Privacy

This is one of those questions that a thoughtful attorney, wishing to be thorough, could write a book about. However, "Ask the Lawyer" is not a book, so we'll see what I can do in about one thousand words!

To give some useful answers, and also stick within our word limit:

1.  If a library/employer needs to convene a meeting of employees and decides it will use videoconferencing tech to do so, and then states an expectation that all participating employees will turn their cameras on during the meeting, no law in New York bars such a requirement.

2.  If employees of a library/employer that requires, as a matter of policy, that participants in a video conference must turn their cameras on, decide to demand via a collective bargaining agreement, or through policy, that keeping a camera "off" should be an option for an employee, that could become a negotiated or policy-based term of employment.  But an employer could say "no" when this is asked/demanded (and then take the hit on employee morale and/or union relations).

3.  If a solitary employee of an employer who requires participants in a video conference to turn their cameras on decides being on-camera is unacceptable to them, and they request an exception to the rule, that is a reasonable request--but there is no obligation on the part of the employer to honor it (and in fact, special exceptions could cause issues...more on that in a bit).

4.  If an employee has a disability that prevents them from working effectively while on camera, that employee could request keeping the camera "off" as a disability accommodation, and the employer would have to consider the request per their disability accommodations policy (Based on the particular circumstances, this may or may not result in a decision to grant the requested accommodation).

5.  Now, with respect to the use of pictures: if an employer uses an employee's image--taken as either a photograph, a screenshot, or through any other means--for commercial purposes without the employees' permission, that could potentially be a violation of the law.  This is why employers who wish to use their employees' images in catalogs, advertising campaigns, and other publications as part of commercial operations should obtain written permission for such use.[1]

6.  Library/employers who wish to be proactive about protecting employee privacy, while also acknowledging that a library's workforce does often play a public role in their community, should use thoughtfully developed policies to find the balance between public relations and employee safety and privacy. A well thought-out and routinely re-evaluated use of a "Social Networking Policy," a "Media Relations Policy," and a "Branding and Promotions Policy"[2] can achieve this balance.

7.  And now, for some thoughts on how this all fits together.

[Clears throat, steps on soapbox]

There is no one right way to do any of the above-listed items, but because having a solid process that respects the privacy of employees is part of attracting, developing, and retaining a qualified and dedicated workforce--as well as promoting the operations of the library--it is important that a library/employer find the way that works for them.

On the employee side, for library employees who are concerned about their privacy, or about being compelled to turn a camera on, if at all possible, raising the issues gently with management prior to any type of crisis point is a good idea.[3] For libraries that are using name tags, or have specific policies related to employee safety/privacy, or use of cameras on site, any of those policies are good entry points for consideration of these issues.

Law aside, as a business owner, and as the participant in (now) more online meetings than I can count,[4] I have found that it is very important to set the norms for online meetings[5] so that employees know what the expectations are.

How is that done?  When convening a meeting, at least until a group knows what the norms are, it is good to give a few of the ground rules. For instance, a good set of opening ground rules could be:

 "Thanks everyone for gathering today. While we can't be together in person, it is good to be together for this important topic. For this meeting, cameras are optional, but we ask that if your camera is off, you use a picture of your face for ease of communication. This meeting is not being recorded, and we ask that you refrain from taking screenshots unless you ask first. If you have questions during the discussion, feel free to put them in the chat. Our note-taker today is [Person], and if you have items that you want to make sure end up in the notes, please put those in the chat as we meet. The notes for the meeting will go out by tomorrow."

Another example, very different but just as enforceable, would be:

Thanks everyone for gathering today.  While we can't be together in person, it is good to be together for this important topic. For this meeting, we do ask that you keep your camera on, so we are all using the same modes of communication. Also, so we have a good record of the information we'll review and the decisions we'll make, this meeting is being recorded. As a courtesy, please do not take a screenshot unless you ask first. If you need to make a comment, please raise your hand, and I as moderator will get you in the queue. We don't have a note-taker for today, so please make your own notes for any points to follow-up, or ask [Person] for the recording. As with all our meetings, the recording will be considered confidential and not for release to anyone who was not in attendance."

...and the combinations could go on.

By being thoughtful about the nuances of privacy and the norms for meetings, a library/employer can both set the tone for a graceful meeting, and also position themselves to proactively address any employee concerns about the chosen norm for meetings overall. This is particularly important if an employer is insisting that cameras be on at all times; while there may be compelling reasons for this type of rule, if a library/employer is relying on employees who are working from home, there may also be compelling reasons to give employees the option of attending with their camera "off"; a well thought-out and routinely expressed set of norms will help with compliance, will make sure exceptions to "camera-on" rules are not perceived by others as unfair, and will create space for feedback in case employees want to request that the rule or norm be changed.

Thank you very much to the member for a compelling set of questions that are very much of the times. As with all "Recently Asked Questions" posted on "Ask the Lawyer, we invite feedback on this one (sent to info@losapllc.com or through the "Ask the Lawyer" submission page).  This is an evolving topic, and I am sure many library council members out there have thoughts on this!

 

---

[1] For more on image rights, see the “Ask the Lawyer” here: https://wnylrc.org/raq/posting-patron-images-facebook-when-image-release-required.

[2] There is no one name for this type of policy...some libraries call it "marketing," while others resist that label as too commercial-sounding.  If it didn't sound so cute, I'd say call it the "Who We Are and What We're Doing" policy, since that is really what it's for.

[3] I appreciate that not all employees are in situations where they feel empowered to raise this type of concern--gently, or at all. 

[4] In 2022, who can't claim this breadth of experience?  That said, because of my work, I have met with now hundreds of clients via telecon, so have seen a wide array of how business conduct online meetings.

[5] This is important for in-person meetings, too...but the norms may be a bit different.

I appreciate the care behind this question: when yearbook information is being assembled, not many people are thinking about all the places the publication could potentially go.

Whenever I get a question related to a yearbook, the first thing I do is check my legal research service to see if there are any new yearbook cases[1] in the New York State or federal courts. It's a chance to check on the latest in a niche area of case law, as well as to make sure I am working from the most current information.

Every time I check with the list of cases, I am reminded that while most people bust them out every so often for nostalgia or period-specific hairstyle mockery, one of the most frequent uses of yearbooks in the legal world is the identification of potential criminal defendants.

That's right. There are numerous cases[2] that show that in addition to a police station photo-array and a classic lineup, trotting out the high school yearbook is another way for people to seek out suspects in criminal matters.[3]

All to illustrate the member's very real concern: yearbooks, which can be used to directly and indirectly convey so much information about students, do not remain in school and student hands, and are not used exclusively to travel down memory lane.  They can be given away, they can be sold, and they can end up in police stations...perhaps by route of the public library.

Does that mean the library shouldn't house them?  Not from where I sit, but I do think some reasonable precautions to guard against releasing information about minors could be taken.

Schools[4] who wish to take such precautions can do the following:

1.  Register the copyright of the yearbook to the school.

2.  Include a copyright notice and a "reservation of rights clause"[5] in the published hard copy version, barring duplication for any purpose whatsoever.[6]

3.  Remind (it would be largely ineffective to require) students to keep their copy safe at home[7];

4.  If requested, provide a copy to the public library with the condition that the copy will not be in circulation and certainly not be digitized until a year after the earliest class featured in the book has graduated (i.e., if the books' youngest students are in class of 2030, the book should not be in circulation until 2031);

5.  Ask if the book could always be in a "special collection" that does not leave the library and cannot be scanned[8] (either forever, or until a specific date);

6.  If advertisers or sponsors require a copy of the book, make sure the advertising contract limits their use of the book to things that don't risk the privacy of the students (no leaving the display copy at the bar in the restaurant who bought an ad).

