Privacy

Background checks and fingerprinting for new employees

Question

My questions involve background checks for potential new employees, fingerprinting, developing policies, procedures, and best practices.

Do background checks, fingerprinting, etc., need to be done for all positions? Does it need to be posted in the job advertisement that there will be a background check for the successful candidate or all finalist applicants? Can the background check need to include a financial check and a legal check?

And tangentially, am I correct in my assumption library staff are not considered mandated reporters? Are there guidelines for this as well?

Answer

This...is a big question.  It's only three short paragraphs.  But it's BIG.

It's "BIG" because the risks of getting this topic wrong are immense--from not only the obvious risks involving legal concerns, but risks involving ethics, privacy, and the goal at the heart of the issue: safety.

It's also BIG because the phrase "background check" is not tied to a precise or static definition.  When someone says "background check" in the context of employment, here are just a few of the things it could mean:

  • Criminal background check
  • Credit check
  • Military service separation check (form "DD 214")
  • Motor Vehicle Records ("MVR") check
  • Transcript and education records check (including student disciplinary records)
  • Licensing/professional oversight body (medical board, bar association, etc.) check/confirmation of good standing
  • Civil litigation history review
  • Reference check
  • Previous employment verification
  • Social media/publications check

Each of these "checks" comes with a wide array of legal requirements--or typical legal cautions--governing its use.

For instance:

  • A criminal background check should only be used by an organization if it has an up-to-date "Criminal Background Check Policy," because in the state of New York, denying employment based on a criminal conviction requires the employer to do a precise analysis (of which the denied applicant can request a copy).[1]
  • A credit check should only be used by an organization if it has an up-to-date "Credit Check Policy" to ensure the regulations in the Fair Credit Reporting Act ("FCRA") are being followed.[2]
  • A MVR should only be used by an organization if it has an up-to-date "MVR Check Policy" that clearly sets out the types of moving violations and other records that would flag a basis for non-employment.[3]

For all types of checks, the institution using them should have a clear policy governing what jobs require them, and how such records are evaluated, maintained, and disposed of.

And finally: when developing, implementing, and routinely using any type of background check policy, an organization is wise to take care that it is not incorporating factors that can be shown to disproportionately negatively impact (i.e., discriminate against) a particular category of applicant.   

Okay, with all that off my chest, let's answer the actual questions.

First question:

Do background checks, fingerprinting, etc., need to be done for all positions?

The degree to which background checks and documentation of identity must be performed is governed by two things: what is legally required, and what the risk management practices of an institution dictate.

These two factors mean that practices will vary from place-to-place.  A librarian working within a public school district in the state of New York will be subject to a criminal background check and must be fingerprinted[4] just as any other regular employee within their district. A librarian at a public or association library is not required by law to have a criminal background check, nor to be fingerprinted,[5] but an institution could decide, for risk management purposes, that a position requires that level of scrutiny for safety and security.  

Second question:

Does it need to be posted in the job advertisement that there will be a background check for the successful candidate or all finalist applicants?

There is no requirement in the law that a job advertisement has to disclose a background check in the job advertisement.  However, prior to obtaining and using any information from a third party whose business it is to provide background information, an employer must notify an applicant; this notice must be in writing and in a stand-alone format.  Further, before a negative decision is made based on such information, it must be disclosed to the applicant.  A good resource on this is the Federal Trade Commission,[6] but the third party provider, if they are a true professional, will provide the forms for each of these steps.

Now all that being said, it may be that some local hiring procedures or collective bargaining agreements require the disclosure of background checks in a job notice.  Further, some employers may want to disclose their intent to use a background check to avoid surprising candidates further into the process.  There is no bar to making such an early disclosure, but if given, such notices should be carefully drafted to avoid implying that those with arrests or criminal convictions[7] will not be considered for the position.

Third question:

Can the background check need to include a financial check and a legal check?

Yes, absolutely. A background check can include a credit check, a search for liens and other debt instruments, a review of criminal history, a consideration of driving record, and any combination of the items I listed at the top of this reply.  Just be careful: if your library or system relies on a third party to supply that information, it must follow the guidance from the Federal Trade Commission (see that link in footnote 6).

Okay, at this point, I have to re-emphasize: before using any type of check, a library should have a policy covering that type of check, and that policy should cover all check-specific legal compliance, as well as: when the check is conducted, how it is conducted, how the information is used, and how the documents related to it are disposed of/retained.[8]

When developing such a policy, a good rule of thumb for an institution considering any type of background check is to be able to clearly answer the question: "Why are we doing this check?"  While the reasons will vary, the answer should always relate to the essential functions listed in the job description, and the nature of your library.

For instance: if a position will create opportunities for a person to spend unsupervised time with vulnerable populations, a criminal background check and rigorous prior employer check is wise.  If a position requires a particular credential, verification of that credential makes sense.  And if you are hiring someone who will frequently have to drive the bookmobile, a motor vehicle records check is almost always imperative.

On the flip side: if a person is being hired for a job that doesn't require driving, a "current driver's license" should not be required. If a person will never have access to financial information or fiscal resources, a credit check is likely not necessary. And if a would-be library clerk has a DWI that is 20 years old--and no other criminal history--it is likely the conviction is not a basis to eliminate them from consideration.

Last question (and it's another biggie):

And tangentially, am I correct in my assumption library staff are not considered mandated reporters? Are there guidelines for this as well?

"Mandated reporters" is a legal term under Section 413 of the NY Social Services Law.  Professionals listed in that section are required to make a report when they:

 "...have reasonable cause to suspect that a child coming before them in their professional or official capacity is an abused or maltreated child, [OR] when they have reasonable cause to suspect that a child is an abused or maltreated child where the parent, guardian, custodian or other person legally responsible for such child comes before them in their professional or official capacity and states from personal knowledge facts, conditions or circumstances which, if correct, would render the child an abused or maltreated child."[9]

I have placed a list of the "Mandated Reporters" set by Section 413 below this answer. As you can see by reviewing the (long) list, library employees (unless their function also fits into one of the categories listed in 413) are NOT Mandated Reporters.

Of course, a library--or an institution that hosts a library--can decide and enforce via policy that its employees have an affirmative duty to report observed or suspected child abuse (or any abuse) that occurs on their property or in their programs.  Many insurance carriers actually require their insureds to have such a policy.[10]

[NOTE: If an employer has any type of "report abuse" policy, employees should be trained on how to make such reports no less than annually.  The average person can have a trauma response to witnessing abuse, which can impact their ability to report it, as well as negatively affect their well-being.  Routine training on how to recognize and report concerns, and experienced support for reporters, can help with this.]

Thank you for an important series of questions.

