Policy

CPLR 4509 [1] is a critical caisson in a library’s foundation, protecting users from those who would draw negative inferences based on access to the library.  The law sets out, in bold, simple language, that librarians shall not disclose such records to law enforcement (or others), unless there is an appropriate subpoena, court order, or disclosure is required by law.

That said, there will be instances when serious patron misconduct might require a report to law enforcement—but the mere act of reporting it will disclose a circulation record (for instance, a patron signing onto a library computer that is then used for a crime).  How does a library report the criminal behavior, while honoring the letter and spirit of 4509?

The American Library Association has compiled a great array of information on balancing these priorities, and it is clear that the answer lies in the library’s policies.  I will not re-create this excellent list of considerations here, but when it comes to this particular question, it is clear every library should have:

• Policies regulating conduct in the library (a policy on internet use can play a part in this);
• A policy setting the conditions for loss of patron privileges when misconduct impacts the community or library operations (this policy must have appropriate due process and levels of appeal);
• A policy, or well-established internal procedure, for reporting misconduct impacting operations of the library to law enforcement; this policy or procedure should consider how 4509 will be honored when such a report must be made;
• A policy for responding to law enforcement requests for circulation records (not based on a library’s report).  This policy should include the library’s process for evaluating law enforcement requests;
• All policies and procedures referring to “circulation records” should have clear and consistent language regarding what “circulation records” are (both under 4509, and in that particular library [2]).

The New York Library Trustees Association has a thorough database of policies addressing, from a variety of libraries, addressing these topics.  But just use these for inspiration, since policies must be crafted, evaluated, and periodically revised to serve the mission, legal requirements, and operational needs of your particular library. Ideally, your lawyer should not only review the final product, but be ready to assist with any law enforcement request, is a good idea.

A library that makes sure it has addressed the points in the above bullets, and has trained their staff on these priorities, is ready to protect circulation records, while safeguarding the “proper operation of the library!”

[1] Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute.

[2] Note the ALA guidance on steps to minimize creating/retaining circulation records.

The lawyer answers…

This is an area that library leadership has to be very careful about. While the laws, regulations, and policies governing library employees vary (based on the type of the library, and the type of institution the library/archive might be part of), there is a growing body of case law ruling that employers may not discipline—or chill—employees’ use of social networking to comment about their work experience.

As but one example, a recent National Relations Board (NLRB) decision [1] barred a company from using the following employee handbook provisions:

• Prohibiting the posting of “embarrassing, insulting, demeaning or damaging information” about the employer, its products, customers or employees.

• Barring discussion of all information gathered in conversations, emails, and meetings as “confidential and proprietary.”

• Prohibiting employees from referencing or citing employer’s members, employees or vendors in social networking without their express consent.

• Maintaining a rule in a “Social Networking Guideline” that prohibits the use of the employer’s name, logos or trademark without the employer’s consent.

Although the case cited is from a union environment, the NLRB has claimed jurisdiction for non-union workplaces where federal grant dollars fund operations [2]. And of course, municipal-owned libraries, who might not be subject to NLRB jurisdiction, have to worry about First Amendment concerns—a different but not less critical priority. This well-developed case-law means I can give a very brief, decisive reply to this question:

Policies related to employees’ personal social networking should be finalized with the input of legal counsel, who will help you consider the goals of the policy, to comply with the law. Once developed, such policies should be routinely assessed by your institution’s attorney.

That said, there are obviously many good reasons for a library to have a strong, distinct, and official presence on social networks—and the good news is that this can be accomplished by an approach that is more affirmative than proscriptive. The legal/operational tools of a strong social media presence are:

• Well-established library trademarks (name and logo);

• A domain name that matches the trademark name, if possible;

• Consistent use of those marks for social media sites/posts;

• An “official voice” (tone, style) for posts and content;

• Selecting and updating the utility used (FB page, Twitter, etc.) to make sure the settings support the tone you want;

• A consistent approach to hosting (or not allowing) community dialogue;

• Well-established parameters, consistent with the library’s mission, for how and why the page is operated;

• A person who has routine maintenance of the social media resources written into their job description or volunteer letter [3] (and, if possible, at least one back-up person);

• A strong internal policy, well-communicated to employees, that ties this all together. This policy should not reference personal social media.

By cultivating a strong social media presence, ancillary content by employees and volunteers, on their own personal pages, will be made less confusing. This is a tactic worth considering, because as shown above, restricting employees’ ability to discuss work via social media is fraught with legal risk.

The foresight and caution showed by this question is very wise, indeed!

[1] NLRB Cases 16–CA–107721, 16–CA–120055, and 16–CA–120910 (July 15, 2016)

[2] Hispanics United of Buffalo, Inc. and Carlos Ortiz. Case 03–CA–027872 (December 14, 2012). This case, a seminal decision in this line of case law, shows how these issues arise in day-to-day operations. It is written in plain language and is very instructive on this topic. The board decision can be found here.

[3] If a volunteer does this, checking with your insurance carrier to make sure they are covered for the activity is a smart thing to do!