In this day and age, it can seem almost quaint to worry about the risk that over-exposure of yearbooks poses to privacy. But as the member points out, the information that can be gleaned from a yearbook can reveal things about a student's identity, activities, and schedule. Further-although they can of course be forged--in a sea of mis-identified or ambiguous images on social media, a yearbook's status as a school district "official" publication means they are a little more authentic (and thus valuable).

For this reason, a little extra care in how yearbooks are published and distributed is well-warranted, and should be respected by anyone who has asked to take it.

Thank you for a thoughtful question!

****BONUS EXTRA***

Here is a sample yearbook "reservation of rights""

(c) [YEAR] [District Name]

This [insert year] yearbook is a collective work protected by copyright owned by the [insert school district].  Individual images and compositions may be owned by individual authors.  No part of the book may be reproduced in any medium whatsoever without permission of the District.  The names and likenesses of people featured in this publication are protected by the laws of the state of New York.  Inquiries for permission may be directed to [address].

As with all template language, this is just a starting place...review the final with your lawyer before using!

 

Suggested tags: Yearbook, copyright, school district, digitization, image use, privacy

---

[1] It's a very sophisticated legal search; I visit Lexis-Nexus, and type "yearbook" into the search bar for state and federal cases, and organize the results "newest to oldest."

[2]For example, see Wagner v. Hyra 518 F. Supp. 3d 613 (NDNY Feb. 10, 2021); Tytell v. AIW-2010 Wind Down Corp., 2019 N.Y. Misc. LEXIS 5412 (NY Oct. 19, 2019); Williams v. County of Suffolk, 2019 N.Y. Misc. LEXIS 5412 (NY Oct. 1, 2019). I would add that cases against genealogy sites like Ancestry.com and PeopleConnect.com are also often yearbook-driven; for an example, see Braundmeier v Ancestry.Com Operations Inc., 2022 US Dist LEXIS 212415 [ND Ill Nov. 23, 2022, No. 20 C 7390].

[3] I am not endorsing this practice, just noting that it exists.

[4] While it will depend on the circumstances, the school will be the owner of the copyright to the yearbook, even if professional photographers and other contributors retain the rights to their original contributions.

[5] This is really just language to warn people off from making non-fair use copies.

[6] Neither the copyright registration nor the notice will be a "magic bullet" that will stop a third party from using yearbook-gleaned information if they are determined to act creepy, but they can help reduce certain opportunities for creepiness.

[7] Maybe include a free ticket to the 80th class reunion, only redeemable if presented intact with the yearbook?

[8] Except to make adaptive copies per the ADA, of course (or to address damage as allowed by 17 U.S.C. 108).

 

This is a timely question, because New York's Committee on Open Government (the authority on all things FOIL), has recently stated[1] that not only do public libraries have to follow FOIL, but cooperative public library systems have to, as well. So, the answer will be useful for libraries and library systems[2] alike.

NOTE: For those of you who need a quick primer on FOIL to get the most of this question: FOIL is the state law requiring timely public access to public agency records (with exceptions). As you can imagine, complying with this obligation requires a clear understanding of what constitutes a "public agency" is, what a "record" is, and what any exceptions might be.

FOIL defines a public agency record as “any information kept, held, filed, produced or reproduced by, with or for an agency or the state legislature, in any physical form whatsoever…” FOIL §86(4).

There is the potential for financial costs for agencies that fail to make timely and compliant FOIL disclosures.[3]

Further guidance on FOIL is available at https://opengovernment.ny.gov/freedom-information-law.

Before we dive deeply into this question, aside from the above small primer on FOIL, it is necessary to consider what "social media" is, in the FOIL context.

When websites were first developed and published by local governments (and libraries), the phrase "social media" was not used to refer to them.

Since that time, government agency use of not only web sites, but more socially interactive utilities like Facebook and Twitter, has exploded. From public "state of emergency" announcements via Twitter, to town council meetings streamed live via Facebook, government use of social media is rampant.

Despite this explosion, the phrase "social media", as used today, is not legally defined. Most critically, the phrase "social media" is not found in the LGS-1[4], which in New York's comprehensive list of record "types" that are subject to mandatory retention.[5]

Among other things, this means there is no one catch-all obligation to retain (and thus have them around to have to disclose) records posted via social media. Which means that instead of focusing on the medium (social media) we have to focus on the message (the "type" of record the social media is being used to create and/or transmit).

While certainly not the exclusive "type", the LGS-1 category social media is mostly used to create and/or transmit is type #68: "Public Relations".

Here is how the LGS-1 categorizes public relation records and sets their retention periods:

Public Relations 68 CO2 11, MU1 11, ED1 11, MI1 11

Official copy of publication, including newsletter, press release, published report, calendar, bulletin, recording, homepage or other website file, educational or informational program material prepared by or for local government, and associated consent forms.

NOTE: Specific publications are listed in other places in this Schedule. Before using this item to determine the minimum legal retention for a publication, determine if that publication is covered by a more specific item.

a

Publications which contain significant information or substantial evidence of plans and directions for government activities, or publications where critical information is not contained in other publications: RETENTION: PERMANENT

b

Publications where critical information is also contained in other publications or reports, publications which document routine activities, publications which contain only routine information, or publications (such as webpages) that Local Government Schedule (LGS-1) General Administration 15 facilitate access to government information on the Internet: RETENTION: 0 after no longer needed

NOTE: Appraise these records for historical significance prior to disposition. Records with historical value should be retained permanently. Local governments should consider permanent retention of samples of publications covered by part "b" of the above item. Contact the State Archives for additional advice in this area.

What does this quote mean? Among other things, unless a library is using a social media publication to be the "official copy" of news, it does not have to retain the copy.

And if the copy of the social media post is not retained, it is not available to be disclosed per FOIL (although the official copy might).

So, with all that established, let's re-visit the member's questions:

For public libraries that must comply with Freedom of Information Law (FOIL), how does FOIL impact our organization's use of social media? What sort of social media records can be FOIL-ed and what are some best practices for using social media in regards to FOIL?

Considering that the LGS-1 confirms that libraries are not obligated to retain everything posted on social media, but FOIL requires that if the record exists and is subject to FOIL, the library must disclose it, I will boil the answers down to 4 very simple things:

1. The library should have a FOIL compliance policy.

Why?

This will ensure the library has the right system and designated personnel for receiving, evaluating, replying to, and considering appeals of FOIL requests.

For more information on putting a policy in place, see the "model rules for agencies" at https://opengovernment.ny.gov/freedom-information-law#model-rules-for-agencies.

2. Social media should never be the sole copy of a notice or publication put out by a library.

Why?

If it is, the social media content may be subject to a "permanent" or a defined period of retention, even though the library doesn't control the means of publication (thus creating more work to properly retain the copy). This means that when the record is requested under FOIL, the Library had better be able to provide it, even if the social media provider is no longer in business, or for some reason, the content is no longer in existence.

3. Every public library[6] should have a records retention policy that tracks its obligations as set forth in the LGS-1 and sets the retention periods and purge times for routine records.

Why?

First, it's the law.[7]

Second, using the LGS-1 forces your library to consider what "type" of records it is generating and what retention periods apply to them--including records generated on and/or being pushed out by social media.

Third, but just as critically, it will encourage your library to purge or formally archive records no longer actively needed, minimizing the content to be disclosed under FOIL.

Fourth, it will better position your library's FOIL officer to timely respond to requests.

