality and privacy at a higher education academic library.

Thank you very much to the member for submitting such a careful question.

 

RIP, Aaron Schwartz.



[1] I say "led up to" rather than "led to" because while many believe the latter, the facts of the case clearly establish the former.

[3] I won't mince my words about that requirement: I don't like it. But I am not a member of Congress.

[4] And voluntary. This is why it is very important to read database licenses and to PUSH BACK on clauses that require draconian responses to alleged violations.

[5] By "firewalled," I mean that the vendor never knows the name or other identifying information of the alleged violator.

[6] Unless the student has signed a waiver. Then it can go to whoever has permission.

 

Tags: Academic Libraries, CPLR 4509, Ethics, FERPA, Privacy, Security, Students, Surveillance, Databases

Topic: Retroactive Background Checks - 11/03/2021
We have a school district public library board considering requiring background checks for new emp...
Posted: Wednesday, November 3, 2021 Permalink

MEMBER QUESTION

We have a school district public library board considering requiring background checks for new employees. They are concerned that they may be legally required to background check all current employees. Would there be any legal reason they would need to do so?

WNYLRC ATTORNEY'S RESPONSE

[NOTE: for background to this short answer, please see the much longer "Ask the Lawyer" https://www.wnylrc.org/ask-the-lawyer/raqs/205, that addresses the tightrope walk/legal minefields of employee background checks.]

So, does a school district public library[1] implementing a background check for new employees have to also check their current ones?

The answer is: no; barring an over-ruling requirement (such as a term in a union contract) a library board can implement a background check policy for all hires going forward, without imposing a "retroactive check" requirement for current employees. 

However, I would never advise that approach.  Here are three reasons why:

1.  Possible discrimination

A policy to only check the backgrounds of "new" employees could have a disproportionate impact on candidates on the basis of age, or gender, or race (to name a few).  By not checking everyone, an employer risks the appearance of (or actual occurrence of) illegal discrimination.

2.  Possible liability

Employee background check policies are implemented to reduce risk.  If an employer is using employee background checks to reduce risk, there should be a very good reason for not checking all employees (such as a union contract that bars it[2]), or the employer risks a claim of negligence.

3.  Worker relations

A work environment should be a place of high trust.  By subjecting one class of employees ("new" employees) to heightened scrutiny, in addition to the possible concern mentioned above in "1," it creates an unbalanced environment for trust.  This is bad for morale.

I appreciate that background checks can come with a cost, so minimizing their frequency is helpful.  I encourage any library implementing such a policy to check with their "Directors & Officers Insurance" carrier, since sometimes, carriers offer resources to defray and even pick up the costs of the check.

 

Thank you for a thoughtful question.

 



[1] Of course, if a school district public library is in a school (not a common scenario; school district public libraries are largely autonomous and separate from school district property), and if the librarians are on the payroll of the district, then they are already being background checked and fingerprinted, per the chart here: http://www.nysed.gov/educator-integrity/who-must-be-fingerprinted-charts.  Of course, this question pre-supposes that the board is setting the hiring policy, which means the library is autonomous.

[2] Just to be clear, a contractual obligation to not conduct criminal background checks should never be in a collective bargaining agreement!  However, some reasonable restrictions on the scope of such a check would be consistent with NY law and policy.

 

Tags: Employee Rights, Employment, Ethics, Hiring Practices, Management, Policy, Privacy, Risk Management, Safety, School Districts, Background Checks

Topic: Name Tag Policies - 10/22/2021
Our library is considering a name tag policy as part of our focus on patron service.  What ar...
Posted: Friday, October 22, 2021 Permalink

MEMBER QUESTION

Our library is considering a name tag policy as part of our focus on patron service.  What are the legal "do's" and "don'ts" of an employee name tag policy?

WNYLRC ATTORNEY'S RESPONSE

When it comes to the legal considerations of employee name tags, there are quite a few "do's" and just as many "don’ts."  I'll set them out below, with the legal rationale behind the guidance.

DO pick a legible font.

Accessibility matters.  Consult an ADA guide and pick a font that is easy to read.

For this reason, employee name-tags should not be hand-written.

DON'T require employees to wear name tags without a "Name Tag Policy".

As we'll see, some of the details of name tag use can get tricky.  A well-thought-out, board-adopted policy is the best way to ensure the policy covers all the required bases and is enforceable.

DO have a good reason to adopt the policy.

A name tag policy should not stand alone; it should be part of an overall approach to patron service.

DON'T adopt a “Name Tag Policy” solely because of the request of one patron.

Of course, a patron request could kick off a board's consideration of adopting such a policy, but again, employee name tags should be part of the overall approach to library operations.

DO memorialize the reason for the policy in the board minutes.

For example: "WHEREAS the board has found that easily identifying library employees by their first name or nickname promotes a positive experience for patrons, visitors, and vendors, and enhances initiatives to promote confidentiality and security...."[1]

DON'T demand that employees put their full name on the name tag.

This has to do with safety and privacy.  Most definitely, a board can determine that name tags may be part of the patron experience, and request that employees wear a badge that includes their name.  However, unless the policy sets out a reason why a full name is needed, full disclosure should not be required.[2]  Further, if an employee wants to use a nickname,[3] to further avoid identification outside of the workplace, that option should be considered.

DO consider that the format for the name tag include an employee's pronouns

This is just a nice thing to do, but is also a good way to document a practice of honoring the identity of employees in a way that is consistent with state and federal civil rights laws.

DON'T pass such a policy without thinking about your union (if there is one)

If there's a union, before you pass such a policy, get some legal input on the contract.  And even if there isn't a union, think about the requirement from the perspective of the employee experience.

DO require volunteers to wear name tags, if employees in similar situations are so required.

This goes back to documenting the reason for the name tag policy.  If the practice is that every employee working in patron-facing areas wears a name tag, patron-facing volunteers should, too.

 



[1] This is just an example.  There are many other reasons that a board may base its decision on.  The point is that the reasons should be genuine, and be documented.

[2] This one pains me because I tend to be a stickler for formality; upon first meeting someone, I would rather they call me "Ms. Adams" rather than "Stephanie" (which only strangers and my mother call me, since my nickname is "Cole").  So, if there is a library out there that wants to go formal "Ms. Adams/Mr. Adams/RP Adams," that's fine, too.  The point is: full names should only be displayed if it is determined they are necessary.

[3] Nicknames are okay, but DON'T let them detract from the professionalism of the workplace.  In one sexual harassment case, the manager of a bar used the nickname "Big Daddy" on his name tag.  It was found that this (and other actions of debatable taste) were not a legal violation, but as the judge dismissed the case, he commented that the behavior was "obnoxious and puerile" (see Urban v Capital Fitness, 2010 [EDNY Nov. 23, 2010, No. CV08-3858(WDW)]).  But of course, this was found to not be a violation in a bar, not a library.  And remember, things have changed a lot since 2010.

 

Tags: Employment, Policy, Privacy

Topic: Filling Out Forms for Patrons - 07/08/2021
We had a patron come in this past week who said that he couldn't see well and also couldn'...
Posted: Thursday, July 8, 2021 Permalink

MEMBER QUESTION

We had a patron come in this past week who said that he couldn't see well and also couldn't type or use a mouse, but he needed to certify Unemployment Insurance. He asked the staff member to login with his username and password and do this for him, and the staff member was, understandably, uncomfortable doing it.

I feel like patrons who divulge their personal data to us are doing it of their own accord and our privacy responsibility is to not share that information with others without the consent of the patron.

In this particular case, the patron was offering his information and consenting for us to enter it for him. As such, I don't think this violates any privacy agreement we have made as employees of the library.

The part that I worry about is, could this come back on an employee if they are doing a legal filing for a patron and the filing may be fraudulent? I am optimistic by nature and like to think people have good intentions, but the reality is, I know this happens. I wouldn't want to put an employee in a sticky legal position if they filed what might turn out to be a fraudulent claim for someone.

Do you know of similar situations in other libraries and what, if any, legal ramifications there might be for employees who could be caught in the middle of something like this?

WNYLRC ATTORNEY'S RESPONSE

At first glance, this question seems simple: what are the possible legal risks to a librarian helping a patron fill out a legal document?

But within this question lies another, slightly more complex issue: when does good customer service become an accommodation for a disability?

This "slightly more complex" consideration is brought up by this part of the member's scenario:  "We had a patron come in this past week who said that he couldn't see well...", potentially meaning: the patron could not access the library services (use of the computer and internet) without assistance, because of a disability.

Of course, not every visual limit is a bona fide disability (I have to take off my glasses to read these days, but that does not entitle me, by law, to an accommodation under the ADA).  However, a patron requesting help to access a library service due to "low vision" (meaning that patron cannot view the screen even with corrective lenses), is potentially requesting an accommodation.

This is because "low vision" can be "a physical or mental impairment that substantially limits one or more major life activities," (which is the ADA's definition of a disability).

For patrons with "low vision," an ADA accommodation can take many forms aside from a human-powered solution, including:

  • Ensuring computers have increased operating system font size with large-size computer monitors
  • Screen magnification software
  • Locator dots and/or large print keyboard labels for keyboard navigation
  • External computer screen magnifier[1]

What accommodations a library chooses to offer to someone needing an accommodation to access library services will vary based on that library's size, type, served population, and (of course) budget. [2]  For some libraries, the "human solution" will be the only one available...which creates dilemmas like the one shown in the member's question.

Okay, let's press "pause" on the ADA aspect (we'll come back to it) and return to the original, simple question: what are the possible legal risks of a librarian helping a patron fill out a legal document?

The risks, of course, are that if the patron is accused of fraud, identity theft, or any other illegal activity based on the form's contents, it could lead to complications for the library (and thus, potentially, the employee).

Of course, most types of crimes based on fraud, false personation, and identity theft turn on the awareness and intent of the involved parties. Basically--and this is a big paraphrase--so long as a person can show they had no awareness or intent to help with a crime, they will have a defense against such an accusation...especially if they are performing the action as part of a duty in their job description.

But how can a library avoid such accusations against its employees in the first place?  This is where we take the ADA aspect off "pause," and consider how a library's policies can set firm boundaries for good customer service, while also facilitating accommodations for disability.

How is that done? Many libraries already have a version of this approach, but here's my plain-language version of a policy:

Library employees are here to help patrons use library resources, but librarians and library staff may not interpret, provide guidance, or fill in forms for patrons.

Patrons who need assistance filling in a form or completing a document due to uncertainty about the content are welcome to ask librarians for help locating the instructions or contact information for assistance.

Patrons who need assistance filling in a form or completing a document on the library's computer or other resource as an accommodation for a disability, please alert the Director or [insert alternate, accessible means], so the Library may act on the request per the library's ADA policy.

So, to be clear, my answer to the member's overall question is: to avoid doubt, librarians should never help patrons fill out the answers on legal forms if the help is just part of good customer service.[3]   HOWEVER, librarians absolutely can read the content and type substantive answers on a patron's legal forms if the library decides (and documents) that it is providing the assistance as part of a reasonable accommodation for a disability.

When considering employee-powered assistance as a form of accommodation, part of evaluating the request must be consideration of how it can be fulfilled ethically.  For instance, a person providing an ADA accommodation as an ASL Interpreter must follow the Registry of Interpreters' Code of Ethics[4] (or other professional association).  A person providing an ADA accommodation as a "reader" for a person who is blind or has low vision should not offer guidance or commentary on the content--their role is limited to reading, and perhaps typing, based on verbal prompts from the accommodated party.[5]  A person typing because the library's only keyboard is inaccessible to the patron and the library has no dictation software should similarly only type as an accommodation, and not offer comment or guidance. [6]

Some libraries, looking at the range and requirements for certain types of human-powered accommodations, may decide they do not have the staff capacity to provide such resources.  Others will say (and support by well-developed policy): sure, we can do that, here's how.[7]

The important thing, no matter what the decision is, is to keep a record as to why a library employee (or contractor) would assist a patron with filling out and/or submitting a confidential or legal document.  Since the only reason should be as an accommodation, that reason should be documented in either the policy (for instance, if the library has a standard service) or as an ad hoc request.

Thank you for a very compassionate and thoughtful question.



[1] Many thanks as always to the "AskJAN.org" web site, which lists common disabilities and their accommodations, including the definition and accommodations for "low vision," found here as of June 28,2021: https://askjan.org/disabilities/Low-Vision.cfm.

[2] "Ask the Lawyer" has addressed the various types of libraries’ obligations under the ADA in other answers, such as https://www.wnylrc.org/ask-the-lawyer/raqs/65 and https://www.wnylrc.org/ask-the-lawyer/raqs/142.

[3] Assistance printing, formatting, duplicating, locating a hyperlink, and in general using library technology in furtherance of completing the form is okay.

[4] Found at https://rid.org/ethics/code-of-professional-conduct/.  Are there any libraries with in-house ASL interpreters?  That would be cool.

[5] The National Foundation for the Blind has a helpful article on this here: https://nfb.org//sites/default/files/images/nfb/publications/fr/fr35/1/fr350105.htm.

[6] This is why consideration of ADA access is so critical in procurement of library resources.   As you will see on most ADA-resource sites (like AskJAN.org), most accommodations these days are powered by technology.  Although some still rely on human action (for instance, reading aloud), most do not.  A library that factors these needs into procurement decisions (buying larger screens, or adaptable keyboards) will not only model a practical commitment to ensuring access, but will reduce the need for employees to be the mode of accommodation--lowering the risk of viewing and contributing to the completion and submission of confidential/legal documents.

[7] An example of the types of accommodations offered on the "larger budget" end of things can be seen at NYPL: https://www.nypl.org/accessibility.

 

Tags: Accessibility, ADA, Privacy, Accommodations, Patron Confidentiality, Service Desk Issues

Topic: Patrons Who May Be Potential Targets of Scams - 05/25/2021
Our library offers a variety of business services such as copying, scanning, emailing, and faxing,...
Posted: Tuesday, May 25, 2021 Permalink

MEMBER QUESTION

Our library offers a variety of business services such as copying, scanning, emailing, and faxing, and we also have staff on hand to assist patrons with these services. We often have patrons request assistance with scanning and emailing or faxing sensitive documents including checks (with banking/routing numbers), driver’s licenses, Social Security cards, or other financial/legal documents.

I am wondering:

a) What responsibility do library staff have to inform a patron if we think they may be in the process of communicating with and sending documents to a scammer? How do we protect our patrons from scams/fraud while also respecting their privacy?


b) How liable is the library/library staff if a patron is scammed after library staff use library resources to send documents/information that played into the scam, even at the patron's request?

WNYLRC ATTORNEY'S RESPONSE

This question tugged at my heart, because lawyers face issues like this, too.[1]

Maintaining confidentiality while addressing concerns that a person is being victimized creates terrible tension.  The need to maintain a trusting relationship, governed by professional ethics, makes the tension all the more acute.

It is those professional ethics, however, that will carry the day.

What is the basis of a librarian's obligation of confidentiality?  Confidentiality of library records is, of course, protected by state law,[2] but it starts in item "III" in the ALA Code of Ethics[3]:

III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

But this issue also related to item "I" from that Code:

I. We provide the highest level of service to all library users through appropriate and usefully organized resources; equitable service policies; equitable access; and accurate, unbiased, and courteous responses to all requests.  [emphasis added]

So, here we are: iron-clad confidentiality, coupled with "unbiased" responses to all service requests.  From within those ethical boundaries, the member has asked:

  • If there is an obligation to protect a patron from a suspected scam;
  • How they can help even if there is not an obligation; and
  • Could the situation lead to liability for the library?

There are information management professionals far more qualified than I to discuss the professional nuances of these questions.  But from the legal perspective, and to address the legal questions about obligations, protection, and liability, here are my answers.

Question 1

What responsibility do library staff have to inform a patron if we think they may be in the process of communicating with and sending documents to a scammer?

Answer 1

There is no legal duty to inform a patron of this suspicion.  Further, I see nothing in the ALA Codes of Ethics that makes it an ethical duty of the profession. 

Question 2

How do we protect our patrons from scams/fraud while also respecting their privacy?

Answer 2

We have reviewed that there is no legal or ethical obligation to "protect" a patron in these circumstances, and there can even be concerns related to trust, confidentiality, and perceived bias that mean a librarian should keep their suspicions to themselves.

However, neither the requirement to be confidential, nor the obligation to provide services without bias, stop a librarian from doing what they do best: sharing information.  And nothing stops a library from pre-assembling a compilation of available resources the library can use to empower a patron to assess if they are being scammed.

Here is a scenario showing how such a "compilation" could be used:

PATRON: I need to print an email.

LIBRARIAN:  Sure, the computer in over here.  Let me know if you need instructions on how to print. 

PATRON:  Can you also help me find the email?  It has instructions to wire money.  It's from my grandson, Michael.  Normally I would ask his mother to help me but this is a real emergency and I can't tell her what's happening, it would just kill her.

LIBRARIAN: I am happy to help; there, it's printing. [pauses] You know, this request reminds me of something I read/heard about.  Do you want to know about it?