LIBRARIAN:  We have that copy Moulin Rouge you wanted!

PATRON:  Thank you!  I am planning to generate a version of it with my commentary over it. 

LIBRARIAN:  How interesting.  Are you planning to get permission, or claim Fair Use?

PATRON:  Um…?

LIBRARIAN:  Perhaps you would be interested in this book on copyright, too.   

It is professionally appropriate for librarians to promote awareness of copyright, trademark, and the other laws that govern the use of content.  But what can happen next can be risky:

PATRON:  Thank you for the copyright book!  I am pretty sure my use will be considered “Fair.”  What do you think?

LIBRARIAN:  I am so glad you found the book helpful.  As to any use of the DVD we provided…that is a question for your lawyer.

Unfortunately, the most attentive librarians are often the closest to this exposure, since they are the most dogged about providing access—exploring the furthest reaches of Fair Use and Section 108 to do it.  However, it also means that the pressure to go one step beyond, and advise the patron about what they intend to do with the materials, may be frequent.  When it occurs, librarians must emphasize the boundary between good service and legal advice.  Here is a formula for that:

I [the librarian] provide access to library materials based on the law and policy of my profession and institution; you [the user] should consult your own attorney regarding any legal concerns about your use of the materials being provided. 

In the event any of the service happens in writing, it is helpful to confirm this in writing.  This doesn’t have to read like an official “notice,” but can simply be a nice note:

Hi [NAME].  We were glad to help you find [RESOURCE].  As I mentioned, if you have legal concerns about the material you borrowed, you should consult an attorney.

By that way, I am not suggesting that every patron question needs a disclaimer! But for those areas where librarians are actively applying intellectual property law, or providing access to law-related resources, the boundaries of excellent service and legal advice can blur.  Users, who have a high-trust relationship with their librarians, might not appreciate that boundary. Tightening the focus and emphasizing it protects the patron, protects the institution, and protects the librarian.

Wow.  There is really just no hum-drum day for librarians, is there?

Okay, let’s take this in stages.

First, the member’s question starts with the premise that the alteration of certain documents is illegal.  That premise is correct.   And although there are any number of crimes such alteration could be (depending on the type of document), here in New York, the catch-all term would be “Forgery.”  

Forgery [1] is a crime that comes in many degrees, but whatever degree, it involves the act of falsely making or altering a document (meaning the forger invented it wholly, or—as in the scenario—somehow manipulates or alters the original).  However, it is important to note that a critical element of Forgery, no matter what degree, is the intent to defraud, deceive, or cause injury.

Second, the member raises the concern that, if library staff assist a patron who turns out to be a forger, they could risk being implicated in the crime—or feel an obligation to report what they have seen.  While I found no case law addressing this precise scenario, these are valid concerns.   

We’ll start with some good news: for staff to be (legally) implicated, they would have to be aware of the forger’s criminal intent.  In other words, the staff would have to know that the person was planning to defraud, deceive, or cause injury; the mere suspicion would not make them part of a crime [2].  

That said, if the content visible on the screen makes it difficult to ignore a crime in progress (for instance, the manipulation of child pornography) or the possibility of imminent harm to another (someone changing the checkboxes on a Power of Attorney, for example), both library operational integrity, and staff well-being, may require removing personal service, removing privileges, and/or alerting law enforcement.

Unfortunately, after looking at case law, guides from the ALA, and numerous policies in the field, I could find no graceful way for staff to simply discontinue service, without telling a patron why.  Since staff assistance is in many ways as much of a right (once it is routinely provided) as access to your collection and technology, withholding it without a clear basis is a due process concern (for public libraries) and a professional ethics [3]/best practices concern (for private libraries).

That said, I can offer the following steps to making sure staff are ready to address this difficult situation: 

First, every employee and volunteer assisting patrons should have the phrase “service to patrons, in accordance with established policies and procedures” in their employee handbook, job description or volunteer letter (the wording doesn’t have to be precisely this, but the requirement of staff to follow library policies should be express).

Second, an institution providing access to “maker equipment” (computers, scanners, 3D printers, recording devices, tools, etc), should have a posted, public policy forbidding use of library equipment for illegal activity.  Something like:

 “Use of library equipment for illegal activity is forbidden. Examples of illegal activity include  but are not limited to: manipulating illegal content, engaging in forgery (falsely altering documents), gaining unauthorized access to other computers or networks, and 3D printing of illegal devices.  Staff assisting you, who suspect illegal activity, are authorized to discontinue assistance, and the library may discontinue your library access and contact law enforcement.  Patrons using technology to alter official or signed documents should be aware that such activity may be perceived as potentially in violation of this policy.”

As with any library policy impacting access and privileges (including staff assistance), such a policy should have an established procedure, and at least one level of appeal. [4]

Third, staff and volunteers should be trained [5] on how to withdraw service while honoring the rights of patrons.  A very simple policy (coordinated with current bylaws and other institutional policies before implementation [6]), such as the generic one below, could assist with balancing staff well-being with patron rights:

POLICY

It is the policy of the library that, to promote the integrity of operations, and the well-being of staff, use of library equipment and staff services in furtherance of illegal activity is forbidden.  