 

List of "Mandated Reporters" under Section 413 of the Social Services Law (also called "human services professionals[11]"):

...any physician; registered physician assistant; surgeon; medical examiner; coroner; dentist; dental hygienist; osteopath; optometrist; chiropractor; podiatrist; resident; intern; psychologist; registered nurse; social worker; emergency medical technician; licensed creative arts therapist; licensed marriage and family therapist; licensed mental health counselor; licensed psychoanalyst; licensed behavior analyst; certified behavior analyst assistant; hospital personnel engaged in the admission, examination, care or treatment of persons; a Christian Science practitioner; school official, which includes but is not limited to school teacher, school guidance counselor, school psychologist, school social worker, school nurse, school administrator or other school personnel required to hold a teaching or administrative license or certificate; full or part-time compensated school employee required to hold a temporary coaching license or professional coaching certificate; social services worker; employee of a publicly-funded emergency shelter for families with children; director of a children’s overnight camp, summer day camp or traveling summer day camp, as such camps are defined in section thirteen hundred ninety-two of the public health law; day care center worker; school-age child care worker; provider of family or group family day care; employee or volunteer in a residential care facility for children that is licensed, certified or operated by the office of children and family services; or any other child care or foster care worker; mental health professional; substance abuse counselor; alcoholism counselor; all persons credentialed by the office of alcoholism and substance abuse services; employees, who are expected to have regular and substantial contact with children, of a health home or health home care management agency contracting with a health home as designated by the department of health and authorized under section three hundred sixty-five-l of this chapter or such employees who provide home and community based services under a demonstration program pursuant to section eleven hundred fifteen of the federal social security act who are expected to have regular and substantial contact with children; peace officer; police officer; district attorney or assistant district attorney; investigator employed in the office of a district attorney; or other law enforcement official.

 

 


[1] This is why the phrase "Must have no criminal history" or the like must not be included on a job notice.  For more information on this, visit https://dhr.ny.gov/protections-people-arrest-and-conviction-records.

[2] More info on this further into the answer.

[3] For some employers, these criteria are set by the provider of the organization’s automobile and/or general liability insurance; this is especially true for organizations that use "company" vehicles.

[4] As listed here: http://www.nysed.gov/educator-integrity/who-must-be-fingerprinted-charts.

[5] Unless there is a very obscure local law I have been unable to find.  If you are aware of one, please email me at adams@losapllc.com.

[6] More information on how/when to give this notice is here: https://www.ftc.gov/tips-advice/business-center/guidance/background-checks-what-employers-need-know.

[7] Or other categories protected by law.

[8] That's right: I put that in italics, bold, and underlined it!  An "Ask the Lawyer" first.  No organization should ever "wing" a background check--of any kind.  There is too much at stake.

[9] I know, there is a lot of room for interpretation in this language; when in doubt, seek guidance.

[10] I think of this as the "Penn State Victims Requirement."

[11] 18 NYCRR § 433.2

Archival materials, Privacy, and FERPA

Question

My institution has a small number of documents in our archives related to previous graduate students. Some are definitely educational records (transcripts, field placement evaluations). Then there are a) letters of recommendation received by the school or written by school faculty/administrators and sent to other schools, b) some correspondence between a student and the school/administration, and other items like c) copies of images or articles from student publications.

The documents span decades.   Most --- but not all--- of these former students are confirmed deceased. Most items in this small group of documents relate to alumni who were/are notable, but in widely varying degrees.

A few of these documents concern a famous alum, who passed away.  An outside researcher is asking about the documents related to that alum, and unfortunately, there are no surviving institutional access policies related to student records or unpublished correspondence in our archives. We want to respect copyright, FERPA, and the alum's estate.

For the educational records, I can't find clear guidance on how long FERPA access restrictions last, but other academic collections seem to allow access 50-75 years after the former student's death.

So, a few questions:

1) When should on-site access to historical educational records be allowed (if ever), with reference to FERPA? What about providing copies of historical educational records?
 

2) When should on-site access to unpublished, non-educational records related to former students be allowed, in reference to state and federal copyright and privacy laws, and possibly FERPA? What about providing copies of these documents?
 

3) Should we take a more risk-averse approach to high-profile alumni materials, or should our policies apply equally to all alums?

Answer

I am always fascinated by the transformation documents can undergo, simply by operation of law, circumstance, or time.  For instance:

  • Documents that are "education records" under FERPA can become simply "records," or "nothing" once the person to whom they pertain has died.[1]
  • Documents that are "private information" under New York's new(ish) SHIELD Act[2] are no longer controlled by the Act if the digital copy is swapped for a copy on paper.
  • Documents that use the "name and likeness" of a deceased performer, currently allowed, will be far more restricted when New York's new Civil Rights Law 50-f, which requires written permission for certain commercial uses, goes into effect on May 29th, 2021.[3]

And of course, documents can be "in" copyright, and "out" of copyright, or restricted due to medical content, or under terms of non-disclosure...restrictions that can shift based on any number of factors. 

An educational institution considering levels of access and use of student-related documents[4] has to consider not only these legal factors, but their unique policies.  Factor in fame,[5] and the stakes get even higher. 

Because of that complexity, I could muse/write/talk on this topic for hours.  But let's focus on the member’s specific questions:

1) When should on-site access to historical educational records be allowed (if ever), with reference to FERPA? What about providing copies of historical educational records?


If a former student is not deceased, there can be NO release of FERPA-protected education records to otherwise barred parties without written, dated consent.

If the former student is known to be deceased—or the passage of time suggests they might be deceased—then the records are no longer protected by FERPA, and that restriction no longer applies.

But as the member points out, there are other considerations.

2) When should on-site access to unpublished, non-educational records related to former students be allowed, in reference to state and federal copyright and privacy laws, and possibly FERPA? What about providing copies of these documents?
 

This is an interesting question because unless the records we're talking about ("related to former students") only contain "directory information,”[6] then they are by definition "education records" under FERPA.[7]  That is because the FERPA is intentionally expansive.  So old bills, dusty admissions files, and antiquated (but often fascinating) "administrative" records, although not "educational," per se, are still barred from release by FERPA if they relate directly to a student.[8]

BUT, as this question implies, FERPA isn't the only thing that could bar or restrict access to old records.  Copyright, privacy laws, and general prudence are all good reasons to not release institutional records unless there is a policy and process for doing so (like a policy for sending transcripts to future employers), or your institution is compelled to release them (like a judicial order or subpoena).

So, while a student will always have access to their records under FERPA, both former students and third parties should by default be barred from access or obtaining copies to records they are not entitled to.

Which brings us to:

3) Should we take a more risk-averse approach to high-profile alumni materials, or should our policies apply equally to all alums?

Many, but not all, educational institutions have internal archives—not formal "Archives" they hold in trust for the public (like the W.E.B. DuBois papers at University of Massachusetts),[9] but rather, materials they regard as important pieces of their institution's history and identity, so deliberately retain.

For some, this may be a complex and far-reaching catalog of institutional history.  For others, it may be simply hanging onto every program for every graduation ceremony.  And of course, for many, it will be special handling of any material that is related to famous or noteworthy alumnae.

Whether formal and well-funded, or informal and not funded,[10] every educational institution's internal archive should have a policy that covers: 1) that the archive exists to transition material from "records" into "archives;" 2) how those materials are selected; 3) how those archival materials are to be preserved; 4) how the archival materials are used and accessed internally; 5) how the archival materials are used and accessed externally; 6) the ethical standards and institutional values being applied in the overall operation of the archive. [11]

If an educational institution has in-house records of such magnitude that they warrant being their own archive (for instance, the Eqbal Ahmad papers at Hampshire College), yes, the development of that archive could warrant its own separate policy.  In that case, unique care would have to be taken to consider not only FERPA, but privacy laws, copyright (the author of an admissions letter is the copyright owner of that admissions letter...not the institution the letter was sent to, even if the institution retains the only physical copy).  