PATRON:  Sure.[4]

LIBRARIAN [searches for "bail the grandchild" scam]:  Here it is.[5]  [Retrieves list of information.] And here is a resource about who to call when there is a concern about the type of thing on this website. [Hands patron list of resources]

[end scene]

Here is a template for this type of "list of resources":

"Trust but Verify"

A guide to checking the legitimacy of

requests and correspondence.

Compiled by the [insert name of library].

 

Have you been told you suddenly owe money?

 

□ YES   □ NO

 

Has there been a request for account or personal information from a new or unusual source?

 

□ YES   □ NO

 

Has someone told you a family member is in danger?

 

□ YES   □ NO

 

Is someone pressuring you to make a quick decision about money?

 

□ YES   □ NO

 

Does something about outreach to you just not feel right?  Or does it seem "too good to be true"?

 

□ YES   □ NO

These days, scammers can pretend to be from the IRS, Social Security, or even your religious organization or family.

There are resources to help you let the good guys in, while keeping the bad guys out.  Here in [library location by county or municipality], the following resources can help you make the right call:

  • [Insert any local volunteer lawyer projects]
  • [Insert local bar association referral service]
  • [Insert any county or municipal resource]
  • [Insert other local resource]
  • [suggested link: Better Business Bureau (https://www.bbb.org/us/ny/buffalo)--which "Scam Tracker" search, or similar]

 

Free for anyone 55 or older, there is also:

https://elderjusticeny.org/resources/senior-legal-advice-helpline

1-844-481-0973

HELPLINE@ELDERJUSTICENY.ORG

Your banker, lawyer, or accountant will also be able to help you confirm the source of requests for wire transfers and other financial transactions.

...Or you can ask a librarian to help you find a resource suited to a particular document or situation.  We can't tell you what's legit, but we can help you find the people who can.

Don't feel bad asking, even data security specialists have to "Trust, but Verify" these days!

A simple offer of information, and a plain-language resource like this can be a handy way to raise concerns without having to tell someone "You're being scammed." 

At the end of the day, not all patrons will be receptive to this offer of information, and not all patrons will believe they are being scammed--even if their story matches a scam-scenario. 

But no matter what the patron's reaction, by taking this approach, the librarian will have done the only thing the librarian is ethically obligated to do in this type of situation: provided unbiased services, and granted access to information, while maintaining the confidentiality of same.

Question 3

How liable is the library/library staff if a patron is scammed after library staff use library resources to send documents/information that played into the scam, even at the patron's request?

Answer 3

If the librarian suspects that the scenario could be an illicit scam, but doesn't know this is phishing, social engineering, or another type of activity that can lead to fraud, there is no responsibility for what happens next (unless the library has adopted an internal policy[6] stating otherwise, in which case there could be some employer-imposed consequences).

On the other hand, if the librarian somehow knows that the scenario is an illicit scam, and actively helps with the commission of what they know to be a crime, then yes, there could be liability.  But once such a scam is known, not merely suspected, this becomes a whole other question.[7]

A few more comments

Another aspect I want to address is if the librarian is concerned not that the person is being duped, but that they don't have the mental capacity to comprehend and/or remember they are being duped

People with Alzheimer's and other conditions impacting cognitive ability may rely heavily on an established routine of visiting their local library.  Further, people with that impairment still may be able to function independently for most aspects of their day. However, a librarian detecting a possible scam could be on the front line of a legitimate concern that they don't have the function to assess the situation.

There are too many permutations of this situation for me to give general guidance, except to say: if there is a concern that a person can be vulnerable to harm due to a medical condition or disability, but their condition is not so extreme that there is clearly a justification to call medical services, call an expert.

If the person is over 55, the Center for Elder Law and Justice is a great resource; they address these types of issues every day, and their hot line is there to help assess a situation and identify possible next steps.  If the person is not over 55, a good resource could be the local Social Services agency.

Conclusion

When it comes to this issue, my overall advice is to remember that as a resource to the community, library employees are there to provide access to information and resources, not to protect people from harm.  The good news is, by providing that access in a manner consistent with library ethics, library employees can help patrons protect themselves from harm.  And that is how a library can help stop a person from being scammed.

Speaking from experience, I can say that not every person will take information when it is offered.  There are times when the only comfort that can be taken from a situation is to know that you tried your best.  But by focusing on the ethics, and the provision of information, a librarian can help a person identify a scam, and avoid legal entanglements.

I wish you strength on this one.  Your patrons are very fortunate.



[1] And if there are any accountants, athletic trainers, or mental health counsellors who (for some reason) read an "Ask the Lawyer" column for libraries, museums, and historical societies, I bet it sounds familiar to them, as well.

[2] CPLR 4509

[3] Which is replicated in the New York Library Association Code of Ethics.

[4] Don't worry, we'll also address what you can do if the patron says "No, just help me scan my driver's license," and what to do if you are concerned the person doesn't have the capacity to make an informed decision.

[6] It is interesting to contemplate if there could be a policy for the use of information transmission equipment (phones, faxes, scanners, email, etc.) that included a provision that "Library employees who suspect a patron is falling prey to or contributing to a criminal enterprise must immediately report their concerns to the director for appropriate action under the relevant policy;" linked with a provision in a Code of Conduct "Patrons using library resources.”

[7] I struggled to come up with a scenario where the librarian knows the scam is on, but here goes: A librarian is a personal friend of Jeff Bezos.  A patron comes in and says Jeff Bezos wants to give $50,000.00 to the patron and 5,000 other lucky people; they just need to wire Jeff $5,000.  While helping to print the wire instructions, the librarian calls their friend Jeff Bezos to ask: "Hey, Jeff, are you giving fifty thousand dollars each to five thousand people?" at which point Jeff Bezos laughs and says, "No way, but can you believe some people are actually wiring me money?  Now I can repaint my third yacht.  Best scam ever.  Hey, want to go fishing?"  Now the librarian knows it's a scam; if they help in any way after that, they are arguably complicit.

Tags: Forgery and Fraud, Liability, Privacy

Topic: Security Surveillance Cameras - 05/06/2021
We are a municipal library and the building is owned by the county. The county will be installing ...
Posted: Thursday, May 6, 2021 Permalink

MEMBER QUESTION

We are a municipal library and the building is owned by the county. The county will be installing security cameras outside the library in multiple locations for safety reasons. These cameras will not be regularly monitored unless there is a reason to consult them. We will not be viewing the footage per a patron’s request. They will be maintained by our county facilities staff and consulted only in cases where a criminal act was committed.


I have two questions related to this.

1. What type of permanent notification do we need to post about the use of cameras?

 2. What major points do we need to ensure we include in our privacy policy?

WNYLRC ATTORNEY'S RESPONSE

Many libraries, for a variety of good reasons, have security cameras.  Some libraries control those recording systems; others do not.  But no matter how they get there, when cameras are in a library, the questions posed by the member are critical.

Here is why: every library in the State of New York is bound by ethics and law to safeguard patron privacy.  Those obligations start with the ethics of the American Library Association[1] and the New York Library Association,[2] assuring patron privacy; these ethics find legal teeth in New York Civil Practice Law and Rules[3] and the Public Officer's Law.[4]

At the local level, patron privacy is often reinforced in a library's ethics statement, bylaws, and policies.  The practical duties of patron privacy are found in job descriptions (particularly of directors and IT professionals), and in membership terms between libraries and systems.  And it is part of every new employees' on-boarding.[5]

Because librarians and library leadership are so aware of this privacy obligation, and because assurance of patron privacy is a key component of information access, protecting patron privacy is often referred to in the library community as nigh-unto-sacred duty. So sacred, in fact, that I have met more than one librarian willing to go toe-to-toe with law enforcement seeking unauthorized access to patron data.[6]

While it takes a certain type of gumption to stand up to law enforcement, it takes another type (equally critical, but not as concentratedly defiant) of gumption to think about patron privacy in the context of software, landlords, and security cameras.  One takes a willingness to take a stand in the moment.  The other takes a willingness to think about details, to leave nothing to chance, and to ask a lot of very specific, very persistent questions.[7]

Both of these types of gumption are critical to the modern librarian, but only one gives you an easily dramatic answer to the question "how was your day?"

We'll leave the dramatic aspect of this for another time.[8]  Below, please find a boring--but vital-- checklist of steps and language to help a library answer the questions posed by the member, when a landlord is using cameras trained on library premises:

Step 1: Assess what the library's lease says about security and use of cameras

For libraries with landlords (remember, your library has a landlord even if you only pay a token amount of rent,[9]) it is important to have a written lease. 

Why?  Because, among other critical things,[10] that lease can provide clarity about who provides the on-site security (including a camera system) and set the stage for how the landlord and the tenant will manage security-related details.

In this case, the member has clarified that the security system will be controlled by the municipal (county) landlord.  Here are the details posited by the member:

These cameras will not be regularly monitored unless there is a reason to consult them. We will not be viewing the footage per a patron’s request. They will be maintained by our county facilities staff and consulted only in cases where a criminal act was committed.

These details, upon which the library will base its own actions, should be confirmed in the lease.  Such confirmation should include, whenever possible, a marked survey or map of the property, showing the limits of the camera's line of sight.

Step 2:  Assess if the lease terms and security camera arrangements promote the privacy commitments of the library

Just a note: while a municipality may procure and install a camera system with the intent to only monitor it "in the event of alleged criminal activity," in my experience, there is no way to enforce such a restriction, and some risk that the use of the cameras could change over time.

For instance:

  • The recordings could be subject to disclosure under the Freedom of Information law;
  • The recordings could be accessed via subpoena in the event of an alleged personal injury or other civil claim;
  • The temptation for a town, city, or county to use the recordings internally (even for something as innocent as using them to check if a snowplow crew did a good job, or if a worker is arriving on time) might be hard to resist.

A library can't control this.  That said, when a camera system is installed, a library can request assurance that the municipality's internal policy, governing the cameras, include language:

  • Alerting the users of the system to the sensitivity of patron records at a library;
  • Confirming that the footage showing people entering and leaving the library is not regarded as a "library record" by either party; and
  • Confirm that under no circumstances should the security cameras enable recording of information reflecting patron use of services.[11]

Once a library performs these two steps, it can answer the member's two questions:

First question: What type of permanent notification do we need to post about the use of cameras?

Once the library has written assurance that the landlord's use of recording technology will not result in the creation or disclosure of a library record, it is up to the director and board if, or how, your library should alert the community.

Personally, as a patron, I would appreciate a "courtesy notice" such as: "Your library records are confidential.  Please know that while our landlord has security cameras in [ZONES], the library does not allow recording that could impact patron privacy inside the building."[12]

OR (if the library makes use of its own security cameras): "Your library records are confidential.  Please know that our landlord has security cameras in [ZONES] and may use those for security purposes, but any security camera record maintained by the Library that shows use of library services is considered confidential and is used for library purposes only."

Second question: What major points do we need to ensure we include in our privacy policy?

The privacy policy of the library, or in the alternative, the minutes of the board, should reflect the details and privacy safeguards confirmed through the two-step analysis above. 

For instance, after the analysis is done, the board can note in the minutes: "Regarding the landlord's use of outside security cameras: As of DATE, the Library's landlord, NAME, will have security cameras observing certain outdoor areas, including library property.  The Library has verified that its lease, and the landlord's internal policy, prevent the landlord's security cameras from generating or disclosing confidential library records.  The public will be notified as to where the cameras are recording, and that such recordings are not confidential library records."

I appreciate that this review/confirm process can be a bit clunky.  However, it is also an opportunity to alert a critical partner (a landlord, and sponsoring municipality) to the importance of library-patron confidentiality, and to assure the public that privacy is a priority.  By seizing the moment to confirm that privacy is being properly considered and enforced, a library not only assures its ethics and legal compliance, but can create an ally in that eternal (and important) fight.[13]

I hope this approach is helpful.

 



[2] As found in the NYLA Code of Ethics: " III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted."

[3] CPLR 4509 states: “Library records, which contain names or other personally identifying details regarding the users ...including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute.”

[5] If it's not, it should be.

[6] You guys are so cool when you do that.

[7] Like the member is, here.

[8] Actually, we address it here: https://www.wnylrc.org/ask-the-lawyer/raqs/26.

[9] Generally, this token rent is placed at $1/year.  Just once it would be fun to see a more random number, like $1.26/year.

[10] Such as insurance, hours of operation, emergency procedures, notification in the event of injury, protocol for repairs, capital improvements, etc...  For more commentary on this, see https://www.wnylrc.org/ask-the-lawyer/raqs/166 about having any MOU with a sponsoring municipal entity.

[11] If security cameras are aimed at a curbside pick-up location, the library should consider if the recording is a library record.

[12] Forbidding recording in a public library is a controversial topic, I know.  This language is written to address recording that can impact patron privacy.

[13] Hey, I managed to make careful attention to minutia sound dramatic!

 

Tags: Ethics, Municipal Libraries, Privacy, Law enforcement, Surveillance

Topic: Background checks and fingerprinting for new employees - 04/07/2021
My questions involve background checks for potential new employees, fingerprinting, developing pol...
Posted: Wednesday, April 7, 2021 Permalink

MEMBER QUESTION

My questions involve background checks for potential new employees, fingerprinting, developing policies, procedures, and best practices.

Do background checks, fingerprinting, etc., need to be done for all positions? Does it need to be posted in the job advertisement that there will be a background check for the successful candidate or all finalist applicants? Can the background check need to include a financial check and a legal check?

And tangentially, am I correct in my assumption library staff are not considered mandated reporters? Are there guidelines for this as well.

WNYLRC ATTORNEY'S RESPONSE

This...is a big question.  It's only three short paragraphs.  But it's BIG.

It's "BIG" because the risks of getting this topic wrong are immense--from not only the obvious risks involving legal concerns, but risks involving ethics, privacy, and the goal at the heart of the issue: safety.

It's also BIG because the phrase "background check" is not tied to a precise or static definition.  When someone says "background check" in the context of employment, here are just a few of the things it could mean:

  • Criminal background check
  • Credit check
  • Military service separation check (form "DD 214")
  • Motor Vehicle Records ("MVR") check
  • Transcript and education records check (including student disciplinary records)
  • Licensing/professional oversight body (medical board, bar association, etc.) check/confirmation of good standing
  • Civil litigation history review
  • Reference check
  • Previous employment verification
  • Social media/publications check

Each of these "checks" comes with a wide array of legal requirements--or typical legal cautions--governing its use.

For instance:

  • A criminal background check should only be used by an organization if it has an up-to-date "Criminal Background Check Policy," because in the state of New York, denying employment based on a criminal conviction requires the employer to do a precise analysis (of which the denied applicant can request a copy).[1]
  • A credit check should only be used by an organization if it has an up-to-date "Credit Check Policy" to ensure the regulations in the Fair Credit Reporting Act ("FCRA") are being followed.[2]
  • A MVR should only be used by an organization if it has an up-to-date "MVR Check Policy" that clearly sets out the types of moving violations and other records that would flag a basis for non-employment.[3]

For all types of checks, the institution using them should have a clear policy governing what jobs require them, and how such records are evaluated, maintained, and disposed of.

And finally: when developing, implementing, and routinely using any type of background check policy, an organization is wise to take care that it is not incorporating factors that can be shown to disproportionately negatively impact (i.e., discriminate against) a particular category of applicant.   

Okay, with all that off my chest, let's answer the actual questions.

First question:

Do background checks, fingerprinting, etc., need to be done for all positions?

The degree to which background checks and documentation of identity must be performed are governed by two things: what is legally required, and what the risk management practices of an institution dictate. 

These two factors mean that practices will vary from place-to-place.  A librarian working within a public school district in the state of New York will be subject to a criminal background check and must be fingerprinted[4] just as any other regular employee within their district. A librarian at a public or association library is not required by law to have a criminal background check, nor to be fingerprinted,[5] but an institution could decide, for risk management purposes, that a position requires that level of scrutiny for safety and security.  

Second question:

Does it need to be posted in the job advertisement that there will be a background check for the successful candidate or all finalist applicants?

There is no requirement in the law that a job advertisement has to disclose a background check in the job advertisement.  However, prior to obtaining and using any information from a third party whose business it is to provide background information, an employer must notify an applicant; this notice must be in writing and in a stand-alone format.  Further, before a negative decision is made based on such information, it must be disclosed to the applicant.  A good resource on this is the Federal Trade Commission,[6] but the third party provider, if they are a true professional, will provide the forms for each of these steps.

Now all that being said, it may be that some local hiring procedures or collective bargaining agreements require the disclosure of background checks in a job notice.  Further, some employers may want to disclose their intent to use a background check to avoid surprising candidates further into the process.  There is no bar to making such an early disclosure, but if given, such notices should be carefully drafted to avoid implying that those with arrests or criminal convictions[7] will not be considered for the position.

Third question:

Can the background check need to include a financial check and a legal check?

