Ethics

Some questions are tricky, some questions are complex, and some questions are simply a Huge Spider Web of Extremely Intricate and Dangerous Contingencies.

Not to be too dramatic, but this question is that last one.

What creates this tangled web?[1] Let’s explore the threads:

Thread One: The ALA Code of Ethics

Because the Code requires advocacy for proper working conditions, the ALA Code of Ethics may actually encourage what could be perceived as “disparagement” of an employer or financial supporter.

Here is the provision:

We treat co-workers and other colleagues with respect, fairness, and good faith, and advocate conditions of employment that safeguard the rights and welfare of all employees of our institutions. [emphasis added]

So, before adopting a restriction on employee communications, a library must consider this ethical obligation.

Thread Two: State and Federal Law

Both state and federal law can protect an employee’s right to complain about their working conditions.[2] And while not every type of complaint is protected,[3] given recent policy statements and cases (see footnote 2), it is wise to not paint what's barred with a broad brush.

Thread Three: State and Federal Constitutions

For a public library or municipality, barring disparagement of the municipality risks violation of both the state and the federal constitutions. I know that doesn’t apply directly to the library in question (since it is an association library and thus non-governmental), but it bears mentioning.

As does...

Thread Four: Civil Service

For Civil Service employees, if discipline for “disparagement” can be portrayed as “retaliation,” there could be a claim under Civil Service Law Section 75-b.[4]

And finally we have...

Thread Five: Fear

While not precisely a legal issue, limiting employee speech can be a major drain on morale, which in turn can lead to employee discontent, which in turn can lead to legal issues. To avoid that, it is best to aim for an environment that solicits and welcomes feedback, not one that stamps out criticism.

So, what can a library—mindful of its reputation and how its employees can impact it—do to protect itself?

Certainly, a library can require an employee writing or speaking publicly about the library to emphasize that they are only speaking for themselves.

Second, any employer can and should emphasize to employees that harassing, discriminatory, threatening, and abusive conduct—in and out of work, online and offline—may need to be addressed by the employer if it affects the work environment.

And third, a library can affirm that all its employees have a right to develop and express their own opinions, so long as they do not use library resources to convey them (no political candidates endorsed on company time!).

The language the member describes in the municipal policy sounds to me like a holdover of policies from the early 2000s. For the reasons discussed above, this kind of language has been removed from many policies over the past two decades. Case law and regulatory agency commentary (a tiny sampling of which are cited in this answer) show why.

Thank you for joining me in the spider web with an excellent question!

The New York State Education Department’s Office of the Professions, which oversees the licensure of social workers, describes social work this way:[1]

Social work is a profession that helps individuals, families, and groups change behaviors, emotions, attitudes, relationships, and social conditions to restore and enhance their capacity to meet their personal and social needs.

Social workers are trained to provide a variety of services, ranging from psychotherapy to the administration of health and welfare programs. They work with human development and behavior, including the social, economic, and cultural systems in which people function.

Sounds like a person who would be handy to have in not only a library, but perhaps in line at the grocery store, in a public park, and sitting next to you at a football game, right?

So, what would it look like (from the legal perspective) for a social worker to be embedded to work in a library?

Broadly speaking, there are three ways a social worker could offer services within a library or other not-for-profit/educational setting. Each way has its own legal and practical considerations.

The first way is for the library to employ the social worker. This would require the library to implement specific policies, resources, and insurance coverage (in other words, careful planning a budgeting), but it is doable.

The second way is for the library to contract with a social worker or agency to offer their services at the library. This would require less policy development and insurance coverage but would also require careful budgeting and a very thorough contract.

The third way would be for the library to cooperate with local departments of health and county social services to explore having professionals from the government agency on site.  In many ways, this would look like the “contract” option, but the agreement would likely be able to be far less formal.

For a variety of reasons, option #3 may often be the easiest, since there is already a lot of infrastructure in place for a county agency to support its local library or library system (the “insurance” part of things will be much simpler). That said, #2 is also fairly simple, so long as the social worker/agency can provide the required insurance coverage, and the library and provider can agree on a contract.

