Ed Law 2-d

First things first: whether a school board trustee, superintendent, principal, teacher, substitute, or volunteer, everyone must abide by the requirements of FERPA, Education Law Section 2-D, and CPLR 4509, each of which restrict access to library user records.

FERPA restricts access to education records on a “need to know” basis, even for employees.

Education Law Section 2-D restricts access to confidential student information.

CPLR 4509 restricts access to library user records, including those of minors.

Of course, knowing the law is different than following it. Plus, the scenario presented requires consideration of an additional factor: the substitute is a parent who’s looking at their child’s information.

Under the Education Law and FERPA, a parent has a right to inspect their child’s education record, and that is often interpreted to include their school library records.[1]

But! The right to inspect a record is not the same as using employee access to view a record for personal reasons. Unless district policy says otherwise,[2] a school employee taking advantage of their employee privileges to specifically access their child’s records is inappropriate.

Most people—including many teachers—are unaware of the additional layers of protection for library user records in New York State. Substitute teachers assigned to a school library might be given minimal information, and if the library is using volunteers, there may be even more reason to be cautious.[3] For this reason, a posted sign at the staff computer(s) could help emphasize the law and your library’s policy.

Here is sample language:

Use of this computer is limited to checking out and returning students’ selections and answering student questions. Accessing student library records for personal reasons is prohibited by privacy laws and district policy. Confidentiality of library services is an important part of library ethics and our school library system’s policies. If you have questions about this policy, please see [Media Specialist].

Or, if you want to have a more light-hearted approach:

Thank you for helping out today!

Just a few things we have to say:

Library user privacy

Means there are things you cannot see.

We only use the computer system

To check out items and return them.

If a student makes an inquiry

We handle it confidentially.

Borrowing records, what’s checked out

Can’t be casually talked about.

If you have a question about this list

Please ask the Media Specialist.

So welcome to our library crew!

Service with ethics is what we do.

Whenever possible, discussing policy guidance and signage like this with a supervisor and/or building principal, so they can back you up in the moment, is a wise idea.

In 2026, standing up for privacy and respect for laws governing electronic access to data grows more critical every day. Care on this topic is a sign of professionalism.[4]

Many thanks to the member for a thoughtful and important question.

[1]^ For more information, see Patron Confidentiality in School Libraries.

[2]^ I can’t imagine a district policy allowing this, but I have learned to never say never.

[3]^ For more, see Adult and Student Volunteers in School Libraries.

[4]^ Is standing up for privacy with doggerel poetry a sign of professionalism? I’ll leave that up to you.

School libraries operate as part of a public school.[1] In New York’s public schools, volunteers who will work in curricular operations (classes, library, gym, etc.) need to be vetted per school district policy. These days that usually involves a background check, but it will vary from district to district.[2]

The privacy of a student’s school library records (borrowing records, library computer searches) are confidential under several laws:

• The Family Educational Rights and Privacy Act (FERPA)
• New York State’s Civil Practice Law & Rules (CPLR) Section 4509
• New York State Education Law Section 2-d

The issue has also recently become more complicated as students use school-provided technology which is not configured to abide by the confidentiality of library records.[3]

When volunteering at a school library, a parent volunteer ideally will not have access to students’ library records (just like they shouldn’t have access to grades). Instead, they should help re-shelve books, read aloud, or help minimize chaos when there is a large group in the library.

If the parent volunteer needs to help with check-outs, a statement like the one the member suggests is fine. To make things even more direct (but also upbeat), another version could be:

Thank you for volunteering at our library! As a reminder:

• Student media selections are confidential by law;
• Past borrowing is confidential by law;
• Student questions when using the library are confidential;
• If you suspect a safety risk, immediately alert the librarian or another school employee.

We appreciate your service and your respect for our students’ privacy rights!

For student volunteers, the same guidance applies; students should primarily assist with re-shelving, cleaning, and other tasks that don’t expose them to private information.

However, for students who are believed to be trustworthy, here is a notice:

Thank you for volunteering at our library!

As a student volunteer, it is important for you to know that the materials you and your classmates borrow are confidential. Please do not reveal what has been borrowed by other students; that would be against the law and against school rules, and it could require us to take disciplinary action. If you want to learn more about the privacy of student library records, please ask.

We appreciate your help in the library!