Yes, absolutely. A background check can include a credit check, a search for liens and other debt instruments, a review of criminal history, a consideration of driving record, and any combination of the items I listed at the top of this reply.  Just be careful: if your library or system relies on a third party to supply that information, it must follow the guidance from the Federal Trade Commission (see that link in footnote 6).

Okay, at this point, I have to re-emphasize: before using any type of check, a library should have a policy covering that type of check, and that policy should cover all check-specific legal compliance, as well as: when the check is conducted, how it is conducted, how the information is used, and how the documents related to it are disposed of/retained. [8]

When developing such a policy, a good rule of thumb for an institution considering any type of background check is to be able to clearly answer the question: "Why are we doing this check?"  While the reasons will vary, the answer should always relate to the essential functions listed in the job description, and the nature of your library.

For instance: if a position will create opportunities for a person to spend unsupervised time with vulnerable populations, a criminal background check and rigorous prior employer check is wise.  If a position requires a particular credential, verification of that credential makes sense.  And if you are hiring someone who will frequently have to drive the bookmobile, a motor vehicle records check is almost always imperative.

On the flip side: if a person is being hired for a job that doesn't require driving, a "current driver's license" should not be required. If a person will never have access to financial information or fiscal resources, a credit check is likely not necessary. And if a would-be library clerk has a DWI that is 20 years old--and no other criminal history--it is likely the conviction is not a basis to eliminate them from consideration.

Last question (and it's another biggie):

And tangentially, am I correct in my assumption library staff are not considered mandated reporters? Are there guidelines for this as well?

"Mandated reporters" is a legal term under Section 413 of the NY Social Services Law.  Professionals listed in that section are required to make a report when they:

 "...have reasonable cause to suspect that a child coming before them in their professional or official capacity is an abused or maltreated child, [OR] when they have reasonable cause to suspect that a child is an abused or maltreated child where the parent, guardian, custodian or other person legally responsible for such child comes before them in their professional or official capacity and states from personal knowledge facts, conditions or circumstances which, if correct, would render the child an abused or maltreated child."[9]

I have placed a list of the "Mandated Reporters" set by Section 413 below this answer. As you can see by reviewing the (long) list, library employees (unless their function also fits into one of the categories listed in 413) are NOT Mandated Reporters.

Of course, a library--or an institution that hosts a library--can decide and enforce via policy that its employees have an affirmative duty to report observed or suspected child abuse (or any abuse) that occurs on their property or in their programs.  Many insurance carriers actually require their insureds to have such a policy.[10]

[NOTE: If an employer has any type of "report abuse" policy, employees should be trained on how to make such reports no less than annually.  The average person can have a trauma response to witnessing abuse, which can impact their ability to report it, as well as negatively affect their well-being.  Routine training on how to recognize and report concerns, and experienced support for reporters, can help with this.]

Thank you for an important series of questions.

 

List of "Mandated Reporters" under Section 413 of the Social Services Law (also called "human services professionals[11]"):

...any physician; registered physician assistant; surgeon; medical examiner; coroner; dentist; dental hygienist; osteopath; optometrist; chiropractor; podiatrist; resident; intern; psychologist; registered nurse; social worker; emergency medical technician; licensed creative arts therapist; licensed marriage and family therapist; licensed mental health counselor; licensed psychoanalyst; licensed behavior analyst; certified behavior analyst assistant; hospital personnel engaged in the admission, examination, care or treatment of persons; a Christian Science practitioner; school official, which includes but is not limited to school teacher, school guidance counselor, school psychologist, school social worker, school nurse, school administrator or other school personnel required to hold a teaching or administrative license or certificate; full or part-time compensated school employee required to hold a temporary coaching license or professional coaching certificate; social services worker; employee of a publicly-funded emergency shelter for families with children; director of a children’s overnight camp, summer day camp or traveling summer day camp, as such camps are defined in section thirteen hundred ninety-two of the public health law; day care center worker; school-age child care worker; provider of family or group family day care; employee or volunteer in a residential care facility for children that is licensed, certified or operated by the office of children and family services; or any other child care or foster care worker; mental health professional; substance abuse counselor; alcoholism counselor; all persons credentialed by the office of alcoholism and substance abuse services; employees, who are expected to have regular and substantial contact with children, of a health home or health home care management agency contracting with a health home as designated by the department of health and authorized under section three hundred sixty-five-l of this chapter or such employees who provide home and community based services under a demonstration program pursuant to section eleven hundred fifteen of the federal social security act who are expected to have regular and substantial contact with children; peace officer; police officer; district attorney or assistant district attorney; investigator employed in the office of a district attorney; or other law enforcement official.

 



[1] This is why the phrase "Must have no criminal history" or the like must not be included on a job notice.  For more information on this, visit https://dhr.ny.gov/protections-people-arrest-and-conviction-records.

[2] More info on this further into the answer.

[3] For some employers, this criteria is set by the provider of the organizations’ automobile and/or general liability insurance; this is especially true for organizations that use "company" vehicles.

[5] Unless there is a very obscure local law I have been unable to find.  If you are aware of one, please email me at adams@losapllc.com.

[7] Or other categories protected by law.

[8] That's right: I put that in italics, bold, and underlined it!  An "Ask the Lawyer" first.  No organization should ever "wing" a background check--of any kind.  There is too much at stake.

[9] I know, there is a lot of room for interpretation in this language; when in doubt, seek guidance.

[10] I think of this as the "Penn State Victims Requirement."

[11] 18 NYCRR § 433.2

 

Tags: Employee Rights, Ethics, Hiring Practices, Management, Policy, Privacy, Safety, Risk Management, Background Checks

Topic: Archival materials, Privacy, and FERPA - 02/26/2021
My institution has a small number of documents in our archives related to previous graduate studen...
Posted: Friday, February 26, 2021 Permalink

MEMBER QUESTION

My institution has a small number of documents in our archives related to previous graduate students. Some are definitely educational records (transcripts, field placement evaluations). Then there are a) letters of recommendation received by the school or written by school faculty/administrators and sent to other schools, b) some correspondence between a student and the school/administration, and other items like c) copies of images or articles from student publications.

The documents span decades.   Most --- but not all--- of these former students are confirmed deceased. Most items in this small group of documents relate to alumni who were/are notable, but in widely varying degrees.

A few of these documents concern a famous alum, who passed away.  An outside researcher is asking about the documents related to that alum, and unfortunately, there are no surviving institutional access policies related to student records or unpublished correspondence in our archives. We want to respect copyright, FERPA, and the alum's estate.

For the educational records, I can't find clear guidance on how long FERPA access restrictions last, but other academic collections seem to allow access 50-75 years after the former student's death.

So, a few questions:

1) When should on-site access to historical educational records be allowed (if ever), with reference to FERPA? What about providing copies of historical educational records?
 

2) When should on-site access to unpublished, non-educational records related to former students be allowed, in reference to state and federal copyright and privacy laws, and possibly FERPA? What about providing copies of these documents?
 

3) Should we take a more risk-averse approach to high-profile alumni materials, or should our policies apply equally to all alums?

WNYLRC ATTORNEY'S RESPONSE

I am always fascinated by the transformation documents can undergo, simply by operation of law, circumstance, or time.  For instance:

  • Documents that are "education records" under FERPA can become simply "records," or "nothing" once the person to whom they pertain has died.[1]
  • Documents that are "private information" under New York's new(ish) SHIELD Act[2] are no longer controlled by the Act if the digital copy is swapped for a copy on paper.
  • Documents that use the "name and likeness" of a deceased performer, currently allowed, will be far more restricted when New York's new Civil Rights Law 50-f, which requires written permission for certain commercial uses, goes into effect on May 29th, 2021.[3]

And of course, documents can be "in" copyright, and "out" of copyright, or restricted due to medical content, or under terms of non-disclosure...restrictions that can shift based on any number of factors. 

An educational institution considering levels of access and use of student-related documents[4] has to consider not only these legal factors, but their unique policies.  Factor in fame,[5] and the stakes get even higher. 

Because of that complexity, I could muse/write/talk on this topic for hours.  But let's focus on the member’s specific questions:

1) When should on-site access to historical educational records be allowed (if ever), with reference to FERPA? What about providing copies of historical educational records?


If a former student is not deceased, there can be NO release of FERPA-protected education records to otherwise barred parties without written, dated consent.

If the former student is known to be deceased—or the passage of time suggests they might be deceased—then the records are no longer protected by FERPA, and that restriction no longer applies.

But as the member points out, there are other considerations.

2) When should on-site access to unpublished, non-educational records related to former students be allowed, in reference to state and federal copyright and privacy laws, and possibly FERPA? What about providing copies of these documents?
 

This is an interesting question because unless the records we're talking about ("related to former students") only contain "directory information,”[6] then they are by definition "education records" under FERPA.[7]  That is because the FERPA is intentionally expansive.  So old bills, dusty admissions files, and antiquated (but often fascinating) "administrative" records, although not "educational," per se, are still barred from release by FERPA if they relate directly to a student.[8]

BUT, as this question implies, FERPA isn't the only thing that could bar or restrict access to old records.  Copyright, privacy laws, and general prudence are all good reasons to not release institutional records unless there is a policy and process for doing so (like a policy for sending transcripts to future employers), or your institution is compelled to release them (like a judicial order or subpoena).

So, while a student will always have access to their records under FERPA, both former students and third parties should by default be barred from access or obtaining copies to records they are not entitled to.

Which brings us to:

3) Should we take a more risk-averse approach to high-profile alumni materials, or should our policies apply equally to all alums?

Many, but not all, educational institutions have internal archives—not formal "Archives" they hold in trust for the public (like the W.E.B. DuBois papers at University of Massachusetts),[9] but rather, materials they regard as important pieces of their institution's history and identity, so deliberately retain.

For some, this may be a complex and far-reaching catalog of institutional history.  For others, it may be simply hanging onto every program for every graduation ceremony.  And of course, for many, it will be special handling of any material that is related to famous or noteworthy alumnae.

Whether formal and well-funded, or informal and not funded,[10] every educational institution's internal archive should have a policy that covers: 1) that the archive exists to transition material from "records" into "archives;" 2) how those materials are selected; 3) how those archival materials are to be preserved; 4) how the archival materials are used and accessed internally; 5) how the archival materials are used and accessed externally; 6) the ethical standards and institutional values being applied in the overall operation of the archive. [11]

If an educational institution has in-house records of such magnitude that they warrant being their own archive (for instance, the Eqbal Ahmad papers at Hampshire College), yes, the development of that archive could warrant its own separate policy.  In that case, unique care would have to be taken to consider not only FERPA, but privacy laws, copyright (the author of an admissions letter is the copyright owner of that admissions letter...not the institution the letter was sent to, even if the institution retains the only physical copy).  

All that said, the end result need not be "risk-averse," so much as "risk-informed:" carefully assessing all the compliance concerns and risks,[12] how does an institution create an archive that suits its stated purpose and conforms to institutional ethics?  Until an institution is confident it has reached the right answer, access to third parties should not be granted, and only need-to-know access should be granted to those within the institution. 

I would like to thank the member for this question, it is a good one.  And I think we may have reached a new milestone at "Ask the Lawyer"—a reply where the footnotes are as long as the reply!

Thanks.  I wish you a well-resourced and culturally rich archive, and continue positive alumnae relations.

 

 


[1] See letter of LeRoy Rooker, Director, Family Policy Compliance Office, U.S. Department of Education letter of Date, found at https://studentprivacy.ed.gov/sites/default/files/resource_document/file/LettertoConnecticutStateArchivistRegardingEducationRecordsMay2008.pdf as of February 10, 2021, re-affirming "that the FERPA rights of “eligible students” lapse or expire upon the death of the student based on common law of privacy rights."

[2] Text for this law can be found at: https://www.nysenate.gov/legislation/bills/2019/s5575.

[3] I am writing this on February 10, 2021. 

[4] This "Ask the Lawyer" answer does not address the issue of yearbook photos and student-generated art or academic work.  For that, see https://www.wnylrc.org/ask-the-lawyer/raqs/108 and https://www.wnylrc.org/ask-the-lawyer/raqs/91.

[5] What is "fame?"  It's a notion that is taking odd journeys these days.  As I said in footnote #3, I am writing this on February 10, 2021.  Jockeying with the impeachment proceedings for "fame" on the cover of today's digital New York Times: an article about a lawyer who appeared in virtual court as a cat.  I bet he can't wait for his 15 minutes to be over.

[6] "Directory information" includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.

[7] Here is the actual definition: "...those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution."

[8] There are exceptions to this, of course...one big one being the records of campus police.

[9] I value this archive because it has letters between W.E.B. DuBois and Mary Talbert, a Buffalo resident who was a stalwart organizer for civil rights and, on the side, historic preservation (she led the effort to save the house of Frederick Douglass).  I read her letters when I need a shot of pragmatic inspiration.

[10] Some "archives" exist because some wonderful employee couldn't bear to see institutional history thrown out, and they got permission to buy some boxes and put the "archives" in the storage closet. 

[11] The "Ask the Lawyer" from November 4, 2020 has more about ethical considerations for archival projects: https://www.wnylrc.org/ask-the-lawyer/raqs/178.

[12] For this question, "risk" is not just legal risk, but relational and reputational risk, too.  After all, it might be legal to share a harsh evaluation from a thesis committee related to the work of a long-dead student...but is there value in doing it?  (Of course, there might be).  Knowing why something is in the archive, and having full confidence in that reason, is just as important as preserving the record in the first place.

Tags: Academic Libraries, Archives, Copyright, Digitization and Copyright, FERPA, Privacy

Topic: Online posting of area drone pictures - 02/23/2021
One of our member libraries has asked me the following question: "We'd like to create ...
Posted: Tuesday, February 23, 2021 Permalink

MEMBER QUESTION

One of our member libraries has asked me the following question:

"We'd like to create an online catalog of drone pictures of our area. What do we need to consider? We know people are posting these pictures on Facebook, and we'd like to request permission to collect them all in a catalog on our website. Please let me know any technical issues or legalities we need to keep in mind. I think it's a good idea, but I don't know exactly how to implement it."

Are drone pictures copyright free as they are in other people's properties and cover large areas? Is it legal to post drone pictures without permission?

Thanks for any thoughts on this topic!

WNYLRC ATTORNEY'S RESPONSE

This is a cool idea—aggregating and cataloging drone shots.   Someone fifty years from now will be very, very grateful for that type of work!

But as the member points out, there could be some technical or legal issues, namely: copyright, privacy, and security.  How does the library make sure none of those concerns negatively impact the project?

Let's take those in order.

Legal Concern: Copyright

This one is pretty simple: with one exception, the copyrights to pictures taken by a drone are owned by the operator(s) of the camera, who usually (but not always) is the same person/people flying the drone.  They are never the property of the area photographed (unless the property owner is also the photographer).

What is the "one exception" to that ownership?  If the photographer is taking the drone images as part of their regular job,[1] the copyright will belong to their employer (for example: if the drone shot was taken by the photographer to illustrate a story in a newspaper).[2]

Once the library establishes the copyright owner, the only copyright-related impediment to including the images in the catalog would be if the owner had sold the copyright, or given someone else "an exclusive license," since that would mean they could no longer license the images to your library.  Other than those complications, with the right agreement,[3] permission and use should be simple.

 

Legal Concern: Privacy & Security

The "copyright" section, above, is fairly simple.  Things are a bit more complex when it comes to privacy and security.

There is a huge array of drone-shot content that I could see risking a violation of privacy or a threat to security.  Here are the most common I could rattle off at a cocktail party:

  • The risk of the images being the result of "Unlawful Surveillance,"[4] which is an “E” Felony in the state of New York.  "Unlawful Surveillance” is (among other things) taking a picture of a person dressing (or undressing) in a place where that person has a “reasonable expectation of privacy” (and they haven't agreed to pose for the picture);[5]
  • The risk of the images being a violation of a person's "right of publicity,"[6] which is using someone's image for commercial purposes without their written authorization.  For instance, if the images were found on a site where they were being used for a commercial purpose.
  • The risk of the images being the result of, or evidence of, trespass, harassment, and other criminal law violations that could result from a person deploying a drone over a residence, business, or area near an airport.

In addition to my "rattle it off" list, I did some research.  If we leave out the restrictions of reconnaissance and targeting drones, there is one other drone-related “no-no” to be wary of:

  • The risk that the images are the result of harassing sea otters.[7]

In most of these concerns, it is not the act of including the images in the catalog that would be the legal issue--but rather, that the images themselves could be proof of a legal violation.  We’ll address that more in the last section.

 

Legal Concern: FAA-restricted Areas

The Federal Aviation Administration’s rules for academic, hobbyist and other forms of non-military drone use are here:

https://www.faa.gov/uas/public_safety_gov/media/FAA_UAS-PO_LEA_Guidance.pdf

I won't re-hash them, but the FAA does not bar taking pictures—just flying at certain locations and times.[8]  However, all operators--whether hobbyists or professionals--have to avoid certain areas at certain times. 