And option #1—the employment option—is not impossible. It just brings the biggest up-front challenges: develop a job description, policies, procedures, and insurance to support the position and all of its record-keeping and other ethical/professional obligations, and to ensure there is a firewall between the social worker’s records and other library records.

For a library that wants to explore this, it would be good to conduct a brainstorming session about what specific benefits the library would want to get from it and how they relate to the library’s plan of service.

For example: is the primary purpose so frontline staff can immediately refer patrons who may be in distress to a nearby resource for immediate assistance? Or is it so the social worker can offer community workshops and collaborate with staff on healthy programming? Once the primary goals and add-ons are determined, a job description/business plan (for option #1) or request for proposals (for option #2) could be developed to explore making it happen; the documents would address the legal/regulatory/risk factors (like ethics and how client records are kept, since they wouldn’t be “library records”).

The good news is that in 2024 there are actual, living models out there for these approaches!  While we didn’t delve too deeply, here are some links to New York libraries with social workers on site or in affiliation:

Baldwin Public Library

Brooklyn Public Library

Emma S. Clark Memorial Library

Farmingdale Public Library

Lindenhurst Memorial Library

Middle Country Public Library

New York Public Library

Thank you for a great question!

The answer is "Yes."

Of course, behind that answer is layer after layer of complexity.

Layer 1: The "you" in the policy quoted by the question (as in "Content access levels let you control which types of users can view and borrow certain...") could be the SLS, or could be an individual school, or even an individual employee of a school.  It's all about who has the access to control the settings, which is not something that should be left to chance and happenstance.

Layer 2: Databases like SORA are often licensed by school library systems ("SLSs"), not individual libraries or districts. This means that the access controlled by "you" might be controlled by SLS policy, rather than that of a member library (or the SLS's policy could specify that such control is handled at the district or individual library level).

Layer 3: The American Association of School Librarians discourages this type of limit in part 5 of its "Common Beliefs": "Learners have the freedom to speak and hear what others have to say, rather than allowing others to control their access to ideas and information."  This means that once content has been made a part of the school library or school library system's collection per established collection development policy, learners should have access to it.

Taking all these layers into account, a few things emerge:

First, there is a grave risk that restrictions in excess of appliable ethics, regulations, and policy could happen if such access controls are implemented without attention to applicable policy.

Second, if there is no policy that addresses restricting access (whether by age or individual student), that feature of a system should not be used.

Third, if a system with the capability to selectively bar access is acquired, that feature should only be implemented if there is clarity about what policy governs its use, whose policy is it, and who the "you" setting the limits is.  

But as the question points out, even with a policy in place, this may be a dangerous game (or a "creative work-around") when it comes to intellectual freedom, because as the AASL says: "Learners have the freedom to speak and hear what others have to say, rather than allowing others to control their access to ideas and information."

The decision to limit access to content that is part of collection of a school library or library system is an ethically slippery slope.  A district, school, and/or school library system should think very carefully about why it would enable such limits through policy, taking care the policy is consistent with governing ethics and regulations. 

So how is a library, school district, or system to ensure students have access to appropriate content?  The development of a pedagogically appropriate school library or school library system collection lies with their collection policies, NOT the ability to selectively control access to a collection once it is established.  This starts with using established criteria, developed and overseen by trained professionals, assembling a collection that meets the needs of the school.

By regulation (8 NYCRR 91.1), this mandate of a school library is broad: "The library in each elementary and secondary school shall meet the needs of the pupils, and shall provide an adequate complement to the instructional program in the various areas of the curriculum." [emphasis added]

By regulation (8 NYCRR 91.1), the mandate of a school library system is also broad, and it includes developing a plan for "cooperative collection development implementation," or in other words, a written plan for how cooperatively accessed materials are acquired and made available from one district to another.

There is no one way these broad mandates are achieved, and that is where the individuality of a school library system will assert itself.  But regardless of how those cooperative collection development plans are made, leaving the question "who controls collection access by age or individual identity?" unanswered is not a good option.  Through attention to applicable ethics, law, regulation, and the required collaborative governance[1], a school library system can answer that question with clarity, even if the answer is "no one."

