School Libraries

This question was submitted by a system serving elementary and secondary schools.

The answer for those schools (and for higher education, too) is: if the viewing of the DVD is tied to the reading of the book and the content is part of the class/curriculum, then YES, it can be viewed in class.

This exception to infringement by a school is found in 17 U.S.C. 110  (1), which states:

...the following are not infringements of copyright:

(1) performance or display of a work by instructors or pupils in the course of face-to-face teaching activities of a nonprofit educational institution, in a classroom or similar place devoted to instruction, unless, in the case of a motion picture or other audiovisual work, the performance, or the display of individual images, is given by means of a copy that was not lawfully made under this title, and that the person responsible for the performance knew or had reason to believe was not lawfully made;

So, to be clear: at a not-for-profit school, as part of the curriculum, in the school's designated learning space, the "movie based on the book" can be viewed as part of  the curriculum...so long as the copy being watched was not pirated or otherwise obtained through the shady  (but now losing ground to illegal streaming) DVD black market.

Thank you for this question.

The short answer to this question is: IF the video is only going to include the YouTube animal clips, and IF it is only going to be used in the school for instructional purposes, the proposed use is fine, since copyright section 110(1)[1] allows schools to play videos in class if the topic is related to a class, and YouTube doesn't limit use of its service to "personal" uses.

Now, I say "mostly" fine because, technically, the combination of the YouTube content into another video compilation could be considered the creation of a "derivative work" (like a sequel or a mash-up), instead of just "performing" (playing) the video as allowed by law.  But if the copy truly isn't leaving school grounds, and the "performance" is to promote a reading program in the classroom, and the footage really is just being swapping in and out with interviews with school staff, it would be a stretch for anyone to claim infringement.

With respect to the other issue that I detect in the question--would "School X" have a claim against the school for pinching its idea? I don't think so.  The project you describe is sufficiently different from theirs; after all, they got their author for their endeavor, and your school is focusing on local talent.  You can't copyright an idea[2]...just its expression.

When it comes to a school generating original educational content inspired by others, for use only within that school, the key is to model the type of respect for others that educators want to instill in their students, while taking full advantage of the protections educators have under the law.

In this case, "Respect" means not using pirated copies when a school plays instructional movies, and not using more content than the school is entitled to when the instruction is online.  "Protections," among other things, means that for in-person instruction, videos can be played, and for online instruction, parts of videos can be played, so long as the performance is from legitimate copies.[3]

[NOTE: For schools that want to up their game and start producing original content they will share with the world: this answer is not for you.  If any school out there is thinking of becoming an author/producer/provider of educational materials, don't rely on this answer, and develop a business plan that includes how to respect and protect IP.]

And finally, I have to say: thank you for this question.  First, it got me onto Animoto, which I am totally going to check out.[4]  And second: I love PARP.  Some of my fondest circa-1980 memories are of filling out my PARP form with my folks, after some time reading together on the couch,[5] so this question made me smile.  It's good to see the program is going strong, and the hamsters of the world are showing us how to cope with the ups and downs of life.

[1] 110(1) allows "Performance...of a work by instructors ...in the course of face-to-face teaching activities of a nonprofit educational institution, in a classroom or similar place devoted to instruction, unless, in the case of a motion picture...the performance... is given by means of a copy that was not lawfully made...."

[2] Of course, you can patent certain ideas, so please don't think I'm touting intellectual property anarchy.

[3] This aspect of Copyright Section 110 is different than the issue of streaming services being limited for personal use, and thus not always the best place for educators to get their in-class movies.

[4] I clearly don't get out much.

[5] My parents still have the same couch, which they got in 1964.   They are the greenest people I know.

In speaking to different libraries about being prepared for book challenges, I have repeatedly stressed one very important element: have your policies ready.

This question shows the depth of consideration that goes into that simple requirement.

In this case, that "depth" is found in the rocky chasm of the LGS-1, New York's end-all, be-all rules for public document management.  Need to know how long to keep records for a bingo game authorized by a village?[1]  Or how long to keep a record of exhumation?[2]  Or how long we hang onto bridge inspection records?[3] It's all in the LGS-1.