The FAA maintains a list of those areas, as well as a list of designated recreational UAS flight zones, available here:

https://www.faa.gov/uas/recreational_fliers/where_can_i_fly/airspace_restrictions/

This was so cool, I looked up my part of the state:

FAA UAS Data Map of Western New York.

And now I know where not to fly the drone I don’t own.

 

Sample License for Use of Drone Pictures

Once you have confirmed that any drone shots your library would like to use are not: the result of or evidence of a crime, taken in forbidden air space,[9] or otter harassment, here is a sample license for securing permission to include them in an online catalog:

 

IRREVOCABLE, NON-EXCLUSIVE LICENSE

[NAME] ("Photographer"), an individual residing at [ADDRESS], and at least 18 years of age, hereby gives the [NAME LIBRARY] (the "Library") an irrevocable, non-exclusive, transferable license to use an image entitled [TITLE], a copy of which is attached hereto as "A" (the "Image"). The permission to use the Image includes unlimited use in any format now existing or later developed.

Photographer represents and warrants that the Image is their original work and that to the best of their ability to determine the rights of no individual or entity were violated by the creation of the Image.

In consideration of the rights granted herein, Library shall at all times credit Photographer with authorship and ownership of the photo as follows: This image is © [NAME], [YEAR], and is used by the [NAME LIBRARY] with permission from the photographer, who may be reached at [email address].

 

Signed by Photographer: _________________________.

 

Signed on behalf of the Library: ___________________________.

 

A Final Word on Getting "Permission"

This question was pre-packaged to consider issues of permission/legal concern related to images generated via drone, so I have structured it to give primary consideration of those issues.

However, I would be remiss if I didn't stress that when assembling an archive or image collection, worries about permission shouldn't always be a threshold consideration.

Why is that?  If a library or archive crafts the parameters of an image catalog around the purpose of that catalog—around why it is important to gather a certain type of content, within a certain range of criteria—permission might not even be necessary. 

Concerns about permission and legality should not prevent the assembly of a resource that has academic, documentary, or investigative value.[10]  And the more a collection or archive is shaped as a documentary, academic, or investigatory endeavor, the less the subject matter and content can pose legal concerns...or rather, the more protections[11] the project will be able to avail itself of.

Taking advantage of those exemptions starts with having a very clear scope for your project, a written set of ethics, and a statement of purpose for the endeavor. [12]

My takeaway in this final part of the answer?   If your project is of academic, historical, or social value, don't let lack of permission be a roadblock.  Instead, just like the member does in this question, set up a clear scope for your project, and then tackle any reservations head-on.  This will lay the groundwork for a strong archive or catalog.

 

Posterity will thank you.



[1] Head Photographer at "Drone Shot Weekly?"

[2] Here is the FAA guidance on media use of drones for newsgathering: https://www.faa.gov/about/office_org/headquarters_offices/agc/practice_areas/regulations/interpretations/Data/interps/2015/Williams-AFS-80%20-%20(2015)%20Legal%20Interpretation.pdf.  It’s interesting: even if using a small drone, such use doesn’t qualify for the “hobby” exception, and the drone should be registered.

[3] Do you need the “right agreement?” See the section of the answer called "Sample Agreement" for an example.

[4] NY Penal Law 250.45

[5] JUST TO BE CLEAR: I have 100% confidence that if a library comes across a creeper nude drone shot, they will not include it in an online catalog!  I am just being thorough.

[6] New York Civil Rights Law Section 50.

[7] Per 50 CFR 18.137: "Unmanned aerial systems or drones must not cause take by harassment of sea otters. Measures for avoidance of take may be required in an LOA, and may include maintaining a minimum altitude and horizontal distance no less than 100 m away from otters, conducting continuous visual monitoring by PSOs, and ceasing activities in response to sea otter behaviors indicating any reaction to drones."

[8] Thank you, THANK YOU to the member who sent this question.  Because of you, I got to read the FAA's guidance to local law enforcement for drone-related incidents, which includes this practical guidance "NOTE: Battery life is typically 20 to 30 minutes." 

[9] By the way, it might not be precisely forbidden for your library to post such images, just as a newspaper or academic publisher might reproduce them for purposes of news or scholarship.  But since those categories come with some higher risks (particularly of being told to cease and desist), it is wise to consider consistency with the purpose and ethics of your archive before including them.

[10] I am not saying to not consider them...just don't let them be project-killers.

[11] Such as fair use, journalism privileges, and recognition of the non-commercial nature of the use.

[12] Links to further "Ask the "Lawyer" content on this specific consideration (ethics as a key component to rock-solid archives) are here: https://www.wnylrc.org/ask-the-lawyer/raqs/172 and https://www.wnylrc.org/ask-the-lawyer/raqs/178.

Tags: Archives, Copyright, Ethics, , Privacy, Property

Topic: School library records retention - 01/21/2021
We got a question regarding how the new rules for records retention (the "LGS-1") impact...
Posted: Thursday, January 21, 2021 Permalink

MEMBER QUESTION

We got a question regarding how the new rules for records retention (the "LGS-1") impacts the retention of school library borrowing records.

Under the new LGS-1, how long must school library borrowing records be retained?  How does that impact BOCES, district, and school library records purging? 


 

WNYLRC ATTORNEY'S RESPONSE

Thank you for this question.  The LGS-1 is one of my favorite rabbit holes to explore.

I took a look at Schedule Item 596, which applies to "Borrowing or loaning records."  I have put a screenshot of the section, as it appears in the schedule as displayed on the NY State Archives web site: http://www.archives.nysed.gov/common/archives/files/lgs1.pdf

Screenshot of Schedule Item 596 on

As you can see in the screenshot, 596 fixes the retention period for borrowing or loaning records for school libraries as "0 years after no longer needed."

"No longer needed" is one of those phrases in the LGS-1 that renders the retention period variable.  This flexibility can be both helpful and frustrating, since a district, BOCES, or school library must determine, via policy, what "needed" means.

This can vary from place to place, but in all instances should be based on a determination of what is meant (for the district/BOCES/or school library) by "need," and then confirmed in a policy.

After that, best practice is always to purge records once their retention period is over, and for something as deeply connected to ethics, compliance and privacy as library records,[1] that is doubly true.  For school libraries, that retention period is zero, once the records are no longer needed.

Therefore: determining how long student library borrowing records are "needed" (something that may vary from library to library, district to district, BOCES to BOCES), and then purging the record as soon as possible,[2] is a good way to use the LGS-1 to enhance an institution's commitment to privacy.

 

Thanks to the member for bringing up this nuance.  These issues are at the crossroads of ethics, compliance and automation, and require continuous and careful attention to detail and resulting policy.

 

 



[1] Please see "Ask the Lawyer" here for a discussion of school library records, CPLR 4509, and FERPA.

[2] The LGS-1 encourages, but does not require, "the systematic disposal of unneeded records."

Tags: , Privacy, Records Management, Record Retention, School Libraries, LGS-1

Topic: Parent access to student Google accounts - 1/8/2021
As we transformed to fully/largely remote learning and pulled all student work and interactions on...
Posted: Friday, January 8, 2021 Permalink

MEMBER QUESTION

As we transformed to fully/largely remote learning and pulled all student work and interactions onto Google platforms, a question has arisen about the intersection between student privacy and parent access to student accounts. Currently, if a parent is given their child's google log in information, they will have access to far more than ever in the past. Because of authentication agreements, library records, database access, all stored documents, any Google classroom the student is enrolled in, classlists for those classrooms, comments from teachers, peer work on group projects...this is likely not an exhaustive list!


My 2 biggest areas of concern are 1) access to library check outs and 2) ability to see that a student is enrolled in a classroom for the Gay Straight Alliance (GSA) at the school and the entire class list of other members.


I am told by my administrators that FERPA allows for parents to be given student log in information. The RAQ, post "Topic: Patron Confidentiality in School Libraries - 5/6/2019" gave very good information but both the online aspect and the myriad of elements that are exposed with that single password compel me to seek more details. Thank you!

WNYLRC ATTORNEY'S RESPONSE

Thank you for this careful and thoughtful question.  As we rush to migrate education to online, the small details can get overlooked.  As the member writes, information that used to be safeguarded in physical files or with separate passwords is increasingly accessible via a "one-stop shop."

Depending on the type of information involved, any number of ethical, privacy, and legal concerns can be impacted.

In this question, the member focuses on two types of information: library records, and FERPA-protected "education records."

For library records, there is an overlap of legal concerns—an overlap that was thoroughly discussed in the 5/6/19 answer the member cites.  In that reply, we established that depending on how a school/school library is set up, parent/guardian access to this information might be allowed--but it’s a question that should never be left to chance (it should always be answered by a school’s FERPA and library privileges policies).

To that answer, and considering the spirit of the times, I'd simply add: any librarian out there, operating in elementary and secondary education, should be lauded when they raise privacy concerns.  Librarians should work with IT departments and procurement professionals to ensure data management and automation enable the separately governed access to a student's library records.  Even when access is legally allowed by a system, it is still good to emphasize the privacy of library records.

Here are several examples of how this can be done:

  • Including privacy considerations in “Requests for Proposals” (RFP’s) and quotes for automation and other data management software that will hold library or student records;
  • Training both library and IT staff to keep the division of different types of records with different access parameters at top of mind (“Remember, library records aren’t just protected by FERPA and ED 2-d”);
  • Ensuring that release and parental permission forms distinguish between and properly govern access to different types of records;
  • When making quick changes based on pandemic exigencies,[1] ensuring at least one person is tasked with assessing if the implementation conforms with applicable institutional ethics, policies, and privacy regulations.
  • Using deliberate awareness tools, such as a pop-up window that appears prior to enabling access to library files, saying "Student library records are confidential under state law.  Only properly authorized parties should view these records," is a good way to distinguish access to library information from other education records.[2]

For any educator reading this and thinking “Uh-oh,” if the horse is out of the barn, it is never too late to adopt some retroactive corrections.  When parental access is as plenary as the member describes, if there is a confirmed issue (such as access to one student’s enrollment records leading to access to all students’ enrollment records[3]) working with IT to address the specific utility hosting that information, and how it can be further locked down, is the only solution.

There will be times when addressing an issue like the ones raised by the member is simply not within the authority of the person concerned.  A concerned librarian or educator might even find themselves rebuffed when they try to ring the alarm! When that happens, it is time to kick it upstairs.  Each school should have a FERPA officer, and at least one senior administrator whose role is associated with enforcing a code of ethics or policies on privacy.  Concerns of this type are all appropriate to direct to such an administrator.

No one engineers a FERPA or privacy violation on purpose, but unwitting violations can happen when the learning environment has to change fast.  Being alert and ready to identify and correct concerns as soon as they emerge is critical.  Thanks for a solid question that shows how it's done.

 

 



[1] “Pandemic Exigencies” would be a good name for a heavy metal band.

[2] As discussed in that 5/6/19 answer, who "properly authorized parties" are can vary from school to school.

[3] This is indeed a possible violation.  FERPA §99.12 states "(a) If the education records of a student contain information on more than one student, the parent or eligible student may inspect and review or be informed of only the specific information about that student."

Tags: COVID-19, Privacy, School Libraries, Google, Students

Topic: Student photos on school library cards - 11/06/2020
Is it legal to print student photos with their names on their school library cards for circulation...
Posted: Friday, November 6, 2020 Permalink

MEMBER QUESTION

Is it legal to print student photos with their names on their school library cards for circulation use?

WNYLRC ATTORNEY'S RESPONSE

I didn't realize it in first grade, but a school library[1] is one of the first places a person experiences "the right to privacy" unmediated by a parent or guardian.

Think about it.  You go to the library and get to pick out whatever you want.  You check out books, and no one can tell you what to pick.  And aside from the person checking you out, no one has to see your selection; your records are private.

In the present day, this means that kids whose faces might be all over Facebook[2], who are attending school via computer, and who "turn off their screen," when they don't want people peeking into their home life during remote learning, still have a right to confidentiality when it comes to the library in their school. And one of the biggest symbols of that student-library relationship is their library card.

So, with all that hanging in the balance, what are the legal considerations of putting student pictures on school library cards?

As often happens in the highly regulated worlds of education, privacy, and information, the answer is: "It depends."

In this case, the factors "it depends" on are numerous; rather than itemize them, I'll summarize them with a few pointed questions:

Factor 1: What else is "on" the library card?

Depending what other information is on the library card, combining a student’s picture with it could increase the likelihood of a violation of FERPA[3], Ed 2-d, or school policy.[4]  For instance, if the card is used for not only swipe access, but access to grades, disciplinary records, and library records, also including a picture ID on it makes it sensitive, indeed.

Factor 2:  Who "owns" the library card?

Some schools, by policy, give out student identification cards, but use a school or district-wide policy to confirm that the card is simply "on loan" to the student (and must be returned at certain events, like suspension or expulsion).  Other institutions issue a card, and it becomes the student's property; this means that the card is more under that student’s control.[5]

While there is no requirement to do one way over the other, the school and library should confirm the ownership of the card in a policy, as this can impact the decision to mark the card with picture ID, as well as who has control over the card in the future.

Factor 3:  Why does the picture need to be on the library card?

Is the school so large that in order to ensure it provides library services to the right student, the card must have a photo ID?  Is it a security measure, perhaps to deter theft (of library cards, and therefore collection assets)?  Do students need to "swipe" into the library, with the library positioned to monitor that they are letting in a student who isn't supposed to be in class?  Or is the library card doing double duty as the student's general student ID?  Whatever the reason, it should be understood and clearly based in policy.  And if the reason has to do more with security at that school than the operations of the library, it is better that the function be performed by the student ID, not the library card.[6]

Factor 4:  Who will have the right or ability to view the library card?

If the library card is only required to be viewed by library staff, the inclusion of the photo is consistent with FERPA's and CPLR 4509's different but equally applicable privacy requirements.  But if a security guard, teacher(s), bus driver, or others all have to see the library card for different reasons (this relates to question number 3), or could use the card to access the student's library records, that raises the possibility of concerns.

Factor 5:  Is there a "stealth" reason for the use of the photo and name?

For some students, if they do not have documentation such as a birth certificate or social security card, a library card with a picture ID might be the most official "documentation" they have.  If a library or school is intending that their cards perform this ancillary function, this should be done with the awareness that third parties relying on the identification function still need permission for the school or library to comment on the content of the card (for students under 18, this means a waiver by parents or guardians).  However, that same student (or their parents/guardians) can choose to share their confidential education records or library records however they wish.

Okay, that's a lot of "factors," but what is the answer?

Having dragged you through all that, I will answer the member's very simple question:  Is it legal to print student photos with their names on their school library cards for circulation use?

The answer is "Yes."

But!  If the library card will be used for anything more than "circulation use" within the library, it is wise to assess precisely what the card will be used for, root that purpose in well-developed policy that considers the above factors, and evaluate if the picture—which in this case, will be a FERPA-protected education record[7]—is needed at all.  The more the card is used for functions beyond the needs of the library, the more those functions should be achieved by a separate student ID, or in the alternative, schools should make sure that library information[8] is separate and isolated from other education records accessed by or listed on the card.

Thank you for an important question.

 



[1] It is important to note that a "public school library" is different than a public library, or an association library, or a college library.... but ALL are subject to CPLR 4509, the law making library records private.  And while they are different, a public school library, like the college library, is subject to FERPA.

[2] I used to be such a stickler about not posting any pictures of my kids on FB.  But the loving posts of other family members eventually wore me down.  Sorry, kids, I really tried.

[3] Photos of students maintained by their institutions, like an ID photo, are confidential education records under FERPA.  https://studentprivacy.ed.gov/faq/faqs-photos-and-videos-under-ferpa

[4] For instance, if the library card is also an all-purpose student ID that also functions as a key card or has lunch money on it, a policy should clearly separate those functions and there must be a clear protocol for voiding access when the card is reported lost.

[5] Just because the school owns the physical object doesn't mean they own the rights to the student's image.

[6] This is because, as written more thoroughly in Ask a Lawyer https://www.wnylrc.org/ask-the-lawyer/raqs/100, school library records are subject to both FERPA and 4509 rules of privacy.  Combining education record with library records can make it difficult to tease out the different ways the materials may need to be handled. 

[7] See footnote 3.  Yes, this is a footnote to send you to a footnote.

[8] Either in hard copy, on the card, or via digital access.

 

Tags: CPLR 4509, FERPA, Library Card Policy, Library Cards, Privacy, School Libraries

Topic: Asking COVID-19 symptomatic patrons to leave - 8/18/2020
In regards to COVID-19 when libraries do reopen, (and allow people in) is it advisable to ask cust...
Posted: Tuesday, August 18, 2020 Permalink

MEMBER QUESTION

In regards to COVID-19 when libraries do reopen, (and allow people in) is it advisable to ask customers to leave the public building if they are exhibiting any visible COVID symptoms? If so, are there benchmarks for how extreme symptoms should be or how policies should be worded? There are of course patron behavior policies in place allowing for the removal of anything disruptive, which can include noise or inappropriate behavior. There are some members of our leadership team who believe our safety reopening plan should include provision specifically mentioning symptoms of COVID-19 and the staff's/ library's right to remove them if symptoms are exhibited. There are other concerns that library staff are not medical professionals and we are not able to determine if a few sneezes and coughs are common colds, allergies or COVID. Attached is our library's current reopening plan.