The answer to these highly specific questions will assume readers have reviewed the ALA's excellent general guidance at https://www.ala.org/advocacy/privacy/guidelines/videosurveillance and the "Ask the Lawyer" guidance here: https://wnylrc.org/raq/patron-privacy-and-police.

With that background taken as read, let's address these questions related to a closed-circuit camera with audio recording at a school district public[1] library:

Is it legal to record sound [and/or] it is a violation of patron privacy?

In New York, recording third parties without their permission[2] is illegal "Eavesdropping" per Penal Law Section 250.05: a class E felony.

Section 250.05 is part of Penal Law Article 250 "Offenses Against the Right to Privacy," so from both the legal and ethical perspective, such recording is a violation.

Can board members review the tapes?

Assuming the tapes are visual only (and not illegal Eavesdropping), from the legal perspective, a board member could view a security camera recording, but from the ethical and risk management perspective, such viewing should only be per an established policy.

How does this all play out in the real world?

Put plainly:

A non-association library board in New York State considering use of a security camera system should ensure such a system is only used once there is a policy in place, and that policy should address the following questions:

• What is the purpose of the cameras?
• Where are the cameras pointing?
• How does the library ensure use of them is consistent with applicable ethics?
• Are any of the generated recordings patron library records?
• How long are the recordings kept for?
• Once the retention period is past, how are the recordings disposed of?
• How are the records secured against data breach or misappropriation?
• Who gets to view the recordings, and why?
• How will FOIL requests for the footage be handled?
• How will other requests for the footage be handled?
• When the library deems it necessary to retain recordings past their retention term, how are the recordings saved?
• Will any of the records be archived?

Below is a template policy for a non-association public library addressing the above questions.  Areas in yellow may be customized for the needs of a particular library (make sure you remove the footnotes).

Thank you for an important array of questions.

POLICY

To achieve the desired balance user privacy assurance and on-site security, any use of security cameras and of records generated by such cameras ("Security Recordings") in the Library will follow the below provisions.

A. Limited Use

Cameras will be used to generally monitor the areas noted on the floor plan or survey attached as "A."[4]

Cameras will never be used to monitor the following: [insert specific areas or angles to affirmatively be excluded; common examples are bathrooms, reference desk, check-out desk].

Cameras will be set up so they do not record the content of media accessed by patrons.

B. Notice

In all areas subject to security camera recording, the Library will post a sign: "The Library values patron privacy and security.  This area is monitored by security cameras."[5]

C. Patron Records

Security Recordings showing people are considered to be patron records and the Library will not release such recordings to third parties without a court order or subpoena.[6]

D.  Viewing and Use of Security Recordings by the Library

The Library will use Security Recordings to address general and specific security needs, including but not limited to:

• Assessing safety concerns
• Addressing Code of Conduct-related incidents
• Assessing operational and facility needs
• INSERT

When footage must be reviewed by the Library, such review must be authorized by either the Library Director or by a resolution of the Library’s Board of Trustees.[7]

When a Security Recording must be retained past the period set by Section G of this policy, for any reason, the basis and plan for the retention must be authorized by either the Library Director or by a resolution of the Library’s Board of Trustees.

E.  FOIL Requests

Request for Security Recordings generated at a particular date and time shall be evaluated by the Library per its FOIL policy.

In keeping with the applicable laws, Security Recordings featuring Library users shall not be made available in response to FOIL requests.[8]

F.  Warrants, Subpoenas, Litigation Hold

Requests to disclose copies of or to retain Security Recordings per a warrant, duly issued subpoena, or "litigation hold"[9] demand will be evaluated by the Library Director or designee with advice of legal counsel as needed.

G. Retention & Data Security

The Library retains Security Recordings for [period decided by Library], unless a specific segment is required to be retained for operational purposes, in which case, such segment is retained for three (3) years as required by the Retention and Disposition Schedule for New York Local Government Records.