All that said, the end result need not be "risk-averse," so much as "risk-informed:" carefully assessing all the compliance concerns and risks,[12] how does an institution create an archive that suits its stated purpose and conforms to institutional ethics?  Until an institution is confident it has reached the right answer, access to third parties should not be granted, and only need-to-know access should be granted to those within the institution. 

I would like to thank the member for this question, it is a good one.  And I think we may have reached a new milestone at "Ask the Lawyer"—a reply where the footnotes are as long as the reply!

Thanks.  I wish you a well-resourced and culturally rich archive, and continued positive alumnae relations.

 

 


[1] See letter of LeRoy Rooker, Director, Family Policy Compliance Office, U.S. Department of Education letter of Date, found at https://studentprivacy.ed.gov/sites/default/files/resource_document/file/LettertoConnecticutStateArchivistRegardingEducationRecordsMay2008.pdf as of February 10, 2021, re-affirming "that the FERPA rights of “eligible students” lapse or expire upon the death of the student based on common law of privacy rights." [NOTE: This link was confirmed as no longer active and removed on 02/25/2022  as part of the routine review of "Ask the Lawyer" materials.]

[2] Text for this law can be found at: https://www.nysenate.gov/legislation/bills/2019/s5575.

[3] I am writing this on February 10, 2021. 

[4] This "Ask the Lawyer" answer does not address the issue of yearbook photos and student-generated art or academic work.  For that, see RAQ #108 and RAQ #91.

[5] What is "fame?"  It's a notion that is taking odd journeys these days.  As I said in footnote #3, I am writing this on February 10, 2021.  Jockeying with the impeachment proceedings for "fame" on the cover of today's digital New York Times: an article about a lawyer who appeared in virtual court as a cat.  I bet he can't wait for his 15 minutes to be over.

[6] "Directory information" includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.

[7] Here is the actual definition: "...those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution."

[8] There are exceptions to this, of course...one big one being the records of campus police.

[9] I value this archive because it has letters between W.E.B. DuBois and Mary Talbert, a Buffalo resident who was a stalwart organizer for civil rights and, on the side, historic preservation (she led the effort to save the house of Frederick Douglass).  I read her letters when I need a shot of pragmatic inspiration.

[10] Some "archives" exist because some wonderful employee couldn't bear to see institutional history thrown out, and they got permission to buy some boxes and put the "archives" in the storage closet. 

[11] The "Ask the Lawyer" from November 4, 2020 has more about ethical considerations for archival projects: RAQ #178.

[12] For this question, "risk" is not just legal risk, but relational and reputational risk, too.  After all, it might be legal to share a harsh evaluation from a thesis committee related to the work of a long-dead student...but is there value in doing it?  (Of course, there might be).  Knowing why something is in the archive, and having full confidence in that reason, is just as important as preserving the record in the first place.

Online posting of area drone pictures

Question

One of our member libraries has asked me the following question:

"We'd like to create an online catalog of drone pictures of our area. What do we need to consider? We know people are posting these pictures on Facebook, and we'd like to request permission to collect them all in a catalog on our website. Please let me know any technical issues or legalities we need to keep in mind. I think it's a good idea, but I don't know exactly how to implement it."

Are drone pictures copyright free as they are in other people's properties and cover large areas? Is it legal to post drone pictures without permission?

Thanks for any thoughts on this topic!

Answer

This is a cool idea—aggregating and cataloging drone shots.   Someone fifty years from now will be very, very grateful for that type of work!

But as the member points out, there could be some technical or legal issues, namely: copyright, privacy, and security.  How does the library make sure none of those concerns negatively impact the project?

Let's take those in order.

Legal Concern: Copyright

This one is pretty simple: with one exception, the copyrights to pictures taken by a drone are owned by the operator(s) of the camera, who usually (but not always) is the same person/people flying the drone.  They are never the property of the area photographed (unless the property owner is also the photographer).

What is the "one exception" to that ownership?  If the photographer is taking the drone images as part of their regular job,[1] the copyright will belong to their employer (for example: if the drone shot was taken by the photographer to illustrate a story in a newspaper).[2]

Once the library establishes the copyright owner, the only copyright-related impediment to including the images in the catalog would be if the owner had sold the copyright, or given someone else "an exclusive license," since that would mean they could no longer license the images to your library.  Other than those complications, with the right agreement,[3] permission and use should be simple.

 

Legal Concern: Privacy & Security

The "copyright" section, above, is fairly simple.  Things are a bit more complex when it comes to privacy and security.

There is a huge array of drone-shot content that I could see risking a violation of privacy or a threat to security.  Here are the most common I could rattle off at a cocktail party:

  • The risk of the images being the result of "Unlawful Surveillance,"[4] which is an “E” Felony in the state of New York.  "Unlawful Surveillance” is (among other things) taking a picture of a person dressing (or undressing) in a place where that person has a “reasonable expectation of privacy” (and they haven't agreed to pose for the picture);[5]
  • The risk of the images being a violation of a person's "right of publicity,"[6] which is using someone's image for commercial purposes without their written authorization.  For instance, if the images were found on a site where they were being used for a commercial purpose.
  • The risk of the images being the result of, or evidence of, trespass, harassment, and other criminal law violations that could result from a person deploying a drone over a residence, business, or area near an airport.

In addition to my "rattle it off" list, I did some research.  If we leave out the restrictions of reconnaissance and targeting drones, there is one other drone-related “no-no” to be wary of:

  • The risk that the images are the result of harassing sea otters.[7]

In most of these concerns, it is not the act of including the images in the catalog that would be the legal issue--but rather, that the images themselves could be proof of a legal violation.  We’ll address that more in the last section.

 

Legal Concern: FAA-restricted Areas

The Federal Aviation Administration’s rules for academic, hobbyist and other forms of non-military drone use are here:

https://www.faa.gov/uas/public_safety_gov/media/FAA_UAS-PO_LEA_Guidance.pdf. [NOTE: This link was confirmed as no longer active and removed on 02/25/2022  as part of the routine review of "Ask the Lawyer" materials.]

I won't re-hash them, but the FAA does not bar taking pictures—just flying at certain locations and times.[8]  However, all operators--whether hobbyists or professionals--have to avoid certain areas at certain times. 

The FAA maintains a list of those areas, as well as a list of designated recreational UAS flight zones, available here:

https://www.faa.gov/uas/recreational_fliers/where_can_i_fly/airspace_restrictions/

This was so cool, I looked up my part of the state:

Restricted airspace map of Western NY

And now I know where not to fly the drone I don’t own.