And fifth (but of the most relevance to the questions) it will enable your library to determine what, if any, of its social media content must be retained and thus ready for disclosure under FOIL (hopefully not much).

4. Whenever possible, the library should use its own media for primary communications, only relying on social media for secondary "boosting" of content.

Why?

This will make sure the primary copy the library is obligated to retain (if the LGS-1 requires retention) is controlled by the Library, making it simpler to fulfill a FOIL request.

5. The Library should only use its own social media (not accounts belonging to employees) for creating library records.

Why?

Because if the library relies on social media owned by employees and doesn't take care to generate in-house primary copies of certain records, the content generated by the employee could be subject to FOIL (for an example of how that can happen, see the COOG commentary FOIL AO 19732, found at https://docsopengovernment.dos.ny.gov/coog/ftext/f19732.htm).

Still with me? Have I lost you in the morass of FOIL and LGS-1? Hang in there!

I realize this is getting rather complex. So here are some practical examples of social media messages a library might post, and how that post might play out under the lens of FOIL, LGS-1, and other factors.

Social media message	Places where message is published	Publication a record subject to FOIL?	Retention period of record(s)	Considerations
Twitter post: "We have a new director!" with a link to more information about the new director on the library website.	Library website   Library newsletter   Twitter	YES for all.	Twitter post: 0 after useful   Library website: 0 after useful Library Newsletter: Permanent	If only Twitter was used, the retention period of the announcement via Twitter would be 6 years.   Regardless of format, each version of the record is subject to FOIL.
Facebook post: "You can find the proposed 2023 budget here [link to library website]"; post also found in a link on an employee's page, as they discuss the budget process on their personal account.	Library Facebook page   Library website   Hard copy of proposed budget available from library circulation desk upon request   Copy of proposed budget posted with board materials per OML.	YES for all.	Twitter post: 0 after useful   Library website: 0 after useful   Library newsletter: Permanent   Library budget: Permanent   Board packet with budget information: Permanent	The budget and meeting materials must be retained per the LGS-1; all the records available to the Library are subject to FOIL, but there is no obligation to retain the Facebook post.   Meanwhile, as they are not an official publication by the library, the link and commentary by the library employee is not subject to FOIL or any retention requirement.
Library Instagram post: "Look at this blank wall and imagine seeing a smiling face next year! The Library is applying for a variance to enable a drive-up window for pick-ups and returns; a hearing before the Zoning Board will be held on DATE," with link to hearing notice and renovation plans.	Boosted notice and link to materials: Instagram   Copy of building plans and notification of Zoning Board of Appeals meeting, along with proof of publication and mailing to neighbors and community as required by local law.	YES for all.	Instagram post: 0 after useful   Building permit documentation: permanent.   Proof of mailing and publication: varies (see LGS-1).	When mailings and publication of public notice are set by law, a library should ensure the precise publication requirements are followed; social media can supplement awareness but cannot replace required means of notice and publication.
Tweet from the library: "After review as required by policy, the Library has determined that the book "Gender Queer" is properly included in the catalog."	Library Twitter account   "News" section of library website   Library also has a record of complete decision-making process	YES to all.	Tweet: Because it is not the only means of notification, only for so long as useful.   Announcement on web site: Because public relations record is redundant to case file, only for so long as useful.   Actual record of decision: 6 years, but per LGS-1, consider archiving for future reference after retention period has expired.	This is one to consider carefully.   If the library's Twitter is set up to encourage extensive discussion of the decision, the library should consider archiving the Twitter content, as it will be subject to FOIL and may be of archival value.   However, while the Twitter content may be subject to FOIL for so long as it exists, if not archived nor accessible, there is no obligation to save it, and thus no concern that it was not properly stored.
Doodle poll linked from library's Facebook post: "Should we add a children's story hour at 6PM on Saturdays?" Poll solely conducted on Doodle, announced only via Facebook.[8]	No other primary publication.	YES.	Retention period: because this arguably falls into LGS-1 category 603 ("Program and exhibit file documenting planning and implementation of programs"), 6 years.	When planning library events, a file containing the full record should be kept--including a screen shot or image copy of the social media process at the time it was used--so disclosure per FOIL can be affected without having to return to an old social media post or other third-party resource.
Not a message, but social media information requested per FOIL:   List of usernames blocked from the Library's Twitter account.	Let's consider 3 scenarios:   1) the library only maintains the list on its Twitter account;   2) the library maintains a list, drawn from its Twitter account, in a "social media management" file;   3) The library blocks usernames only if they do not follow the Library's Code of Conduct with respect to social media; the list is kept with other "Code of Conduct" records.	YES to all forms.	Retention period: as set by library policy, either specifically or using a catch-all period.	The documentation of a decision to bar a username (or names) from the library's Twitter will be subject to FOIL; however, what the record looks like will be determined by how the library reaches and then documents that decision.   If the Twitter account is active and the printout of the lists can be obtained, that can be subject to FOIL; but if another record provides the information, the printout from Twitter might not be needed to fulfill the request for information.

When considering the examples above, and the member's questions, the important take-aways are:

• Know what records the library has; and
• Have a good system for disclosing those records upon request (if they are subject to FOIL).

In each of these examples, it should be clear that reliance on third-party social media to house the sole copy of the FOIL-able record is not the optimal way to do business. On the flip side, no fancy software is needed to archive contemporaneous social media records; rather, libraries should be using their record retention policies to determine how their records are generated, and how they are managed to be ready for disclosure under FOIL.

With a little planning, this can be done economically and in a way that furthers the library's commitment to information access and transparency

Thank you for hanging in there with me on this one! May all your FOIL requests be clear, and all your social media be impactful.

Below are the retention periods set by the LGS-1, specifically for libraries.

591 CO2 340, MU1 304, ED1 165, MI1 254

Incorporation, chartering and registration records: RETENTION: PERMANENT

592 CO2 341, MU1 305, ED1 158, MI1 255

Accession records: RETENTION: 1 year after accessioning procedure becomes obsolete NOTE: Some libraries accession manuscripts, rare books and special collections, but not their general library holdings. In these cases, the accession records need to be retained only for the kinds of materials still accessioned.

593 CO2 342, ED1 166, MI1 256

Informational copies of records prepared by and received from public library system, including but not limited to directories, minutes, budgets and reports: RETENTION: 0 after superseded or obsolete

594 MU1 306

Directory of public library system and member libraries, prepared by public library system (member library's copy): RETENTION: 0 after superseded or obsolete

595 Library card application records: RETENTION: 3 years after card expires or is inactive

596 CO2 343, MU1 307, ED1 159, MI1 257

Borrowing or loaning records: RETENTION: 0 after no longer needed

597

Interlibrary loan records, including requests to borrow or copy materials from other libraries, receipts for materials, copy logs, accounting records, and circulation records

a When no copies of original materials are requested: Local Government Schedule (LGS-1) Library/Library System RETENTION: 0 after no longer needed

b When copies of original materials are requested: RETENTION: 5 years after order is completed

598 CO2 344, MU1 308, ED1 160, MI1 258

Catalog of holdings

a Manuscript or published catalog: RETENTION: PERMANENT

b Continuously updated catalog: RETENTION: 0 after superseded or obsolete

599 CO2 345, MU1 309, ED1 161, MI1 259

Individual title purchase requisition which has been filled or found to be unfillable: RETENTION: 1 year

600 CO2 346, MU1 310, ED1 162, MI1 260

Records documenting selection of books and other library materials: RETENTION: 0 after no longer needed

601 CO2 347, MU1 311, ED1 163, MI1 261

Library material censorship and complaint records, including evaluations by staff, patrons' complaints and record of final decision: RETENTION: 6 years after last entry NOTE: Appraise these records for historical significance prior to disposition. Some library censorship records deal with serious constitutional issues and may have value for future research.