The Library may also identify certain footage it decides is worthy of being retained in permanent archives.

H.  Budget and Capacity

The board shall no less than annually review of the budget and operational capacity needed to assure that the retention, disposal, and security of Security Recordings may remain as required by this policy.[10]

The day this story really broke (August 7, 2023, a day that will live in minor infamy), Nathan in my office pointed this issue out to me.

"Did you see that Zoom is going to use customer content to train AI?" he asked (this is what passes for casual morning conversation in my office).

My eyebrows went up, mostly because Zoom was being upfront about it, rather than because it was being done at all (because yes, this is the way of the world now).  That said, there are some tricks libraries and educators—and any business that cares about use of personal data—can employ to resist it.

Not surprisingly, this comes down to two simple things: awareness, and language.

We'll use the recent Zoom scenario to illustrate:

I am not sure how awareness of the new clause first broke (I am going outsource that research to Nathan, and if he finds out, he'll put it in a footnote, here[1]).  But it is clear that fairly soon, consumers were unambiguously aware of the privacy and use concerns posed by the "we'll suck you into our AI" Terms of Use.

Here is the language Zoom used[2] (and has since retracted) to announce it would use our conferences, etc. to train AI:

"[You agree Zoom can use your Content] ... for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom's other products, services, and software, or any combination thereof..."

This is where language comes in.

As the world soon knew, this "old" language listed "artificial intelligence", as well as "training", (although the Terms' dubious use of commas suggests to me that Zoom could use our Content for not just "training" AI, but humans, too... actually an even more terrifying prospect, from some perspectives).[3]  So yes, lots to be concerned about when it comes to "Customer Content" (which is Zoom’s term for the recordings/data/analytics that come from "Customer Input", which is the raw content you put into Zoom[4]).

 Now let's use our awareness of the current Term of Use (current as of August 24, 2023, at least), and see what the language says:

"10.2 Permitted Uses and Customer License Grant. Zoom will only access, process or use Customer Content for the following reasons (the “Permitted Uses”): (i) consistent with this Agreement and as required to perform our obligations and provide the Services; (ii) in accordance with our Privacy Statement; (iii) as authorized or instructed by you; (iv) as required by Law; or (v) for legal, safety or security purposes, including enforcing our Acceptable Use Guidelines. You grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary for the Permitted Uses."

Although not as stark as the old language, there is still a lot of wiggle room to squeeze a blending of Customer Content with AI there.  What if Zoom is "obligated" to provide a service, and decides to use AI to do it?  What if Zoom decides AI is needed for "enforcing Acceptable Use Guidelines?"  What if Zoom decides that AI is needed for your safety, and that, also for your safety, Customer Content must be used to train that AI?

Of course, right now, the Terms also say (in bold, so you know they mean it[5]):

"Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom or third-party artificial intelligence models".

So can this assurance be trusted?  This brings us back to language.

Back in the day, of course, computer systems were not "trained" (as one would train a dog, or a small child to use the toilet) but rather, "programmed."

However, even in the (relatively) slow-moving world of the law, this is no longer the case.

Here is an excerpt from a recent case[6] where lawyers were squabbling over how to gather "Electronically Stored Evidence" ("ESI"):

Defendants propose the following method for searching and producing relevant ESI:

1) Narrow the existing universe of approximately 27,000 documents...

2) Undersigned counsel reviews a statistically significant sample of the remaining e-mails at issue and marks them relevant/irrelevant to create a "training set;"

 3) That training set is then used to "train" the eDiscovery vendor's artificial intelligence/predictive coding tool, which "reviews" the remaining e-mails and assigns each a percentage-based score that measures likelihood to be responsive...

So even in the law, computer systems are being "trained", and there is a precise meaning to the term (which in plain[7] terms is "repeatedly using data and parameters to create patterns desired by the user").

So, with all that said, let's look at the member's questions:

Question 1: I am wondering if there are any privacy or FERPA concerns that librarians and educators need to be worried about since Zoom is still used heavily in both library and school worlds.