The documents the member references are sections of the LGS-1.

They look like this:

and

Looking at these requirements, the member's question is: "[S]hould the district have kept a list of all books in their libraries in any given year?"

The answer is: MAYBE, but not DEFINITELY.

Here is why:

The first section referenced by the member, at first blush, looks like it requires the retention of "book lists" for six years.  But examining that precise section, you will see the requirement is limited to records submitted prior to the "consolidation of school districts." 

So, outside of a district consolidation, section LGS-1 15, does not require compiling a list of books.

The next sections, LGS-1 598 and 599, refer to a school district maintaining records related to a "Catalog of holdings" and "Individual title purchase requisition," respectively.

We'll tackle 598 first.

598 requires that a "Manuscript or published catalog" of "holdings" must be retained "permanently."  It then requires that a "Continuously updated catalog" be retained until it is "superseded" or "obsolete."

This means that a district library's "catalog of holdings" that exists in a static form (like a print or PDF list) must be retained permanently, but a list of holdings that is ever-changing (like an ILS) is only retained until it changes form--or that form stops being useful.[4]

In practical terms, this does mean that if the library produces a static list (in print or electronic form), it must be retained forever.  That obligation, however, does not obligate the library to create such a list in the first place.  Meaning, in other words: if the library only uses an ever-changing catalog, it doesn't need to retain any particular copy.

This brings us to 599, which requires that an "[i]ndividual title purchase requisition" (the documentation showing a school library bought a book) must be retained for one year.

Again, in practical terms: while per 598, a school library is not obligated to compile a printed list showing that "Not All Boys are Blue" is in its library's collection, per 599, it does have to retain (and produce, if not otherwise accessible through FOIL) a school’s requisition to purchase "Not All Boys are Blue" if requested.

This gets more interesting as one considers that LGS-1 600 (also seen in the purple-bordered excerpt above), regarding "Records documenting selection of books" sets no minimum retention period.  Meanwhile, LGS-1 601, regarding "Library material censorship and complaint records" mandates such records be retained for at least six years (and encourages considering saving them for much longer, which strikes me as a good idea).

The upshot of these various rules creates a regime where a district is empowered to pick and choose, to some degree, what records it wants to create...but once created, imposes a very particular set of parameters for retaining, purging, and disclosing them.  This is why my answer to the member's question must be so ambiguous.

It is also why it is very important that a district have a well-developed policy on this issue.

Below are some examples of what, depending on the records a district elects to create, a district can say in answer to the question: "I want to make sure I approve of all the books my taxes paid for this year.  Can I have a list of all the books?"

[If the library maintains a published list and wants to be friendly.] "Sure thing.  We compile and publish a list of books in our collection every year as of the first Monday of September.  Do you want the one showing all the books in one particular library, or all the books in the district?"

[If the library doesn't maintain a published list, but has a continuously updated catalog, feels friendly, and allows access to library computers.] "No, we don't publish such a list.  But we do have a continuously updated catalog you can search on this terminal."

[If the library doesn't maintain a published list, has a continuously updated catalog, doesn't allow just anybody access to its computers, but feels somewhat helpful.] "No, we don't publish such a list.  But we do have a continuously updated catalog you can request a copy of."

[If the library doesn't maintain a published list, doesn't allow access to computers, and doesn't feel helpful, but does feel puckish.] "No, but if requested, we can supply you with a copy of every book requisitioned last year."[5]

[If the library doesn't maintain a published list, and doesn't want to offer alternative ways to share the information.] "No, we don't have that."

[If the library doesn't maintain a published list, and is okay risking a spat.]

"No."

Optional rider to all the above answers: "Here is a copy of our FOIL policy so you know the process for requesting our public records through our FOIL officer, and can be aware of our copying charges and the process for requesting electronic copies."

Now, as any veteran of public relations battles over school district policy knows, there's a time to be helpful, and there's a time to say "no."  I am not endorsing any particular answer, but based on a district's policy, it should know what records it keeps (and doesn't keep), and how people can access them.