I do have to say, this overall issue throws my lawyer brain for a loop. School library records are actually confidential under more laws than other academic records, and I think it would be odd to have a student inputting grades—or helping other students see a teacher’s gradebook—on a volunteer basis.[4]

So, to make frequent use of either parent or student volunteers to check out books, a school library should also have a relevant policy, such as:

School Library Volunteer Policy

Adult Volunteers

To involve parents and community members in the operations of the school library, the library makes use of adult volunteers.

Adult volunteers are evaluated and confirmed as follows [insert school policy on volunteers].

Adult library volunteers must demonstrate the ability to understand that school library records are confidential and must be trained in the law and ethics that require confidentiality of school library records.

Adult library volunteers are distinguished by a badge worn during their service.

Student Volunteers

To familiarize students with the ethics, laws, and policies governing school library services, and to involve students in the operations of the library, the school library makes use of student library volunteers.

Student library volunteers must demonstrate the ability to understand that school library records are confidential and must be trained in the law and ethics that require confidentiality of school library records.

Student library volunteers are designated by a badge worn during their service.

Whenever possible, such a policy should be reviewed by a school district’s lawyer.[5]

Thank you for an important question!

This question comes at us from a school district public library and supporting Board of Cooperative Educational Services ("BOCES").

One thing I knew very little[1] about when I started doing "Ask the Lawyer" was school district public library systems.  These are systems coordinated through a regional BOCES, creating a network of library resources, governed by their own section of the New York Education Law (and regulations, and Regents rules).

Over the years, the existence and importance of school district public library systems has grown more and more obvious to me--to the point where now, if you are so unfortunate to be trapped in an elevator with me, I might tell you all about them from ground level to the 32nd floor.[2]

One thing I would mention, around floor 15 or so, is that school district public libraries (and systems) have to balance privacy and data security obligations from a wide array of different state and federal laws.  I have written on this before (see "Ask the Lawyer #67, #80, and #143), and won't re-hash that here, except to say: everything in those past answers impacts this question.

With those prior columns as background, the answers to the member's three questions are:

For an Interlibrary Loan Electronic Transmission (whether printed out and included with the item(s) or sent via electronic means) in a K-12 setting, can a student's name (the one ultimately borrowing the item) be used in the "receipt" or notification slip?

Yes, if the library's policy requires it for the "proper operation" of the library (CPLR 4509), AND if the school can assure that only those who need to see it (for the benefit of the student) will see it (FERPA) or the student has signed a FERPA waiver, AND if all the required measures for data privacy are in place (ED2-d).

Should a student's School ID number be used? Can both be used at the same time?

Yes, if the library's policy requires it for the "proper operation" of the library (CPLR 4509), AND if the school can assure that only those who need to see it (for the benefit of the student) will see it (FERPA) or the student has signed a FERPA waiver, AND if all the required measures for data privacy are in place (ED2-d).

Is it taboo to have a student's name in ANY electronic transmission?

No, but school district and BOCES systems creating and transmitting such records should always be confident that the use of the student's name is in a document generated and transmitted per applicable policy.

This is tougher than it sounds, since schools now have so many electronic systems facilitating record-making and communication--a situation compounded by online learning during the pandemic.  Further, the decision to use those systems might be driven by function and cost, with only secondary attention being paid to privacy, as addressed in "Ask the Lawyer" #67, #80, and #143.

Since this question is rooted in interlibrary loan, I'll end with an example.

Below is a partial screenshot from the demo screen of OPALS, a popular ILS used by school district libraries (and other types of libraries, too).

As you'll see, OPALS enables the "viewing of all the borrowers in an attending class...."

There is nothing inherently wrong with this type of grouping of borrowers, so long as the district has addressed the various privacy obligations, and made sure the functionality and use of the system (in this example, OPALS) align with the school's approach and policies on privacy.

In other words, nothing should be left to chance.

So, with that, my ultimate answer--to all three questions-- is: any time a public school student's name is listed on a library record that leaves the bounds of the library (the "real" or virtual bounds), every unique way that happens (injury report, student discipline, interlibrary loan) should be covered by policy.

Now, let's consider how this issue looks "on the ground."  I poked around a bit, and while I found many interlibrary loan policies for school district library systems/BOCES in NY, I didn't find one that went so far into the weeds as setting terms for how/when to include borrower names on the routing slips (printed or electronic).