The short answer is: yes.

Question 2: Should we be looking for alternatives or is this just the way of the world now?

The short answer is: yes.

Here is the reason for my first short answer:  Many contracts have what I call a "we were just kidding" clause that allows the contractor to change their terms at will, and without notice.  Here is the one in the current version of Zoom:

15.2 Other Changes. You agree that Zoom may modify, delete, and make additions to its guides, statements, policies, and notices, with or without notice to you, and for similar guides, statements, policies, and notices applicable to your use of the Services by posting an updated version on the applicable webpage. In most instances, you may subscribe to these webpages using an authorized email in order to receive certain updates to policies and notices.

What does this mean?  Even though they are in bold, Zoom can change its assurance on AI at any time.

The reason for my second short answer is this: Libraries and education institutions have incredible commercial leverage when they work together.  For this reason, libraries and educational institutions should always be using their awareness of data, ethics, use, and privacy issues to demand contract language that meets their expectations.

Those expectations will change from product to product. With a product like Zoom, which can generate audio/video/text/analytics/+, including content that later may be part of a student file (FERPA) or a library record (various) the assurances should be:

• All content entered is property of the customer (library or school);
• At all times, all content entered into the service, or content generated with the use of customer-supplied content, may only be used to provide the current service(s) specifically authorized by the customer;
• Any other use of data (for product improvement, for marketing) must be via a specific opt-in;
• Terms cannot change without notice and terms in effect at the time content was generated will govern such content, regardless of future changes;
• Customers can receive assurance that all data is purged upon request.
• Customers can verify that they can enforce and comply with all their own internal policies and obligations regarding data creation, use, and storage.

In addition, libraries and educational institutions should have a clear set of policies for how they, as the potential owners of recordings and other data associated with the use, will use their ownership and control of the content.  It would be unfortunate, to say the least, for a student to find that their college disciplinary hearing for underage drinking is now available on YouTube.[8]

Many public library groups and academic consortia are already working to develop this type of criteria[9] (which should focus more on isolating aspirations and expectations than on legal wording, since legal wording will vary from state to state). And some institutions are designing their own services[10] in order to avoid contract terms that don't meet their criteria.

At the individual institutional level, this means building assessment of such services, and bargaining time, into the procurement process.  It also means thinking through that institution's own particular ethics and responsibilities and developing internal policies to promote them.

So, while this is the world we live in, libraries and educational institutions are well-situated to make a better one. 

Thanks for an important question.

YES. Expressly barring library displays based on categories protected by law, such as sexual orientation and gender, is--among other things--a legal issue.

This is not to say a library can't pass a policy on library displays.  A library could easily implement a policy that requires displays to be timely, that they be reflective of the needs of the community, and that they display an array of materials from different sources.  Such a policy, done thoughtfully and with director and attorney input, could be perfectly appropriate, legal, and in line with the mission of a public library.

In addition, such a policy could address and provide established and well-thought-out procedures for the library to address:

• Concerns that a library display violates the bar on political activity by a library;
• Concerns that a library display is age-inappropriate;
• Concerns that the content in a library display is illegal;
• Concerns that the display could objected to by members of the community; and
• Concerns that the display is boring, non-engaging, and/or irrelevant.

But what such a policy could NOT do (without tripping legal concerns) is make blanket rules about display content based on categories that align with identities protected by law. [1]

Further, if such decisions are made in a vacuum, without policy (like an ad hoc board resolution), they run the risk of being both discriminatory and "arbitrary and capricious."  Such a ban--especially coupled with the dialogue and community interaction that might precede and follow it--could set the stage for:

• A claim of discrimination by a trustee;
• A claim of discrimination by an employee;
• A civil rights claim by a patron;
• A report triggering an investigation by the New York Division of Human Rights[2];
• A really awkward moment at the next sexual harassment training, since in New York, "sexual harassment" includes harassment on the basis of sex, sexual orientation, gender identity and the status of being transgender.