From my perspective, if there isn't a need to compile information, it shouldn't be compiled.  Further, FOIL does not create the obligation to compile information if it is not already compiled.  On the other hand, waffling and appearing to dodge the question when concerned citizens are on the hunt for "objectionable material" might not be the best way to fight the battle for intellectual freedom.  "We don't have a list but we have a continuously updated database" strikes me as a glove-slap; it invites a fight...but nevertheless, if accurate, might be a perfectly valid response.

From my high horse over here in law-law land, a district should proceed from the presumption that if a book is in a school library's catalog, it belongs there; this is the stance that supports intellectual freedom, while also setting a good example for the students (but I am not the one who has to deal with angry community members storming a school board meeting).

Regardless of my personal thoughts on the diplomatic aspects of this issue, from the perspective of intellectual freedom, information access, education law, the LGS-1, and the First Amendment, here is what's important: have a sound policy governing 1) how library books are selected; 2) how library books are cataloged;[6] 3) how library books are challenged; and 4) how library books are removed, and follow that policy.

If, as part of that policy, a district has the desire and capacity to create an annual (or decennial, or whatever time span it wants) list of books in the school library catalog, great, but if such a list is created, it must be kept forever.  And if the district only uses a continuously updated library catalog, it should be clear from the policy who can access it, and how (at the school?  By appointment?  Remotely?).  And all of this turns on the district having a designated FOIL officer and process for timely responding to, assessing, and meeting FOIL requests.

So, there is my answer...and I know it rests on a dangerous triangle of law, practicality, diplomacy.   This stuff isn't easy.

I wish you a clear head, a steady heart, and a ready wit as you face whatever challenges come your way.

[1] 8 NYCRR §185.15 (2020); see schedule items 562-564.

[2] 8 NYCRR §185.15 (2020); see schedule item 136.

[3] 8 NYCRR §185.15 (2020); see schedule item 1085.   By the way, it's "6 years after structure no longer in use or inspected features have been replaced," which I find rather terrifying.

[4] Kind of whimsically sad notion: "You are needed, until you change or you aren't needed."  I would love to meet the person who wrote this part of the LGS-1; they had to be a philosophy major.

[5] I don't advise using this one.

[6] Including having a published list, or simply having a continuously updated database.

MAKING A COPY ON THIS MACHINE

MAY BE SUBJECT TO THE COPYRIGHT LAW OF THE UNITED STATES

This means 4 important things:

1.  Copying a copyright-protected work here could be a copyright violation[1].

2.  Copying protected works is sometimes allowed under "fair use."[2]  Our school's fair use policy is posted INSERT.

3.  Copying a copyrighted work to accommodate a disability under the ADA is allowed.   However, to do that, please see the [insert office for disability services] staff, since adaptive copies have special rules,[3] and we want to help you (or a person you are assisting) exercise your rights.

4.   Under the TEACH Act,[4] you may display or perform certain copyright-protected content in class, but that does not allow you to make additional copies for in-class or online instruction.  Please don't make copies that exceed the permission obtained by the school (unless you use our policy to determine it is fair use).

The copy machines are here for your use, and we appreciate your consideration of these laws.

Thanks!

[1] 17 U.S.C. 106 reserves the making of copies to the copyright owner.

[2] 17. U.S.C. 107 allows copying under certain circumstances, but simply "educational" or "not-for-profit"  use is not enough.  Read the guide at the link!

[3] See https://www.loc.gov/nls/about/organization/laws-regulations/copyright-law-amendment-1996-pl-104-197/.

[4] Section 110 of the Copyright Act.

Welcome to "Back to School 2021"...a year unlike any other!

I have weathered many K-12 "back-to-schools."  For instance, second grade back-to-school, for me, was in 1980.  For my son, it was in 2010.  And for my daughter, it was just a few days before I sat down to write this.

That 1980-to-2021 time span has allowed me to realize two things:

Realization #1: Erasers smell the same in 2021 as they did in 1980; and

Realization #2: Back-to-school 2021 kicked off in a world that has gone through a lot of rapid and (at times) de-stabilizing change.[1]

The good news about realization #2 is that the law--which tends to change much more slowly than the world around it-- is much the same.  So, for this answer, where we can, we'll be linking back to prior "Ask the Lawyer" answers, and where there is something new, we'll add it.