Chances are, that's usually more of a "standard operating procedure" thing, rather than something set by formal "policy."[3]

But with increasing interconnectivity between library other school systems, it might be worth formalizing in future interlibrary loan policies.  For instance, one sentence: "When effecting interlibrary loan, cooperating libraries shall mutually adhere to the other libraries' and systems' policies regarding borrower privacy"[4]  is a sample of how to add a quick reminder about this critical consideration.

Because as the member's questions indicate, we can never be too "in the weeds" on privacy.

Thank you for an important array of questions.

[1] Okay, actually, nothing.

[2] In this mythical trip up 32 floors, we are visiting Buffalo City Hall, which if you have never seen, is a must-visit location.

[3] New York is a big state!  I have no doubt there is a policy that does address this.  If your district has one, please send a link to info@losapllc.com and reference this RAQ.

[4] This is just sample language...no matter what you select, make sure your school district's attorney or BOCES system director reviews and approves any policy before it goes into effect!

New York school libraries[1] operate in a complex web of regulations governing student privacy.  Laws such as FERPA, CPLR 4509, and “ED 2-d” all restrict what can be done (and can’t be done) with library records related to students.

At “Ask the Lawyer,” we’ve spent a fair amount of time on FERPA[2] and CLPLR 4509[3], so if you need some background on those, check the footnotes for this sentence.

That said, I have never written an “Ask the Lawyer” on ED 2-d, the new law protects “personally identifiable information” (“PII”)” held by a school district.  I’ll weave the relevant parts of the law into this answer.

And I have never written about (or used) SORA.  Since SORA is at the heart of this question, here is a little background on that:

SORA is a service provided by Rakuten/Overdrive.  In its own words, it provides “Millions of ebooks and audiobooks for your students. Thousands of publishers. Comes loaded with hundreds of premium titles at no cost. Infinite reading possibilities on practically any device.”[4]  Participating school districts enable student access to SORA through their own log-in points (the mechanics of which vary from school to school).

How does the service work?  As one reviewer put it[5]: “SORA can be downloaded for free by all students and teachers. If their school or district is an OverDrive partner, they can then use SORA to access their school's digital collection and also connect with the local public library's digital collection.”[6]

And finally, it is worth noting that SORA has a very cute logo: a puffy-silver astronaut, soaring wide-eyed into an eye-relaxing sky of silver-blue.  The astronaut is a combination of a Pokémon, Sailor Moon, and Big Hero Six.[7]  He is ready to read, and all set to escort your students to a universe of reading, too!  The logo is so cute, I don’t know how the member could think this company could do any wrong.

But savvy librarians are not distracted by cute logos.  And in this case, our savvy librarian-member asks: is use of SORA by a district compliant with the privacy protections of New York State Education Law 2-d?

We’ll start this analysis with a term defined by the law: “third party contractor,” which ED 2-d defines as:

 … any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs.

If SORA (or another service), meets this definition, then the district/school using it must implement the requirements of Ed 2-d, which are in the regulations found here:

http://www.nysed.gov/common/nysed/files/programs/data-privacy-security/part-121.pdf

I would set the full requirements out in this answer, but they are lengthy, and the regulations are about as plainly worded as can be.

In addition, for a library at a specific school in New York, there is a more institution-specific way to find these requirements.  To comply with Ed 2-d, every school district must have their own “District Privacy Officer” (“DPO”)[8] and that DPO must ensure that their institution develops and publishes a document called the “Parents Bill of Rights for Data Privacy and Security.”[9]

The parents’ “Bill of Rights” must list the district/school’s obligations vis-à-vis third-party contractors, including precise requirements for the protection of student information accessed by a specific contractor.  In other words, for each “third party contractor” (like, potentially, SORA), a district/school must publish the unique “supplemental” contract terms they’ve created to ensure the service meets Ed 2-d requirements. 

Readers who want to see the Ed 2-d criteria of their own particular district or school should be able to find it by searching for that district’s “Bill of Rights.”[10]  For any district using Overdrive and/or SORA, the “Bill of Rights” will either contain supplemental terms applicable to SORA, or they will have determined that their use of SORA does not disclose any PII.

So here is the question at the heart of the member’s question: does use of SORA, as arranged by a district, disclose PII to Overdrive?  While each district needs to make that determination on its own, in my opinion, any third party contractor that students must log into using a school-issued ID, after which the student will access content that supplements their school library’s collection (and be able annotate and leave notes about[11]), has a high likelihood of collecting PII.   