WNYLRC ATTORNEY'S RESPONSE

As the member writes, it is very difficult to determine if some physical factors—coughing, a flush, seeming malaise—are in fact symptoms of COVID-19.  Confronting a patron with suspected symptoms can also lead to concerns impacting community relations, privacy, and the ADA.

A good Safety Plan addresses this concern, without requiring patrons[1] to be removed mid-visit from the library.

To position libraries to address the impact of patrons with suspected symptoms, New York's "Interim Guidance for Essential and Phase II Retail" (issued July 1, 2020)[2] states:

CDC guidelines on “Cleaning and Disinfecting Your Facility” if someone is suspected or confirmed to have COVID-19 are as follows:

  • Close off areas used by the person suspected or confirmed to have COVID-19 (Responsible Parties do not necessarily need to close operations, if they can close off the affected areas).
  • Open outside doors and windows to increase air circulation in the area.
  • Wait 24 hours before you clean or disinfect.
  • If 24 hours is not feasible, wait as long as possible.
  • Clean and disinfect all areas used by the person who is suspected or confirmed to have COVID19, such as offices, bathrooms, common areas, and shared equipment.
  • Once the area has been appropriately disinfected, it can be opened for use.
  • Employees without close or proximate contact with the person who is suspected or confirmed to have COVID-19 can return to the work area immediately after disinfection.  Refer to DOH’s “Interim Guidance for Public and Private Employees Returning to Work Following COVID-19 Infection or Exposure[3] for information on “close or proximate” contacts.  [4]
  • If more than seven days have passed since the person who is suspected or confirmed to have COVID-19 visited or used the retail location, additional cleaning and disinfection is not necessary, but routine cleaning and disinfection should continue.

[emphasis on "suspected" has been added]

In other words: your Safety Plan, as informed by the most recent guidelines, should leave nothing to chance.  By using this procedure, library staff are never put in the position of having to guess, ask, or consider if a patron's coughing, sneezing, or other behaviors are COVID-19...rather, the moment the possibility is "suspected," the Plan kicks into action.

Of course, if a patron is properly masked, some of the risk of exposure is limited, even if they are infected (this is why we wear masks and identify areas with six feet of clearance in the first place).  And if a patron removes their mask mid-visit, refuses to keep appropriate distance, or refuses to spray down equipment after using it,[5] THAT person can be asked to leave, simply as a matter of policy—whether they are exhibiting symptoms, or not.[6]

So to answer the question: no, it is not advisable to ask patrons to leave the public building if they are exhibiting any visible COVID symptoms, for exactly the reasons the member provides.[7]  Rather, it is required that your Safety Plan keep people distant from each other, and that the library be ready to address any real or suspected exposure as quickly and effectively as possible. 

That said, having signage that reads "Safety first!  Patrons who are concerned about transmission of germs can arrange curbside service by [INSERT]" is a great way to remind people that if they are having an "off" day, there are many ways to access the services of your library.

I wish you a strong and steady re-opening.



[1] This answer does not apply to employees and visitors like contractors, who must be screened.

[4] I note that the DOH's "Interim Guidelines" do not include guidance to staff with suspected (as opposed to confirmed) exposure.  If an employee feels they were exposed to a suspected case of COVID-19, however, that will impact their answers on their next daily screening, which will trip consideration of whether they can report to work.

[5] Or whatever other safety measures a library has identified.  It is inspiring to read the variety of tactics out there, as listed at https://www.nyla.org/covid-19-library-reopening-plan-database/?menukey=nyla.

[6] Another member raised this consideration in this "Ask the Lawyer" from earlier in July 2020: https://www.wnylrc.org/ask-the-lawyer/raqs/153

[7] Of course, if a patron is having a medical event and you have an immediate concern for their well-being, call 911.

Tags: ADA, COVID-19, Emergency Response, Policy, Privacy, Reopening policies, Work From Home, Public Health, Safety Plan

Topic: [2020 Pandemic Date Specific] Contact tracing and privacy in libraries - 5/28/2020
Given libraries are preparing plans to reopen, I am looking for a follow up to the 3/19/2020 quest...
Posted: Thursday, May 28, 2020 Permalink

MEMBER QUESTION

Given libraries are preparing plans to reopen, I am looking for a follow up to the 3/19/2020 question posted to Ask The Lawyer pertaining to being informed that an individual who has been confirmed to have COVID visited one of our libraries. (participated in a program).

With the new tracing protocols (COVID-19) required by Re-Open New York, what, if any, impact will there be on CPLR 4509? Will libraries be required to provide information and if so, to what extent? Currently we require a judicial subpoena in order to provide any information regarding a patron - including identifying if a patron has been in the library.

Your guidance is much appreciated.


 

WNYLRC ATTORNEY'S RESPONSE

The short answer

This answer is being written on May 28th, 2020.

At this time, in addition to Executive Order 202 issued on March 7, 2020 and declaring a state of emergency in New York through September 7th, 2020, there are 30 Executive Orders.

These Executive Orders create temporary modifications to a wide and ever-increasing array of state law and regulations. They have impacted elections, public health practices, landlord tenant relations, and countless operations of the New York State justice system.

However, as of this date, there has been no modification of section 4509 of the state Civil Procedure Law and Rules (“CPLR”), which, with only very limited exceptions, bars third-party access to a user’s library records.

Therefore, at this time, any library receiving a request from a third party for confidential library records, even if in relation to contract tracing efforts, should follow the same procedure they do for all other third-party requests: require a subpoena or judicial order.

 

The same answer, but with more information and analysis

I am grateful to the member for posing this question, because not only is it important to have clarity on this precise issue, it is important for information management professionals across the state of New York, including some of New York's most trusted information professionals — librarians — to be thinking about the impact and finer points of contact tracing.

So what is “contact tracing”?

The Centers for Disease Control describes contract tracing this way on their current COVID-19 response page[1]:

In contact tracing, public health staff work with a patient to help them recall everyone with whom they have had close contact during the timeframe while they may have been infectious.  Public health staff then warn these exposed individuals (contacts) of their potential exposure as rapidly and sensitively as possible.

After declaring COVID-19 a “communicable disease” as defined by the state’s Public Health Law, New York began using contact tracing to combat COVID-19.[2]  Local health departments led the way, organizing information and coordinating warnings within their jurisdiction, an initiative that inspired the previous question referenced by the member.

With the adoption of “New York Forward,” 30 contact tracers for every 100,000 residents is one of the express metrics[3] being used to establish when one of the state’s ten regions is ready to begin a phased reopening.  So, every region will be recruiting and deploying “tracers” to gather information and issue warnings to individuals who testing has confirmed have been exposed to COVID-19.

While emphasizing that such warnings must be issued “rapidly,” the CDC’s guidelines for contact tracing also emphasize privacy:

To protect patient privacy, contacts are only informed that they may have been exposed to a patient with the infection. They are not told the identity of the patient who may have exposed them.”

The State of New York, however, does not require this level of confidentiality in its laws regarding quarantine, notification of infection, and contact tracing related to most communicable diseases.  While the precise regulations governing the use of contact tracing to fight the spread of HIV require the consent of the patient, the regulations applying to COVID-19 do not have similar requirements.[4] Nor is such information regarded as protected health information (“PHI”) under HIPAA.

I am highlighting these considerations not to denigrate contact tracing, which has been documented as effective in combating pandemics. However, as of this writing, as reported by The New York Times, many in authority, or with credibility in the arenas of privacy and data security, have expressed serious concerns regarding the procurement and arrangement of the software and personnel that will be used in this massive public health initiative.

Caution about privacy, even during times of emergency, is a good thing.

With all that, the collaborative, community health-focused approach I outlined on March 19, 2020, in https://www.wnylrc.org/ask-the-lawyer/raqs/122 is one I continue to endorse.

In addition to that approach, here is a suggested reply in the event your library is contacted by a state-employed contact tracer, designed to work with your standard protocol for complying with 4509:

[After verifying credentials]

We know your work is critical to public health.  Please send us a written list of what you need, and we will work to obtain consent from our users, as required by CPLR 4509.  In the alternative, please ensure what you need is very thoroughly set forth in a duly issued subpoena or judicial order.  Our library will work to expedite your request as soon as we know we are authorized to do so.

 

One final point

After conducting the research set forth in this answer, it is my opinion that CPLR 4509’s assurance of the confidentiality of library records is not at odds with the current emergency measures our state is taking to protect lives and get our world back on track. 

First, it is critical to remember that under 4509, a person may give their written consent to disclosure.  Many people, upon learning they might pose a danger, will give their express and voluntary consent, if they have the capacity at the time.  That is their right, and there is no concern with your library contacting them to ask the question.

Second, if the need for confidential library records is truly critical, local board of health officials—and the tracers who will be helping their localities—can invoke the authority created by the public health law[5] to obtain duly authorized subpoenas. 

Unlike many other laws and regulations, CPLR 4509 can remain as written, while New York undertakes an unprecedented, massive effort to conduct contact tracing, and protect public health.  

Thank you for an important question.

 



[2] Since reporting new or unusual communicable diseases is also required, cases were probably also reported before March 7.

[3] These metrics are laid out in a graph found at https://www.governor.ny.gov/programs/new-york-forward.

[4] That section is 10 NYCRR 2.10, which states: “It shall be the duty of every physician to report to the city, county or district health officer, within whose jurisdiction such patient resides, the full name, age and address of every person with a suspected or confirmed case of a communicable disease, any outbreak of communicable disease, any unusual disease or unusual disease outbreak and as otherwise authorized in section 2.1 of this Part, together with the name of the disease if known, and any additional information requested by the health officer in the course of an investigation pursuant to this Part, within 24 hours from the time the case is first seen by him, and such report shall be by telephone, facsimile transmission or other electronic communication if indicated, and shall also be made in writing, except that the written notice may be omitted with the approval of the State Commissioner of Health.

[5] New York Public Health Law, Section 309.

Tags: COVID-19, CPLR 4509, Emergency Response, Privacy, Contact tracing

Topic: Usage of personal devices at risk of legal discoverability - 4/27/2020
When working from a remote location, and you do not have time or the technology to take work devic...
Posted: Monday, April 27, 2020 Permalink

MEMBER QUESTION

When working from a remote location, and you do not have time or the technology to take work devices with you, can using your private devices (cell phones, personal laptops,etc.) open your devices up to discoverability for any legal actions by the district or organization you are working for? An example would be using your personal phone for Zoom (if your laptop does not have the capability) for a CSE meeting or other business that may or may not contain sensitive information.

WNYLRC ATTORNEY'S RESPONSE

This is a great question.  An important question. And unfortunately, an all-too-infrequently asked question…

Because the answer is “YES.”

The risks and cautions and caveats related to use of employee-owned technology are endless, but here are the top five in my world:

  • Educators working with FERPA-protected information should not store it on their personal devices. 
  • Health professionals working with HIPAA-protected information should not store it on their personal devices. 
  • Librarians working with patron information should not store it on their personal devices. 
  • Any employee working with content restricted by contract should not store it on their personal devices.
  • Any employee handling sensitive data (HR, fiscal, trade secrets, business plans) should not store it on their personal devices.[1]

This is my education/not-for-profit/library top five, but I could go on and on.  And while the first layer of risk posed by this issue relates to legal compliance, privacy, and security, underlying those primary concerns is the risk that in the event of alleged non-compliance, or another legal concern, the employee-owned device the information is hosted on could be subject to discovery—even if it is personal property.

What is “discovery?”  Fancy lawyer talk for being subpoenaed or otherwise brought in as evidence.[2]

How does a library, museum, educational institution or archive—especially one operating ad hoc from home as a result of pandemic concerns--avoid these concerns?

Here is a 3-pronged solution:

Prong 1: know your data.

Every institution should know the information it stores, and sort it by sensitivity. From there, policy (or at least, “standard operation procedures”) should inform how such information is stored, and when/how it might get transmitted and stored (if ever) on a non-proprietary device.

Here’s an example based on the different types of information stored and transmitted by libraries:  The templates for the brochures about a library’s story hour will generally be regarded as much less sensitive than the files regarding employees or patrons.  So, while transmitting the story hour templates from an institutionally-owned computer to a personal machine might be okay, you would never transmit the payroll or employment history records that way.  Policy and training should support awareness of the distinctions, and while the brochure templates might occasionally need to be accessed on employee-owned tech, the more sensitive types never should be.

Prong 2: know your tech.

Every institution should ensure employees who must access and store information regarded as sensitive have a work-issued account and device(s).  An inventory of that technology should be maintained, so the institution is aware of precisely where the information stored on it will be.

Barring that (whether due to time or budget), networks and resources should be set up to filter out the security risk of content going to and from machines with less robust security.

Knowing your technology is set up to meet the demands of your institution’s more sensitive data is key.

But there’s one more thing…

Prong 3: Work to minimize risk, even if you can’t eliminate it.

Don’t let “perfect” be the enemy of “good.”

Stuff happens:

  • A presentation where suddenly you can’t access a work file, but engineer a work-around using a Gmail address;
  • An emergency situation where a sensitive file has to be opened on a home computer;
  • A jump drive with both your photos from a family trip, and proprietary information, is uploaded onto a personal laptop.

 

Everyone[3] has had an instance where convenience triumphed over security.  But that should be the exception, not the rule.

Even during times of emergency response and sudden adjustment (read: pandemic, or a crisis at the location of your organization), awareness of an institution’s data and technology can be used to minimize the exposure of more sensitive information to risky situations—even if sometimes, the end result is less than ideal.  Admitting your institution is not perfect just means that in less reactive times, it must use the budget process and long-range planning to further reduce the risk, as time goes by.

And that is how to reduce the risk of employee tech getting subpoenaed in the event there is a content-related legal claim.[4]

I am grateful the member asked this question, because particularly right now,[5] this is a really common issue (although it remains a serious issue in less panicky times). So common, in fact, that I call it the “chocolate in the peanut butter” question.[6]

Why is this legal concern named after such a delicious combo?  Because the imagery really isolates the problem.  When it comes to using employee tech, the convenience can be all too seductive.  It can be, in fact, deliciously easy.

One reason to avoid this, among many, is because that technology could be subject to discovery.

But good risk practices can minimize this risk (even if you indulge on occasion). When working from a remote location, if you do not have time or the technology to take work devices with you, use of private devices, if necessary, should only be for only the lowest-risk content.  Further, to minimize the risk of data loss, non-compliance, and security, such use should only be after a qualified professional has determined it can be done with no risk, and employees are trained to keep things confidential, and remove proprietary content after it is needed.[7]



[1] By “personal devices” I also mean personal email accounts, Zoom accounts, cell phones, tablets, laptops, DropBox folders, etc.  All content handled by employees for institutional purposes should be on institutional resources.

[2] How does “discovery” play out?  Lots of ways.  For instance, once I was defending a person whose personal laptop was subject to “discovery” in a civil case.  We didn’t surrender the laptop.  Normally, that might have posed a problem, but in this case, the laptop had been destroyed during a fight at a concert many years before.  We had to produce the old police report to show that the property really had been destroyed, and we weren’t just resisting discovery.

[3] Okay, this is hyperbole.  Hopefully it’s not “everyone” (I’m looking at you, hospitals, therapists, and the IRS).

[4] This answer does not contemplate the related but distinct issue of employer resources being use for personal purposes, or to harass others…which is the dark mirror of this issue.  But good practices in one regard will lead to good practices in the other!

[5] Largely unforeseen, 100% order to work from home impacting most businesses.

[6] …although when I am feeling dramatic, I call it “data bleed.”

[7] Bearing in mind the deleted content is often never truly deleted…and thus could still be subject to discovery!

 

Tags: COVID-19, Emergency Response, Employee Rights, Privacy

Topic: Unsealed overdue notices and FERPA - 4/3/2020
I am wondering if sending unsealed overdue notices to students in their classrooms is a FERPA viol...
Posted: Friday, April 3, 2020 Permalink

MEMBER QUESTION

I am wondering if sending unsealed overdue notices to students in their classrooms is a FERPA violation. The notices might appear face up on their desks or in their hands for other students to see. The prices of overdue materials are listed on our notices. Another issue - is calling a student's home and leaving a message stating that they have an overdue book and giving the price of the book a FERPA violation? Thank you.

WNYLRC ATTORNEY'S RESPONSE

What a difference a month makes.  When this question came in, my kids were in school, my staff was at the office…and I am willing to bet at least one person in that group had an overdue library book.

Now, of course, we are all home trying to “flatten the curve” of a global pandemic.  If we had overdue books before, they might be overdue for a bit longer.[1]

Despite a global shift in focus since this submission, it is still a good one, and the second question may be more urgent than ever.