602 CO2 348, MU1 312, ED1 164, MI1 262

Patron's registration for use of rare, valuable or restricted non-circulating materials: RETENTION: 6 years

603

Program and exhibit file documenting planning and implementation of programs, services and exhibits sponsored or co-sponsored by the library, including but not limited to photographs, sketches, worksheets, publicity, brochures, exhibit catalogs, inventory lists, loan agreements, correspondence, attendance sheets or registration forms, and parental consent forms:

a Parental consent records: RETENTION: 6 years, or 3 years after child attains age 18, whichever is longer

NOTE: Photo release records are covered under item no. 68 in General Administration section. Local Government Schedule (LGS-1) Library/Library System 156 b Attendance sheets and registration forms, when no fee is charged: RETENTION: 0 after no longer needed c All other records: RETENTION: 6 years after exhibit closed or program ended NOTE: Appraise these records for historical significance or value for collections documentation prior to disposition. Some of these records may have continuing value for historical or other research and should be retained permanently. Contact the State Archives for additional advice.

---

[1] See the advisory opinion at https://docsopengovernment.dos.ny.gov/coog/ftext/f19797.html.

[2] I am a fan of transparency, but not necessarily this new position by the COOG. But now is not the time to discuss that!

[3] From FOIL Section 89 4 (c) "The court in such a proceeding: (i) may assess, against such agency involved, reasonable attorney's fees and other litigation costs reasonably incurred by such person in any case under the provisions of this section in which such person has substantially prevailed...."

[4] As of January 2023. LSG-1 can be found here: http://www.archives.nysed.gov/records/local-government-record-schedule/lgs-1-title-page

[5] The LGS-1 does not create obligations under FOIL. That said, because it defines "types" of records, and sets their retention periods (after which they can be discarded, and thus, incapable of being disclosed), it is a handy way to think about handling "types" of records subject to FOIL.

[6] In this case, this means all but association libraries. That said, all not-for-profits should have a record retention policy, and for an association library, tracking the retention terms in the LGS-1 is not a bad place to start.

[7] http://www.archives.nysed.gov/records/laws-local-government-records-law-57a

[8] I know this is not a preferred method of decision-making for libraries (for one of many reasons, it is not optimally accessible), I am just including it as an extreme example.

 

There is no one right answer to this question, but there is a formula for any library to come up with its own, unique answer.

Here is the formula:

[Situation] x [Ethics + Law] / [POLICY/Precedent] = YES or NO

Let me break this approach down.  And trust me, I will give a clear reply to the member's question at the end of all this.

The formula starts with the situation.  In the scenario we have here:

"Local police walked through our Library earlier today with no explanation. Later on, we noticed 2 teens on premises, who we assume should have been in school. We thought the police may have been looking for them as truants, but that is not confirmed."

There is a lot that can be said about this description, but one important aspect of it is the library's care to not reach a conclusion about why the teens were at the library instead of school (while the member describes an "assumption," there is no action on that assumption).  And as noted, law enforcement was not called; rather they "walked through...with no explanation."

This situation is then multiplied by the combined factor of ethics and law.  Both the ALA and NYLA Codes of ethics emphasize patron confidentiality.  Meanwhile, New York's Civil Practice Law and Rules ("CPLR") Section 4509,[1] the state law requiring a subpoena or judicial order before a user's library records can be shared without that patron's consent, does not define "library records" other than to state that they include "personally identifying details."  This is why whatever the situation, ethics, and law are, the answer must be assessed under a library's policy governing patron records (while considering past applications of the policy, to ensure consistent application).

It is at this last factor--policy--where things can get complicated.  With the advent of (sorta) new technologies, the definition of "library records" is not just internet searches and checked-out materials.  It could be what a person printed on a 3D printer, or their image on a surveillance camera, or their use of library wi-fi.  None of these things, right now, are listed in CPLR 4509, but many library professionals would consider them to be library records.

The trick is making sure that when a library takes a position about library records (especially with regard to records that, at first glance, are not about library services, but more about security), it is supported by their policy.

Okay, I know I promised a "clear answer".  So let's re-state the question: "if the police were to ask if we saw the teens, are we able to answer or is that considered a violation of patron privacy as it is with patron information and records?"

Based on a fictitious library consulting a fictitious lawyer, here is one possible answer:

To the ABC Library:

You have requested legal advice regarding whether a library may provide a substantive answer in response to law enforcement enquiring about the presence of a patron in the library.

Your concern is that such a disclosure, based on the visual observations of library employees rather than written/recorded records, could still be considered a violation of patron privacy.  You confirmed that at the time of the inquiry, the library had no operational need to release any such information.

I have reviewed the library's policy on patron confidentiality, and based on the below clause, I advise to not release such information unless there is a subpoena or judicial order:

"Consistent with the ALA and NYLA Codes of Ethics, the ABC library considers any record or information that indicates an individual's use of library services and/or facilities to be a library record under CPLR 4509, unless specifically excluded[2] by this policy."

Therefore, I advise not providing such information without a subpoena or judicial order, unless the requestor accurately points out that a specific law requires it.

Thank you for trusting me with this question.

Very truly yours,

A. Hypothetical Lawyer, Esq.

Of course, as the "formula" at the start of this answer points out, the "situation" may vary from time to time.   And CPLR 4509 does leave room for mandatory disclosure "when otherwise required by statute." [3] Those are the times when a library may want to consult a local attorney to obtain quick advice in the moment.

Since this formulaic balancing of facts, ethics, legal obligations, and policy can be difficult to keep in mind,[4] it may be helpful to summarize it to library trustees, employees, and volunteers this way: “A patron's use of the library and our services are confidential.  If anyone asks about a patron using or being at the library, our standard reply is 'Since patron information is confidential, I need to refer you to [the Director].’”[5]

Thanks for a very thought-provoking question.

---

[1] As of November 12, 2021, here is the text of CPLR 4509: "Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute."

[2] What are examples of things to exclude?  If a library is in shared space with a shared security surveillance system, that should be excluded (unless the library has confirmed via written contract that the footage of the library will only be reviewed per the policy).  If the library has a snack bar or gift shop and wants to monitor the point of sale for theft, that could be excluded.  Security footage of a community room used by third-party groups (not individuals) under a space rental agreement is another possible example. 

[3] Such as FERPA. For more on this, see the “Ask the Lawyer” posted here: Patron Confidentiality in School Libraries

[4] Even lawyers need to look this stuff up sometimes.  Just like I don't have some of the finer points of the Domestic Relations Law at my fingertips, not all lawyers can recite the requirements of CPLR 4509.

[5] Or designated positions with regular training and/or adequate experience to appreciate the fine points of the library's policy.

Questions that combine higher education, data access, and "terms of use" enforcement always give me a moment of sad reflection, as I remember Internet pioneer and activist Aaron Schwartz. It was an alleged overuse of an academic database at MIT in 2012 that lead up to his demise.[1]

While the circumstances in the Schwartz tragedy are different from the situation described here, both scenarios--and the care the member has taken in framing this question--illustrate the importance of considering what's at stake when an institution balances contract compliance, digital access, and privacy.