QUESTION 1: Can a teacher use a Spotify account in their classroom?

ANSWER: Not unless the license has changed to allow more than "personal use."  For more on that, see Using Streaming Services (Hulu, Netflix) in the Classroom.

QUESTION 2: Can a teacher use music with face-to-face instruction?

ANSWER:  Yes, so long as the music is part of the instruction, and the copy of the song was legally obtained.[2]

QUESTION 3: Can a service provider (counselor, therapist, social worker...) use music with students?

ANSWER:  There is no automatic permission or exception to the copyright law that allows a mental health service provider to use recordings, sheet music, or other copyright-protected property for purposes of licensed service.[3]

QUESTION 4: Can music be played during sporting events?

If the recorded or streamed music is protected by copyright, it should only be played with a license.

NOTE: Public schools will want to consult their lawyers about their risks in this regard now that the U.S. Supreme Court has (arguably) struck down the ability to sue "the state" and its subdivisions for copyright infringement.
 

5. Can music be used as part of the morning announcements?
If the music is protected by copyright, it should only be played with a license. 

NOTE: Public schools will want to consult their lawyers about their risks in this regard now that the U.S. Supreme Court has (arguably) struck down the ability to sue "the state" and its subdivisions for copyright infringement.

And with that, I wish you a joyous back-to-school.

[1] Perhaps this is why I found the familiar aroma of new "Pink Pearl" erasers comforting.

[2] This is allowed per Section 110(1) of the Copyright Act, which states that "performance or display of a work by instructors or pupils in the course of face-to-face teaching activities of a nonprofit educational institution, in a classroom or similar place devoted to instruction" is not infringement. 

[3] As I write that, it strikes me that such services are so important, ensuring the resource can be used legally is important.  There are a number of ways to do that, depending on the precise circumstances.

Thank you for this question.  The LGS-1 is one of my favorite rabbit holes to explore.

I took a look at Schedule Item 596, which applies to "Borrowing or loaning records."  I have put a screenshot of the section, as it appears in the schedule as displayed on the NY State Archives web site: http://www.archives.nysed.gov/common/archives/files/lgs1.pdf

As you can see in the screenshot, 596 fixes the retention period for borrowing or loaning records for school libraries as "0 years after no longer needed."

"No longer needed" is one of those phrases in the LGS-1 that renders the retention period variable.  This flexibility can be both helpful and frustrating, since a district, BOCES, or school library must determine, via policy, what "needed" means.

This can vary from place to place, but in all instances should be based on a determination of what is meant (for the district/BOCES/or school library) by "need," and then confirmed in a policy.

After that, best practice is always to purge records once their retention period is over, and for something as deeply connected to ethics, compliance and privacy as library records,[1] that is doubly true.  For school libraries, that retention period is zero, once the records are no longer needed.

Therefore: determining how long student library borrowing records are "needed" (something that may vary from library to library, district to district, BOCES to BOCES), and then purging the record as soon as possible,[2] is a good way to use the LGS-1 to enhance an institution's commitment to privacy.

Thanks to the member for bringing up this nuance.  These issues are at the crossroads of ethics, compliance and automation, and require continuous and careful attention to detail and resulting policy.

[1] Please see "Ask the Lawyer" here for a discussion of school library records, CPLR 4509, and FERPA.

[2] The LGS-1 encourages, but does not require, "the systematic disposal of unneeded records."

Thank you for this careful and thoughtful question.  As we rush to migrate education to online, the small details can get overlooked.  As the member writes, information that used to be safeguarded in physical files or with separate passwords is increasingly accessible via a "one-stop shop."

Depending on the type of information involved, any number of ethical, privacy, and legal concerns can be impacted.

In this question, the member focuses on two types of information: library records, and FERPA-protected "education records."

For library records, there is an overlap of legal concerns—an overlap that was thoroughly discussed in the 5/6/19 answer the member cites.  In that reply, we established that depending on how a school/school library is set up, parent/guardian access to this information might be allowed--but it’s a question that should never be left to chance (it should always be answered by a school’s FERPA and library privileges policies).