 

Sample License for Use of Drone Pictures

Once you have confirmed that any drone shots your library would like to use are not: the result of or evidence of a crime, taken in forbidden air space,[9] or otter harassment, here is a sample license for securing permission to include them in an online catalog:

 

IRREVOCABLE, NON-EXCLUSIVE LICENSE

[NAME] ("Photographer"), an individual residing at [ADDRESS], and at least 18 years of age, hereby gives the [NAME LIBRARY] (the "Library") an irrevocable, non-exclusive, transferable license to use an image entitled [TITLE], a copy of which is attached hereto as "A" (the "Image"). The permission to use the Image includes unlimited use in any format now existing or later developed.

Photographer represents and warrants that the Image is their original work and that to the best of their ability to determine the rights of no individual or entity were violated by the creation of the Image.

In consideration of the rights granted herein, Library shall at all times credit Photographer with authorship and ownership of the photo as follows: This image is © [NAME], [YEAR], and is used by the [NAME LIBRARY] with permission from the photographer, who may be reached at [email address].

 

Signed by Photographer: _________________________.

 

Signed on behalf of the Library: ___________________________.

 

A Final Word on Getting "Permission"

This question was pre-packaged to consider issues of permission/legal concern related to images generated via drone, so I have structured it to give primary consideration of those issues.

However, I would be remiss if I didn't stress that when assembling an archive or image collection, worries about permission shouldn't always be a threshold consideration.

Why is that?  If a library or archive crafts the parameters of an image catalog around the purpose of that catalog—around why it is important to gather a certain type of content, within a certain range of criteria—permission might not even be necessary. 

Concerns about permission and legality should not prevent the assembly of a resource that has academic, documentary, or investigative value.[10]  And the more a collection or archive is shaped as a documentary, academic, or investigatory endeavor, the less the subject matter and content can pose legal concerns...or rather, the more protections[11] the project will be able to avail itself of.

Taking advantage of those exemptions starts with having a very clear scope for your project, a written set of ethics, and a statement of purpose for the endeavor. [12]

My takeaway in this final part of the answer?   If your project is of academic, historical, or social value, don't let lack of permission be a roadblock.  Instead, just like the member does in this question, set up a clear scope for your project, and then tackle any reservations head-on.  This will lay the groundwork for a strong archive or catalog.

 

Posterity will thank you.

 


[1] Head Photographer at "Drone Shot Weekly?"

[2] Here is the FAA guidance on media use of drones for newsgathering: https://www.faa.gov/about/office_org/headquarters_offices/agc/practice_areas/regulations/interpretations/Data/interps/2015/Williams-AFS-80%20-%20(2015)%20Legal%20Interpretation.pdf [NOTE: This link was confirmed as no longer active and removed on 02/25/2022  as part of the routine review of "Ask the Lawyer" materials.]  It’s interesting: even if using a small drone, such use doesn’t qualify for the “hobby” exception, and the drone should be registered.

[3] Do you need the “right agreement?” See the section of the answer called "Sample Agreement" for an example.

[4] NY Penal Law 250.45

[5] JUST TO BE CLEAR: I have 100% confidence that if a library comes across a creeper nude drone shot, they will not include it in an online catalog!  I am just being thorough.

[6] New York Civil Rights Law Section 50.

[7] Per 50 CFR 18.137: "Unmanned aerial systems or drones must not cause take by harassment of sea otters. Measures for avoidance of take may be required in an LOA, and may include maintaining a minimum altitude and horizontal distance no less than 100 m away from otters, conducting continuous visual monitoring by PSOs, and ceasing activities in response to sea otter behaviors indicating any reaction to drones."

[8] Thank you, THANK YOU to the member who sent this question.  Because of you, I got to read the FAA's guidance to local law enforcement for drone-related incidents, which includes this practical guidance "NOTE: Battery life is typically 20 to 30 minutes." 

[9] By the way, it might not be precisely forbidden for your library to post such images, just as a newspaper or academic publisher might reproduce them for purposes of news or scholarship.  But since those categories come with some higher risks (particularly of being told to cease and desist), it is wise to consider consistency with the purpose and ethics of your archive before including them.

[10] I am not saying to not consider them...just don't let them be project-killers.

[11] Such as fair use, journalism privileges, and recognition of the non-commercial nature of the use.

[12] Links to further "Ask the Lawyer" content on this specific consideration (ethics as a key component to rock-solid archives) are here: RAQ #172 and RAQ #178.

School library records retention

Submission Date

Question

We got a question regarding how the new rules for records retention (the "LGS-1") impact the retention of school library borrowing records.

Under the new LGS-1, how long must school library borrowing records be retained?  How does that impact BOCES, district, and school library records purging? 

Answer

Thank you for this question.  The LGS-1 is one of my favorite rabbit holes to explore.

I took a look at Schedule Item 596, which applies to "Borrowing or loaning records."  I have put a screenshot of the section, as it appears in the schedule as displayed on the NY State Archives web site: http://www.archives.nysed.gov/common/archives/files/lgs1.pdf

Screenshot of school retention period law

As you can see in the screenshot, 596 fixes the retention period for borrowing or loaning records for school libraries as "0 years after no longer needed."

"No longer needed" is one of those phrases in the LGS-1 that renders the retention period variable.  This flexibility can be both helpful and frustrating, since a district, BOCES, or school library must determine, via policy, what "needed" means.

This can vary from place to place, but in all instances should be based on a determination of what is meant (for the district/BOCES/or school library) by "need," and then confirmed in a policy.

After that, best practice is always to purge records once their retention period is over, and for something as deeply connected to ethics, compliance and privacy as library records,[1] that is doubly true.  For school libraries, that retention period is zero once the records are no longer needed.

Therefore: determining how long student library borrowing records are "needed" (something that may vary from library to library, district to district, BOCES to BOCES), and then purging the record as soon as possible,[2] is a good way to use the LGS-1 to enhance an institution's commitment to privacy.

 

Thanks to the member for bringing up this nuance.  These issues are at the crossroads of ethics, compliance and automation, and require continuous and careful attention to detail and resulting policy.

 


[1] Please see "Ask the Lawyer" here for a discussion of school library records, CPLR 4509, and FERPA.

[2] The LGS-1 encourages, but does not require, "the systematic disposal of unneeded records."

Parent access to student Google accounts

Submission Date

Question

As we transformed to fully/largely remote learning and pulled all student work and interactions onto Google platforms, a question has arisen about the intersection between student privacy and parent access to student accounts. Currently, if a parent is given their child's google log in information, they will have access to far more than ever in the past. Because of authentication agreements, library records, database access, all stored documents, any Google classroom the student is enrolled in, classlists for those classrooms, comments from teachers, peer work on group projects...this is likely not an exhaustive list!


My 2 biggest areas of concern are 1) access to library check outs and 2) ability to see that a student is enrolled in a classroom for the Gay Straight Alliance (GSA) at the school and the entire class list of other members.


I am told by my administrators that FERPA allows for parents to be given student log in information. The RAQ, post "Topic: Patron Confidentiality in School Libraries - 5/6/2019" gave very good information but both the online aspect and the myriad of elements that are exposed with that single password compel me to seek more details. Thank you!

Answer

Thank you for this careful and thoughtful question.  As we rush to migrate education to online, the small details can get overlooked.  As the member writes, information that used to be safeguarded in physical files or with separate passwords is increasingly accessible via a "one-stop shop."