The FERPA fundamentals impacting this question were addressed in an “Ask the Lawyer” last year: https://www.wnylrc.org/ask-the-lawyer/raqs/80.

With that as background,[2] here are my answers:

Is sending unsealed overdue notices to students in their classrooms a FERPA violation?

Unless there is a specific waiver or request for the information, unsealed notices distributed in classrooms risks both a FERPA violation, and a violation of CPLR 4509.

Sealing the notices so the contents can’t easily be seen by people who aren’t the students or their legal guardians is a good idea.

 

Is calling a student's home and leaving a message stating that they have an overdue book and giving the price of the book a FERPA violation?

Unless the student requests it, or a policy states that such a practice is for the proper operation of the library, a message reciting library records to a home phone answering machine risks a violation of CPLR 4509.[3]  If the student is under 18, it is not a FERPA violation—so long as the home answering machine is that of the child’s legal guardians—but as reviewed here, FERPA is not the only privacy law a school library in New York must follow.

Lost in a sea of law and regulations?  When considering the implications of FERPA and CPLR 4509 for a school library, seeking solutions that err on the side of privacy is always the safest course.   While applying the letter of the law can be frustrating, a default prioritization of privacy will almost always carry the day.[4]

Thanks for a thoughtful question.  At times of de-stabilization and change, focusing on the principles that guide us—like a commitment to providing access to information along with assured privacy—can bring calm.



[1] Many thanks to the Buffalo and Erie County Public Library for automatically renewing our books!

[2] Intricate, complex, and possibly unsatisfying background!

[3] I like this 2009 guidance from the New York Committee on Open Government on the nuances of CPLR 4509: https://docs.dos.ny.gov/coog/ftext/f17671.html

[4] If health and safety are in seeming conflict with privacy, that is a good time to do a quick check-in with a lawyer.

Tags: COVID-19, Emergency Response, FERPA, Privacy, Fees and Fines

Topic: Video and photography of students in an academic library - 2/13/2020
[I work at the library of a public university.] Every year we have requests from students in Media...
Posted: Thursday, February 13, 2020 Permalink

MEMBER QUESTION

[I work at the library of a public university.] Every year we have requests from students in Media Arts program to videotape in the library. They ask me to grant permission. I do not feel comfortable granting permission for others to be filmed.

Do students in the library have a right of privacy that would prohibit filming them as they go about their normal business in the library?

We would like to have a written policy.

The images would not be used for commercial purposes, just as an academic assignment.

 

WNYLRC ATTORNEY'S RESPONSE

When this question landed on my desk, I had recently watched a viral video[1] on YouTube about how some people have no "inner monologue".

The video explained, in plain and accessible terms, that there are people who, rather than internally narrate their world, don't have constant chatter in their heads.  They don't have an "inner voice."  Rather, their brains "map" their reactions to the world, and those reactions are only put into words through vocalization.

The reason the video went viral is because for those of us with a strong inner monologue, the idea of living without one was mind-blowing.

My brain was still wrestling with this concept ("You mean there is no narrator in your head?  None??"), when I read the member's question.

And when the question hit my brain, just like that, I got it.

When I read this question, I didn't hear the words, but I saw the answer.  I couldn't articulate it, but it was there: a Venn Diagram of overlapping legal concerns,[2] "mapped out" in my head, just like the video described: CPLR 4509; FERPA; NYS Image Rights Law.

Only after I had mapped out that diagram in my head could I unpack the details and start to compose.

So, before we delve into the question, I want to thank the member for inspiring a bit of neuro-diverse-empathy in yours truly.  Our brains are endless mysteries; it's good to occasionally see ourselves differently.

And with that, here is my "(Academic) Library Right to Privacy Venn Diagram," unpacked and articulated, and, per the member's request, set out in a "Policy" format, ready to customize for your academic library.

(NOTE: Why are there TWO policy templates?  Because people may have a context-specific first amendment right to film in a public library or the library at a state university, while at a private academic library, only the rules of the institution will apply):

[PRIVATE COLLEGE/UNIVERSITY NAME] Policy on Academic Library Privacy

 

Related Policies:

 

[FERPA Compliance Policy,

Student Code of Conduct,

Employee Handbook,

Patron Code of Conduct,

Campus Guest Policy,

Institutions' Data Security Policy]

 

Version: DRAFT FOR CUSTOMIZATION

Passed on:  DATE

Positions responsible for compliance

FOR USE IN PRIVATE COLLGES AND UNIVERSITIES

POLICY

The state of New York provides that library records containing personally identifying details regarding the users of college and university libraries ("Patron Records") shall be confidential, except to the extent necessary for the proper operation of the library.

To safeguard this right, the [NAME] library will observe the below protocols.

No Patron Records, including but not limited to circulation records, computer searches, information requests, inter-library loan requests, or duplication requests, shall be disclosed, unless 1) upon request or consent of the user; or 2) pursuant to subpoena, court order, or where otherwise required by statute.

The use of security footage showing access to library resources (computers, collection materials, duplation technology) is considered to be a Patron Record.  NOTE: As authorized by law, the Library may release such records incident to promoting proper operation of the library.

No recording of library users by any third parties is authorized on the premises without the filmed individual's express consent.  This includes recording for academic, professional, or social purposes.

To the extent Patron Records overlap with FERPA-defined education records, the Library shall interpret the law to provide maximum assurance of the privacy of the library user, while also reserving the right to promote the proper operation of the library.

 

 

[PUBLIC COLLEGE/UNIVERSITY NAME] Policy on Library Privacy

 

Related policies:

[FERPA Compliance Policy

Student Code of Conduct

Employee Handbook

Patron Code of Conduct

Campus Guest Policy

Institutions' Data Security Policy]

Version: DRAFT FOR CUSTOMIZATION

Passed on:  DATE

Positions responsible for compliance

 

FOR USE IN PUBLIC COLLEGE AND UNIVERSITIES

POLICY

The state of New York provides that library records containing personally identifying details regarding the users of public college and university libraries ("Patron Records") shall be confidential, except to the extent necessary for the proper operation of the library.

In New York, libraries at state, county and municipal institutions may have specific status under the Open Meetings Law and various civil rights laws, but such status does not eliminate their obligations under CPLR 4509, nor limit patrons rights to access services without fear of that record being accessed by another.

To safeguard this right, the [NAME] library will observe the below protocols.

No Patron Records, including but not limited to circulation records, computer searches, information requests, inter-library loan requests, or duplication requests, shall be disclosed, unless 1) upon request or consent of the user; or 2) pursuant to subpoena, court order, or where otherwise required by statute.

The use of security footage showing access to library resources (computers, collection materials, duplation technology) is considered to be a Patron Record.  NOTE: As authorized by law, the Library may release such records incident to promoting proper operation of the library.

Individuals or representatives from the media who wish to make recordings in the unrestricted areas of the library must adhere to the following rules:

  • To record students or patrons generating Patron Records (conducting internet searches, retrieving materials, using materials, checking out books, requesting information at the Reference Desk, etc.), the patron's permission must be obtained in advance; for minors, the written permission of their guardians or parents must be obtained;
  • Recording of the Circulation Desk(s) or Reference Desk(s) is forbidden if the area is staffed and serving patrons;
  • Recording and/or requesting permission from patrons and students must not disrupt normal operations of the library.

To avoid inadvertent violation of these rules, individuals or representatives from the media who wish to make recordings in the library may, but are not required, to discuss their projects with the Director; however, neither the Director nor staff can give permission to waive this policy or give permission to record patrons or students.

Conduct that would be barred by any other policy is not legitimized by the presence of a recording or transmitting device; this includes harassing patrons or staff, or any behavior that violates the rules of the institution.

To the extent Patron Records overlap with FERPA-defined education records, the Library shall interpret the law to provide maximum assurance of the privacy of the library user, while also reserving the right to promote the proper operation of the library.

 

Now, before I go, just a few words on working with these policy templates.

First and foremost, while templates can be a great starting place (and these are designed to inspire generative conversation), they should NEVER be adopted without a thorough analysis and scrubbing by your institution.

For instance, a public or private academic institution could already have a campus-wide policy on filming people.  Or, on the flip side, the institution could have a strong Media Communications or Film department that relies on being able to send students out onto the campus for filming; a policy like this, with no warning, could cause an unnecessary confrontation.[3]  Policies within smaller units at a big institution can cause inconsistency and friction that can be hard to anticipate, unless you bring in some colleagues to pass the policy with.

So before passing a policy based on a template I've provided, here is who I suggest should be on an academic institution's "Library Privacy Policy Collaboration Team," and why:

The Director of the Library (I trust the reason why is obvious), and at least one staff member (the staffer will provide an in-the-trenches perspective; plus, collaborating on that policy is great training for following that policy).

The Director of Campus Safety/Security/Police.  Why?  Because 1) they might have to help enforce the policy; and 2) it is important that they understand the privacy obligations of the library.  Further, at a public institution, they will likely be a ringer who understands the nuances of "quasi-public" space (for first amendment concerns[4]).

The Dean of Students: Why?  Because 1) they might have to help enforce the policy; and 2) it is important that they understand the privacy obligations of the library are for the benefit of the students.

The Director of IT: Why?  Because 1) it is important that they understand the privacy obligations of the library; and 2) they must ensure those obligations are supported by the institution's current and future information technology.

A student government rep: Why?  Because 1) it is important that students have a voice in policies that are meant for their benefit; and 2) students can help articulate the reasons and importance of policies in ways their peers can relate to.  Bonus reason: participating will look good on their apps for grad school!

The institution's lawyer and/or compliance director: Why? Basically, you want the person who keeps an eye on all the rules at your institution, to make sure they are harmonized and are consistent with each other.  Institutional policymaking cannot be done in isolation.

Optional, but a gold-star member: your institution's Family Rights Education Act (FERPA) compliance officer (for a discussion on how FERPA and library privacy obligations interact, see https://www.wnylrc.org/ask-the-lawyer/raqs/67.).

And, in the case of this member's question: the Chair of the Media Arts Department: because as you meet, you can explore setting up ways for the film students to get the permission and image releases they need, in a way that supports their projects but respects the rights of others…skills they will need in "real life."

Okay, I can hear some of you (in my inner monologue!) saying: that's a huge meeting!  Do I really need to convene all those people?

Based on my experience as an in-house counsel at a University (ten years or so), my answer is: YES.

Why?  Because you don't want your first discussion about privacy with Campus Safety to take place when they ask you for the internet search records of a student who was reportedly making a weapon in his dorm room.  You don't want your first discussion about privacy with the Dean of Students to occur when they demand to know if a student was in the library at the time they are accused of driving drunk across campus.  You don't want your first discussion about privacy with a student rep to be when a "first amendment auditor"[5] shows up at your public university campus.  And you don't want to jeopardize your relationship with the IT Director by finding out she set up security cameras you don't know about.

And most critically: Privacy, security and safety on any college/university campus are a collaborative effort, and your library deserves special consideration within that effort.  Why?

No other space on campus has your precise mission and obligations.[6]  A team that knows and supports that mission, and those obligations, can be a great asset.

This is true whether your library's commitment to access and privacy is fully articulated by the team members' constant inner monologues, or is simply hard-wired into the "maps" in their heads.[7]

By jointly working on a policy, and paying attention to the details, either is possible.

Thanks for a great question, and best wishes for developing a strong, coordinated, customized policy!

 



[1] You can enter the rabbit hole here: https://youtu.be/u69YSh-cFXY I hope it's still there!

[2] NY CPLR 4509, FERPA, Civil Rights Law §50, the first amendment, 20 U.S.C. 1011(a), and a bunch of laws on trespass, Public Officers Law, etc.

[3] I'm a lawyer, so I am very happy about the concept of "necessary confrontation," but I like to save people time and stress whenever possible.

[4] This is not the place to dissect the first amendment's impact on public college/university libraries (see next footnote), but for the record, the "Higher Education Opportunity Act" emphasizes that ALL higher education institutions should be a place for "the free and open exchange of ideas."

[6] That said, an on-campus Health Services facility, Campus Counseling, Records, or other place with confidentiality obligations will have similar needs that might be instructive.

[7] I would like to apologize for any painful pseudo-science in this "Ask the Lawyer."  Stupid viral videos.

Tags: Policy, Privacy, Academic Libraries, First Amendment, Image Rights

Topic: Emergency contact information for children attending library programs - 11/12/2019
My question is: do public libraries have any legal obligation to collect emergency contact informa...
Posted: Tuesday, November 12, 2019 Permalink

MEMBER QUESTION

My question is: do public libraries have any legal obligation to collect emergency contact information for children (age 17 and under) attending library programs without a parent or caregiver present/on the premises? Our library is located on the campus of a school district, and we have access to the school district's library automation system, in addition to our own, so we could easily and quickly locate contact information for the parents/caregivers of children who attend our programs in the event of a medical or other type of emergency situation. We already have an unattended minor policy as well. Our Library Board wants to make sure that we are in compliance with both Federal and New York State law on this issue. Thank you.

WNYLRC ATTORNEY'S RESPONSE

This question is rather like asking an astronautical engineer: When on a spacewalk, are there any safety procedures specifically related to securing my helmet as I exit the airlock? 

Such a question could inspire an initial reaction like:  Safety concerns?  In SPACE???  Blazing comets,[1] the safety concerns start the moment you blast off!

But upon reflecting on the actual question, the calm, composed answer might be: “To ensure integrity of the pressure garment assembly, double-check the neck-dam’s connection to the helmet’s attaching ring.”[2]

Lawyers get this way addressing questions related to children and liability.  Our first reaction is to think about everything that can go wrong.  But then we calm down and focus on the specific issue at hand.

So, here is my calm, composed answer to the member’s very specific question:

There are two potential instances where a public library offering a program for unaccompanied minors might be obligated by law to collect emergency contact information.

FIRST INSTANCE

If the program the library is hosting is a camp required by law to have a “Safety Plan,” applicable regulations arguably require that the library gather the child’s emergency medical treatment and contact information.[3]

SECOND INSTANCE

If the library is paying a child performer as part of an event, the law requires that the library must collect the child performer’s parent/guardian information before the performance.[4]

Other than the above instances, while such a practice may be required by an insurance carrier,[5] a landlord, or event sponsor, there is no state law or regulation that makes collecting emergency contact information a specific requirement of a public library.

I do have two additional considerations, though.

FIRST CONSIDERATION

 “Emergency contact” information provided by the parents/guardians, in a signed document drafted expressly for your library, is generally the best course of action when welcoming groups of unaccompanied minors for events not covered by your library’s usual policies. 

I write this because Murphy’s Law (which is not on the bar exam, but remains a potent force in the world) will ensure the one time there is an incident at your youth program, the district’s automation system will be down.

Which brings us to the….

SECOND CONSIDERATION

Libraries and educational institutions sharing automation systems must make sure that such data exchange does not violate either FERPA (which bars educational institutions from sharing certain student information), or CPLR 4509 (which bars libraries from sharing user information).

Emergency contact information maintained by a school is potentially a FERPA-protected education record.[6]  If FERPA-protected, it is illegal for any third party—such as a public library—to access it unless there is an agreement in place with certain required language AND the library’s use of the information is in the students’ “legitimate educational interests.” [7]

Of course, given the right circumstances, meeting these criteria is perfectly possible.  In fact, such agreements can be a routine part of a school’s operations.   But just like with a space helmet before leaving the airlock, its best to confirm that everything is in place before you take the next step.[8]

Thanks for a thought-provoking question.

 

 



[1] I imagine aeronautical engineers swear like the rest of us, but I like to image they sound like characters Golden Age comic books.

[2] Thanks, NASA.gov!

[3] I know this question isn’t really about camps, but libraries do host them.  And since the NY State Health Department’s template for a licensed camp’s “Safety Plan” includes eliciting emergency contact/treatment info, I have to include this consideration. For a breakdown of what types of camps requires licenses, visit https://www.health.ny.gov/publications/3603/

[4] This is a requirement of Title 12 NYCRR § 186-4.4. Since the library would also need said child performer’s license to perform, this requirement would not likely be missed!  I also appreciate that this example is on the far side of what this question is actually about.

[5] Call your carrier to check.  They may even have preferred language for your library to use when crafting registration documents.

[6] The definition of “education records” under FERPA (and its many exceptions) is here: https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:1.1.1.1.33#se34.1.99_13.  Interestingly, a student’s name, phone number, and address—three critical components of an emergency contact form—are potentially not FERPA-protected “education records” as they may be considered “directory information” if specifically listed in a public notice from the school, as required by FERPA Section 99.37. FERPA violations can turn on these small details!

[7] What language is that? Under FERPA Section 99.31, an educational agency or institution may disclose such information to another party (like a library on its campus) if that party is: 1) performing a function for which the school would otherwise use employees; 2) the library directly controls the contractor’s use and maintenance of the records; and 3) the contractor is required to not further disclose the records.  This formula can also be found in the link in footnote 4.

[8] Who says that simile can’t make a second appearance?!