To that answer, and considering the spirit of the times, I'd simply add: any librarian out there, operating in elementary and secondary education, should be lauded when they raise privacy concerns.  Librarians should work with IT departments and procurement professionals to ensure data management and automation enable the separately governed access to a student's library records.  Even when access is legally allowed by a system, it is still good to emphasize the privacy of library records.

Here are several examples of how this can be done:

• Including privacy considerations in “Requests for Proposals” (RFP’s) and quotes for automation and other data management software that will hold library or student records;
• Training both library and IT staff to keep the division of different types of records with different access parameters at top of mind (“Remember, library records aren’t just protected by FERPA and ED 2-d”);
• Ensuring that release and parental permission forms distinguish between and properly govern access to different types of records;
• When making quick changes based on pandemic exigencies,[1] ensuring at least one person is tasked with assessing if the implementation conforms with applicable institutional ethics, policies, and privacy regulations.
• Using deliberate awareness tools, such as a pop-up window that appears prior to enabling access to library files, saying "Student library records are confidential under state law.  Only properly authorized parties should view these records," is a good way to distinguish access to library information from other education records.[2]

For any educator reading this and thinking “Uh-oh,” if the horse is out of the barn, it is never too late to adopt some retroactive corrections.  When parental access is as plenary as the member describes, if there is a confirmed issue (such as access to one student’s enrollment records leading to access to all students’ enrollment records[3]) working with IT to address the specific utility hosting that information, and how it can be further locked down, is the only solution.

There will be times when addressing an issue like the ones raised by the member is simply not within the authority of the person concerned.  A concerned librarian or educator might even find themselves rebuffed when they try to ring the alarm! When that happens, it is time to kick it upstairs.  Each school should have a FERPA officer, and at least one senior administrator whose role is associated with enforcing a code of ethics or policies on privacy.  Concerns of this type are all appropriate to direct to such an administrator.

No one engineers a FERPA or privacy violation on purpose, but unwitting violations can happen when the learning environment has to change fast.  Being alert and ready to identify and correct concerns as soon as they emerge is critical.  Thanks for a solid question that shows how it's done.

[1] “Pandemic Exigencies” would be a good name for a heavy metal band.

[2] As discussed in that 5/6/19 answer, who "properly authorized parties" are can vary from school to school.

[3] This is indeed a possible violation.  FERPA §99.12 states "(a) If the education records of a student contain information on more than one student, the parent or eligible student may inspect and review or be informed of only the specific information about that student."

I didn't realize it in first grade, but a school library[1] is one of the first places a person experiences "the right to privacy" unmediated by a parent or guardian.

Think about it.  You go to the library and get to pick out whatever you want.  You check out books, and no one can tell you what to pick.  And aside from the person checking you out, no one has to see your selection; your records are private.

In the present day, this means that kids whose faces might be all over Facebook[2], who are attending school via computer, and who "turn off their screen," when they don't want people peeking into their home life during remote learning, still have a right to confidentiality when it comes to the library in their school. And one of the biggest symbols of that student-library relationship is their library card.

So, with all that hanging in the balance, what are the legal considerations of putting student pictures on school library cards?

As often happens in the highly regulated worlds of education, privacy, and information, the answer is: "It depends."

In this case, the factors "it depends" on are numerous; rather than itemize them, I'll summarize them with a few pointed questions:

Factor 1: What else is "on" the library card?

Depending what other information is on the library card, combining a student’s picture with it could increase the likelihood of a violation of FERPA[3], Ed 2-d, or school policy.[4]  For instance, if the card is used for not only swipe access, but access to grades, disciplinary records, and library records, also including a picture ID on it makes it sensitive, indeed.

Factor 2:  Who "owns" the library card?

Some schools, by policy, give out student identification cards, but use a school or district-wide policy to confirm that the card is simply "on loan" to the student (and must be returned at certain events, like suspension or expulsion).  Other institutions issue a card, and it becomes the student's property; this means that the card is more under that student’s control.[5]

While there is no requirement to do one way over the other, the school and library should confirm the ownership of the card in a policy, as this can impact the decision to mark the card with picture ID, as well as who has control over the card in the future.