What's "at stake" here? The member's question combines concerns about:

• Confidential use of library resources
• Academic freedom
• Intellectual freedom
• Honoring the exclusion of certain academic and library actions from liability for copyright infringement
• FERPA

Let's do a quick run-down of these critical areas:

In New York, the confidentiality of library services is protected by Civil Practice Law & Rules ("CPLR") section 4509, which states that library records indicative of the identity of a library user may only be accessed with that user's permission, or per a subpoena or court order. CPLR 4509 applies to private libraries within academic institutions as much as it does public libraries or those within school districts. It works hand-in-glove with the American Library Association's and New York Library Association's recitals of patron confidentiality in their Codes of Ethics.

In New York, the commitment of a higher education institution to academic freedom is reflected in various ways. An example is the American Association of University Professors' 1940 "Statement on the Principles of Academic Freedom"[2]: "Teachers are entitled to full freedom in research..."

In New York and throughout the nation, the commitment of libraries to collaborate with others to promote intellectual freedom and access to information is reflected the ALA Library Bill of Rights: "Libraries should cooperate with all persons and groups concerned with resisting abridgment of free expression and free access to ideas."

In New York and throughout the nation, certain academic and library actions that would otherwise violate copyright are excluded from liability for infringement. This exclusion is to ensure there is a clear and well-defined legal safety net for content accessed in furtherance of certain intellectual and academic freedoms.

And throughout the USA, the privacy of education records, including library records, is assured under the Family Education Rights Privacy Act" (FERPA).

Serving as a counterweight to all of these critical factors are an educational institution's obligations under federal law and regulation with regard to alleged copyright infringement, particularly the regulations found in 34 CFR §668. If I were to delve into that and describe all of those obligations here, this answer would be 50 times longer, but a good summary of what compliance in that regard looks like can be found in this sample policy from RIT: https://www.rit.edu/its/rit-response-copyright-infringement.  In short:  since 2008, federal law requires higher education institutions receiving federal financial aid and other federal benefits to be express enforcers and re-enforcers of copyright.[3]

Sitting astride of all of this is whatever notification commitments (and other responses)  a college or university library agreed to when it signed the license agreement with the database provider (I have reviewed many of these types of license agreements, and almost all of them have some form of notification action requirement, which can range from a warning as described by the member, to ensuring the immediate cutoff of access by an offender).  This means that in addition to the ethical, legal, and regulatory factors that have to be balanced in a question like this, we also have to consider obligations that are contractual.[4]

With all of these very important considerations now laid before us, let's review what the member is doing:  1) getting a notification of a possible terms violation from the provider, and then 2) using a firewalled[5] process to identify the user and alert them of the alleged violation, and then 3) assuring the vendor they have addressed the issue.  As asked by the member:  Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?

Here is my short answer: since the method of response described by the member shows there is a big firewall between the vendor and the institution (meaning: the outside party never learns the actual identity of the alleged violator), I believe so.  BUT: the only real way to ensure privacy is protected as it should be is to confirm that the information flowing between the library and the IT Department never goes any further...within the institution.

What do I mean by that? The information should never go to campus safety or security. Unless it is per a very clearly articulated procedure developed for the operational needs of the library, it should never go to the office responsible for student discipline. And it should certainly never go to an employer on campus, a faculty member, or an advisor.[6]

This caution is warranted because, although a library within a higher educational institution is not a separate business entity the way a chartered public library is an entity separate from the town or city that sponsors it, for purposes of an academic library's adherence to privacy ethics and laws, it should be considered a stand-alone entity. Information can flow into it, but information should not flow out, even to other departments, unless the flow serves the operational needs of the library, and verifiably goes no further.

This 'one-way flow" for user-associated academic library records is an easy goal to articulate, but in practice, it can be very difficult to assure. As systems within large and small institutions get more integrated in the interests of security and economy, so too is it more difficult to separate one type of information from another. However, when it comes to privacy and library confidentiality, because of the high stakes involving intellectual freedom, academic freedom, and student privacy, extra care and attention is warranted.

The care of the member in submitting this question and describing the careful process they are using is emblematic of the type of care that should be used at all times when safeguarding user confidentiality and privacy at a higher education academic library.

Thank you very much to the member for submitting such a careful question.

RIP, Aaron Schwartz.

---

[1] I say "led up to" rather than "led to" because while many believe the latter, the facts of the case clearly establish the former.

[2] Found as of November 14, 2021, here: https://www.aaup.org/report/1940-statement-principles-academic-freedom-and-tenure.

[3] I won't mince my words about that requirement: I don't like it. But I am not a member of Congress.

[4] And voluntary. This is why it is very important to read database licenses and to PUSH BACK on clauses that require draconian responses to alleged violations.

[5] By "firewalled," I mean that the vendor never knows the name or other identifying information of the alleged violator.

[6] Unless the student has signed a waiver. Then it can go to whoever has permission.

[NOTE: for background to this short answer, please see the much longer "Ask the Lawyer" Background checks and fingerprinting for new employees, that addresses the tightrope walk/legal minefields of employee background checks.]

So, does a school district public library[1] implementing a background check for new employees have to also check their current ones?

The answer is: no; barring an over-ruling requirement (such as a term in a union contract) a library board can implement a background check policy for all hires going forward, without imposing a "retroactive check" requirement for current employees. 

However, I would never advise that approach.  Here are three reasons why:

1.  Possible discrimination

A policy to only check the backgrounds of "new" employees could have a disproportionate impact on candidates on the basis of age, or gender, or race (to name a few).  By not checking everyone, an employer risks the appearance of (or actual occurrence of) illegal discrimination.

2.  Possible liability

Employee background check policies are implemented to reduce risk.  If an employer is using employee background checks to reduce risk, there should be a very good reason for not checking all employees (such as a union contract that bars it[2]), or the employer risks a claim of negligence.

3.  Worker relations

A work environment should be a place of high trust.  By subjecting one class of employees ("new" employees) to heightened scrutiny, in addition to the possible concern mentioned above in "1," it creates an unbalanced environment for trust.  This is bad for morale.

I appreciate that background checks can come with a cost, so minimizing their frequency is helpful.  I encourage any library implementing such a policy to check with their "Directors & Officers Insurance" carrier, since sometimes, carriers offer resources to defray and even pick up the costs of the check.

 

Thank you for a thoughtful question.

---

[1] Of course, if a school district public library is in a school (not a common scenario; school district public libraries are largely autonomous and separate from school district property), and if the librarians are on the payroll of the district, then they are already being background checked and fingerprinted, per the chart here: http://www.nysed.gov/educator-integrity/who-must-be-fingerprinted-charts.  Of course, this question pre-supposes that the board is setting the hiring policy, which means the library is autonomous.

[2] Just to be clear, a contractual obligation to not conduct criminal background checks should never be in a collective bargaining agreement!  However, some reasonable restrictions on the scope of such a check would be consistent with NY law and policy.

When it comes to the legal considerations of employee name tags, there are quite a few "do's" and just as many "don’ts."  I'll set them out below, with the legal rationale behind the guidance.

DO pick a legible font.

Accessibility matters.  Consult an ADA guide and pick a font that is easy to read.

For this reason, employee name-tags should not be hand-written.

DON'T require employees to wear name tags without a "Name Tag Policy".

As we'll see, some of the details of name tag use can get tricky.  A well-thought-out, board-adopted policy is the best way to ensure the policy covers all the required bases and is enforceable.

DO have a good reason to adopt the policy.

A name tag policy should not stand alone; it should be part of an overall approach to patron service.

DON'T adopt a “Name Tag Policy” solely because of the request of one patron.

Of course, a patron request could kick off a board's consideration of adopting such a policy, but again, employee name tags should be part of the overall approach to library operations.