But as I say, it will be up to the district’s DPO to make the call.  If that call is: “Heck, yeah, they’ll be getting PII,” the district will then need to follow the law and regulations[12] to ensure the use complies. This means verifying that the contract has the right Ed 2-d requirements, and supplementing its “Bill of Rights” by disclosing the precise requirements the contract imposes on the contractor.  But if that call is: “We checked it out, and nope, no PII heading out the door here,” then nothing further is needed (insofar as ED 2-d is concerned).

While it may seem like I am punting on this answer (“Go see your DPO!”[13]) I can say that the SORA Privacy Policy[14], as published on May 20, 2020, does contain the elements that are consistent with the requirements of ED 2-d.  As but one example, Overdrive has a process for correcting records, which provides:

If you are a teacher or administrator at an educational institution using the school Services, please email privacy@overdrive.com to request the review, correction, and/or removal of a student’s Personal Information, and we will facilitate your access to and correction of such Personal Information promptly upon your request.

The ability to “challenge the records” of a contractor is a requirement of Ed 2-d.[15]  This suggests to me that Overdrive knows SORA will be gathering protected information, and the service is ready to enter into contracts that give the required assurances.  But only a look at the school’s contract for SORA, and its precise definition of PII, can ensure that.

The bottom line?  No matter what the published “Privacy Policy” of SORA says, there is no way to fully confirm a school library’s use of SORA complies with Ed 2-d law and regulations until the district’s designated DPO[16]:

1) Assesses what information will be accessed by or transferred to Rakutan/Overdrive as a result of their district contracting for SORA;

2) Determines if that information is PII as defined by Ed 2-d[17];

3) If it is PII, ensures the contract complies with Ed2-d; and

4)  Takes the steps to publish the “Bill of Rights” supplement as required.[18]

In other words: in Ed 2-d compliance, there should be no guesswork.  By working with the school’s DPO, the guesswork should be entirely removed.

Thanks for a great question!

[1] Not to be confused with New York’s “school district public libraries,” which are chartered libraries operating separately from their associated district.

[2] Patron Confidentiality in School Libraries

[3] RAQs featuring CLPLR

[4] As boasted at https://company.overdrive.com/k-12-schools/discover-sora/.

[5] Found at https://thelearningcounsel.com/article/sora-helps-give-k-12-students-more-access-ebooks-audiobooks-and-school%E2%80%99s-digital-collection

[6] If you want to read some harsh, some glowing, and some occasionally amusing reviews, check out the SORA review content here: https://play.google.com/store/apps/details?id=com.overdrive.mobile.android.sora&hl=en_US  I particularly enjoyed the brief but scathing review by a person who thought the service was supposed to be a game.

[7] I am not one myself, but I have anime fans in the family.  It rubs off.

[8] Per Regulation 121.8(a), “Each educational agency shall designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law §2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency.”  That’s the “DPO.”

[9] No, that is not a typo in “parents.”  The law left out either possessive apostrophe (“parent’s” or, for the plural possessive “parents’”).  Grammar matters, NY Assembly…grammar matters.

[10] I tried this on several different districts/schools across the state; a few institutions that shall remain nameless seem to have flunked, but admittedly, I didn’t look much harder than a cursory google search—which worked for many of the other institutions searched.

[11] Yes, I watched the SORA demo and paid attention to the additional features, which includes highlighting content and typing in comments.  I guess it beats writing in a book, which, to my husband’s great chagrin, I have been known to do (only to my own books).

[12] Found here: http://www.nysed.gov/data-privacy-security

[13] This is also critical because the definition of PII may vary slightly from institution from institution.  This is because student PII is based on the definition of “education records” in FERPA, which does allow some variance in “directory information” and other nuances this footnote is too small to cover.

[14] As found on May 19, 2020, at: https://company.cdn.overdrive.com/policies/privacy-policy-for-children.htm

[15] Regulation 121.3(c)(4)

[16] Or designee, of course.

[17] “Personally Identifiable Information, as applied to student data, means personally identifiable information as defined in section 99.3 of Title 34 of the Code of 3 Federal Regulations implementing the Family Educational Rights and Privacy Act, 20 U.S.C 1232g, and as applied to teacher and principal data, means personally identifiable information as such term is defined in Education Law §3012-c (10).”

[18] I realize this answer may give DPO’s out there extra work.  I am afraid I can’t apologize, since vigilance about privacy is a beautiful thing.  And hey—job security!