Factor 3:  Why does the picture need to be on the library card?

Is the school so large that in order to ensure it provides library services to the right student, the card must have a photo ID?  Is it a security measure, perhaps to deter theft (of library cards, and therefore collection assets)?  Do students need to "swipe" into the library, with the library positioned to monitor that they are letting in a student who isn't supposed to be in class?  Or is the library card doing double duty as the student's general student ID?  Whatever the reason, it should be understood and clearly based in policy.  And if the reason has to do more with security at that school than the operations of the library, it is better that the function be performed by the student ID, not the library card.[6]

Factor 4:  Who will have the right or ability to view the library card?

If the library card is only required to be viewed by library staff, the inclusion of the photo is consistent with FERPA's and CPLR 4509's different but equally applicable privacy requirements.  But if a security guard, teacher(s), bus driver, or others all have to see the library card for different reasons (this relates to question number 3), or could use the card to access the student's library records, that raises the possibility of concerns.

Factor 5:  Is there a "stealth" reason for the use of the photo and name?

For some students, if they do not have documentation such as a birth certificate or social security card, a library card with a picture ID might be the most official "documentation" they have.  If a library or school is intending that their cards perform this ancillary function, this should be done with the awareness that third parties relying on the identification function still need permission for the school or library to comment on the content of the card (for students under 18, this means a waiver by parents or guardians).  However, that same student (or their parents/guardians) can choose to share their confidential education records or library records however they wish.

Okay, that's a lot of "factors," but what is the answer?

Having dragged you through all that, I will answer the member's very simple question:  Is it legal to print student photos with their names on their school library cards for circulation use?

The answer is "Yes."

But!  If the library card will be used for anything more than "circulation use" within the library, it is wise to assess precisely what the card will be used for, root that purpose in well-developed policy that considers the above factors, and evaluate if the picture—which in this case, will be a FERPA-protected education record[7]—is needed at all.  The more the card is used for functions beyond the needs of the library, the more those functions should be achieved by a separate student ID, or in the alternative, schools should make sure that library information[8] is separate and isolated from other education records accessed by or listed on the card.

Thank you for an important question.

[1] It is important to note that a "public school library" is different than a public library, or an association library, or a college library.... but ALL are subject to CPLR 4509, the law making library records private.  And while they are different, a public school library, like the college library, is subject to FERPA.

[2] I used to be such a stickler about not posting any pictures of my kids on FB.  But the loving posts of other family members eventually wore me down.  Sorry, kids, I really tried.

[3] Photos of students maintained by their institutions, like an ID photo, are confidential education records under FERPA.  https://studentprivacy.ed.gov/faq/faqs-photos-and-videos-under-ferpa

[4] For instance, if the library card is also an all-purpose student ID that also functions as a key card or has lunch money on it, a policy should clearly separate those functions and there must be a clear protocol for voiding access when the card is reported lost.

[5] Just because the school owns the physical object doesn't mean they own the rights to the student's image.

[6] This is because, as written more thoroughly in Ask a Lawyer RAQ #100, school library records are subject to both FERPA and 4509 rules of privacy.  Combining education record with library records can make it difficult to tease out the different ways the materials may need to be handled. 

[7] See footnote 3.  Yes, this is a footnote to send you to a footnote.

[8] Either in hard copy, on the card, or via digital access.

Not only can the students play, record, and stream “Pomp & Circumstance,” but they can also create an original musical based on it, rap over it, score an original movie with it, and in short: do anything they want with it.[1]

While anyone graduating in 2020 deserves this kind of red-carpet legal treatment, not only can the students do it, but everyone else can, too.  That is the beauty of a work being in “the public domain.”[2]

Thanks, and may all your virtual ceremonies be joyous.

[1] That said, any publisher that has created and distributed its own version of “Pomp and Circumstance” with a specific arrangement, illustrations, instructions, etc. may own the copyright to that particular text, and it shouldn’t be duplicated via hard copy or scanning.  In a similar vein, any publisher that has issued a specific recording may own the rights to that specific recording, and that should not be streamed or used without permission, either.  But the composition of “Pomp and Circumstance” is in the public domain, so generating a student-created version of it is fine, and if the district is the one recording it, they (and the performers) own the copyright (see Copyright Office Circular 56)!

