
Privacy

Who Can Access School Library User Records?

Submission Date

Question

We got a question from a school library...

I was wondering about student privacy when substitutes are in the library. When I started here, subs were able to use the circulation desk to check out material. However, since September we have had one substitute who is also a parent looking up their children’s accounts. We also had another issue with a different substitute looking up material to see what students were checking out. When I found this out it made me uncomfortable and I am no longer allowing subs to circulate materials. I have had some pushback from subs about the sudden limitations. I was thinking that the information would be along the same lines as an adult volunteer. However, I did not know if subs had more privileges to access student accounts because they are district employees. I would like something in writing to reference if admin ever asks.

Answer

First things first: whether a school board trustee, superintendent, principal, teacher, substitute, or volunteer, everyone must abide by the requirements of FERPA, Education Law Section 2-D, and CPLR 4509, each of which restricts access to library user records.

FERPA restricts access to education records on a “need to know” basis, even for employees.

Education Law Section 2-D restricts access to confidential student information.

CPLR 4509 restricts access to library user records, including those of minors.

Of course, knowing the law is different than following it. Plus, the scenario presented requires consideration of an additional factor: the substitute is a parent who’s looking at their child’s information.

Under the Education Law and FERPA, a parent has a right to inspect their child’s education record, and that is often interpreted to include their school library records.[1]

But! The right to inspect a record is not the same as using employee access to view a record for personal reasons. Unless district policy says otherwise,[2] a school employee taking advantage of their employee privileges to specifically access their child’s records is inappropriate.

Most people—including many teachers—are unaware of the additional layers of protection for library user records in New York State. Substitute teachers assigned to a school library might be given minimal information, and if the library is using volunteers, there may be even more reason to be cautious.[3] For this reason, a posted sign at the staff computer(s) could help emphasize the law and your library’s policy.

Here is sample language:

Use of this computer is limited to checking out and returning students’ selections and answering student questions. Accessing student library records for personal reasons is prohibited by privacy laws and district policy. Confidentiality of library services is an important part of library ethics and our school library system’s policies. If you have questions about this policy, please see [Media Specialist].

Or, if you want to have a more light-hearted approach:

Thank you for helping out today!

Just a few things we have to say:

Library user privacy

Means there are things you cannot see.

We only use the computer system

To check out items and return them.

If a student makes an inquiry

We handle it confidentially.

Borrowing records, what’s checked out

Can’t be casually talked about.

If you have a question about this list

Please ask the Media Specialist.

So welcome to our library crew!

Service with ethics is what we do.

Whenever possible, discussing policy guidance and signage like this with a supervisor and/or building principal, so they can back you up in the moment, is a wise idea.

In 2026, standing up for privacy and respect for laws governing electronic access to data grows more critical every day. Care on this topic is a sign of professionalism.[4]

Many thanks to the member for a thoughtful and important question.


[1]^ For more information, see Patron Confidentiality in School Libraries.

[2]^ I can’t imagine a district policy allowing this, but I have learned to never say never.

[3]^ For more, see Adult and Student Volunteers in School Libraries.

[4]^ Is standing up for privacy with doggerel poetry a sign of professionalism? I’ll leave that up to you.

Privacy concerns related to software monitoring of public school library records

Submission Date

Question

I am a school librarian, and just found out my school district is using student-device monitoring software. The software uses AI to check for searches and content that could indicate consideration of self-harm. I am concerned the software will monitor access to school library content and violate student privacy. What can I do? 

Answer

This is a very serious concern.

Use of such monitoring software (such as GoGuardian’s Beacon, Google’s Gaggle, and others) is growing rapidly.[1]

Each technology works differently, but the common function is constant monitoring of searches and content on student devices, to be alert for signs of potential danger.  When such potential signs are detected, both AI and real people are used to provide further assessment and intervention.

Deployed properly,[2] such software has been shown to be somewhat effective.[3]  But in New York State, as of January 22, 2025, it seems to have been deployed without much overt consideration[4] of a student’s right to confidentially use the school library.

A student’s right to privacy when using a school library is built into governing ethics, educational standards, law, and regulations.[5] It is often also assured by the policies of a particular school district.[6]

As is often the case with rapidly developing technology, it looks like the adoption of the tech may be outpacing the consideration of all relevant legal factors, including how such software will be programmed to not violate the private use of the school library for research and information access.

In the K-12 environment, this is a delicate balance.  While schools are allowed to access student education records[7] and library records[8] under particular circumstances, the wholesale monitoring of such records is a violation of the law and the ethics of library privacy. In addition, it is quite possible that students will research or access school library e-content that may “trip” the search terms, and, without a careful effort to exclude library searches and content, the software could yield a false positive… along with a privacy violation.

Where does this leave school librarians?

Since the way this plays out may change from software to software and from district to district, and different districts are in different phases of considering or using such software, it is hard to say. Below is an array of possible actions a school librarian can take to raise a concern:

Phase of Concern: 1. School is considering use of student device monitoring software but hasn’t purchased it or passed a policy about using it.

Template language to report concern:

Sample language for raising the concern: “As the product is sourced, please include specific language to ensure the device does not monitor the use of library services. As a policy is developed, it should affirm that library searches and content are not monitored.”

Sample language for the procurement: “Product must be able to assure exclusion of school library searches and library-obtained content from searches and reports.”

Considerations:

Build a supportive team[9] to:

  • Ask to see the procurement documents before the RFP is issued.
  • Stay engaged as a policy is developed.
  • Know how the content is being monitored and who the response team at the district is.

Phase of Concern: 2. School is already using student device monitoring software, there is no policy requiring library services not be monitored, but no incident is known of.

Template language to report concern:

At supervisor or IT level: “It has come to my attention that the school is using [SOFTWARE NAME]. Because student library records are confidential by law, it is important that any monitoring software expressly excludes use of library services (searches and content access via the library) or is otherwise respecting the privacy of student library records. I am also concerned library content could yield false positives. How is our district addressing that?”

Considerations:

Prior to raising such a concern, just like in “1,” above, it is wise to build a supportive team.

Phase of Concern: 3. The request in “2,” above is not answered satisfactorily.

Template language to report concern:

To the Superintendent or School Board attorney: “It has come to my attention that the school is using [SOFTWARE NAME]. Because student library records are confidential by law, it is important that any monitoring software expressly excludes use of library services (searches and content accessed via the library) or is otherwise respecting the privacy of student library records. I am also concerned library content could yield false positives. How is our district addressing that?”

Considerations:

Prior to raising such a concern, just like in “1,” above, it is wise to build a supportive team.

If possible, having a person from that team raise the issue may be a more comfortable (and effective) approach.

Phase of Concern: 4. No policy is in place, the software is in use, and a possible library privacy violation is detected.

Template language to report concern:

Make an internal complaint: “It has come to my attention that the school is using [SOFTWARE NAME], and on [DATE], a student’s library search history was accessed.

Because student library records are confidential by law, it is important that any monitoring software expressly excludes use of library services (searches and content access via the library). Can we address this issue and ensure the program excludes these materials from searches in the future?”

Considerations:

Prior to raising such a concern, just like in “1,” above, it is wise to build a supportive team.

In this case, the school librarian can raise the issue, but it is very wise to have back-up.

Phase of Concern: 5. Library privacy violation reported and the internal complaint was not responded to meaningfully.

Template language to report concern:

File an external complaint to NYS Education Department’s Chief Privacy Officer.[10]

Considerations:

It is wise to work with allies when crafting this, and to have legal advice[11] if possible.

This should include a copy of the internal complaint, so the Chief Privacy Officer knows your district had an opportunity to address this issue itself.

The link to report to the NYSED Chief Privacy Officer is at:

https://www.nysed.gov/data-privacy-security/educational-agencies-report-data-privacysecurity-incident

This is an important—even vital—topic. While the goal of student device-monitoring software is laudable, improper deployment of such technology can be a disaster. Proper deployment should consider all privacy obligations owed to the students being monitored. While there is not one solution to such a consideration (because the technology will vary from product to product), such assurance is also vital.

Thank you for an important question. “Ask the Lawyer” will be alert for further developments on this emerging topic.


[1]^ For an overview, check out The New York Times’s Article “Spying on Student Devices…” here.

[2]^ And by “properly”, I mean that the HUMAN team at the other end is not simply an IT professional but an established team of safety and health providers qualified to assess threats and take appropriate action.

[3]^ See the NYT article cited in footnote 1.

[4]^ If there has been covert consideration, it’s time to be more obvious, people.

[5]^ See the American Library Association’s Code of Ethics, FERPA, and CPLR 4509, to name a few.

[6]^ Such assurance will vary widely, because policy is set at the school board level.

[7]^ As defined by FERPA and Education Law 2-c.

[8]^ As defined by CPLR 4509.

[9]^ I am very aware that often, the school librarian does not have the access to the school board, its attorney, or upper-level administration. Building a team of your school library system leaders, your 3R, and other support organizations can help.

[10]^ As of 1/23/25, there is no resolved complaint on file with the CPO as to how this type of concern will be addressed.

[11]^ Common places to reach out for this type of help are your union, your regional BOCES/school library system, or your regional library council/network.

Libraries, Fax Machines, and Data Security Obligations

Submission Date

Question

Outside of best practices for staff handling of sensitive documents, are public libraries otherwise bound by HIPAA, FERPA and SOX when sending faxes for patrons, in terms of the privacy protections provided (or not) by the type of fax technology?

Our library currently uses a traditional standalone fax machine (staff mediated) to send and receive public faxes across a dedicated copper phone line, so there’s a direct connection between receiver and sender, maintaining privacy during transmission. Faxing remains a popular service here largely for that reason -- patrons are often told by the fax destination that documents must be sent via fax and not scanned to email.

We’ve been told that copper phone lines will soon be eliminated, so we’re investigating fax-to-email services, which are cheaper than our current method and can use our public copier as the faxing device. However, the Forbes article linked below says faxing by email does not offer privacy protections: “Virtual fax introduces an intermediary into the fax process; there’s no direct connection between the sending and receiving parties. This can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).” The article cites an encrypted kind of fax by IP, “T.38 Fax Lines,” which we suspect would not be cost effective for us.

Are libraries bound by HIPAA et al in the type of faxing technology they can use?

Answer

This is a great question. Before we jump into it, let’s summarize the three types of faxing set out in the referenced article:

  1. “Walk-up Faxing” (on a copper line)
  2. “Virtual Fax” (it’s really email![1])
  3. “Real-Time T.38 Fax Lines” (still e-mail, but with a better connection)

The “T.38” as a “best practice” intrigued me, so I dug in to see if there was any case law featuring it.

There is! And it digs into the capability of the T.38: [2]

Defendant further attacks Richard’s credibility by claiming that his testimony reveals his failure to understand the intricacies of fax technology. These critiques are frivolous. For example, defendant claims Richard’s credibility is undermined by his allegedly inaccurate testimony that: (1) MessageVision used only the T.30 protocol; and (2) a device such as MessageVision’s that uses the T.38 protocol cannot use the T.30 protocol. Even if defendant is correct that Richard’s testimony reflects his limited comprehension of fax technology—a proposition that appears to be dubious at best—defendant’s argument is contradicted by the fact that his own expert admits that T.38 converts to T.30 when a fax is sent using APX 1000.

Well then.[3]

So, with “the intricacies of fax technology” now established as a legal niche, let’s take the questions about faxing and regulatory compliance acronym-by-acronym.

  • FERPA
  • HIPAA
  • SOX[4]

1. Libraries, Fax Lines, and FERPA

FERPA does not apply to public libraries, so we’ll discuss it in the context of school libraries.

Academic libraries at institutions that receive federal assistance have to follow the “Family Education Rights Privacy Act,” which (among many other things) restricts third-party access to education records.[5]

As an example: if I am a student at ABC College, I need to borrow something via an inter-library loan, and (for some odd, steampunky reason) the lending library will only receive loan requests by fax, FERPA could restrict third-party access to the request, if the request lists me (the student) by name as the borrower.[6]

In this case, the manner in which the fax is sent (copper, email, fancy T.38) does not matter. What matters is that either a) I consented for my FERPA-protected education record to be shared with a third party or b) inter-library lending is set up in a way that makes lending libraries (sorta) part of the institution under 34 CFR § 99.31.[7]

After that, the fax simply has to be sufficiently secure to get it from point A (the library) to point B (the other library) without disclosure to a third party.[8]

So that’s FERPA.

2. Libraries, Fax Lines, and HIPAA

HIPAA and other laws related to medical privacy are important and high-stakes; the fine for a HIPAA violation is $50,000.

Before we delve into this, aside from a hospital librarian or librarian serving a program providing health services, there is NO CIRCUMSTANCE under which a public, academic or public library should be engaging in a HIPAA-governed communication.[9]

What do I mean by “HIPAA-governed communication?” Here’s the type of information governed by HIPAA:[10]

Individually identifiable health information

The term “individually identifiable health information” means any information, including demographic information collected from an individual, that—

(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—

(i) identifies the individual; or

(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

If your library is not transmitting this type of information,[11] you can stop sweating about HIPAA, even if patrons are using your fax to send it, or (at an academic library) the health center on campus has to abide by it.

Now, if you are a library in a teaching hospital, etc., here is the deal: your institution needs to step up and provide you with 100% assurance that you have the right policies, technology, and practices to be compliant.[12] This includes assurance of a fax line that is secure, which can be any of the three solutions, so long as it is set up right and maintained properly.[13]

So that’s HIPAA.

3. Libraries, Fax Lines, and SOX

While the accountants who audit your library or larger institution may (rightly) hold themselves to the standard set by “Sarbanes-Oxley” (SOX), which was passed in 2002 to protect investors in publicly traded companies, SOX does not govern the data transmission practices of a public or academic library.

But the mention of SOX in the Forbes article referenced in the question intrigued me—it says, “Virtual fax... can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).”

So, I took a look to see if there has been a SOX case involving an insecure fax... and there is!

Here is what happened as told by Judge Denise Cote in Seybold v. Groenink:[14]

In October 2004, while the chairman of ABN’s Managing Board, defendant Rijkman Groenink, met with Federal Reserve Bank regulators in New York over the Eastern European transactions, he received a fax at the Ritz-Carlton Hotel concerning the results of an internal ABN investigation regarding Iran-Libya transactions. Groenink allegedly ordered his aides to destroy the report and to stop sending sensitive documents to the United States.

So, if you are at a library near a business school prepping students for stellar careers in international business... it may be helpful to show that we must all fax wisely.

Does this mean your library needs a T.38? No, but it does mean that asking questions and developing secure systems is important.

You may even want to do the research and see if you can fight to keep at least one copper line.[15] There is strength in having a diversity of technology.[16]

Thank you for an excellent question!

Update 7/23/2025: We received a followup question on this topic; read our answer here.


[1]^ For this question, I will assume that the academic library is using the institutionally assigned and controlled email, which is generally either an in-house service or a third-party provider with a contract that addresses privacy/security.

[2]^ This tech-takedown was issued by U.S. District Judge Robert Gettleman in Ira Holtzman, C.P.A., & Assocs. v. Turza in 2011. Citation: U.S. Dist. LEXIS 97666, 2011 WL 3876943.

[3]^ This paragraph is the judicial equivalent of what in videogames is called “pwnage.”

[4]^ FAX in FERPA, HIPAA in SOX... HIPAA with FERPA on FAX in SOX!

[5]^ Ask the Lawyer has tackled FERPA elsewhere, see: FERPA and NYS Privacy Laws and Patron Confidentiality in School Libraries for two examples.

[6]^ Why this would happen outside a hypothetical situation eludes me, but if you are at an academic library that includes patron names in ILL requests (aside from those enabled by an interconnected/automated ILS), please write adams@losapllc.com, because I am curious how that works.

[7]^ This section of FERPA is how institutions do things like use outside providers to help run residence halls, consult on student outcomes, and in general assist with institutional functions that require access to education records.

[8]^ This means the email used to send the virtual fax needs to be a secure, institutionally-controlled email on both ends, but one would hope that is not a heavy lift.

[9]^ A good resource to assess if you are at a HIPAA “covered entity” is at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.

[11]^ What your patrons are doing is their own business. Of course, if they have stolen the health information of a person and are now using your fax machine to engage in identity theft, that might be a violation of your Code of Conduct (and about three laws), but it is still not an illegal act by the library.

[12]^ Seriously... this cannot be self-diagnosed. The lawyer for your institution should sign off on it.

[13]^ And with that, we have hit the threshold of my techy savvy.

[14]^ 2007 U.S. Dist. LEXIS 16994, 2007 WL 737502.

[15]^ I did. And yes, my law office still faxes. Like the article said, it’s still very much a thing.

[16]^ Look, sir. Look, sir. It’s our fax, sir. Let’s do tricks with lines and wires, sir. Let’s do tricks with code and lines, sir.

Best practices for faxing sensitive documents

Submission Date

Question

In this RAQ’s section 2, “Libraries, Fax Lines, and HIPAA,” you say, “there is NO CIRCUMSTANCE under which a public, academic or public library should be engaging in a HIPAA-governed communication.” You also say, “If your library is not transmitting this type of information, you can stop sweating about HIPAA, even if patrons are using your fax to send it.”

Just so that we are crystal clear: this means that if patrons need to use a fax machine to correspond with a doctor’s office, it’s okay as long as they are the ones who physically use the fax machine? If they require help, can staff tell them how to use the machine as long as we don’t handle the physical documents?

Answer

Not quite.

What this means is that so long as the information is being transmitted as a library service, and not as library business, it is not subject to HIPAA.

This means that when helping a patron send a fax to their doctors, library workers can handle the documents and even push the buttons on the fax machine without violating HIPAA.[1]

That said, many libraries put guardrails around workers’ handling of sensitive documents (banking and health being two of the major categories), regardless of whether such handling is “legal.” This is to protect workers from accusations of identity theft and invasion of privacy, as well as from the distressing by-products of reading patrons’ confidential information.[2]

Fax machines are not the most intuitive of technology, so there is a strong chance some patrons may ask for help.[3] In addition, the small buttons and other operational aspects of a fax machine can be a challenge for people with certain disabilities.

To enable assistance but protect workers, if a library wants to be able to help patrons with physical actions related to handling sensitive documents (faxing, copying, scanning[4]) there should be a clear reason, and protocol.

There are all sorts of options for this, but here is an example to post near a fax machine:

If you need physical assistance faxing a document:

  1. Please let a library worker know.
  2. The library worker will give you a folder.
  3. Put your documents to be faxed in the folder.

NOTE: If your documents don’t fit in the folder, are stapled, or the pages are too creased to be faxed, the Library cannot assist. Please return when the document is in a condition to be faxed. To protect our workers, we cannot prepare your documents.

  4. Keep the fax number handy!
  5. Let us know when you are ready, and as time allows, a library worker will: load the pages, enter the fax number, stay with you as the pages are transmitted, and return the pages to the folder for you to take back.
  6. Library workers are instructed to not review what is on the pages, and please do not ask them to. This is for everyone’s protection.
  7. The library worker will hand you the fax transmission report.
  8. If the fax fails, and we have time, we’ll help figure things out!
  9. For your privacy, our fax machines do not retain a copy of what was sent after [#] hours.

This type of protocol can be modified as needed,[5] but the important things are: please don’t ask us to review your documents, and please don’t ask us to manipulate your documents.

But to be clear, the reason for a library to adopt these protections is to protect workers and to respect patron privacy, not to comply with HIPAA. And because of the labor involved, a library can simply say: due to privacy concerns, we cannot assist with faxing.

Thank you for seeking this clarification!


[1]^ If a health insurance company or a doctor used the library’s fax machine to send health information, THAT might violate HIPAA, but the violation would be by the health insurance rep or the doctor, not the library.

[2]^ See Ask the Lawyer RAQ Filling Out Forms for Patrons.

[3]^ Many lawyers also refuse to learn how to use them, simply so they can credibly ask a paralegal to do the work. Not that I would engage in that type of ignorant elitism. Nope.

[4]^ I am leaving out most digital activity, because that’s covered in CLRC’s “Digital Navigators” guide.

[5]^ For instance, you can helpfully point out that creased pages can be addressed by making a fresh copy. But if I get that far into the weeds, I’ll start talking about what type of folder to use, or what font this notice could be in, and I have no legal basis to do that.

Adult and Student Volunteers in School Libraries

Submission Date

Question

Should librarians who use student or parent volunteers have them sign a statement on protecting patron privacy? If so, what would the wording look like?

Maybe something like this?

“As a library volunteer, I agree to follow all the policies and practices of the school library including ensuring patron privacy. What patrons check out or research in the library is confidential. I will not tell others, students or adults, who has what materials checked out or comment on what is being checked out. I understand that lack of privacy and confidentiality has a chilling effect on users’ selection, access to, and use of library resources. All users have a right to freely use the library and have their privacy protected. I will let the librarian know if I think I have violated any policies.”

Answer

School libraries operate as part of a public school.[1] In New York’s public schools, volunteers who will work in curricular operations (classes, library, gym, etc.) need to be vetted per school district policy. These days that usually involves a background check, but it will vary from district to district.[2]

A student’s school library records (borrowing records, library computer searches) are confidential under several laws:

  • The Family Educational Rights and Privacy Act (FERPA)
  • New York State’s Civil Practice Law & Rules (CPLR) Section 4509
  • New York State Education Law Section 2-d

The issue has also recently become more complicated as students use school-provided technology which is not configured to abide by the confidentiality of library records.[3]

When volunteering at a school library, a parent volunteer ideally will not have access to students’ library records (just like they shouldn’t have access to grades). Instead, they should help re-shelve books, read aloud, or help minimize chaos when there is a large group in the library.

If the parent volunteer needs to help with check-outs, a statement like the one the member suggests is fine. To make things even more direct (but also upbeat), another version could be:

Thank you for volunteering at our library! As a reminder:

  • Student media selections are confidential by law;
  • Past borrowing is confidential by law;
  • Student questions when using the library are confidential;
  • If you suspect a safety risk, immediately alert the librarian or another school employee.

We appreciate your service and your respect for our students’ privacy rights!

For student volunteers, the same guidance applies; students should primarily assist with re-shelving, cleaning, and other tasks that don’t expose them to private information.

However, for students who are believed to be trustworthy, here is a notice:

Thank you for volunteering at our library!

As a student volunteer, it is important for you to know that the materials you and your classmates borrow are confidential. Please do not reveal what has been borrowed by other students; that would be against the law and against school rules, and it could require us to take disciplinary action. If you want to learn more about the privacy of student library records, please ask.

We appreciate your help in the library!

I do have to say, this overall issue throws my lawyer brain for a loop. School library records are actually confidential under more laws than other academic records, and I think it would be odd to have a student inputting grades—or helping other students see a teacher’s gradebook—on a volunteer basis.[4]

So, to make frequent use of either parent or student volunteers to check out books, a school library should also have a relevant policy, such as:

School Library Volunteer Policy

Adult Volunteers

To involve parents and community members in the operations of the school library, the library makes use of adult volunteers.

Adult volunteers are evaluated and confirmed as follows [insert school policy on volunteers].

Adult library volunteers must demonstrate the ability to understand that school library records are confidential and must be trained in the law and ethics that require confidentiality of school library records.

Adult library volunteers are distinguished by a badge worn during their service.

Student Volunteers

To familiarize students with the ethics, laws, and policies governing school library services, and to involve students in the operations of the library, the school library makes use of student library volunteers.

Student library volunteers must demonstrate the ability to understand that school library records are confidential and must be trained in the law and ethics that require confidentiality of school library records.

Student library volunteers are designated by a badge worn during their service.

Whenever possible, such a policy should be reviewed by a school district’s lawyer.[5]

Thank you for an important question!


[1]^ I know for many readers, the response to this sentence could prompt a sarcastic, “Oh, really? I had no idea!” but we like to keep this resource useful for a broad audience.

[3]^ For example, monitoring software looking for signs of inappropriate content or risk of self-harm can be tripped by checking out e-content that has certain trigger words. This should be avoided by careful firewalling of library content from such software’s monitoring (software that doesn’t allow this level of refinement should be avoided). For more, see Privacy concerns related to software monitoring of public school library records.

[4]^ Or am I wrong? Please let me know if this is a “thing” at your public school: info@losapllc.com.

[5]^ Experience has taught me that this is not always possible.

Dealing With Demands to Preserve Evidence

Submission Date

Question

Recently a law firm from Albany sent us a memo claiming to represent the plaintiff in a civil suit and informing us of their intent to have a subpoena issued for access to our security footage on a particular day. The memo asked us to preserve the footage in question in expectation of the subpoena. They did not specify an area of the library or a time for the footage.

I would like to know what limitations and obligations we have in this civil matter with regard to patron privacy.

Answer

Before we dive into this, a word of caution: “law firms” are not always what they seem.

Because I am writing this in 2025, you might assume I am starting with the caution because “deep fakes” are out there pretending to be lawyers, politicians, and your grandchildren stranded on the road in Arkansas.[1]

But actually, this has been a problem for a long time, even before someone could use PageMaker[2] to cobble up a fake law firm letterhead.

So, before a library (or any cultural institution) leaps into response mode on a “lawyer letter,” it is wise to do what the member is doing: exercise a little healthy skepticism.

In this case, it is good to verify that the firm and lawyer are real, and that the firm you’ve verified actually sent this.

Now, if there is any chance that the legal matter in question could involve a claim against your institution, it is wise for your lawyer to do this. I am not saying that to drum up work for my siblings at the bar,[3] but because the initial outreach to the requesting firm could result in providing information they are not entitled to, and it could put your institution at risk. Using your attorney to make the contact will reduce this risk.

The attorney can, at the same time, assess if the demand has teeth (as in, can the requirement to preserve the footage be enforced?), and advise on next steps. As part of that exercise, the attorney will evaluate this from the perspective requested by the member: patron privacy.

The first part of that evaluation is standing under the transparent elephant in the room: FOIL.[4] If a record is available under FOIL, a person doesn’t have to get a subpoena to demand a copy; they can just request the record, and the library has 5 business days to get them an initial response to the request.

Of course, FOIL is not a magic wand that brings immediate access to all records; there are all sorts of exceptions to what must be disclosed under it, and those exceptions include library user records.

This brings us to the next consideration: what your library has defined as “library user records.” While the law in New York governing the confidentiality of library user records[5] does not mention security footage, it allows libraries to include such records in their own definition. If a library’s “Confidentiality of Library User Records Policy”[6] lists security footage—or security footage in certain areas—as a “user record,” the content cannot be disclosed without a written release from the relevant patron(s), a court order, or a subpoena.

The next thing to consider is your library’s practice of retaining security footage. In New York, security footage can be FOILed, but there is no obligation for an agency to retain such footage unless there is a “potential legal use.” This “0 after no longer needed” retention period is set by the LGS-1, which is the master list of record retention terms for government agencies in New York.

Here is the LGS-1’s listing for security footage:

846 CO2 912, MU1 781, ED1 352, MI1 787. Video or audio recordings maintained for security purposes.

  a. Recording containing incidents warranting retention for administrative or other potential legal uses: RETENTION: 3 years, but not until any minor has attained age 21.
  b. Recording not containing incidents warranting retention for administrative or potential legal uses: RETENTION: 0 after no longer needed.

When developing a security footage/library user record policy, it is important to keep this non-existent retention period for boring footage in mind.[7]

Why is that important? If a request has been received for footage that is already deleted (because your library did not identify a need to retain it), the library has no ability to fulfill the request and has no culpability for not having the footage.

If the library retains the footage for a set time (for instance, 30 days) and then routinely deletes it, but a legitimate demand to retain the footage is received prior to the footage being deleted, the footage must be retained as having a “potential legal use.”

For this reason, it is important for public libraries with security systems to set a retention period for security camera footage and to ensure they are deleting the recordings exactly as required by the policy. This is because if a public library gets a request for the footage, and the library has the footage, it must be preserved, even if it is past its retention period… and even if it is regarded as a library user record.

Note that I say it must be “preserved,” not that it must be “disclosed.” Disclosure is only required after a library user grants their written permission or the library receives a subpoena or court order. Assessing when the library is compelled to provide the record is another job for the library’s attorney.[8]
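The retention logic described above, sketched as a purge planner. This is an added example, not part of the original answer or any library's system: the `Recording` and `PreservationDemand` types, the camera names, the demand labels, and the sample dates are constructed, the 30-day period is the answer's own "for instance" figure, and sending footage that involves a minor to manual review is an assumption made here. The planner only decides what may be deleted; it never releases footage.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import FrozenSet, List, Optional, Sequence

# Assumed policy values: 30 days is the answer's illustrative routine period;
# 3 years is LGS-1 item 846(a) for recordings that contain an incident.
ROUTINE_RETENTION = timedelta(days=30)
INCIDENT_RETENTION = timedelta(days=3 * 365)


@dataclass(frozen=True)
class Recording:
    camera: str
    start: datetime
    incident: bool = False        # staff flagged a potential legal use
    involves_minor: bool = False  # the "age 21" clause of item 846(a) applies


@dataclass(frozen=True)
class PreservationDemand:
    reference: str                            # the library's own tracking label
    dates: FrozenSet[date]
    cameras: Optional[FrozenSet[str]] = None  # None: the demand named no area

    def covers(self, rec: Recording) -> bool:
        if rec.start.date() not in self.dates:
            return False
        # A demand that names no area holds every camera for the listed dates
        # until the request is narrowed or disregarded.
        return self.cameras is None or rec.camera in self.cameras


def decide(rec: Recording, demands: Sequence[PreservationDemand], now: datetime) -> str:
    """Return 'purge' or a 'keep:'/'hold:' reason for one recording."""
    # A pending demand wins over everything, including footage that is
    # already past its retention period but has not been deleted yet.
    for demand in demands:
        if demand.covers(rec):
            return f"hold:{demand.reference}"
    age = now - rec.start
    if rec.incident:
        if rec.involves_minor:
            # Assumption: the age-21 test needs a person to apply it,
            # so this footage is never deleted automatically.
            return "keep:minor-review"
        return "keep:incident" if age < INCIDENT_RETENTION else "purge"
    return "keep:routine" if age < ROUTINE_RETENTION else "purge"


def plan_purge(recordings: Sequence[Recording],
               demands: Sequence[PreservationDemand],
               now: datetime) -> List[Recording]:
    """Recordings the scheduled deletion job may remove right now."""
    return [r for r in recordings if decide(r, demands, now) == "purge"]


# Constructed sample data (not real footage or real demands).
SAMPLE_NOW = datetime(2025, 6, 30, 12, 0)
SAMPLE_DEMANDS = [
    PreservationDemand("DEMAND-A", frozenset({date(2025, 5, 20)})),
    PreservationDemand("DEMAND-B", frozenset({date(2025, 5, 1)}),
                       frozenset({"entrance"})),
]
SAMPLE_RECORDINGS = [
    Recording("lobby", datetime(2025, 6, 25, 10, 0)),
    Recording("lobby", datetime(2025, 5, 1, 10, 0)),
    Recording("entrance", datetime(2025, 5, 1, 10, 0)),
    Recording("stacks", datetime(2025, 5, 20, 9, 0)),
    Recording("lobby", datetime(2025, 5, 20, 15, 0)),
    Recording("entrance", datetime(2024, 1, 10, 14, 0), incident=True),
    Recording("entrance", datetime(2021, 1, 10, 14, 0), incident=True),
    Recording("entrance", datetime(2021, 1, 10, 16, 0), incident=True,
              involves_minor=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDINGS:
        print(rec.camera, rec.start.isoformat(),
              decide(rec, SAMPLE_DEMANDS, SAMPLE_NOW))
```

Running the deletion job from a planner like this, and logging each decision, also gives the library a record that footage was deleted exactly as its policy requires.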

Returning to the member’s question (“I would like to know what limitations and obligations we have in this civil matter with regard to patron privacy”), the answer is: the library cannot go wrong by assuming that the record cannot be disclosed without a subpoena or court order and not releasing it until the library’s attorney has assessed the matter and provided written advice.

Here are just a few of the variables that make caution and taking your time wise: 

  • The “litigation hold” demand might not be legitimate;[9]
  • The case could be settled in between the time the library gets the request and is ready to fill it;[10]
  • The person the footage pertains to could attempt to “quash” the subpoena;
  • A party could try to appeal the court order directing that the record be provided;
  • If the footage is needed by the library user it pertains to, that person could sign a release, but there is no obligation on the part of the library to provide the record;
  • The library may need to address footage that shows one or more other person(s) in the same frame as the person(s) to whom a subpoena pertains.

When a library director (or another lucky employee) receives a request like this, the best response is to draw a deep breath, call your board leadership and/or library system to develop a response plan,[11] or reach out to the library’s attorney.[12] If the footage that was requested still exists but is scheduled for deletion, it should be preserved immediately.[13] Other than that, nothing should happen quickly.

The good thing to remember is that no matter what, libraries in New York[14] are well-positioned to go to the mat for library user privacy—a notion that in 2025 may seem quaint but grows more important with every passing day.

Thank you for a great question. 

 


[1]^ They need money to give the tow truck guy, and he only takes Venmo! Send $1,000.00 or they have to spend the night on the road! This is the stuff that is happening now. Aaargh, sometimes I just want to go full Luddite.

[2]^ Or, as we used to call it back in the day, “RageMaker,” as it defied instructions to properly kern the alignment of a college newspaper heading. Take that, outdated 90’s software! No wonder you are being replaced with AI.

[3]^ No lawyer is paying the bills by simply verifying that a letter from a law firm is legit.

[4]^ FOIL stands for the “Freedom of Information Law,” of course. FOIL is what obligates government agencies in New York to share most records with the public.

[6]^ Or whatever you call the policy governing user confidentiality. I like “Assurance of Patron Privacy and Non-disclosure of Library Records,” but I know that sounds stuffy.

[7]^ “Boring” as in it does not have content the library knows is relevant to a potential legal issue, like an injury, harassment claim, property damage, etc.

[8]^ For library leaders concerned about the bill, this shouldn’t take too much time. Unless there are complications, it should be about an hour or so, and the library should get the answer in writing.

[9]^ Letters like the one described by the member are often, but not always, called “litigation hold” or “duty to preserve” letters.

[10]^ I had this happen once. All that caution, and then the case was dropped. It was good that things ended before library records had to be disclosed, but also kind of anti-climactic.

[11]^ DO NOT EMAIL in substance just yet, as you could be adding to the written trove of evidence an attorney is seeking.

[12]^ You can write to your attorney under assurance of attorney-client privilege, so writing to them is A-okay.

[13]^ If the request is insufficient to identify which footage or area of the library is needed, save everything from the date(s) listed until the request can be narrowed or disregarded.

[14]^ That includes public libraries, association libraries, school libraries, and libraries at colleges and universities.

Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?

Submission Date

Question

Hello,

We have had a huge increase in AI bots on our member library websites. My concern is that internal policies linked on member websites will be “learned” by AI and linked (cited) back to that member library. I’m concerned that members might have their Emergency Action Plan in their Personnel Policy Manual, and that financial controls could be used by ransomware hackers. We go by the following list to define internal and external policies: https://nyslibrary.libguides.com/Handbook-Library-Trustees/policy-checklist

Would it be a “good practice” to not post internal policies online? If there are a few internal policies that you feel should be posted online, would it be best to say online that you have the policy, but please contact the director (or library) for the file/print copy? That way, AI won’t be trained on the policy.

Thank you!

Answer

The concerns raised by the member are valid: absolutely, Artificial Intelligence (AI) OR real people can use published documents, including policies, to exploit a target.

What’s interesting is that this issue actually pre-dates AI; it emerged early in the Internet era, when (often nefarious) people would use information published on websites—along with other techniques—to exploit targets.

Here is a fictional example:

A business’s website includes its protocol for visitors, photos of the interior of its office, and its fiscal policy. A would-be thief we’ll call “Cooper” reviews the protocol, assesses the office interior, and uses the information to gain access to a manager’s office, where Cooper acquires the serial number of a computer. Cooper then calls that office, pretending to be IT (the serial number aids this impersonation), and gets a username and password for the business’s online banking system, which Cooper uses to access accounts described in the fiscal policy.

Poof! Money gone.

To guard against this, many businesses take a careful risk management approach to what they publish (and hopefully admonish people who put their passwords on Post-its).

However, anyone who reads the news knows that financial fraud based on social engineering and computer intrusion is only going up, and artificial intelligence is helping with those attacks.

So, is it time to stop publishing public library policies and other documents?

No.

Published policies—even fiscal controls that set out the process for validating checks and the maximum amount of cash to keep in a safe—are not a skeleton key for hackers (AI or otherwise).

Of course, public institutions have always had to be careful about what information they make available. Staging areas and other resources for responding to terrorism and active shooters must be restricted to avoid exploitation by would-be attackers. Bank account numbers and other account-specific information should not be published. Computer passwords, the location of servers, and other sensitive information should be restricted. These considerations should be made in the drafting phase, not when the policy is ready for publication.

That said, because many of their records are FOILable,[1] public libraries should not rely on restricting access to them for security.

Rather, all public library workers and trustees with any part to play in data, financial, and physical security should be trained in the following:[2]

  • Never to provide their password to anyone;
  • Follow fiscal controls at all times;
  • Follow all IT security rules at all times;
  • Notify the IT provider in the event of a suspected data breach, virus, or attack;
  • Never allow unauthorized people into restricted areas;
  • Report lost keys immediately;
  • Secure password lists;
  • Never access sensitive information on personally owned devices (like the bank account’s username and password on a director’s cell phone);
  • Immediately report and document all outside requests for system and/or fiscal information (passwords, location of servers, banking information);
  • Remember that big hacks/ransomware attacks usually start with human failure (giving a password, leaving things logged in, loss of device).

So, are the member’s concerns valid? YES. Exploitive people can use AI to find, copy, and use your library’s policies in an attempt to gain access to critical systems.

BUT, if the policies are not published, such people can look up public grant information, building records, or meeting minutes to make themselves sound legitimate for a different social engineering scheme. And if your policies are not available to your community, your library runs the risk of being accused of a lack of transparency.

Instead of restricting access to policies, libraries should develop policies that help prevent the library’s financial exploitation.

For example, a public library’s financial policies should prescribe appropriate internal controls and appropriate use of technology to verify transactions prior to them being irrevocable. For this, the newly released (2025) local government guidance from the New York State Comptroller is excellent.[3] This is mandatory reading for all public library treasurers, controllers, CFOs, accountants, bookkeepers, and directors.

In the same vein, IT policy should include either adequate internal resources to routinely update security and train employees, or a contract with a provider that provides the same assurance (for many public libraries, this is the role of the library system, and it is an increasingly complex and costly role).

While care in drafting policy is important, the essential elements of avoiding ransomware and other attacks are routine updates to security measures and routine training of people to NOT BE FOOLED.

With the right training and adequate security, AI-powered or good ol’-fashioned hackers will have a tough time getting through, even if they try to use your own policy against you.[4] Train your people, and you don’t have to worry (too much) about training AI.

Now, if we want to talk about putting things behind a log-in to avoid misappropriation of content for the general good of society, that’s another story…

… for another “Ask the Lawyer.”[5]

Thanks for a great question!


[1] And yes, hackers know how to use the Freedom of Information Law.

[2] This is not an exhaustive or professionally phrased list, but it’s the gist of things.

[3] Cash Management Technology, Office of the State Comptroller (https://www.osc.ny.gov/files/local-government/publications/pdf/cash-management-technology.pdf).

[4] Nothing is foolproof, however, so the board should also annually verify that there is adequate insurance for loss due to ransomware and other cyber-attacks or failures.

[5] It is possible we are long past the end of the “open internet,” and more things need to be restricted, both for legal and operational reasons. Hopefully we’ll get a question about that soon, because I have a lot to say.

Hardening the Target In the Face of AI Bots

Submission Date

Question

[This question came to us in response to the RAQ Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?, where a footnote said “It is possible we are long past the end of the “open internet,” and more things need to be restricted, both for legal and operational reasons. Hopefully we’ll get a question about that soon, because I have a lot to say.”]

Can we talk about putting things behind a log-in to avoid misappropriation of content? I have pretty much taken this question from the 10/14/25 Ask The Lawyer’s “Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?” response. It strikes me as an important topic as I recently read the Library Journal September 2025 article “AI Bots Cause Slowdowns, Crashes” (on pages 12-13).

Answer

Yes, we can talk about putting things behind a log-in to avoid misappropriation of content! Thank you for asking.

At the same time, we can (and must) talk about putting things behind a log-in to avoid problems with security, privacy, intellectual property, and data integrity.

Of course, by “things,” we mean “websites,” which are now a significant part of the services provided by libraries, museums, and archives.

Because websites perform a huge array of functions, for purposes of this question, we are going to talk about library, museum, and archival websites that perform the following functions:

  • Business information presentation (“About us,” “Our team,” “Policies,” etc.);
  • Data repositories (archives and online collections);
  • Searching the website and/or repository; and
  • Integrated library systems services.[1]

Common website functions this question is NOT going to specifically cover are:

  • Financial transactions (like donating to a museum over a website);
  • Collaborative research (like crowd-sourcing a survey);
  • Interactivity (for example, a social media site).

We’ll tackle those another day.[2]

Why am I narrowing the scope this way?

After 30 years of development,[3] libraries, museums, and archives use their websites as alternatives for their physical locations. The value of this—if it was ever in question—was shown during the COVID-19 Pandemic.

Because of this, such websites must be:

  • Mission-focused;
  • Consistent and reliable;
  • Compliant; and
  • Trusted.

Current trends in Internet activity show that the risks that were always present when operating and relying on a website are only getting starker. In addition to the operability risks flagged in the Library Journal article cited by the member, the risks posed to security, privacy and data integrity are significant, too.

Here is a short, fictional story that illustrates some of those risks, in combination with a few other factors:

***START OF SCENARIO***

The Scribe Museum is a beloved institution in Tinytown, New York. Tinytown is the birthplace of Daniel D. Scribe, who kept the minutes at the first meeting of an important civil rights organization.

The Scribe Museum is a solid limestone building that has the physical collection of the complete works of Daniel D. Scribe, and recently, it digitized its entire collection. The digital collection is hosted by another group, which subcontracts services to a cloud provider.

To preserve the physical collection while the building’s heating, cooling, and ventilation system is replaced, the Scribe Museum rents a temporary location and moves the archival material per established best practices.

The Scribe Museum’s website is www.scribemuseum.net, hosted by GoMommy.com. The digital collection is open to all. The website says “While our archives are safely off-site and our building is being given some TLC, peruse our digital collection! Civil rights are always open.” The Scribe Museum’s leadership is savvy and does not make the location of the relocated physical archives broadly known.

A person with a lot of free time decides that the Scribe Museum’s civil rights mission is too “woke.” They spend a few weeks patiently downloading the full archive in small tranches and then launch a bot attack to deny service by the website. They then modify the scanned documents to change them in small but nasty ways, create an alternate website at www.scribemuseum.not, and post them to various social media sites to disseminate.

The villain also hacks the Scribe Museum’s server and holds the content for ransom, gets access to and posts all their emails, and uses social engineering to find the physical location of the archive for some old-fashioned property destruction. They also deliver some pizza to every board member as a “message.”

***END OF SCENARIO***

Ugh. Just writing that out was... not fun.

So how can a library, museum, or archive use a log-in system to help avoid this scenario?

We have to face it head-on: there is no one way to avoid this type of scenario, including use of a log-in. Rather, libraries, museums and archives must use a combination of log-in, enhanced security, back-ups, intellectual property protections, and (most critically) train human beings to be safer, or as I call it, “harden the target.”

How does a library, museum or archive harden the target of its website?[4]

Several things:

First, a library, museum, or archive must consider the security and architecture of its website. Is it ready to withstand an attack? Is it set up to be resilient? What level of functionality must it have assurance of?

To answer these questions, the institution must consider—and deeply reconsider—the purpose of its website. Is the website just a directory service (“Get here,” “Accommodations,” “Admission,” etc.), or is the content a core service? Does all the content currently on it have to be there? If so, does the benefit of immediate access outweigh the risks?

After asking these questions, the institution must consider the information it puts on its “open-to-all” part of the website, what it might want to put behind a log-in screen, and what should only be accessible after some human contact. For each level of access, the risk of it being compromised should be worth the benefit of having disclosed it.

As the article cited by the member points out, this change is viewed as an existential threat by many cultural institutions. But while it is certainly a big change, it is also a chance to reinvest in human connectivity in addition to evolving technology.

Here are examples of how this opportunity can benefit an institution:

Example 1: After assessing its mission and website, a museum posts only its essential “about us” information on its unrestricted webpages. Wanting the website to stay engaged and dynamic, it also regularly showcases 20 examples of its prime collection, unrestricted and with metadata, on its website and social media. It then allows standing access to search its full digitized collection with a free log-in. To obtain a log-in, a user provides information to authenticate them as a valid user and agrees to the “Terms of Use.” When logged in during open hours, the user also has the ability to live-chat with a real human at the museum, a position that was specifically designed and built into the budget while the website presence was updated.

Example 2: After assessing its mission and website, a library posts all its “about us” information on its unrestricted web pages. Library users with cooperative library system cards can log in to perform all functions on the integrated library system (catalog search, reserves, seeing what books they have checked out). The library also has a separate log-in for those who are interested in its Rare Books Room; that log-in page is accessible after a general page describing the special collection in broad terms. Users without a library card can also call the library to make an appointment to view the rare books.

Example 3: After assessing its mission and website, an author’s archive posts its mission, location, fundraising, and contact information on its unrestricted web pages. The archive is by appointment only, onsite or via videoconference. Except for a few teaser documents to showcase the scope of the archive, the digitized version of the archive is similarly accessible on-site only. The archive invests in people being on-site and using technology to connect with those who want to work with the content. Since the content is still protected by copyright, the archive also registers and takes steps to put the proper notation on digitized content.

Example 4: After assessing its mission and website, a public university with a digital repository of over 200,000 documents related to health and wellness decides that the mission of the repository is only served if the repository can be searched and accessed without a barrier (such as a log-in). The university works with its IT staff and contract provider to design and invest in a database structure that can withstand periodic high “demand” caused by bots or targeted attacks and has a back-up in the event the primary site is interrupted. The university also develops an AI tool to assess when times of high demand require added resources.[5] The university develops and registers a trademark for the repository and uses it in key areas of the service. Workers are also trained and scheduled to be available on-demand for people who need help with the database. Although the extra design and security add costs, it is decided that the added reliability merits the expense.

In each of these scenarios, the institution is using its mission to determine what needs to be freely online without the barrier of a log-in and what should be further restricted. Just as critically, the institution is considering how human talent fits in and how the institution keeps the resource secure and resilient.

Here at the end of 2025, it is really, truly time to take a long, hard look at what is freely available on websites.

Just like the Internet changed the world in the 90’s, AI and its ability to warp the Internet is changing the world in the 2020’s. Wise institutions will use this as an opportunity to review their mission, assess their needs, and “harden the target” by structuring their online presence and policies to meet the needs of the present. The good news is that a key part of that is investing in people.

Thank you for a great question!


[1]^ Such as borrowing and reserving books, inter-library loans, and catalog searches.

[2]^ Or not! It depends on if the need arises.

[3]^ Or perhaps more. Many libraries were early adopters of the Internet.

[4]^ Hardening the target is not just about the online presence. It also involves having an updated Workplace Violence Prevention Policy, having an emergency response plan, being ready to work with authorities in the event of a threat, having adequate insurance, registering trademarks and copyrights, identifying and protecting trade secrets, and continuous training of and support for frontline staff. But this answer pertains to websites.

[5]^ Do not avoid the use of trustworthy AI. Just take the steps to verify that it is trustworthy and re-evaluate that finding regularly. For more on that, see The Ultimate AI Policy for Your (Public, Academic, Museum, etc.) Library on the Ask the Lawyer Webinar Recordings Page.

The Legalities of Patron Data on a Shared ILS

Submission Date

Question

According to the RAQ: Using Emails from ILS Patron Database: “Although a member library contributes information to an ILS, unless system bylaws or policies say otherwise, that information belongs to the system, who is just as ethically and legally bound to protect the information as a member library.”

However, there was a question during a session at NYLA regarding system ownership of library records that seemed to contradict this.

If the system owns the ILS and therefore the library records, wouldn’t that mean that policies pertaining to accessing/creating/modifying/deleting records for the ILS should be governed by system policies that are also approved by each member library board?

I’m specifically thinking of such policies as Confidentiality of Library Records / Inquiries from Law Enforcement - where if the system owns the records then wouldn’t both these policies just be a system one? Also with having consistency for Library Card Applications. A patron can go to one of our libraries and have to show many forms of identification - but the same patron could see us at an outreach event and not even have to show their ID to get a card.

Answer

This submission has it all—attention to detail, a blend of law and policy, and a reference to a past ATL.[1]

It also shows what’s at stake for libraries when we ask these two questions: who “owns” all that data on an ILS? Who sets the terms of cardholder access?

As the member’s questions point out, uncertainty about these issues can cause complications.

Before we jump into the details, there is a critical take-away: while there is no one right answer to these questions, every library and every system should know their particular answers.

To make this answer as helpful as possible, we’ll spend a little time on why there is no single right answer to this issue. After we review the “why,” we’ll review the spectrum of approaches. And after all that, I’ll provide a diagnostic form so your library or system can assess where it stands.

The “Why”

Why is there “no one right answer” to who owns ILS data and who sets the terms of cardholder access? Because the law and its regulations give library systems and members infinite flexibility on those topics.

That flexibility means there is no prescribed model of ILS.[2] Instead, the law[3] simply conditions certain state aid on a system having “an automation program to support bibliographic control and interlibrary sharing of information resources of member libraries, and to coordinate and integrate the automated system or systems of such member libraries consistent with regulations of the commissioner.”

Those “regulations of the commissioner” state: “The plan of each public library system shall provide for coordination of the reference and interlibrary loan programs and functions of the public library system with the approved plan of the reference and research library system of which it is a member.”[4]

That’s it. There are no laws or regulations saying how that must be done.

Because of that, the “rules” of an ILS and its impact on cardholder access come from charters,[5] bylaws, contracts, and policy—all of which are set by a system’s board of trustees and then accepted by the member libraries.

This approach has led to there being a spectrum of ILS policies in New York State.[6]

Let’s explore this spectrum.

The ILS Spectrum

Library systems are formed to offer “improved and expanded”[7] library service.

To qualify for certain state aid under Education Law Section 273(d), systems must implement an “automation program to support bibliographic control and interlibrary sharing of information resources of member libraries, and to coordinate and integrate the automated system or systems of such member libraries consistent with regulations of the commissioner…”

How a system meets those requirements is up to the system. To illustrate how differently systems can do that, here is a range of solutions:[8]

One system puts major rules for ILS right in its bylaws, including that all ILS contracts and policy must be approved by the board. This is an “ILS by Bylaws and Board” model.[9]

Another system has bare-bones bylaws, but ILS policy, pricing, and contracts can only be approved by the board of trustees. This is an “ILS by Board Only” model.

Another system wants more “on the ground” input, and it wants that input to have power. It creates a council to assess ILS policy, pricing, and contracts, and those things can only be changed by the board of trustees after approval by the council. This is a “Two-Step Approval ILS Policy” model.

Another system finds bylaws and policy revision cumbersome and puts all the terms for the ILS in an “ILS Participation Contract” that must be approved by the system board and then by the board of each participating library. This is an “ILS by Contract” model.[10]

Another system wants to have ongoing stability, so it puts part of the ILS process in the bylaws, some in board-approved policy, and then outsources more mutable aspects (like pricing and desired tech functions) to a committee (or committees). The system believes in the power of shared governance, so it asks another group (usually of directors) to assess ALL changes to policy before approval by the board. And finally, it uses an annual contract process to confirm pricing and updated security measures. This is an “ILS By Everything” model.

See what I mean about diversity?[11] And these five models only illustrate a broad range of approaches; within this range, any number of permutations exist.[12]

Where your Library/System Stands

All this diversity and flexibility means it can be tough to sort out answers to the questions raised by the member:

  • Who “owns” all that data on an ILS?
  • Who sets the terms of cardholder access?

To answer them—because as was said at the beginning, no matter what the answer is, it must be clear—it is helpful to review certain documents while asking certain questions.

Here they are:[13]

Question | Why it’s important

Does your library have a policy governing the terms of getting a library card?

NOTE: Libraries can have a policy of issuing cards only to “resident” borrowers, even though they must honor the cards of nonresident borrowers issued by other member libraries and the library system.

If so, attach the policy.

If your library doesn’t have a policy, the only terms will be those on the application form and those in the policy of the system.

Does your library have an application form governing the terms of getting a library card?

NOTE: Libraries can have a policy of issuing cards only to “resident” borrowers, even though they must honor the cards of nonresident borrowers issued by other member libraries and the library system.

If so, attach the form.

If your library doesn’t have a form, you might not be informing the patron of your library’s conditions for getting a card.

Does your system have a policy governing the terms of getting a library card?

If so, attach the system’s policy.

The system’s policy should be a “floor” that sets the base terms. Your library can add additional terms, so long as they don’t restrict the direct access of non-resident borrowers.

Does your system have an application form governing the terms of getting a library card?

NOTE: Unless a charter, bylaws, or policy says otherwise, systems can issue cards without the person being served by a member library.

If so, attach the form.

The system’s policy should be a “floor” that sets the base terms. Your library can add additional terms, so long as they don’t restrict the direct access of non-resident borrowers.

Attach the system’s charter and bylaws.

They most likely don’t address the issue of ILS, but never say never in Libraryland!

If the system has an ILS Policy, attach the system’s ILS policy.

NOTE: Some systems have multiple policies that address different aspects of ILS (operations, privacy, security, costs, routine assessment, etc.). Attach them all.

Is there a contract (or other written agreement) between the system and the Library governing ILS services provided by the system?

If yes, attach the contract.

NOTE: While a contract approved or acknowledged by the board of a member library is the most formal method, some systems may use an “MOU” or other less formal instrument.

Looking at the documents you’ve assembled, answer this question:

Whose privacy policy governs a cardholder’s data?

The answer must be:

1. Both the library’s and the system’s

2. Only the library’s

3. Only the system’s

If the answer is “both,” that’s okay! Privacy can stack. Just make sure that the library and system are actually doing what has been assured by the policies and that they don’t contradict each other.

Looking at the policies and forms, answer this question:

Whose data security policy governs the cardholder’s data?

The answer must be:

1. Both the library’s and the system’s

2. Only the library’s

3. Only the system’s

If the answer is “both,” that’s okay! Security can stack. Just make sure that the library and system are actually doing what has been assured by the policies and that they don’t contradict each other.

Looking at the policies and forms, answer this question:

Whose policies did the cardholder agree to follow to get a card?

The answer must be:

1. Both the library’s and the system’s

2. Only the library’s

3. Only the system’s

4. Every participating library’s

If the answer is “both” or “every participating library’s,” that’s okay, unless the terms don’t harmonize.

For instance, if a library’s policy says that cardholder privileges will be suspended due to a Code of Conduct violation, is there clarity about how that suspension will impact system access or access at member libraries?[14]

Looking at the bylaws, policies, and contracts, answer this question:

Who sends the patron a notice if there is a data breach at the library involving their patron data?

The answer should be “the library,” although the system (which may have more technical capacity) can agree to help (up to and including doing it).

Looking at the bylaws, policies, and contracts, answer this question:

Who sends the patron a notice if there is a data breach at the system involving their patron data?

The answer should be “the system,” and there should be a clear process for the Library to get notified about the impact on its patrons.

Looking at the bylaws, policies, and contracts, answer this question:

Who must preserve evidence on the ILS if there is a directive to do so?

The answer must be:

1. Both the library and the system

2. Only the library

3. Only the system

Looking at the bylaws, policies, and contracts, answer this question:

Who must disclose patron data on the ILS if there is a proper subpoena, warrant, or court order?

The answer must be:

1. Both the library and the system

2. Only the library

3. Only the system

Looking at the bylaws, policies, and contracts, answer this question:

Whose insurance covers loss of a library’s data on the ILS due to natural disaster, negligence, or criminal activity?

The answer must be:

1. Only the library’s

2. Only the system’s

What record retention policy governs the retention of the patron’s records on the ILS?

Follow-up question: How are the records disposed of when the retention period is over?

The answer must be:

1. Only the library’s

2. Only the system’s

Public libraries are obligated to retain certain records for prescribed periods (See the LGS-1).

Are there any technical functions of the current ILS system that complicate the above factors or make them impossible to sort out?

The answer will be:

1. No

2. Yes

If “no,” that is great news, because such complications are a true pain.

If “yes,” the complications should be continuously documented and then addressed when the ILS contract is next assessed for renewal or termination.

And that’s it!

Who “owns” all that data on an ILS? It depends, but the rights and obligations of ownership should be clear between a system and its members.

Who sets the terms of cardholder access? It depends, but the rights and obligations of cardholders, member libraries, and the system should be clearly set in guidance, forms, contracts, and policies.

Thank you for submitting such a great question.


[1]^ If I was “Stefon” from SNL, I’d add “library cart axle grease, book club groupies, and book signings in a hot tub,” but I am not.

[2]^ Flexibility means diversity! This is a strength, unless the lack of prescription leads to uncertainty.

[3]^ Education Law Section 273

[4]^ 8 NYCRR 90.3(k)

[5]^ Charters don’t typically speak to ILS terms, but they are so fundamental, it feels wrong to omit them from this list. Like a grumpy fairy, if they are left out, it could result in mischief.

[6]^ And when I say “spectrum”...we are talking triple rainbow.

[7]^ Education Law 255 (2).

[8]^ None of the models in this answer are from particular systems I am familiar with. So, if you are at a system and feel seen, that’s great, but I am painting with a broad brush here!

[9]^ I don’t know of any system that does this, but it is feasible.

[10]^ Such models can be annual or for longer terms. Generally, at least one fiscal year’s worth of notice is needed to leave.

[11]^ Further complicating things is that ILS is often lumped in with web services, e-mail, delivery, and other services systems offer to help libraries maximize services.

[12]^ A mathematician, a lawyer, and a Library IT manager all walk into a bar…

[13]^ It is none of my business how a library or system does this, but I advise using a buddy system. While the friendly table above makes this look simple, much of this requires a “search” function, a highlighter, and a calming herbal tea.

[14]^ This is especially important to coordinate when it comes to public safety. A system should have a policy to ensure that if a person loses privileges at one library, there is clarity about how that impacts access to other member libraries. Simply posting an unofficial warning via an ILS puts you at risk of a civil rights violation claim by the barred patron. This is also a priority to ensure worker safety.

Patron privacy regarding recording devices and minors

Submission Date

Question

Is the library at risk if a teen patron volunteers to share contents of a cell phone?

An adult patron recently called the library and said that her 11-year-old daughter reported being filmed outside the library (parking lot or backyard). The child reported that two teen patrons had been using cell phones to film her. No staff witnessed this, but all of the juveniles involved were known to library staff. The two teens had returned inside the library at the time the call came in, and staff asked them if what was reported was true. Both denied the claims, and one asked to “prove” that it wasn't true by showing the contents of his cellphone video library. Do we put ourselves at risk by allowing a patron (juvenile or otherwise) to show us such content? We can see a variety of ways that this might expose us to risk, but we also understand the teen’s impulse to defend himself.

Additional questions that came up (but maybe too much for a single query): If patrons do film each other without consent on library property, is that a further risk for us? If we were to explicitly state that filming others while on library property is against policy, how could we safely enforce that policy?

Answer

Before I dive right into the answers (we are going to address every question), let me say what a lot of readers are probably thinking: most tech-savvy people know how to modify their phone so a recording they made doesn’t show up in their files. So, this answer will not only review the questions about sensitivity and liability but also discuss the practical concerns of enforcing a Code of Conduct when a decision turns on dubious evidence.

First, let’s talk about a policy on recording.

Any public library should feel confident adopting a policy limiting use of recording devices in areas where privacy of library users is assured.

For some libraries, this rule may be limited to the service desks and common rooms where people are reading, using computers, and accessing other specific library services and programs. For others, this rule may apply to the entire interior of the library.

Some libraries may even want to bar recording in their parking lot and grounds (a factor relevant to the member’s questions), but this may be harder to justify on the basis of privacy, as there is no guarantee of privacy when walking out in the open.

So, for argument’s sake, let’s say the member’s library does have a policy, but it doesn’t extend to the outside. What else could help with the situation presented here?

In addition to a policy on recording in the library,[1] any library can use its code of conduct to prohibit the deliberate antagonism[2] of one person by another on library property.

Once a person reports such a violation, it is up to the director of the library (or librarian in charge) to ensure the policy for evaluating a code of conduct violation is followed.

Library codes of conduct vary from place to place, but a good policy will always follow this pattern: notify the person of the accusation in writing, let them know the penalty that could be imposed, and provide a reasonable opportunity for the person to respond prior to that penalty starting. If the matter involves a very clear risk to safety or compliance (a physical threat, sexual harassment, etc.), the person can also be temporarily barred from the library while the matter is pending, if the policy allows it. After a decision is made, there should be one level of appeal (usually to the board of trustees after a decision by the library director, but in a larger organization, the final appeal can be to the director after a decision by another employee).

If the matter is being handled by law enforcement, the library should still follow its own policy before removing library access and privileges (this is true even if there is an order of protection put in place).

When the accused person is a minor, that person’s parent or guardian should be notified to the degree consented to by the minor (possibly as part of getting a library card) or as stated by the policy.

If, after being accused in writing, a person volunteers to “prove” their innocence by showing their phone, the library should consider if the risk of intrusiveness[3] is worth it; likely it is not. Far better is to hear from the complaining person and the accused person a recital of what happened, decide what is most likely to have happened, and if a violation did occur, decide what penalty will help create assurance of respect and safety going forward.

This is particularly true in a case like this, where unless some other aspect makes the recording harmful (Has it been shared on social media?[4] Was the person being bullied at the time?), the consequences for doing what the youth was accused of will likely be a warning.

How would this “due process” roll out? After getting the complaint, it would start with a letter stating:

On DATE, a library user reported that she was concerned that you were recording her on library property (outside, at TIME), after she requested not to be recorded. If this happened, this is against the Library’s Code of Conduct, which prohibits INSERT.

The Library will be reviewing this report, and we invite you and your parent/guardian to provide a statement in response. You may also come in at DATE/TIME to discuss this with me.

Because it is important for library users to feel safe and respected at the library, if this did occur, it may result in a warning, or a temporary loss of library privileges. If we impose a temporary loss of privileges, you will be able to appeal it before it goes into effect.

Although the situation in the member’s question does not require it, if a reported violation is more serious (a threat, an injury, property damage, etc.), here is the language for a temporary bar on access to the premises:

Because this report relates to [a threat to safety, serious injury, etc.], until this is resolved, you are barred from library premises. You may still use library services remotely. If you need assistance to arrange services remotely, please call NUMBER to work with POSITION[5] or e-mail PERSON.

Taking this careful, deliberate approach does more than assure due process; it also slows things down and gives an accused person and their accuser time to think. It makes sure both parties can be heard. If the people involved are minors, it provides adequate notice and opportunity for parents and guardians to be involved.

Just as important: it is gentler on library workers, who should not have to serve as the sudden judge and jury of disputes between patrons (but of course, often do).

This brings things full circle to the original question: Is the library at risk if a teen patron volunteers to share contents of a cell phone?

The answer to that is YES. That risk includes everything from the simple optics of invading the privacy of a minor to compromising their rights without their parent or guardian present. It is a situation that begs for a formal complaint to a board and/or for public relations fallout. When you consider that the evidence to be provided is probably of dubious value, these risks completely undermine the worth of such access.[6]

While it can take more time, addressing things in a calm, formal manner can teach people (particularly young people) that they have rights. For certain disputes,[7] if the library identifies a way to mediate the issue[8] and help the young library users reconcile their differences, that is fine, too.

Thank you for a thoughtful array of questions.


[2] I am using “antagonism” because “harassment” is a legal term, both in criminal and civil law (where it has multiple defined meanings). “Antagonism” is the act of making someone else mad, which is what will happen if a person states they are not to be recorded, and they are recorded anyway.

[3] Those risks are accusation of invasion of privacy, coercion, duress, and inappropriate pressure on a minor. Further, as discussed, the risk is that the savvy person has already deleted or hidden the recording.

[4] In which case you may have evidence of it having been made, without looking at the phone.

[5] If the person threatened a library worker, make sure they are not working remotely with that library worker.

[6] Any situation where it would be worth it—such as one involving an alleged recording of a physical threat—is probably worth a report to police, who will conduct their own investigation.

[7] Where it will be restorative, not simply convenient.

[8] Some regions have great mediation and alternative dispute programs, especially for young people.