Staff concerned that a patron’s use of library technology may violate the law shall withdraw their services and/or patron access to the technology, per the below procedure.

In making this policy, the library re-affirms that unless authorized by law, patron records, including those generated by the use of technology, are confidential, and that users of the library technology have a right to privacy. 

In making this policy, the library re-affirms that all patrons are entitled to excellent service and access, and that such service and access shall not be removed without due process.

PROCEDURE

A staff member identifies a potential violation, withdraws from the patron, and consults a supervisor to confirm that withdrawing service and/or access is appropriate.

If the supervisor, upon further assessment, agrees that the use violates the policy, and that withdrawing service and/or access is appropriate, the supervisor will initiate the removal, and provide in writing to the patron:

On [DATE], your access to [/SERVICE/TECHNOLOGY] was removed, on the basis that the use was barred under our posted policy (copy enclosed).  This removal may be appealed by sending a letter of appeal to [PERSON], at [ADDRESS] by [DATE].   The library respects your privacy and does not require you to appeal or to provide any further information regarding this matter, unless you choose to do so.

If an appeal is filed, the [PERSON TO WHOM APPEAL IS DIRECTED] shall consult leadership and legal counsel as needed, and shall notify the patron, in writing, as to the result of the appeal within [#] business days.

If there is concern that IMMINENT HARM may be caused by patron use of technology, staff shall immediately alert XXXX, who shall determine if law enforcement must be called, or if there are any additional immediate action take, per governing procedures.

I am sorry to not have a more graceful solution, but I cannot advise that staff simply withdraw services and not return to the patron.  I have designed the above generic policy to provide a “uh-oh” moment for the patron, when they can remove themselves from a situation, and the supervisor can choose to not pursue the matter further.  This is a delicate dance on the tightropes of confidentiality and operational integrity.

Further, I have added the final clause in bold so the person in charge at the time is reminded to use the “buddy system” when it comes to making tough calls about safety, inferring criminal intent, and assessing imminent harm.  These are decisions that, whenever possible, should not be made in isolation. 

This balancing, giving a situation time to breath, and due process, are the best way to shield library staff while honoring library principles.  I hope you don’t have to use it too often!  But with more and more people relying on libraries for service beyond the traditional quest for information, I suspect more institutions will be addressing this issue.

[1] NY Penal Law 170.00

[2] Of course, a prosecutor can pursue criminal charges if they believe they can prove such awareness…and they can try and prove it by using knowledge of the content.  And for certain documents, merely altering them is a crime.  So erring on the side of caution is wise.

[3] At the heart of this question is staff who don’t want to be implicated in wrongdoing, but honor their professional ethics, including the obligations to:

• Provide the highest level of service to all library users, and accurate, unbiased responses to all requests for assistance;
• Distinguish between personal convictions and professional duties;
• Strive for excellence via use of professional skills;
• Protect each patron’s right to privacy and confidentiality

[4] This is advised by the ALA at http://www.ala.org/advocacy/intfreedom/guidelinesforaccesspolicies, and of course is required for municipal institutions.

[5] As part of this training, staff should be alerted to the library’s policies about any signs of activity posing a risk of imminent harm (which may be a result of illegal activity).

[6] This coordination is critical.  Please don’t use any model language without considering your full suite of bylaws, manuals, policies, and procedures already in place.

This has been a tough question to mull over!  That is because the answer is superficially “yes,” but in reality: “no.”

How do we get to this disjointed conclusion?  Schedule MI-1, as the member did, is a great place to start.

From there, although it is a bit older (in Internet years), the 2010 guidance from the New York State Archives, “Developing a Policy for Managing E-mail” (to which the Schedule MI-1 refers), speaks to this issue.  On page 7, it states:

“Another management strategy has been to rely on the “low­tech” method of printing out important emails to integrate them into a paper recordkeeping system. Printing emails is still a viable option for a small organization with limited technology support and finances, provided that individuals across the organization consistently apply records retention requirements to the printed emails, capture all essential metadata, and file the emails with their respective attachments.” [emphasis added]

This would suggest that, for certain institutions, under certain circumstances, e-mail does not need to be retained in its original form to be an “original document.”

However, while it would be elegant, I cannot endorse this approach.  As the guidance further states on page 13:

“The concept of “official copy” is problematic when dealing with email because of the volume of emails, the difficulty of controlling all copies, and the occasional need to prove an email was received as well as sent.” [emphasis added]

Since 2010, even more concerns make this a dubious solution. For a private institution, the requirements of accreditors, insurance carriers, and other stakeholders must be considered…while for libraries and archives that are part of local governments, per NYS regulation, the conversion of archival electronic records must be conducted in consultation with the State Archives, who may or may not endorse such a policy, based on the categories of documentation it would impact.

That said, for certain categories of documentation transmitted or received as e-mail (as defined by MI-1 or private policy), the “print approach” may work.  As a wholesale solution, however, it is not legally viable.