[2] “In the public domain” means “no longer protected by copyright.”  Edward Elgar, composer of “Pomp & Circumstance,” died in 1934, so even under the most rigorous scheme of ownership, the copyright to P&C has expired.

New York school libraries[1] operate in a complex web of regulations governing student privacy.  Laws such as FERPA, CPLR 4509, and “ED 2-d” all restrict what can be done (and can’t be done) with library records related to students.

At “Ask the Lawyer,” we’ve spent a fair amount of time on FERPA[2] and CLPLR 4509[3], so if you need some background on those, check the footnotes for this sentence.

That said, I have never written an “Ask the Lawyer” on ED 2-d, the new law protects “personally identifiable information” (“PII”)” held by a school district.  I’ll weave the relevant parts of the law into this answer.

And I have never written about (or used) SORA.  Since SORA is at the heart of this question, here is a little background on that:

SORA is a service provided by Rakuten/Overdrive.  In its own words, it provides “Millions of ebooks and audiobooks for your students. Thousands of publishers. Comes loaded with hundreds of premium titles at no cost. Infinite reading possibilities on practically any device.”[4]  Participating school districts enable student access to SORA through their own log-in points (the mechanics of which vary from school to school).

How does the service work?  As one reviewer put it[5]: “SORA can be downloaded for free by all students and teachers. If their school or district is an OverDrive partner, they can then use SORA to access their school's digital collection and also connect with the local public library's digital collection.”[6]

And finally, it is worth noting that SORA has a very cute logo: a puffy-silver astronaut, soaring wide-eyed into an eye-relaxing sky of silver-blue.  The astronaut is a combination of a Pokémon, Sailor Moon, and Big Hero Six.[7]  He is ready to read, and all set to escort your students to a universe of reading, too!  The logo is so cute, I don’t know how the member could think this company could do any wrong.

But savvy librarians are not distracted by cute logos.  And in this case, our savvy librarian-member asks: is use of SORA by a district compliant with the privacy protections of New York State Education Law 2-d?

We’ll start this analysis with a term defined by the law: “third party contractor,” which ED 2-d defines as:

 … any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs.

If SORA (or another service), meets this definition, then the district/school using it must implement the requirements of Ed 2-d, which are in the regulations found here:

http://www.nysed.gov/common/nysed/files/programs/data-privacy-security/part-121.pdf

I would set the full requirements out in this answer, but they are lengthy, and the regulations are about as plainly worded as can be.

In addition, for a library at a specific school in New York, there is a more institution-specific way to find these requirements.  To comply with Ed 2-d, every school district must have their own “District Privacy Officer” (“DPO”)[8] and that DPO must ensure that their institution develops and publishes a document called the “Parents Bill of Rights for Data Privacy and Security.”[9]

The parents’ “Bill of Rights” must list the district/school’s obligations vis-à-vis third-party contractors, including precise requirements for the protection of student information accessed by a specific contractor.  In other words, for each “third party contractor” (like, potentially, SORA), a district/school must publish the unique “supplemental” contract terms they’ve created to ensure the service meets Ed 2-d requirements. 

Readers who want to see the Ed 2-d criteria of their own particular district or school should be able to find it by searching for that district’s “Bill of Rights.”[10]  For any district using Overdrive and/or SORA, the “Bill of Rights” will either contain supplemental terms applicable to SORA, or they will have determined that their use of SORA does not disclose any PII.

So here is the question at the heart of the member’s question: does use of SORA, as arranged by a district, disclose PII to Overdrive?  While each district needs to make that determination on its own, in my opinion, any third party contractor that students must log into using a school-issued ID, after which the student will access content that supplements their school library’s collection (and be able annotate and leave notes about[11]), has a high likelihood of collecting PII.   

But as I say, it will be up to the district’s DPO to make the call.  If that call is: “Heck, yeah, they’ll be getting PII,” the district will then need to follow the law and regulations[12] to ensure the use complies. This means verifying that the contract has the right Ed 2-d requirements, and supplementing its “Bill of Rights” by disclosing the precise requirements the contract imposes on the contractor.  But if that call is: “We checked it out, and nope, no PII heading out the door here,” then nothing further is needed (insofar as ED 2-d is concerned).