DO memorialize the reason for the policy in the board minutes.

For example: "WHEREAS the board has found that easily identifying library employees by their first name or nickname promotes a positive experience for patrons, visitors, and vendors, and enhances initiatives to promote confidentiality and security...."[1]

DON'T demand that employees put their full name on the name tag.

This has to do with safety and privacy.  Most definitely, a board can determine that name tags may be part of the patron experience, and request that employees wear a badge that includes their name.  However, unless the policy sets out a reason why a full name is needed, full disclosure should not be required.[2]  Further, if an employee wants to use a nickname,[3] to further avoid identification outside of the workplace, that option should be considered.

DO consider that the format for the name tag include an employee's pronouns

This is just a nice thing to do, but is also a good way to document a practice of honoring the identity of employees in a way that is consistent with state and federal civil rights laws.

DON'T pass such a policy without thinking about your union (if there is one)

If there's a union, before you pass such a policy, get some legal input on the contract.  And even if there isn't a union, think about the requirement from the perspective of the employee experience.

DO require volunteers to wear name tags, if employees in similar situations are so required.

This goes back to documenting the reason for the name tag policy.  If the practice is that every employee working in patron-facing areas wears a name tag, patron-facing volunteers should, too.

---

[1] This is just an example.  There are many other reasons that a board may base its decision on.  The point is that the reasons should be genuine, and be documented.

[2] This one pains me because I tend to be a stickler for formality; upon first meeting someone, I would rather they call me "Ms. Adams" rather than "Stephanie" (which only strangers and my mother call me, since my nickname is "Cole").  So, if there is a library out there that wants to go formal "Ms. Adams/Mr. Adams/RP Adams," that's fine, too.  The point is: full names should only be displayed if it is determined they are necessary.

[3] Nicknames are okay, but DON'T let them detract from the professionalism of the workplace.  In one sexual harassment case, the manager of a bar used the nickname "Big Daddy" on his name tag.  It was found that this (and other actions of debatable taste) were not a legal violation, but as the judge dismissed the case, he commented that the behavior was "obnoxious and puerile" (see Urban v Capital Fitness, 2010 [EDNY Nov. 23, 2010, No. CV08-3858(WDW)]).  But of course, this was found to not be a violation in a bar, not a library.  And remember, things have changed a lot since 2010.

At first glance, this question seems simple: what are the possible legal risks to a librarian helping a patron fill out a legal document?

But within this question lies another, slightly more complex issue: when does good customer service become an accommodation for a disability?

This "slightly more complex" consideration is brought up by this part of the member's scenario:  "We had a patron come in this past week who said that he couldn't see well...", potentially meaning: the patron could not access the library services (use of the computer and internet) without assistance, because of a disability.

Of course, not every visual limit is a bona fide disability (I have to take off my glasses to read these days, but that does not entitle me, by law, to an accommodation under the ADA).  However, a patron requesting help to access a library service due to "low vision" (meaning that patron cannot view the screen even with corrective lenses), is potentially requesting an accommodation.

This is because "low vision" can be "a physical or mental impairment that substantially limits one or more major life activities," (which is the ADA's definition of a disability).

For patrons with "low vision," an ADA accommodation can take many forms aside from a human-powered solution, including:

• Ensuring computers have increased operating system font size with large-size computer monitors
• Screen magnification software
• Locator dots and/or large print keyboard labels for keyboard navigation
• External computer screen magnifier[1]

What accommodations a library chooses to offer to someone needing an accommodation to access library services will vary based on that library's size, type, served population, and (of course) budget. [2]  For some libraries, the "human solution" will be the only one available...which creates dilemmas like the one shown in the member's question.

Okay, let's press "pause" on the ADA aspect (we'll come back to it) and return to the original, simple question: what are the possible legal risks of a librarian helping a patron fill out a legal document?

The risks, of course, are that if the patron is accused of fraud, identity theft, or any other illegal activity based on the form's contents, it could lead to complications for the library (and thus, potentially, the employee).

Of course, most types of crimes based on fraud, false personation, and identity theft turn on the awareness and intent of the involved parties. Basically--and this is a big paraphrase--so long as a person can show they had no awareness or intent to help with a crime, they will have a defense against such an accusation...especially if they are performing the action as part of a duty in their job description.

But how can a library avoid such accusations against its employees in the first place?  This is where we take the ADA aspect off "pause," and consider how a library's policies can set firm boundaries for good customer service, while also facilitating accommodations for disability.

How is that done? Many libraries already have a version of this approach, but here's my plain-language version of a policy:

Library employees are here to help patrons use library resources, but librarians and library staff may not interpret, provide guidance, or fill in forms for patrons.

Patrons who need assistance filling in a form or completing a document due to uncertainty about the content are welcome to ask librarians for help locating the instructions or contact information for assistance.

Patrons who need assistance filling in a form or completing a document on the library's computer or other resource as an accommodation for a disability, please alert the Director or [insert alternate, accessible means], so the Library may act on the request per the library's ADA policy.

So, to be clear, my answer to the member's overall question is: to avoid doubt, librarians should never help patrons fill out the answers on legal forms if the help is just part of good customer service.[3]   HOWEVER, librarians absolutely can read the content and type substantive answers on a patron's legal forms if the library decides (and documents) that it is providing the assistance as part of a reasonable accommodation for a disability.

When considering employee-powered assistance as a form of accommodation, part of evaluating the request must be consideration of how it can be fulfilled ethically.  For instance, a person providing an ADA accommodation as an ASL Interpreter must follow the Registry of Interpreters' Code of Ethics[4] (or other professional association).  A person providing an ADA accommodation as a "reader" for a person who is blind or has low vision should not offer guidance or commentary on the content--their role is limited to reading, and perhaps typing, based on verbal prompts from the accommodated party.[5]  A person typing because the library's only keyboard is inaccessible to the patron and the library has no dictation software should similarly only type as an accommodation, and not offer comment or guidance. [6]

Some libraries, looking at the range and requirements for certain types of human-powered accommodations, may decide they do not have the staff capacity to provide such resources.  Others will say (and support by well-developed policy): sure, we can do that, here's how.[7]

The important thing, no matter what the decision is, is to keep a record as to why a library employee (or contractor) would assist a patron with filling out and/or submitting a confidential or legal document.  Since the only reason should be as an accommodation, that reason should be documented in either the policy (for instance, if the library has a standard service) or as an ad hoc request.

Thank you for a very compassionate and thoughtful question.

---

[1] Many thanks as always to the "AskJAN.org" web site, which lists common disabilities and their accommodations, including the definition and accommodations for "low vision," found here as of June 28,2021: https://askjan.org/disabilities/Low-Vision.cfm.

[2] "Ask the Lawyer" has addressed the various types of libraries’ obligations under the ADA in other answers, such as ADA Compliance When Screening Movies and Oral history transcriptions and the ADA.

[3] Assistance printing, formatting, duplicating, locating a hyperlink, and in general using library technology in furtherance of completing the form is okay.

[4] Found at https://rid.org/ethics/code-of-professional-conduct/.  Are there any libraries with in-house ASL interpreters?  That would be cool.

[5] The National Foundation for the Blind has a helpful article on this here: https://nfb.org//sites/default/files/images/nfb/publications/fr/fr35/1/fr350105.htm.

[6] This is why consideration of ADA access is so critical in procurement of library resources.   As you will see on most ADA-resource sites (like AskJAN.org), most accommodations these days are powered by technology.  Although some still rely on human action (for instance, reading aloud), most do not.  A library that factors these needs into procurement decisions (buying larger screens, or adaptable keyboards) will not only model a practical commitment to ensuring access, but will reduce the need for employees to be the mode of accommodation--lowering the risk of viewing and contributing to the completion and submission of confidential/legal documents.