Depending on the type of information involved, any number of ethical, privacy, and legal concerns can be impacted.

In this question, the member focuses on two types of information: library records, and FERPA-protected "education records."

For library records, there is an overlap of legal concerns—an overlap that was thoroughly discussed in the 5/6/19 answer the member cites.  In that reply, we established that depending on how a school/school library is set up, parent/guardian access to this information might be allowed--but it’s a question that should never be left to chance (it should always be answered by a school’s FERPA and library privileges policies).

To that answer, and considering the spirit of the times, I'd simply add: any librarian out there, operating in elementary and secondary education, should be lauded when they raise privacy concerns.  Librarians should work with IT departments and procurement professionals to ensure data management and automation enable the separately governed access to a student's library records.  Even when access is legally allowed by a system, it is still good to emphasize the privacy of library records.

Here are several examples of how this can be done:

  • Including privacy considerations in “Requests for Proposals” (RFP’s) and quotes for automation and other data management software that will hold library or student records;
  • Training both library and IT staff to keep the division of different types of records with different access parameters at top of mind (“Remember, library records aren’t just protected by FERPA and ED 2-d”);
  • Ensuring that release and parental permission forms distinguish between and properly govern access to different types of records;
  • When making quick changes based on pandemic exigencies,[1] ensuring at least one person is tasked with assessing if the implementation conforms with applicable institutional ethics, policies, and privacy regulations;
  • Using deliberate awareness tools to distinguish access to library information from other education records, such as a pop-up window that appears prior to enabling access to library files, saying "Student library records are confidential under state law.  Only properly authorized parties should view these records."[2]

For any educator reading this and thinking “Uh-oh,” if the horse is out of the barn, it is never too late to adopt some retroactive corrections.  When parental access is as plenary as the member describes, if there is a confirmed issue (such as access to one student’s enrollment records leading to access to all students’ enrollment records[3]) working with IT to address the specific utility hosting that information, and how it can be further locked down, is the only solution.

There will be times when addressing an issue like the ones raised by the member is simply not within the authority of the person concerned.  A concerned librarian or educator might even find themselves rebuffed when they try to ring the alarm! When that happens, it is time to kick it upstairs.  Each school should have a FERPA officer, and at least one senior administrator whose role is associated with enforcing a code of ethics or policies on privacy.  Concerns of this type are all appropriate to direct to such an administrator.

No one engineers a FERPA or privacy violation on purpose, but unwitting violations can happen when the learning environment has to change fast.  Being alert and ready to identify and correct concerns as soon as they emerge is critical.  Thanks for a solid question that shows how it's done.

 

 

 


[1] “Pandemic Exigencies” would be a good name for a heavy metal band.

[2] As discussed in that 5/6/19 answer, who "properly authorized parties" are can vary from school to school.

[3] This is indeed a possible violation.  FERPA §99.12 states "(a) If the education records of a student contain information on more than one student, the parent or eligible student may inspect and review or be informed of only the specific information about that student."

Privacy of Barred Patrons

Submission Date

Question

[Our library directors] group had a discussion about sharing information about patrons who have been barred from a library within the System using the notes field in the patron’s library record. It was suggested to put it in the non-blocking note field within the record. This will make the information available to all library staff within the library system. Are there privacy concerns?

 

Answer

Before I answer, I want to share a story.

A few years ago, I worked with a museum as they addressed the criminal prosecution and sentencing of a man who--in the guise of a volunteer--violated the trust of the institution, and later, when called into account for his behavior, initiated a campaign of verbal/written intimidation against the museum's employees (and trustees, and lawyers, and even his own lawyers).

As part of the former volunteer's sentence, and then his parole, he was restricted from any place with an archive.  During that time, I worked with the parole officer to make sure they had a good working understanding of what "with an archive" meant.

After the sentence and parole period expired, the person was returned to society, where state law requires that a past conviction can NOT be used to peremptorily deny a person certain opportunities (although after a careful analysis of precise factors, conviction can be considered before offering employment or a volunteer position[1]).

As the story and criminal conviction were widely reported in the news media, alerting other potentially vulnerable institutions to this cautionary tale was very easy; simply sending a link with "FYI" was enough to put an institution on notice of the past occurrence and position them to make a well-informed decision.  Any person who wanted further information could dig right into the court record, rather than rely on a second-hand account.

This ability to refer to the public record reduced, but didn't eliminate, the legal risks created when one institution "warns" another about troublesome visitors/customers/patrons.

Those legal risks include:

  • The risk of a defamation claim;
  • The risk of a civil rights claim;
  • The risk of a claim called "interference with contract."

But what about when problematic behavior does not come with any media coverage or court filings?  What if it is confined to findings under a library code of conduct?  Can libraries within a regional system share information about particular patrons?

Yes, they certainly can, but just like applying a code of conduct within a library, certain ethical and legal considerations apply.

To bar a patron, a library must follow its Code of Conduct, ensure the patron accused of wrongdoing gets due process ("due process" will vary a bit from library to library), and ensure the process and decision are properly documented and communicated to the patron.

As library professionals throughout the state of New York know, library patron records (which include Code of Conduct findings and consequences) are confidential, both per the ethics of the profession, and the law.

The law provides:

Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute.

If a library determines that the "proper operation of such library" is served by including the fact of the bar or restriction, then, so long as it is consistent with System policy[2], the information may be included in the notes as described in the member's question.

Of course, a patron of the System who is so designated has several avenues to challenge an inaccurate or unfair entry, including the type of claims I list above.

To avoid that, individual libraries making such entries should take care that:

  • Any ban or restriction is the result of a policy decision;
  • The patron was accorded all due process throughout the decision-making process;
  • The decision-making and due process were well-documented;
  • The entry into the system is minimal (effective date, sanction, and end date), with no color commentary/personal details.

Libraries wishing to document such determinations in their System should limit the information to "Starting DATE, Patron barred from ABC library until DATE" or "Patron privileges suspended at ABC library until DATE."

If a patron's behavior results in a criminal report, conviction, or other legal documentation, reference to the documentation is also a good idea (for example, "See ABC Police Department Report #XXXX").

For patrons whose behavior is threatening or abusive to such a degree it warrants pro-active action (access restriction) beyond one library, a cooperative library System may, through policy and due process, effect System-wide restrictions. 

So, to answer the question:

 ...This will make the information available to all library staff within the library system. Are there privacy concerns?

...the answer is yes, but with care, those concerns are only priorities, not problems.

That is the benefit of being part of a cooperative system.  By using policy to consider both the civil rights of patrons (including privacy concerns), and the safety of workers and operational needs of each member library, the right balance can be achieved, and documented.


[1] For more information on this important civil rights protection, see this guidance from the NYS Division of Human Rights: “Protections Under the Law for People With Arrest and Conviction Records” (https://dhr.ny.gov/system/files/documents/2022/05/arrest_conviction.pdf).

[2] This is important...a System may decide that such entries are not consistent with System operations.  Individual libraries should take care that the upload of any information is consistent with their System's policies and standard operating procedures.

