
Recently Asked Questions (RAQs)


The Legalities of Patron Data on a Shared ILS

According to the RAQ: Using Emails from ILS Patron Database: “Although a member library contributes information to an ILS, unless system bylaws or policies say otherwise, that information belongs to the system, who is just as ethically and legally bound to protect the information as a member library.”

However, there was a question during a session at NYLA regarding system ownership of library records that seemed to contradict this.

If the system owns the ILS and therefore the library records, wouldn’t that mean that policies pertaining to accessing/creating/modifying/deleting records for the ILS should be governed by system policies that are also approved by each member library board?

I’m specifically thinking of such policies as Confidentiality of Library Records / Inquiries from Law Enforcement - where if the system owns the records then wouldn’t both these policies just be a system one? Also with having consistency for Library Card Applications. A patron can go to one of our libraries and have to show many forms of identification - but the same patron could see us at an outreach event and not even have to show their ID to get a card.

Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?

Hello,

We have had a huge increase in AI bots on our member library websites. My concern is that internal policies linked on member websites will be “learned” by AI and linked (cited) back to that member library. I’m concerned that members might have their Emergency Action Plan in their Personnel Policy Manual, and that financial controls could be used by ransomware hackers. We go by the following list to define internal and external policies: https://nyslibrary.libguides.com/Handbook-Library-Trustees/policy-checklist

Would it be a “good practice” to not post internal policies online? If there are a few internal policies that you feel should be posted online, would it be best to say online that you have the policy, but please contact the director (or library) for the file/print copy? That way, AI won’t be trained on the policy.

Thank you!

Libraries, Fax Machines, and Data Security Obligations

Outside of best practices for staff handling of sensitive documents, are public libraries otherwise bound by HIPAA, FERPA and SOX when sending faxes for patrons, in terms of the privacy protections provided (or not) by the type of fax technology?

Our library currently uses a traditional standalone fax machine (staff mediated) to send and receive public faxes across a dedicated copper phone line, so there’s a direct connection between receiver and sender, maintaining privacy during transmission. Faxing remains a popular service here largely for that reason -- patrons are often told by the fax destination that documents must be sent via fax and not scanned to email.

We’ve been told that copper phone lines will soon be eliminated, so we’re investigating fax-to-email services, which are cheaper than our current method and can use our public copier as the faxing device. However, the Forbes article linked below says faxing by email does not offer privacy protections: “Virtual fax introduces an intermediary into the fax process; there’s no direct connection between the sending and receiving parties. This can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).” The article cites an encrypted kind of fax by IP, “T.38 Fax Lines,” which we suspect would not be cost effective for us.

Are libraries bound by HIPAA et al. in the type of faxing technology they can use?