[7] An example of the types of accommodations offered on the "larger budget" end of things can be seen at NYPL: https://www.nypl.org/accessibility.

This question tugged at my heart, because lawyers face issues like this, too.[1]

Maintaining confidentiality while addressing concerns that a person is being victimized creates terrible tension.  The need to maintain a trusting relationship, governed by professional ethics, makes the tension all the more acute.

It is those professional ethics, however, that will carry the day.

What is the basis of a librarian's obligation of confidentiality?  Confidentiality of library records is, of course, protected by state law,[2] but it starts in item "III" in the ALA Code of Ethics[3]:

III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

But this issue also related to item "I" from that Code:

I. We provide the highest level of service to all library users through appropriate and usefully organized resources; equitable service policies; equitable access; and accurate, unbiased, and courteous responses to all requests.  [emphasis added]

So, here we are: iron-clad confidentiality, coupled with "unbiased" responses to all service requests.  From within those ethical boundaries, the member has asked:

• If there is an obligation to protect a patron from a suspected scam;
• How they can help even if there is not an obligation; and
• Could the situation lead to liability for the library?

There are information management professionals far more qualified than I to discuss the professional nuances of these questions.  But from the legal perspective, and to address the legal questions about obligations, protection, and liability, here are my answers.

Question 1

What responsibility do library staff have to inform a patron if we think they may be in the process of communicating with and sending documents to a scammer?

Answer 1

There is no legal duty to inform a patron of this suspicion.  Further, I see nothing in the ALA Codes of Ethics that makes it an ethical duty of the profession. 

Question 2

How do we protect our patrons from scams/fraud while also respecting their privacy?

Answer 2

We have reviewed that there is no legal or ethical obligation to "protect" a patron in these circumstances, and there can even be concerns related to trust, confidentiality, and perceived bias that mean a librarian should keep their suspicions to themselves.

However, neither the requirement to be confidential, nor the obligation to provide services without bias, stop a librarian from doing what they do best: sharing information.  And nothing stops a library from pre-assembling a compilation of available resources the library can use to empower a patron to assess if they are being scammed.

Here is a scenario showing how such a "compilation" could be used:

PATRON: I need to print an email.

LIBRARIAN:  Sure, the computer in over here.  Let me know if you need instructions on how to print. 

PATRON:  Can you also help me find the email?  It has instructions to wire money.  It's from my grandson, Michael.  Normally I would ask his mother to help me but this is a real emergency and I can't tell her what's happening, it would just kill her.

LIBRARIAN: I am happy to help; there, it's printing. [pauses] You know, this request reminds me of something I read/heard about.  Do you want to know about it?

PATRON:  Sure.[4]

LIBRARIAN [searches for "bail the grandchild" scam]:  Here it is.[5]  [Retrieves list of information.] And here is a resource about who to call when there is a concern about the type of thing on this website. [Hands patron list of resources]

[end scene]

Here is a template for this type of "list of resources":

"Trust but Verify" A guide to checking the legitimacy of requests and correspondence. Compiled by the [insert name of library].
Have you been told you suddenly owe money?	a) YES  b) NO
Has there been a request for account or personal information from a new or unusual source?	a) YES  b) NO
Has someone told you a family member is in danger?	a) YES  b) NO
Is someone pressuring you to make a quick decision about money?	a) YES  b) NO
Does something about outreach to you just not feel right?  Or does it seem "too good to be true"?	a) YES  ​​​​​​​b) NO
These days, scammers can pretend to be from the IRS, Social Security, or even your religious organization or family. There are resources to help you let the good guys in, while keeping the bad guys out.  Here in [library location by county or municipality], the following resources can help you make the right call: [Insert any local volunteer lawyer projects] [Insert local bar association referral service] [Insert any county or municipal resource] [Insert other local resource] [suggested link: Better Business Bureau (https://www.bbb.org/us/ny/buffalo)--which "Scam Tracker" search, or similar]
Free for anyone 55 or older, there is also: https://elderjusticeny.org/resources/senior-legal-advice-helpline 1-844-481-0973 HELPLINE@ELDERJUSTICENY.ORG Your banker, lawyer, or accountant will also be able to help you confirm the source of requests for wire transfers and other financial transactions. ...Or you can ask a librarian to help you find a resource suited to a particular document or situation.  We can't tell you what's legit, but we can help you find the people who can. Don't feel bad asking, even data security specialists have to "Trust, but Verify" these days!

A simple offer of information, and a plain-language resource like this can be a handy way to raise concerns without having to tell someone "You're being scammed." 

At the end of the day, not all patrons will be receptive to this offer of information, and not all patrons will believe they are being scammed--even if their story matches a scam-scenario. 

But no matter what the patron's reaction, by taking this approach, the librarian will have done the only thing the librarian is ethically obligated to do in this type of situation: provided unbiased services, and granted access to information, while maintaining the confidentiality of same.

Question 3

How liable is the library/library staff if a patron is scammed after library staff use library resources to send documents/information that played into the scam, even at the patron's request?

Answer 3

If the librarian suspects that the scenario could be an illicit scam, but doesn't know this is phishing, social engineering, or another type of activity that can lead to fraud, there is no responsibility for what happens next (unless the library has adopted an internal policy[6] stating otherwise, in which case there could be some employer-imposed consequences).

On the other hand, if the librarian somehow knows that the scenario is an illicit scam, and actively helps with the commission of what they know to be a crime, then yes, there could be liability.  But once such a scam is known, not merely suspected, this becomes a whole other question.[7]

A few more comments

Another aspect I want to address is if the librarian is concerned not that the person is being duped, but that they don't have the mental capacity to comprehend and/or remember they are being duped. 

People with Alzheimer's and other conditions impacting cognitive ability may rely heavily on an established routine of visiting their local library.  Further, people with that impairment still may be able to function independently for most aspects of their day. However, a librarian detecting a possible scam could be on the front line of a legitimate concern that they don't have the function to assess the situation.

There are too many permutations of this situation for me to give general guidance, except to say: if there is a concern that a person can be vulnerable to harm due to a medical condition or disability, but their condition is not so extreme that there is clearly a justification to call medical services, call an expert.

If the person is over 55, the Center for Elder Law and Justice is a great resource; they address these types of issues every day, and their hot line is there to help assess a situation and identify possible next steps.  If the person is not over 55, a good resource could be the local Social Services agency.

Conclusion

When it comes to this issue, my overall advice is to remember that as a resource to the community, library employees are there to provide access to information and resources, not to protect people from harm.  The good news is, by providing that access in a manner consistent with library ethics, library employees can help patrons protect themselves from harm.  And that is how a library can help stop a person from being scammed.

Speaking from experience, I can say that not every person will take information when it is offered.  There are times when the only comfort that can be taken from a situation is to know that you tried your best.  But by focusing on the ethics, and the provision of information, a librarian can help a person identify a scam, and avoid legal entanglements.

I wish you strength on this one.  Your patrons are very fortunate.

 

---

[1] And if there are any accountants, athletic trainers, or mental health counsellors who (for some reason) read an "Ask the Lawyer" column for libraries, museums, and historical societies, I bet it sounds familiar to them, as well.

[2] CPLR 4509

[3] Which is replicated in the New York Library Association Code of Ethics.

[4] Don't worry, we'll also address what you can do if the patron says "No, just help me scan my driver's license," and what to do if you are concerned the person doesn't have the capacity to make an informed decision.