While it may seem like I am punting on this answer (“Go see your DPO!”[13]) I can say that the SORA Privacy Policy[14], as published on May 20, 2020, does contain the elements that are consistent with the requirements of ED 2-d.  As but one example, Overdrive has a process for correcting records, which provides:

If you are a teacher or administrator at an educational institution using the school Services, please email privacy@overdrive.com to request the review, correction, and/or removal of a student’s Personal Information, and we will facilitate your access to and correction of such Personal Information promptly upon your request.

The ability to “challenge the records” of a contractor is a requirement of Ed 2-d.[15]  This suggests to me that Overdrive knows SORA will be gathering protected information, and the service is ready to enter into contracts that give the required assurances.  But only a look at the school’s contract for SORA, and its precise definition of PII, can ensure that.

The bottom line?  No matter what the published “Privacy Policy” of SORA says, there is no way to fully confirm a school library’s use of SORA complies with Ed 2-d law and regulations until the district’s designated DPO[16]:

1) Assesses what information will be accessed by or transferred to Rakutan/Overdrive as a result of their district contracting for SORA;

2) Determines if that information is PII as defined by Ed 2-d[17];

3) If it is PII, ensures the contract complies with Ed2-d; and

4)  Takes the steps to publish the “Bill of Rights” supplement as required.[18]

In other words: in Ed 2-d compliance, there should be no guesswork.  By working with the school’s DPO, the guesswork should be entirely removed.

Thanks for a great question!

[1] Not to be confused with New York’s “school district public libraries,” which are chartered libraries operating separately from their associated district.

[2] Patron Confidentiality in School Libraries

[3] RAQs featuring CLPLR

[4] As boasted at https://company.overdrive.com/k-12-schools/discover-sora/.

[5] Found at https://thelearningcounsel.com/article/sora-helps-give-k-12-students-more-access-ebooks-audiobooks-and-school%E2%80%99s-digital-collection

[6] If you want to read some harsh, some glowing, and some occasionally amusing reviews, check out the SORA review content here: https://play.google.com/store/apps/details?id=com.overdrive.mobile.android.sora&hl=en_US  I particularly enjoyed the brief but scathing review by a person who thought the service was supposed to be a game.

[7] I am not one myself, but I have anime fans in the family.  It rubs off.

[8] Per Regulation 121.8(a), “Each educational agency shall designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law §2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency.”  That’s the “DPO.”

[9] No, that is not a typo in “parents.”  The law left out either possessive apostrophe (“parent’s” or, for the plural possessive “parents’”).  Grammar matters, NY Assembly…grammar matters.

[10] I tried this on several different districts/schools across the state; a few institutions that shall remain nameless seem to have flunked, but admittedly, I didn’t look much harder than a cursory google search—which worked for many of the other institutions searched.

[11] Yes, I watched the SORA demo and paid attention to the additional features, which includes highlighting content and typing in comments.  I guess it beats writing in a book, which, to my husband’s great chagrin, I have been known to do (only to my own books).

[12] Found here: http://www.nysed.gov/data-privacy-security

[13] This is also critical because the definition of PII may vary slightly from institution from institution.  This is because student PII is based on the definition of “education records” in FERPA, which does allow some variance in “directory information” and other nuances this footnote is too small to cover.

[14] As found on May 19, 2020, at: https://company.cdn.overdrive.com/policies/privacy-policy-for-children.htm

[15] Regulation 121.3(c)(4)

[16] Or designee, of course.

[17] “Personally Identifiable Information, as applied to student data, means personally identifiable information as defined in section 99.3 of Title 34 of the Code of 3 Federal Regulations implementing the Family Educational Rights and Privacy Act, 20 U.S.C 1232g, and as applied to teacher and principal data, means personally identifiable information as such term is defined in Education Law §3012-c (10).”

[18] I realize this answer may give DPO’s out there extra work.  I am afraid I can’t apologize, since vigilance about privacy is a beautiful thing.  And hey—job security!