Student photos on school library cards

Submission Date

Question

Is it legal to print student photos with their names on their school library cards for circulation use?

Answer

I didn't realize it in first grade, but a school library[1] is one of the first places a person experiences "the right to privacy" unmediated by a parent or guardian.

Think about it.  You go to the library and get to pick out whatever you want.  You check out books, and no one can tell you what to pick.  And aside from the person checking you out, no one has to see your selection; your records are private.

In the present day, this means that kids whose faces might be all over Facebook[2], who are attending school via computer, and who "turn off their screen," when they don't want people peeking into their home life during remote learning, still have a right to confidentiality when it comes to the library in their school. And one of the biggest symbols of that student-library relationship is their library card.

So, with all that hanging in the balance, what are the legal considerations of putting student pictures on school library cards?

As often happens in the highly regulated worlds of education, privacy, and information, the answer is: "It depends."

In this case, the factors "it depends" on are numerous; rather than itemize them, I'll summarize them with a few pointed questions:

Factor 1: What else is "on" the library card?

Depending on what other information is on the library card, combining a student’s picture with it could increase the likelihood of a violation of FERPA[3], Ed 2-d, or school policy.[4]  For instance, if the card is used for not only swipe access, but access to grades, disciplinary records, and library records, also including a picture ID on it makes it sensitive, indeed.

Factor 2:  Who "owns" the library card?

Some schools, by policy, give out student identification cards, but use a school or district-wide policy to confirm that the card is simply "on loan" to the student (and must be returned at certain events, like suspension or expulsion).  Other institutions issue a card, and it becomes the student's property; this means that the card is more under that student’s control.[5]

While there is no requirement to do it one way over the other, the school and library should confirm the ownership of the card in a policy, as this can impact the decision to mark the card with picture ID, as well as who has control over the card in the future.

Factor 3:  Why does the picture need to be on the library card?

Is the school so large that in order to ensure it provides library services to the right student, the card must have a photo ID?  Is it a security measure, perhaps to deter theft (of library cards, and therefore collection assets)?  Do students need to "swipe" into the library, with the library positioned to monitor that they are letting in a student who isn't supposed to be in class?  Or is the library card doing double duty as the student's general student ID?  Whatever the reason, it should be understood and clearly based in policy.  And if the reason has to do more with security at that school than the operations of the library, it is better that the function be performed by the student ID, not the library card.[6]

Factor 4:  Who will have the right or ability to view the library card?

If the library card is only required to be viewed by library staff, the inclusion of the photo is consistent with FERPA's and CPLR 4509's different but equally applicable privacy requirements.  But if a security guard, teacher(s), bus driver, or others all have to see the library card for different reasons (this relates to question number 3), or could use the card to access the student's library records, that raises the possibility of concerns.

Factor 5:  Is there a "stealth" reason for the use of the photo and name?

For some students, if they do not have documentation such as a birth certificate or social security card, a library card with a picture ID might be the most official "documentation" they have.  If a library or school is intending that their cards perform this ancillary function, this should be done with the awareness that third parties relying on the identification function still need permission for the school or library to comment on the content of the card (for students under 18, this means a waiver by parents or guardians).  However, that same student (or their parents/guardians) can choose to share their confidential education records or library records however they wish.

Okay, that's a lot of "factors," but what is the answer?

Having dragged you through all that, I will answer the member's very simple question:  Is it legal to print student photos with their names on their school library cards for circulation use?

The answer is "Yes."

But!  If the library card will be used for anything more than "circulation use" within the library, it is wise to assess precisely what the card will be used for, root that purpose in well-developed policy that considers the above factors, and evaluate if the picture—which in this case, will be a FERPA-protected education record[7]—is needed at all.  The more the card is used for functions beyond the needs of the library, the more those functions should be achieved by a separate student ID, or in the alternative, schools should make sure that library information[8] is separate and isolated from other education records accessed by or listed on the card.

Thank you for an important question.

 

 


[1] It is important to note that a "public school library" is different than a public library, or an association library, or a college library.... but ALL are subject to CPLR 4509, the law making library records private.  And while they are different, a public school library, like the college library, is subject to FERPA.

[2] I used to be such a stickler about not posting any pictures of my kids on FB.  But the loving posts of other family members eventually wore me down.  Sorry, kids, I really tried.

[3] Photos of students maintained by their institutions, like an ID photo, are confidential education records under FERPA.  https://studentprivacy.ed.gov/faq/faqs-photos-and-videos-under-ferpa

[4] For instance, if the library card is also an all-purpose student ID that also functions as a key card or has lunch money on it, a policy should clearly separate those functions and there must be a clear protocol for voiding access when the card is reported lost.

[5] Just because the school owns the physical object doesn't mean they own the rights to the student's image.

[6] This is because, as written more thoroughly in Ask a Lawyer RAQ #100, school library records are subject to both FERPA and 4509 rules of privacy.  Combining education records with library records can make it difficult to tease out the different ways the materials may need to be handled.

[7] See footnote 3.  Yes, this is a footnote to send you to a footnote.

[8] Either in hard copy, on the card, or via digital access.

Asking COVID-19 symptomatic patrons to leave

Submission Date

Question

In regards to COVID-19 when libraries do reopen, (and allow people in) is it advisable to ask customers to leave the public building if they are exhibiting any visible COVID symptoms? If so, are there benchmarks for how extreme symptoms should be or how policies should be worded? There are of course patron behavior policies in place allowing for the removal of anything disruptive, which can include noise or inappropriate behavior. There are some members of our leadership team who believe our safety reopening plan should include a provision specifically mentioning symptoms of COVID-19 and the staff's/library's right to remove them if symptoms are exhibited. There are other concerns that library staff are not medical professionals and we are not able to determine if a few sneezes and coughs are common colds, allergies or COVID. Attached is our library's current reopening plan.

Answer

As the member writes, it is very difficult to determine if some physical factors—coughing, a flush, seeming malaise—are in fact symptoms of COVID-19.  Confronting a patron with suspected symptoms can also lead to concerns impacting community relations, privacy, and the ADA.

A good Safety Plan addresses this concern, without requiring patrons[1] to be removed mid-visit from the library.

To position libraries to address the impact of patrons with suspected symptoms, New York's "Interim Guidance for Essential and Phase II Retail" (issued July 1, 2020)[2] states:

CDC guidelines on “Cleaning and Disinfecting Your Facility” if someone is suspected or confirmed to have COVID-19 are as follows:

  • Close off areas used by the person suspected or confirmed to have COVID-19 (Responsible Parties do not necessarily need to close operations, if they can close off the affected areas).
  • Open outside doors and windows to increase air circulation in the area.
  • Wait 24 hours before you clean or disinfect.
  • If 24 hours is not feasible, wait as long as possible.
  • Clean and disinfect all areas used by the person who is suspected or confirmed to have COVID19, such as offices, bathrooms, common areas, and shared equipment.
  • Once the area has been appropriately disinfected, it can be opened for use.
  • Employees without close or proximate contact with the person who is suspected or confirmed to have COVID-19 can return to the work area immediately after disinfection.  Refer to DOH’s “Interim Guidance for Public and Private Employees Returning to Work Following COVID-19 Infection or Exposure”[3] for information on “close or proximate” contacts.[4]
  • If more than seven days have passed since the person who is suspected or confirmed to have COVID-19 visited or used the retail location, additional cleaning and disinfection is not necessary, but routine cleaning and disinfection should continue.