[5] Here it is: https://www.consumer.ftc.gov/articles/scammers-use-fake-emergencies-steal-your-money.

[6] It is interesting to contemplate if there could be a policy for the use of information transmission equipment (phones, faxes, scanners, email, etc.) that included a provision that "Library employees who suspect a patron is falling prey to or contributing to a criminal enterprise must immediately report their concerns to the director for appropriate action under the relevant policy;" linked with a provision in a Code of Conduct "Patrons using library resources.”

[7] I struggled to come up with a scenario where the librarian knows the scam is on, but here goes: A librarian is a personal friend of Jeff Bezos.  A patron comes in and says Jeff Bezos wants to give $50,000.00 to the patron and 5,000 other lucky people; they just need to wire Jeff $5,000.  While helping to print the wire instructions, the librarian calls their friend Jeff Bezos to ask: "Hey, Jeff, are you giving fifty thousand dollars each to five thousand people?" at which point Jeff Bezos laughs and says, "No way, but can you believe some people are actually wiring me money?  Now I can repaint my third yacht.  Best scam ever.  Hey, want to go fishing?"  Now the librarian knows it's a scam; if they help in any way after that, they are arguably complicit.

Many libraries, for a variety of good reasons, have security cameras.  Some libraries control those recording systems; others do not.  But no matter how they get there, when cameras are in a library, the questions posed by the member are critical.

Here is why: every library in the State of New York is bound by ethics and law to safeguard patron privacy.  Those obligations start with the ethics of the American Library Association[1] and the New York Library Association,[2] assuring patron privacy; these ethics find legal teeth in New York Civil Practice Law and Rules[3] and the Public Officer's Law.[4]

At the local level, patron privacy is often reinforced in a library's ethics statement, bylaws, and policies.  The practical duties of patron privacy are found in job descriptions (particularly of directors and IT professionals), and in membership terms between libraries and systems.  And it is part of every new employees' on-boarding.[5]

Because librarians and library leadership are so aware of this privacy obligation, and because assurance of patron privacy is a key component of information access, protecting patron privacy is often referred to in the library community as nigh-unto-sacred duty. So sacred, in fact, that I have met more than one librarian willing to go toe-to-toe with law enforcement seeking unauthorized access to patron data.[6]

While it takes a certain type of gumption to stand up to law enforcement, it takes another type (equally critical, but not as concentratedly defiant) of gumption to think about patron privacy in the context of software, landlords, and security cameras.  One takes a willingness to take a stand in the moment.  The other takes a willingness to think about details, to leave nothing to chance, and to ask a lot of very specific, very persistent questions.[7]

Both of these types of gumption are critical to the modern librarian, but only one gives you an easily dramatic answer to the question "how was your day?"

We'll leave the dramatic aspect of this for another time.[8]  Below, please find a boring--but vital-- checklist of steps and language to help a library answer the questions posed by the member, when a landlord is using cameras trained on library premises:

Step 1: Assess what the library's lease says about security and use of cameras

For libraries with landlords (remember, your library has a landlord even if you only pay a token amount of rent,[9]) it is important to have a written lease. 

Why?  Because, among other critical things,[10] that lease can provide clarity about who provides the on-site security (including a camera system) and set the stage for how the landlord and the tenant will manage security-related details.

In this case, the member has clarified that the security system will be controlled by the municipal (county) landlord.  Here are the details posited by the member:

These cameras will not be regularly monitored unless there is a reason to consult them. We will not be viewing the footage per a patron’s request. They will be maintained by our county facilities staff and consulted only in cases where a criminal act was committed.

These details, upon which the library will base its own actions, should be confirmed in the lease.  Such confirmation should include, whenever possible, a marked survey or map of the property, showing the limits of the camera's line of sight.

Step 2:  Assess if the lease terms and security camera arrangements promote the privacy commitments of the library

Just a note: while a municipality may procure and install a camera system with the intent to only monitor it "in the event of alleged criminal activity," in my experience, there is no way to enforce such a restriction, and some risk that the use of the cameras could change over time.

For instance:

• The recordings could be subject to disclosure under the Freedom of Information law;
• The recordings could be accessed via subpoena in the event of an alleged personal injury or other civil claim;
• The temptation for a town, city, or county to use the recordings internally (even for something as innocent as using them to check if a snowplow crew did a good job, or if a worker is arriving on time) might be hard to resist.

A library can't control this.  That said, when a camera system is installed, a library can request assurance that the municipality's internal policy, governing the cameras, include language:

• Alerting the users of the system to the sensitivity of patron records at a library;
• Confirming that the footage showing people entering and leaving the library is not regarded as a "library record" by either party; and
• Confirm that under no circumstances should the security cameras enable recording of information reflecting patron use of services.[11]

Once a library performs these two steps, it can answer the member's two questions:

First question: What type of permanent notification do we need to post about the use of cameras?

Once the library has written assurance that the landlord's use of recording technology will not result in the creation or disclosure of a library record, it is up to the director and board if, or how, your library should alert the community.

Personally, as a patron, I would appreciate a "courtesy notice" such as: "Your library records are confidential.  Please know that while our landlord has security cameras in [ZONES], the library does not allow recording that could impact patron privacy inside the building."[12]

OR (if the library makes use of its own security cameras): "Your library records are confidential.  Please know that our landlord has security cameras in [ZONES] and may use those for security purposes, but any security camera record maintained by the Library that shows use of library services is considered confidential and is used for library purposes only."

Second question: What major points do we need to ensure we include in our privacy policy?

The privacy policy of the library, or in the alternative, the minutes of the board, should reflect the details and privacy safeguards confirmed through the two-step analysis above. 

For instance, after the analysis is done, the board can note in the minutes: "Regarding the landlord's use of outside security cameras: As of DATE, the Library's landlord, NAME, will have security cameras observing certain outdoor areas, including library property.  The Library has verified that its lease, and the landlord's internal policy, prevent the landlord's security cameras from generating or disclosing confidential library records.  The public will be notified as to where the cameras are recording, and that such recordings are not confidential library records."

I appreciate that this review/confirm process can be a bit clunky.  However, it is also an opportunity to alert a critical partner (a landlord, and sponsoring municipality) to the importance of library-patron confidentiality, and to assure the public that privacy is a priority.  By seizing the moment to confirm that privacy is being properly considered and enforced, a library not only assures its ethics and legal compliance, but can create an ally in that eternal (and important) fight.[13]

I hope this approach is helpful.

 

 

---

[1] ALA Code of Ethics.

[2] As found in the NYLA Code of Ethics: " III. We protect each library user's right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted."

[3] CPLR 4509 states: “Library records, which contain names or other personally identifying details regarding the users ...including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute.”

[4] https://docs.dos.ny.gov/coog/ftext/13308.htm

[5] If it's not, it should be.

[6] You guys are so cool when you do that.

[7] Like the member is, here.

[8] Actually, we address it here: RAQ #26.

[9] Generally, this token rent is placed at $1/year.  Just once it would be fun to see a more random number, like $1.26/year.

[10] Such as insurance, hours of operation, emergency procedures, notification in the event of injury, protocol for repairs, capital improvements, etc...  For more commentary on this, see RAQ #166 about having any MOU with a sponsoring municipal entity.

[11] If security cameras are aimed at a curbside pick-up location, the library should consider if the recording is a library record.

[12] Forbidding recording in a public library is a controversial topic, I know.  This language is written to address recording that can impact patron privacy.

[13] Hey, I managed to make careful attention to minutia sound dramatic!