In addition, there are many local municipalities that have their own protections for certain protected categories, including sexual orientation and gender identity and expression.  So there is a risk of implicating not just state and federal, but local law, as well.

Of course, such a ban is FAR MORE that a legal issue.  But amidst everything else, it IS a legal concern.  And while their primary duty is to serve the library's mission, public library trustees also have a fiduciary duty to guard against claims that the library has violated state, federal and local civil rights laws.

How would a library board walk back having taken such a position?  Ideally, very quickly and decisively, with confidential legal advice from their local attorney[3].  This is because in and of itself, such a ban might not be enough to trigger legal action...rather like how just vodka isn't enough to make a martini.  But who knows when the vermouth will show up?

That said, if a board is at this point (and especially if the library director and staff are watching, without being consulted[4]), even after serious consideration of a such a policy or directive, change is possible. 

After all, each and every library trustee and employee in New York (and even their lawyers) can always learn more about the New York Human Rights Law,[5] federal civil rights law, and perhaps even the protections in their municipality.

And public libraries are there to enable learning by everybody.

Everybody.

[1] In New York, that includes: race, creed, color, national origin, sexual orientation, gender identity or expression, military status, sex, disability, marital status, or status as a victim of domestic violence.

[2] https://www.nysenate.gov/legislation/laws/EXC/296 This links brings the reader to a partial list of barred discriminatory actions.  Here is an excerpt (in other words, there's more): " 2. (a) It shall be an unlawful discriminatory practice for any person, being the owner, lessee, proprietor, manager, superintendent, agent or employee of any place of public accommodation, resort or amusement,
because of the race, creed, color, national origin, sexual orientation, gender identity or expression, military status, sex, disability, marital status, or status as a victim of domestic violence, of any person, directly or indirectly, to refuse, withhold from or deny to such person any of the accommodations, advantages, facilities or privileges thereof, including the extension of credit, or, directly or indirectly, to publish, circulate, issue, display, post or mail any written or printed communication, notice or advertisement, to the effect that any of the accommodations, advantages, facilities and privileges of any such place shall be refused, withheld from or denied to any person on account of race, creed, color, national origin, sexual orientation, gender identity or expression, military status, sex, disability or marital status, or that the patronage or custom thereat of any person of or purporting to be of any particular race, creed, color, national origin, sexual orientation, gender identity or expression, military status, sex or marital status, or having a disability is unwelcome, objectionable or not acceptable, desired or solicited.

[3] And perhaps a check-in with their "directors and officers" insurance carrier.

[4] This type of issue is part of why the author consistently recommends trustees be trained on non-discrimination policies (including sexual harassment).

[5] https://dhr.ny.gov/new-york-state-human-rights-law

As I have written before, a big rule for the "Ask the Lawyer" service is "don't reinvent the wheel!"

So before I answer this, I will reiterate the member's mention of the "Prison Library Support Network", and refer readers to their excellent guide "Reference Letter Writing: A Volunteer Handbook."

The "Volunteer Handbook" reviews a lot of what I would otherwise supply: how to be respectful of an incarcerated person’s needs and personal considerations when responding to a reference request, how to be aware of and work within the larger social dynamics at play, and--critically--the practical considerations of sending mail to incarcerated people (it's also well-written, which is always a plus).

To the "Volunteer Handbook" I would add just a few considerations for a library at a private higher education institution:

First, it is important to recognize that while library services provided in the state of New York by both public libraries and academic libraries are confidential, incarcerated individuals do not have privacy with respect to information they receive via the mail.  Therefore, the normal librarian/library user dynamic is "off."

Here is a sample of the scrutiny mail to a person living in jail or prison will be subject to:

(c) Printed or photocopied materials.

(1) When, in the course of inspection, printed or photocopied materials are found, the entire contents of such correspondence may be delayed through the correspondence unit for up to six days while the materials are subject to media review guidelines (see Part 712 of this Title).

(2) A limit of five pages of printed or photocopied materials (an individual newspaper clipping will be considered one page) may be received within a piece of regular correspondence (except as provided in paragraphs [3] and [4] of this subdivision). In order to facilitate media review, pages or clippings must not be taped, glued, or pasted together or to other papers.