[emphasis on "suspected" has been added]

In other words: your Safety Plan, as informed by the most recent guidelines, should leave nothing to chance.  By using this procedure, library staff are never put in the position of having to guess, ask, or consider if a patron's coughing, sneezing, or other behaviors are COVID-19...rather, the moment the possibility is "suspected," the Plan kicks into action.

Of course, if a patron is properly masked, some of the risk of exposure is limited, even if they are infected (this is why we wear masks and identify areas with six feet of clearance in the first place).  And if a patron removes their mask mid-visit, refuses to keep appropriate distance, or refuses to spray down equipment after using it,[5] THAT person can be asked to leave, simply as a matter of policy—whether they are exhibiting symptoms, or not.[6]

So to answer the question: no, it is not advisable to ask patrons to leave the public building if they are exhibiting any visible COVID symptoms, for exactly the reasons the member provides.[7]  Rather, it is required that your Safety Plan keep people distant from each other, and that the library be ready to address any real or suspected exposure as quickly and effectively as possible. 

That said, having signage that reads "Safety first!  Patrons who are concerned about transmission of germs can arrange curbside service by [INSERT]" is a great way to remind people that if they are having an "off" day, there are many ways to access the services of your library.

I wish you a strong and steady re-opening.

 


[1] This answer does not apply to employees and visitors like contractors, who must be screened.

[2] Found as of July 25th, 2020 at https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/RetailMasterGuidance.pdf

[3] Found as of July 25th, 2020 at https://coronavirus.health.ny.gov/system/files/documents/2020/06/doh_covid19_publicprivateemployeereturntowork_053120.pdf

[4] I note that the DOH's "Interim Guidelines" do not include guidance to staff with suspected (as opposed to confirmed) exposure.  If an employee feels they were exposed to a suspected case of COVID-19, however, that will impact their answers on their next daily screening, which will trip consideration of whether they can report to work.

[5] Or whatever other safety measures a library has identified.  It is inspiring to read the variety of tactics out there, as listed at https://www.nyla.org/covid-19-library-reopening-plan-database/?menukey=nyla.

[6] Another member raised this consideration in this "Ask the Lawyer" from earlier in July 2020: RAQ #153

[7] Of course, if a patron is having a medical event and you have an immediate concern for their well-being, call 911.

[2020 Pandemic Date Specific] Contact tracing and privacy in libraries

Submission Date

Question

Given libraries are preparing plans to reopen, I am looking for a follow up to the 3/19/2020 question posted to Ask The Lawyer pertaining to being informed that an individual who has been confirmed to have COVID visited one of our libraries. (participated in a program).

With the new tracing protocols (COVID-19) required by Re-Open New York, what, if any, impact will there be on CPLR 4509? Will libraries be required to provide information and if so, to what extent? Currently we require a judicial subpoena in order to provide any information regarding a patron - including identifying if a patron has been in the library.

Your guidance is much appreciated.

Answer

The short answer

This answer is being written on May 28th, 2020.

At this time, in addition to Executive Order 202 issued on March 7, 2020 and declaring a state of emergency in New York through September 7th, 2020, there are 30 Executive Orders.

These Executive Orders create temporary modifications to a wide and ever-increasing array of state law and regulations. They have impacted elections, public health practices, landlord tenant relations, and countless operations of the New York State justice system.

However, as of this date, there has been no modification of section 4509 of the state Civil Procedure Law and Rules (“CPLR”), which, with only very limited exceptions, bars third-party access to a user’s library records.

Therefore, at this time, any library receiving a request from a third party for confidential library records, even if in relation to contact tracing efforts, should follow the same procedure they do for all other third-party requests: require a subpoena or judicial order.

 

The same answer, but with more information and analysis

I am grateful to the member for posing this question, because not only is it important to have clarity on this precise issue, it is important for information management professionals across the state of New York, including some of New York's most trusted information professionals — librarians — to be thinking about the impact and finer points of contact tracing.

So what is “contact tracing”?

The Centers for Disease Control describes contact tracing this way on their current COVID-19 response page[1]:

In contact tracing, public health staff work with a patient to help them recall everyone with whom they have had close contact during the timeframe while they may have been infectious.  Public health staff then warn these exposed individuals (contacts) of their potential exposure as rapidly and sensitively as possible.

After declaring COVID-19 a “communicable disease” as defined by the state’s Public Health Law, New York began using contact tracing to combat COVID-19.[2]  Local health departments led the way, organizing information and coordinating warnings within their jurisdiction, an initiative that inspired the previous question referenced by the member.

With the adoption of “New York Forward,” 30 contact tracers for every 100,000 residents is one of the express metrics[3] being used to establish when one of the state’s ten regions is ready to begin a phased reopening.  So, every region will be recruiting and deploying “tracers” to gather information and issue warnings to individuals who testing has confirmed have been exposed to COVID-19.

While emphasizing that such warnings must be issued “rapidly,” the CDC’s guidelines for contact tracing also emphasize privacy:

“To protect patient privacy, contacts are only informed that they may have been exposed to a patient with the infection. They are not told the identity of the patient who may have exposed them.”

The State of New York, however, does not require this level of confidentiality in its laws regarding quarantine, notification of infection, and contact tracing related to most communicable diseases.  While the precise regulations governing the use of contact tracing to fight the spread of HIV require the consent of the patient, the regulations applying to COVID-19 do not have similar requirements.[4] Nor is such information regarded as protected health information (“PHI”) under HIPAA.

I am highlighting these considerations not to denigrate contact tracing, which has been documented as effective in combating pandemics. However, as of this writing, as reported by The New York Times, many in authority, or with credibility in the arenas of privacy and data security, have expressed serious concerns regarding the procurement and arrangement of the software and personnel that will be used in this massive public health initiative.

Caution about privacy, even during times of emergency, is a good thing.

With all that, the collaborative, community health-focused approach I outlined on March 19, 2020, in [2020 Pandemic Date Specific] Contact tracing and privacy in libraries is one I continue to endorse.

In addition to that approach, here is a suggested reply in the event your library is contacted by a state-employed contact tracer, designed to work with your standard protocol for complying with 4509:

[After verifying credentials]

We know your work is critical to public health.  Please send us a written list of what you need, and we will work to obtain consent from our users, as required by CPLR 4509.  In the alternative, please ensure what you need is very thoroughly set forth in a duly issued subpoena or judicial order.  Our library will work to expedite your request as soon as we know we are authorized to do so.

 

One final point

After conducting the research set forth in this answer, it is my opinion that CPLR 4509’s assurance of the confidentiality of library records is not at odds with the current emergency measures our state is taking to protect lives and get our world back on track. 

First, it is critical to remember that under 4509, a person may give their written consent to disclosure.  Many people, upon learning they might pose a danger, will give their express and voluntary consent, if they have the capacity at the time.  That is their right, and there is no concern with your library contacting them to ask the question.