Tags: FERPA, Policy, Privacy, CPLR 4509, Public Libraries

Topic: Patron Confidentiality in School Libraries - 5/6/2019
Is a parent or guardian allowed to access the titles of books that that their child(ren) have chec...
Posted: Monday, May 6, 2019 Permalink

MEMBER QUESTION

Is a parent or guardian allowed to access the titles of books that that their child(ren) have checked out from the school library?

Are school administrators allowed to access the titles of materials a student checked out?

Are school safety officers and Student Resource Officers (“SRO’s”) allowed to access the titles of materials a student checked out?

WNYLRC ATTORNEY'S RESPONSE

In the state of New York, library records linked to the names of users can only be disclosed:

1) upon request or consent of the user;

2) pursuant to subpoena or court order; or

3) where otherwise required by statute.

Therefore, the strong default answer to the member’s questions is “NO.”

This strong default position is based on New York Civil Procedure Rules (“CPLR”) 4509, which states:

Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute.

[emphasis added]

But when it comes to the records of minors at a school serving minors, after this omni-present strong default, there are some additional factors to consider.

FACTOR #1

Does the school condition library privileges on express parent/guardian access to library records?

Under CPLR 4509’s first prong (“consent of the user”), some libraries may condition library use by a minor on permission to share library records with parents/guardians. 

This condition is not invisible or automatic; it would need to be in the cardholder agreement signed by the student, or in a written school policy passed by the school board.  It must be clear, and in writing.

There is much vigorous debate about what level of parent/guardian access it is appropriate to condition library privileges on.[1]  But since such conditioning is allowed by the law, setting the appropriate balance between privacy and access is the job of the library and its leadership.

The bottom line on this factor? If a school library has an express, written policy allowing it,[2] and if that policy also complies with the school’s obligation’s under FERPA (see below), a list of titles checked out may be disclosed  to parents in conformity with CPLR 4509.

FACTOR #2 

Does the school regard library records as “education records” under FERPA?

The member’s questions warrant three considerations vis-à-vis FERPA (“Family Education Rights Privacy Act”), a country-wide law which applies to any educational institution receiving federal aid.

First FERPA consideration: Are the school’s library records accessible as “education records” under FERPA?

Because it is famous for protecting privacy, people generally think of FERPA as a bar—not a means—to information.  But FERPA expressly allows parents and guardians of students under 18 (unless the minors are attending a higher ed institution) to “inspect” “education records,” and, under the right circumstances, allows disclosure of education records to school administrators. 

A list of titles borrowed from a library, if maintained in a way that meets FERPA’s definition of “education records” could be subject to such inspection and disclosure. 

So let’s look at that definition:

[Information]

(1) Directly related to a student; and

(2) Maintained by an educational agency or institution or by a party acting for the agency or institution.[3]

That’s a broad definition!  But several categories of information are exempted from it, including:

 (i)  records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible or revealed to any other person except a substitute;[4]

Under this exception, school library records, if kept in a certain way (with only the librarian, or “substitute,” having access to the records, and the information not linked to or accessible to others, including the student), are arguably exempt from FERPA. 

What’s the take-away, here?  It is possible—but not a uniform rule—that school library records are “education records” under FERPA.  Determining if they are should be part of a school’s annual FERPA notice and policy work, and should be a consideration when a school library considers automation options. 

Second FERPA Consideration: If a school determines their library records DO qualify as “education records,” does a school administrator, safety officer, or SRO[5] have a right to access them under FERPA?

Even if the library records at a specific school qualify as “education records,” when it comes to school administrators, there are only two instances where disclosure is allowed.

The first instance is created by FERPA regulation §99.3.  It allows “… disclosure … to other school officials…[if the disclosure is in the student’s] legitimate educational interests.” 

With regard to a request for a list of borrowed library books, this means there must be a direct, pedagogical reason to disclose that particular list to that particular administrator, safety officer, or (if their contract has the right provisions) external personnel.  To determine if those individuals’ access is in the students “legitimate educational interests,” consideration of the unique circumstances is required, but it comes down to: how does this serve the student?  

The second instance is created by FERPA regulation §99.36.  This regulation allows an educational agency or institution to “disclose personally identifiable information from an education record to appropriate parties… in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.

Under extraordinary circumstances, this exception could be cited to justify disclosure of education records to an administrator, safety officer or SRO addressing a concern about immediate health or safety. 

But the circumstances warranting the disclosure would need to be—as I say—extraordinary.  Congress and the U.S. Department of Education want this to be a very narrow exception tied to imminent threats:

The Department has consistently interpreted this provision narrowly by limiting its application to a specific situation that presents imminent danger to students or other members of the community, or that requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals. [6]

Such a “health/safety” analysis—especially if used to justify disclosure of library records—will be highly fact-specific.  Whenever possible, it should be done in consultation with the school’s attorney, with careful consideration of the precise circumstances and any relevant policies (by the way, this is the kind of “now or never/critical” question school attorneys cancel meetings to research and answer promptly).

Third FERPA consideration: if a school determines their library records are “education records,” CPRL 4509 may still bar parent access under FERPA.

And finally, there is also a possibility that even if a school’s library records are “education records,” under FERPA, library records in New York schools are barred from being shared (without consent) with parents/guardians by CPLR 4509. 

I base this on §99.4 of the FERPA regulations, which states:

An educational agency or institution shall give full rights under the Act to either parent, unless the agency or institution has been provided with evidence that there is a court order, State statute, or legally binding document relating to such matters as divorce, separation, or custody that specifically revokes these rights.[7]

In New York, we have just such a “State statute:” CPLR 4509.  When it was adopted, its role was described as follows:

The New York State Legislature has a strong interest in protecting the right to read and think of the people of this State. The library, as the unique sanctuary of the widest possible spectrum of ideas, must protect the confidentiality of its records in order to insure its readers' right to read anything they wish, free from the fear that someone might see what they read and use this as a way to intimidate them. Records must be protected from the self-appointed guardians of public and private morality and from officials who might overreach their constitutional prerogatives. Without such protection, there would be a chilling effect on our library users as inquiring minds turn away from exploring varied avenues of thought because they fear the potentiality of others knowing their reading history.[8]

Those are some stirring words about privacy.  They show what the Assembly’s intent was when CPLR 4509 was passed. 

That said, this potential conflict between CPLR 4509 and FERPA has not been tested in a court of law.[9]  This position is not something a school should  adopt or rely on without consultation with their own attorney, as part of their annual FERPA notice and policy work.

But it is definitely something to consider.

Final FERPA Consideration: how to resolve a FERPA question when state and federal law conflict.

The good news in all this 4509/FERPA complexity is that FERPA itself anticipates this type of conflict and resulting concerns.  FERPA Regulation §99.61 states:

If an educational agency or institution determines that it cannot comply with the Act or this part due to a conflict with State or local law, it shall notify the Office within 45 days, giving the text and citation of the conflicting law.

In other words, the U.S. Department of Education knows schools will be wrestling with these issues!  A school that makes a good-faith determination of non-disclosure under FERPA (always with the advice of their attorney) can follow this policy for reporting a conflict.  The USDOE will write you back, even if your concern is policy-driven or hypothetical.

Conclusion

Since school libraries—which are legally distinct from libraries at colleges and universities—are specifically named in CPLR 4509, there is no doubt that 4509’s strong bar on disclosure applies to schools where minors are in attendance, while the law is silent about access of guardians/parents to their children’s library records.

The best way for a school library and its leadership to handle these questions is in advance, by having a policy that respects student/family rights, and the operations of the library. 

A good school library “Confidentiality of Library Records” policy will protect student privacy, educate students about their right to privacy, coordinate with the school’s position under FERPA, consider student and employee well-being, and position the library to operate properly. 

Creating such a policy is an exercise in staff teamwork and aboard responsibility.  Considering the complexity of the different factors at pay, I urge school librarians and their leaders to review these considerations with their own attorneys, and to work with their boards to adopt policies that reflect the legal position and the educational priorities of their institutions.

Thank you for these important questions.

 


[1] I am not going to provide a citation for this; the arguments are easy to find, and extensive.  For the record, I’ll say: I am not a fan of any third-party access other than what is needed to ensure remuneration for lost items. 

[2] Because school is a place where young people should be learning to value and protect their rights to privacy, I don’t suggest this lightly, but it is feasible.

[3] Authority: 20 U.S.C. 1232g(a)(4)

[4] 20 USCS § 1232g (a)(4)(2)(b) [NOTE:  The cited law and its companion regulation vary; the regulation adds language that the records is a ‘personal memory aid.” But the law does not have this “personal memory aid” language, and laws trump regulations, so this interpretation is feasible.

[5] For those of you reading this who are not in primary or secondary education, in New York, an SRO’s are “commissioned law enforcement officers who are specially trained to work within the school community to help implement school safety initiatives as part of the school safety leadership team.”  Source: New York State Education Department at http://www.p12.nysed.gov/sss/documents/FrameworkforSafeandSuccessfulSchoolEnvironments_FINAL.pdf

[7] If there is ever a case based on this line of argument, it may come down to a missing Oxford comma, since I imagine there would be a contention that the “state statute” also needs to related to “divorce, separation, or custody,” but given that there is no comma after “binding document,” that is not how it reads. Grammar, like privacy, is important.

[8] Mem. of Assemblyman Sanders, 1982 NY Legis Ann., at 25.

[9] But there is some commentary by the New York Committee on Open Government that supports this reading of the Regulation 99.4 (opinion FOIL AO 11872).

 

Tags: Privacy, FERPA, Academic Libraries, Policy

Topic: Does FERPA regulate student publications and exclude them from being digitized? - 4/2/2019
We received two grant applications for projects involving the digitization of high school student ...
Posted: Tuesday, April 2, 2019 Permalink

MEMBER QUESTION

We received two grant applications for projects involving the digitization of high school student newspapers/magazines. The schools have given permission for these materials to be made available on a historic resource-focused, free database.

When our board was reviewing these grant applications, it was brought up that sharing student publications may not be possible under FERPA regulations. The board was concerned that these student publications might be considered educational records, which under FERPA would be subject to restricted access. If FERPA applies to these materials, they could not be uploaded and made accessible via an online database, and consequently would not be eligible for grant funding.

Does FERPA regulate student publications? Are there any other legal reasons student could not be made available freely in an online repository?

Thank you!

WNYLRC ATTORNEY'S RESPONSE

It took me 4 cups of coffee to figure out how to reply to this question!  And it’s not because I didn’t know the answer. 

FERPA is the “Family Rights Privacy Act.”  It bars disclosure of students’ “education records.”

“Education records” (like grades, disciplinary reports, attendance) are defined by FERPA as records:

               (1) Directly related to a student; and

(2) Maintained by an educational agency or institution or by a party acting for the agency or institution.

That is the entirety of the definition, from which many things—like names, team participation, dates of birth—are then excluded.[1]

The punishment for a FERPA violation is loss of ability to qualify for federal funds…a scary prospect for any school.  A FERPA violation also comes with a heavy dose of self-correction and shame, as an institution must fix whatever caused the problem, and often, send out letters of correction/apology.

With ten years as an in-house attorney at a university under my belt (and thus, a ten years’ worth of “FERPA Fear” in my brain), the minute I read this submission, I thought: Pshaw, no student newspaper or magazine is an education record under FERPA!  These grants are fine.

That was at cup #1.  But as I started cup #2, I thought: But why are these grants fine?  Why is no student newspaper or magazine an education record under FERPA?  Technically, they could meet the definition.

And those cocky ten years in higher ed were giving me no reason for my answer. 

For a lawyer, an answer without reasoning is no answer at all.  So I kept sipping (and researching). 

As I settled into cup #3, I reviewed some FERPA case law.   But although this were fun to revisit, by the time I was brewing cup #4, I realized: This is not telling me why a student newspaper or magazine doesn’t meet the definition of “education record” under FERPA.

It was only when I re-read FERPA’s definition for “disclosure” that I could back up my instinctive answer with actual legal reasoning. 

Remember, FERPA bars “disclosure” of student education records.  As it says in 20 U.S.C. 1232g(b)(1) and (b)(2)):

"Disclosure" means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party identified as the party that provided or created the record.  [emphasis added]

As I sipped gratefully at cup #4, there was the answer: if any student newspaper or magazine has content in violation of FERPA, the violation happened the minute it rolled off the presses…not when the content was published to a larger audience. 

It’s a bit metaphysical (or perhaps ontological) but bear with me: Re-publication in the way the member’s question describes—while arguably making an original violation bigger—cannot create a violation where there was none before. In other words, if FERPA-protected educational records were already “disclosed” via a student newspaper or magazine, allowing other people (students, parents, advertisers) unauthorized access to education records, there was already was a violation, back when the content was first published.  And if protected records aren’t already disclosed, the re-publication won’t be a forbidden disclosure, now.

To illustrate this, here is a hypothetical.  Let’s say that in 1991, the New Hartford High School newspaper (the Tattler!) printed all of my grades (without my permission).  That would have been a FERPA violation, about which I could have complained to the U.S. Department of Education.

Fast-forward to 2019.  Let’s say the Tattler ends up on New York Heritage, where everyone could then see that during the first Iraq war, I was a very strong scholar in English and History, but things were…a tad lacking in Math. 

While that would be a continuation of the old FERPA violation, it would not be a new violation (even if I was just seeing it for the first time).  And while I could still conceivably make a complaint to the USDOE, asking them to ask the school to work with New York Heritage to take it down, my options to do so would be limited, since there is no private cause of action or right to sue under FERPA. 

So, while I cannot “clear” unseen content for FERPA violations (remember my Tattler scenario), I can say that a new FERPA violation will not be caused by posting already-published material on New York Heritage.

In that same spirit, I will now address the other question the member asks:  Are there any other legal reasons student [publications] could not be made available freely in an online repository?

I wish I could just say “No,” and everyone could not worry about this at all.  But we must never underestimate the creativity of lawyers and plaintiffs in finding new ways to threaten legal action!  If the content of a particular student newspaper or magazine is scandalous or allegedly harmful enough, an attorney could try to frame a claim around some type of defamation or personal injury action.  And of course, when publishing content, there is always a potential claim based on copyright or trademark….even if that claim turns out to be bogus.

But these cautionary words are based on highly speculative scenarios.  There is no outright bar on sharing student publication content the way there is for disclosing grades, health information, and attendance-related records.  And because the digitization of student publications creates a useful array of otherwise ephemeral material, and can be a valuable snapshot of a culture at a particular place in time, there are  strong legal defenses for the digitization and publication of them by not-for-profit entities.[2]

To position a student publication digitization project to stand up to legal threats, a solid understanding and articulation of why the project has academic, social, and/or historic value, and a clear ability to show there is no “for-profit” motive, are fundamental.  By thinking through a digitization project, establishing its social value, and documenting its adherence to professional and scholarly ethics, it is easier to defend making the material freely available—and searchable. 

The good thing about grant funding is that the application and reporting process often builds these analyses right into the project. 

Thanks for this stimulating question!

 


[1] The whole list of exclusions is in the regulations found here: https://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf. It does not specifically exclude publications.

[2] I could write a book, or at least a very long, heavily footnoted legal brief on these defenses, but for purposes of this response, you can trust they are there.

Tags: Privacy, FERPA, Digitization and Copyright

Topic: FERPA and NYS Privacy Laws - 1/9/2019
We have a question that relates to the intersection of New York state level library privacy laws (...
Posted: Wednesday, January 9, 2019 Permalink

MEMBER QUESTION

We have a question that relates to the intersection of New York state level library privacy laws (https://www.nysenate.gov/legislation/laws/CVP/4509) and FERPA. Our campus has a newish system that is attempting to correlate student actions and activities with academic success and retention. As such, it could be helpful to include things like visits to the writing center, appointments with academic advisors, and also library activities, such as whether a class came in for a library information literacy session or whether a student made an appointment for a library one-on-one consultation. FERPA lets institutions share academically related information within certain bounds.

We are wondering what the privacy balance is here given that the information would stay in-institution, but not in-library. Here's what we are considering doing:

1) Noting in the system which classes had a library session(s). Within the system, that would identify individual students within those classes.
2) putting an opt-in statement on our one-on-one research appointment form and if the student consents, then providing to system the student name, appointment date/time, and course that the help was for (but not anything about the specific content of the appointment).

Have we crossed any lines here? Do we even need the opt-in statement? Is this something clear or fuzzy/grey? What should we be considering that we haven't thought of? Thanks.

WNYLRC ATTORNEY'S RESPONSE

Depression.  Burn-out. Dissatisfaction. Lack of connection.  Lack of money. Lack of parking.

These are just some of the reasons students give when they choose to leave—or are forced to leave—their college or university before graduating. 

Many times, these reasons snuck up on them, although in hindsight, they could be seen: a pattern of missing classes, a downward trend in grades, maybe even dropping out of clubs and other campus activities.  And almost always, after a student leaves (often in tears) faculty and staff, coaches and friends, are left wondering: could they have done more[1]?

