Recently Asked Questions (RAQs)

We got a question from a school library...

I was wondering about student privacy when substitutes are in the library. When I started here, subs were able to use the circulation desk to check out material. However, since September we have had one substitute who is also a parent looking up their children’s accounts. We also had another issue with a different substitute looking up material to see what students were checking out. When I found this out it made me uncomfortable and I am no longer allowing subs to circulate materials. I have had some pushback from subs about the sudden limitations. I was thinking that the information would be along the same lines as an adult volunteer. However, I did not know if subs had more privileges to access student accounts because they are district employees. I would like something in writing to reference if admin ever asks.

According to the RAQ: Using Emails from ILS Patron Database: “Although a member library contributes information to an ILS, unless system bylaws or policies say otherwise, that information belongs to the system, who is just as ethically and legally bound to protect the information as a member library.”

However, there was a question during a session at NYLA regarding system ownership of library records that seemed to contradict this.

If the system owns the ILS and therefore the library records, wouldn’t that mean that policies pertaining to accessing/creating/modifying/deleting records for the ILS should be governed by system policies that are also approved by each member library board?

I’m specifically thinking of such policies as Confidentiality of Library Records / Inquiries from Law Enforcement - where if the system owns the records then wouldn’t both these policies just be a system one? Also with having consistency for Library Card Applications. A patron can go to one of our libraries and have to show many forms of identification - but the same patron could see us at an outreach event and not even have to show their ID to get a card.

[This question came to use in response to the RAQ Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?, where a footnote said “It is possible we are long past the end of the “open internet,” and more things need to be restricted, both for legal and operational reasons. Hopefully we’ll get a question about that soon, because I have a lot to say.”]

Can we talk about putting things behind a log-in to avoid misappropriation of content? I have pretty much taken this question from the 10/14/25 Ask The Lawyer’s “Does the Rise of AI Mean Public Libraries Should Stop Posting Policies to Ensure Security?” response. It strikes me as an important topic as I recently read the Library Journal September 2025 article “AI Bots Cause Slowdowns, Crashes” (on pages 12-13).

Recently a law firm from Albany sent us a memo claiming to represent the plaintiff in a civil suit and informing us of their intent to have a subpoena issued for access to our security footage on a particular day. The memo asked us to preserve the footage in question in expectation of the subpoena. They did not specify an area of the library or a time for the footage.

I would like to know what limitations and obligations we have in this civil matter with regard to patron privacy.

Hello,

We have had a huge increase in AI bots on our member library websites. My concern is that internal policies linked on member websites will be “learned” by AI and linked (cited) back to that member library. I’m concerned that members might have their Emergency Action Plan in their Personnel Policy Manual, and that financial controls could be used by ransomware hackers. We go by the following list to define internal and external policies: https://nyslibrary.libguides.com/Handbook-Library-Trustees/policy-checklist

Would it be a “good practice” to not post internal policies online? If there are a few internal policies that you feel should be posted online, would it be best to say online that you have the policy, but please contact the director (or library) for the file/print copy? That way, AI won’t be trained on the policy.

Thank you!