Second, if the need for confidential library records is truly critical, local board of health officials—and the tracers who will be helping their localities—can invoke the authority created by the public health law[5] to obtain duly authorized subpoenas. 

Unlike many other laws and regulations, CPLR 4509 can remain as written, while New York undertakes an unprecedented, massive effort to conduct contact tracing, and protect public health.  

Thank you for an important question.


[1] Found on May 28, 2020 at https://www.cdc.gov/coronavirus/2019-ncov/php/principles-contact-tracing.html.

[2] Since reporting new or unusual communicable diseases is also required, cases were probably also reported before March 7.

[3] These metrics are laid out in a graph found at https://www.governor.ny.gov/programs/new-york-forward.

[4] That section is 10 NYCRR 2.10, which states: “It shall be the duty of every physician to report to the city, county or district health officer, within whose jurisdiction such patient resides, the full name, age and address of every person with a suspected or confirmed case of a communicable disease, any outbreak of communicable disease, any unusual disease or unusual disease outbreak and as otherwise authorized in section 2.1 of this Part, together with the name of the disease if known, and any additional information requested by the health officer in the course of an investigation pursuant to this Part, within 24 hours from the time the case is first seen by him, and such report shall be by telephone, facsimile transmission or other electronic communication if indicated, and shall also be made in writing, except that the written notice may be omitted with the approval of the State Commissioner of Health.”

[5] New York Public Health Law, Section 309.

 

Usage of personal devices at risk of legal discoverability

Submission Date

Question

When working from a remote location, and you do not have time or the technology to take work devices with you, can using your private devices (cell phones, personal laptops, etc.) open your devices up to discoverability for any legal actions by the district or organization you are working for? An example would be using your personal phone for Zoom (if your laptop does not have the capability) for a CSE meeting or other business that may or may not contain sensitive information.

Answer

This is a great question.  An important question. And unfortunately, an all-too-infrequently asked question…

Because the answer is “YES.”

The risks and cautions and caveats related to use of employee-owned technology are endless, but here are the top five in my world:

  • Educators working with FERPA-protected information should not store it on their personal devices. 
  • Health professionals working with HIPAA-protected information should not store it on their personal devices. 
  • Librarians working with patron information should not store it on their personal devices. 
  • Any employee working with content restricted by contract should not store it on their personal devices.
  • Any employee handling sensitive data (HR, fiscal, trade secrets, business plans) should not store it on their personal devices.[1]

This is my education/not-for-profit/library top five, but I could go on and on.  And while the first layer of risk posed by this issue relates to legal compliance, privacy, and security, underlying those primary concerns is the risk that in the event of alleged non-compliance, or another legal concern, the employee-owned device the information is hosted on could be subject to discovery—even if it is personal property.

What is “discovery?”  Fancy lawyer talk for being subpoenaed or otherwise brought in as evidence.[2]

How does a library, museum, educational institution or archive—especially one operating ad hoc from home as a result of pandemic concerns—avoid these concerns?

Here is a 3-pronged solution:

Prong 1: know your data.

Every institution should know the information it stores, and sort it by sensitivity. From there, policy (or at least, “standard operation procedures”) should inform how such information is stored, and when/how it might get transmitted and stored (if ever) on a non-proprietary device.

Here’s an example based on the different types of information stored and transmitted by libraries:  The templates for the brochures about a library’s story hour will generally be regarded as much less sensitive than the files regarding employees or patrons.  So, while transmitting the story hour templates from an institutionally-owned computer to a personal machine might be okay, you would never transmit the payroll or employment history records that way.  Policy and training should support awareness of the distinctions, and while the brochure templates might occasionally need to be accessed on employee-owned tech, the more sensitive types never should be.

Prong 2: know your tech.

Every institution should ensure employees who must access and store information regarded as sensitive have a work-issued account and device(s).  An inventory of that technology should be maintained, so the institution is aware of precisely where the information stored on it will be.

Barring that (whether due to time or budget), networks and resources should be set up to filter out the security risk of content going to and from machines with less robust security.

Knowing your technology is set up to meet the demands of your institution’s more sensitive data is key.

But there’s one more thing…

Prong 3: Work to minimize risk, even if you can’t eliminate it.

Don’t let “perfect” be the enemy of “good.”

Stuff happens:

  • A presentation where suddenly you can’t access a work file, but engineer a work-around using a Gmail address;
  • An emergency situation where a sensitive file has to be opened on a home computer;
  • A jump drive with both your photos from a family trip, and proprietary information, is uploaded onto a personal laptop.

 

Everyone[3] has had an instance where convenience triumphed over security.  But that should be the exception, not the rule.

Even during times of emergency response and sudden adjustment (read: pandemic, or a crisis at the location of your organization), awareness of an institution’s data and technology can be used to minimize the exposure of more sensitive information to risky situations—even if sometimes, the end result is less than ideal.  Admitting your institution is not perfect just means that in less reactive times, it must use the budget process and long-range planning to further reduce the risk, as time goes by.

And that is how to reduce the risk of employee tech getting subpoenaed in the event there is a content-related legal claim.[4]

I am grateful the member asked this question, because particularly right now,[5] this is a really common issue (although it remains a serious issue in less panicky times). So common, in fact, that I call it the “chocolate in the peanut butter” question.[6]

Why is this legal concern named after such a delicious combo?  Because the imagery really isolates the problem.  When it comes to using employee tech, the convenience can be all too seductive.  It can be, in fact, deliciously easy.

One reason to avoid this, among many, is because that technology could be subject to discovery.

But good risk practices can minimize this risk (even if you indulge on occasion). When working from a remote location, if you do not have time or the technology to take work devices with you, use of private devices, if necessary, should be for only the lowest-risk content.  Further, to minimize the risk of data loss, non-compliance, and security problems, such use should only be after a qualified professional has determined it can be done with no risk, and employees are trained to keep things confidential, and remove proprietary content after it is needed.[7]


[1] By “personal devices” I also mean personal email accounts, Zoom accounts, cell phones, tablets, laptops, DropBox folders, etc.  All content handled by employees for institutional purposes should be on institutional resources.

[2] How does “discovery” play out?  Lots of ways.  For instance, once I was defending a person whose personal laptop was subject to “discovery” in a civil case.  We didn’t surrender the laptop.  Normally, that might have posed a problem, but in this case, the laptop had been destroyed during a fight at a concert many years before.  We had to produce the old police report to show that the property really had been destroyed, and we weren’t just resisting discovery.

[3] Okay, this is hyperbole.  Hopefully it’s not “everyone” (I’m looking at you, hospitals, therapists, and the IRS).

[4] This answer does not contemplate the related but distinct issue of employer resources being used for personal purposes, or to harass others…which is the dark mirror of this issue.  But good practices in one regard will lead to good practices in the other!

[5] Largely unforeseen, 100% order to work from home impacting most businesses.

[6] …although when I am feeling dramatic, I call it “data bleed.”

[7] Bearing in mind the deleted content is often never truly deleted…and thus could still be subject to discovery!