No matter what events led up to it, for each such incident of student “attrition,” the stakes are high: student loans, a sense of failure, the end of a career dream, and perhaps even a medical condition that went untreated while the student struggled on their own.

But what if the clues could be seen earlier?  What if the downward spiral could be stopped?

Fueled by increasing technological capabilities, many institutions of higher education are developing cross-campus, inter-sector systems to do just that: hoping to correlate the warning signs and fight student attrition through early intervention.  Using a variety of commercially available and home-programmed tech, they are tracking everything from dining hall meals, to class attendance, to visits to the gym.  These factors, as well as comments from concerned faculty or staff, are then routinely assessed and cross-checked for red flags. 

Because libraries are increasingly hosting classes and providing adjunct space for group work, it makes sense that such a system would consider tracking library usage.  After all, it can be a good sign that a student is just getting out of their dorm room!

But there is a tension within this well-meaning system.  College is where young adults journey to find their independence and privacy; promoting this maturation is part of a college or university’s purpose. Further, a net of privacy laws constrains the easy sharing of certain types of information.  But knowing the painful consequences of unchecked student struggles, many institutions work hard to find the right blend of metrics and policies to be able to intervene. 

Part of this hard work is finding the right path through that net of privacy laws.  As the member writes, the biggest privacy law of all, FERPA,[2] does allow such inter-departmental sharing,[3] and even parental notification about safety concerns, when the time is right.  It does this through both application of the law, and “FERPA waivers.”

But in New York, FERPA is not the only privacy rule to apply[4] to these information-sharing systems.  As the member states, New York’s Civil Practice Laws and Rules (the “CPLR”) §4509 (“4509”) also governs a student’s records—at least, their library records.  And it sets the bar high.

4509 is a short law where every word matters, so it is worth quoting in full here: 

Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute. [emphasis added]

As you can see, “college and university libraries,” even though they are part of larger institutions, are clearly covered by this law.

So how does 4509 impact the member’s question?

First, every library (academic or not) should have a clear sense of what it regards as “library records.”  As can be seen in the statute, the term is not precisely defined (“including but not limited to” leaves a lot of room for argument!).  Some of the obvious ones are listed in the law (circulation records, database searches, copy requests) but unnamed others could be just as vital to privacy (use of a 3-D printer, security footage covering the circulation desk, and in the member’s example, the use of research appointments).   And still others activities that use the library may or may not apply (classes conducted in the library, but not part of library programming, are arguably excludable).

To protect the records as required by law, a library must know precisely what records it must protect.  This is why, just like a public or association library, a college or university library should have a “Privacy of Library Records” policy clearly showing where it draws the line. Such a policy should also have a “subpoena response protocol,” so the library can train staff on how to receive internal and external third-party demands for information. 

And in a perfect world, this college or university “Privacy of Library Records Policy” should be known and supported by the institutional officer who oversees the library (a Provost or Academic VP).  This officer’s authority, from time to time, may be needed to ensure the policy is respected by campus safety officers, student disciplinary administration, and any other department that might want library records in service of another institutional purpose.  Librarians should not hold the 4509 lines alone!

Now, back to the member’s scenario.  Once a library knows precisely where it “draws the line” on library records, the member’s instinct is right: any access to information that falls within the institution’s definition of “library records” should be either denied, or allowed only as the law requires: via a signed consent from the user/student.

I know, just what every student wants—to fill out another form!  But these 4509 consents, just like a “FERPA Waiver,” are not only mechanisms to ensure legal compliance, they are a chance to educate students about their right to privacy. 

For instance, the consent form (I imagine it would be a digital click-through on a password-protected student account, but it could be a paper form) could say:

“The privacy of library records is protected by the law in New York State (CPLR 4509).  Your enrollment in the [SYSTEM NAME] will ask the library to disclose certain library records that are protected by this law.  As a library user at an library in New York, you have the right to keep your library records private.  A list of what [LIBRARY NAME] considers to be library records is here [link to policy].  If you would like to consent to the [NAME OF LIBRARY] sharing your library records with only [SYSTEM], please check the below consent:

[ ] I am at least 18 years of age, and consent to the limited sharing of my library records for purposes of sharing the information with the [SCHOOL NAME] [SYSTEM].  This consent does not allow sharing my library records, even within the school, for any other purpose.  No consent to share the records with external entities is give. 

I understand I will need to renew this consent every fall semester, and that I may revoke this consent at any time.

Of course, there is no legal requirement for annual renewal, but it is worth considering.  A year is a long time in the life of the typical undergraduate student, who may enter college with one set of civil rights values, and leave with another. With an annual renewal, the library not only complies with the law, but educates the student about their privacy rights on an annual basis.

So, to address the member’s final questions:

Have we crossed any lines here?

No.  By thinking about this issue during the planning phase of the system, you are making sure the lines are bright and well-defined.

Do we even need the opt-in statement?

You could call it that, but I recommend calling it a “4509 Consent.”  That would build awareness of this important law in our future leaders (and librarians).  Of course, as a lawyer, I may be biased as to how important that is (but it’s really important!).

Is this something clear or fuzzy/grey?

Not so long as your library has a clear and routinely evaluated policy defining what it regards as “library records.”  This can be tough at an integrated institution, where so much information technology crosses through different sectors.  But it should be done.

What should we be considering that we haven't thought of?  

I think you should consider buying yourself a nice cup of coffee or tea for doing your part to support a commitment to personal privacy in the United States of America and State of New York.  Unlike in the European Union, our privacy currently risks death by a thousand cuts.  Every bit of armor counts. 

Thanks.

And thank you.



[1] I was a general counsel at a university for ten years…even as the in-house lawyer, I had a few of these moments.

[2]  The “Family Education Rights Privacy Act,” a federal law often blamed for institutions not telling families about students’ struggles sooner. 

[3] If this answer were to address those bases, it would be about ten pages longer, so we’ll just assume the system in this scenario complies with all the regulations and guidance listed here: https://studentprivacy.ed.gov/audience/school-officials-post-secondary.

[4] Neither is CPLR 4509.  These systems have to navigate HIPAA, state health and mental health laws, and depending on what they do, even PCI and defamation/libel concerns.

Tags: , Policy, Privacy, FERPA, Academic Libraries

Topic: Posting Patron Images on Facebook; When is an image release required? 8/22/2018
Are libraries legally required to obtain photo releases from all patrons (children's parents, ...
Posted: Wednesday, August 22, 2018 Permalink

MEMBER QUESTION

Are libraries legally required to obtain photo releases from all patrons (children's parents, teens, adults), even if we don't name those patrons before publishing photos to our social media accounts and/or press releases?

WNYLRC ATTORNEY'S RESPONSE

This is a huge question.  To answer it, let’s start with where the mania over image releases comes from.

New York Civil Rights Law, §50, states:

A person, firm or corporation that uses for advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, is guilty of a misdemeanor.

In this age where every “click” and post is potentially monetized (and thus “advertising”), this rule is tough to advise on.  If I post a picture of my sister on Facebook, and her smiling face helps Facebook get attention for a sidebar advertisement, can she fulfill a threat made back in 1987 to get me in “sooooooooo much trouble?”  Not quite.  But if I create an ad for an event to be held at my law firm, and I use someone’s image without permission, that could be problematic.

The next layer of concern could come from Facebook itself.  As they say in their “Terms,” users may not:

do or share anything:

  • That violates these Terms, our Community Standards, and other terms and policies that apply to your use of Facebook.
  • That is unlawful, misleading, discriminatory or fraudulent.
  • That infringes or violates someone else's rights.

[emphasis added].

So, if my sister alleges that I have “violated her rights,” by posting her picture, am I risking my Facebook account, too?

A lot of this comes down to how Civil Rights Law §50 is being applied these days.  As of this writing, I did not find any case law where simply posting an image to Facebook violated §50.  Further, recent case law gives insight into what the courts will consider to be “advertising.”

“Under Court of Appeals precedent, the statute is to be narrowly construed and strictly limited to nonconsensual commercial appropriations of the name, portrait, or picture of a living person. A use for advertising purposes has been defined as a use in, or as part of, an advertisement or solicitation for patronage.” [1]

This sounds helpful, until you starting thinking that, in the world of Facebook, everything is only one degree from being an advertisement.  So how does a library post photos of patrons using their library without losing sleep at night?

The 2013 case of Leviston v. Jackson is instructive.  In Leviston, a woman sued the rapper 50 Cent for posting a sex tape (not made for commercial use) featuring her on his unmonetized web site.  During his testimony, 50 Cent stated that he posted the video to antagonize an opponent in a rap war.  During his testimony, 50 Cent admitted that rap wars are conducted in part to test the mettle of different rappers, and to bring attention to the combatants.  The judge, seizing on this admission that rap wars are in part for “attention” (of the commercial variety) refused to dismiss the Plaintiff’s claim.

So, if your public library is at war with the association library across town, or fighting a budget battle, and you would like to post pictures of patrons claiming “Our Books Our Bigger!” your library should get written image releases.   If, however, your not-for-profit library is simply publicizing “new hours!”, the person whose image you use would have a very weak claim (if they had a claim at all).

That said, in general, it is a good practice for libraries to get image releases whenever possible.  First, you never know when you might snap the perfect picture to illustrate why a new resources or a bigger budget would really help your mission.  Second, asking for permission to use a person’s image will emphasize your library’s respect for personal privacy and patron confidentiality.  And finally, by memorializing permission to use an image, you reinforce the patron’s connection to the library…and generate a great record for the archivist who will be trying to catalog your photos in 2118!

Thank you for your question.

 



[1] Leviston v. Jackson.

 

Tags: Policy, Privacy, Image Rights, Trademarks and Branding, Social Media

Topic: Assisting Patrons with Altering Legal Documents - 8/10/2017
It has come up at our Reference meetings that patrons are using our technology to alter documents ...
Posted: Thursday, August 10, 2017 Permalink

MEMBER QUESTION

It has come up at our Reference meetings that patrons are using our technology to alter documents such as doctor’s notes (extending days of medical excuse, for example) and our staff is increasingly uneasy about assisting patrons with this. We try our best to ignore what people have on the screen but sometimes they ask for our help with altering scanned documents, and it's impossible to pretend we don't see what they are doing. We are uncomfortable telling patrons we decline to help them based on ethical reasons, because that would show admitting we have read what is on the screen. We are somewhat concerned about liability and potential obligation to report illegal activity. What are some ways we can shield staff from having to help patrons commit fraud?

WNYLRC ATTORNEY'S RESPONSE

Wow.  There is really just no hum-drum day for librarians, is there?

Okay, let’s take this in stages.

First, the member’s question starts with the premise that the alteration of certain documents is illegal.  That premise is correct.   And although there are any number of crimes such alteration could be (depending on the type of document), here in New York, the catch-all term would be “Forgery.”  

Forgery[1] is a crime that comes in many degrees, but whatever degree, it involves the act of falsely making or altering a document (meaning the forger invented it wholly, or—as in the scenario—somehow manipulates or alters the original).  However, it is important to note that a critical element of Forgery, no matter what degree, is the intent to defraud, deceive, or cause injury.

Second, the member raises the concern that, if library staff assist a patron who turns out to be a forger, they could risk being implicated in the crime—or feel an obligation to report what they have seen.  While I found no case law addressing this precise scenario, these are valid concerns.   

We’ll start with some good news: for staff to be (legally) implicated, they would have to be aware of the forger’s criminal intent.  In other words, the staff would have to know that the person was planning to defraud, deceive, or cause injury; the mere suspicion would not make them part of a crime[2].  

That said, if the content visible on the screen makes it difficult to ignore a crime in progress (for instance, the manipulation of child pornography) or the possibility of imminent harm to another (someone changing the checkboxes on a Power of Attorney, for example), both library operational integrity, and staff well-being, may require removing personal service, removing privileges, and/or alerting law enforcement.

Unfortunately, after looking at case law, guides from the ALA, and numerous policies in the field, I could find no graceful way for staff to simply discontinue service, without telling a patron why.  Since staff assistance is in many ways as much of a right (once it is routinely provided) as access to your collection and technology, withholding it without a clear basis is a due process concern (for public libraries) and a professional ethics[3]/best practices concern (for private libraries).

That said, I can offer the following steps to making sure staff are ready to address this difficult situation: 

First, every employee and volunteer assisting patrons should have the phrase “service to patrons, in accordance with established policies and procedures” in their employee handbook, job description or volunteer letter (the wording doesn’t have to be precisely this, but the requirement of staff to follow library policies should be express).

Second, an institution providing access to “maker equipment” (computers, scanners, 3D printers, recording devices, tools, etc), should have a posted, public policy forbidding use of library equipment for illegal activity.  Something like:

 “Use of library equipment for illegal activity is forbidden. Examples of illegal activity include  but are not limited to: manipulating illegal content, engaging in forgery (falsely altering documents), gaining unauthorized access to other computers or networks, and 3D printing of illegal devices.  Staff assisting you, who suspect illegal activity, are authorized to discontinue assistance, and the library may discontinue your library access and contact law enforcement.  Patrons using technology to alter official or signed documents should be aware that such activity may be perceived as potentially in violation of this policy.”

As with any library policy impacting access and privileges (including staff assistance), such a policy should have an established procedure, and at least one level of appeal.[4]

Third, staff and volunteers should be trained[5] on how to withdraw service while honoring the rights of patrons.  A very simple policy (coordinated with current bylaws and other institutional policies before implementation[6]), such as the generic one below, could assist with balancing staff well-being with patron rights:

POLICY

It is the policy of the library that, to promote the integrity of operations, and the well-being of staff, use of library equipment and staff services in furtherance of illegal activity is forbidden.  

Staff concerned that a patron’s use of library technology may violate the law shall withdraw their services and/or patron access to the technology, per the below procedure.

In making this policy, the library re-affirms that unless authorized by law, patron records, including those generated by the use of technology, are confidential, and that users of the library technology have a right to privacy. 

In making this policy, the library re-affirms that all patrons are entitled to excellent service and access, and that such service and access shall not be removed without due process.

PROCEDURE

A staff member identifies a potential violation, withdraws from the patron, and consults a supervisor to confirm that withdrawing service and/or access is appropriate.

If the supervisor, upon further assessment, agrees that the use violates the policy, and that withdrawing service and/or access is appropriate, the supervisor will initiate the removal, and provide in writing to the patron:

On [DATE], your access to [/SERVICE/TECHNOLOGY] was removed, on the basis that the use was barred under our posted policy (copy enclosed).  This removal may be appealed by sending a letter of appeal to [PERSON], at [ADDRESS] by [DATE].   The library respects your privacy and does not require you to appeal or to provide any further information regarding this matter, unless you choose to do so.

If an appeal is filed, the [PERSON TO WHOM APPEAL IS DIRECTED] shall consult leadership and legal counsel as needed, and shall notify the patron, in writing, as to the result of the appeal within [#] business days.

If there is concern that IMMINENT HARM may be caused by patron use of technology, staff shall immediately alert XXXX, who shall determine if law enforcement must be called, or if there are any additional immediate action take, per governing procedures.

I am sorry to not have a more graceful solution, but I cannot advise that staff simply withdraw services and not return to the patron.  I have designed the above generic policy to provide a “uh-oh” moment for the patron, when they can remove themselves from a situation, and the supervisor can choose to not pursue the matter further.  This is a delicate dance on the tightropes of confidentiality and operational integrity.

Further, I have added the final clause in bold so the person in charge at the time is reminded to use the “buddy system” when it comes to making tough calls about safety, inferring criminal intent, and assessing imminent harm.  These are decisions that, whenever possible, should not be made in isolation. 

This balancing, giving a situation time to breath, and due process, are the best way to shield library staff while honoring library principles.  I hope you don’t have to use it too often!  But with more and more people relying on libraries for service beyond the traditional quest for information, I suspect more institutions will be addressing this issue.



[1] NY Penal Law 170.00

[2] Of course, a prosecutor can pursue criminal charges if they believe they can prove such awareness…and they can try and prove it by using knowledge of the content.  And for certain documents, merely altering them is a crime.  So erring on the side of caution is wise.

[3] At the heart of this question is staff who don’t want to be implicated in wrongdoing, but honor their professional ethics, including the obligations to:

 

·        Provide the highest level of service to all library users, and accurate, unbiased responses to all requests for assistance;

·        Distinguish between personal convictions and professional duties;

·        Strive for excellence via use of professional skills;

·        Protect each patron’s right to privacy and confidentiality;

  

[4] This is advised by the ALA at http://www.ala.org/advocacy/intfreedom/guidelinesforaccesspolicies, and of course is required for municipal institutions.

[5] As part of this training, staff should be alerted to the library’s policies about any signs of activity posing a risk of imminent harm (which may be a result of illegal activity).

[6] This coordination is critical.  Please don’t use any model language without considering your full suite of bylaws, manuals, policies, and procedures already in place.

 

Tags: Policy, Privacy, Forgery and Fraud, Ethics, Patron Confidentiality

The WNYLRC's "Ask the Lawyer" service is available to members of the Western New York Library Resources Council. It is not legal representation of individual members.