(3) Not to exceed once every four months, an inmate may make a written request to the superintendent to receive in excess of five pages of printed or photocopied legal papers specifically related to the inmate's current legal matter (e.g., legal brief or trial transcript relating to the inmate's active case) within a piece of regular correspondence. The inmate shall make the request in advance...[etc.]

Ugh.  That's a lot of compromised privacy.[1]  So, from the outset, just keep in mind that per 7 CRR-NY 720.4, as well as a facility's customized policies and procedures, the usual rule of confidentiality will not apply.

Aside from that, I add three things:

1.  An academic library should specify via written policy if it offers library privileges to community members within a defined geographic scope (not just students, alumni, and employees).

2.  An academic library should have a policy setting out its capacity and limits for providing hard copy/mailed responses to reference requests.

3.  If a library is going to provide services specifically to incarcerated persons living beyond the geographic scope allowed by their policies (as the member's question says, they get questions "from around the country"), a specific policy should be developed for providing that service, even if the institution doesn't have a fully-developed prison outreach program.

These three policies should be applied evenly, fairly, and with attention to budget and capacity. This means:

With respect to #1, if an academic institution allows residents within 100 miles to have library privileges, and there is a prison within that radius, a person who is incarcerated may have library privileges (although their ability to exercise them may be limited).

With respect to #2, if an academic library provides written, mailed responses to users, there should be time and resource limits on providing that service to users, and those limits should be uniformly applied with respect to both staff hours, and copying/mailing budget.

And with respect to #3, if a private academic institution wants to provide services to persons living in jail or prison beyond the scope of their usual services, but it not able to develop a full prison outreach program, such services should still be done per a specific policy.

Why a specific policy, if there isn't a fully developed outreach program?  A few reasons.  First, it will help set the boundaries for the service, based on the library's capacity.  By establishing those boundaries, the library/institution will be able to show that the resource is being allocated fairly.  And finally, it provides clarity on how such services are provided, who is responsible for providing them, and how much is allocated for the expense associated with them (useful information if your institution ever wants to expand the service through a grant).

Here is a sample policy:[2]

[ABC Library] Policy on Reference Services to Incarcerated Persons

Policy

As part of our mission, the [ABC College Library] provides up to [20 hours per month] of reference services to persons incarcerated anywhere within [the United States].

Procedure

Upon receiving a reference request from a person who is incarcerated, the ABC Library assesses if the inquiry can be answered by the library within [one month (30 days)].[3]

If it can be answered, the question is placed in a queue to be answered in order of receipt, and an answer will be sent via the USPS within 30 days of receipt.

If it cannot be answered, either due to a large queue, or because it is not within the capability of the institution, a reply is sent stating "The ABC Library received your request for reference services, and regrets that answering your question is not within our capability at this time."

The position responsible for reviewing requests, and for assessing and effecting a timely response, is [INSERT]. This responsibility may be delegated, based on capacity.

OPTIONAL: To the greatest extent possible, persons within [NAME Correctional Facility], which is in the Library's area of service, are served per the library's policy on community members, and hours spent serving such users are not counted against the monthly amount allowed under this policy].

I appreciate that for many institutions of higher education, this question is deeply related to mission. Therefore, in adopting even the most informal policy, such as the one above, I also suggest considering a recital of how the work specifically plays into the mission of the institution.

Thank you for a thoughtful question.

[1] I get why, but as someone opposed to the carceral system in general (we can do better), this is just another reason to develop a better system.

[2] [Text in Brackets] in this sample policy indicates places where customization is most needed.

[3] An institution should research what time frame they feel is fair to offer; for some inquiries, sixty, or even ninety days may be reasonable.  This depends on the type of inquiries your institution is receiving...especially since this is a policy for a reactive service, rather than a deliberative outreach program.

This question needs to be answered on a sliding scale.

Here are three scenarios to show how the scale can slide:

Scenario 1: "Scrapbooking"

A museum makes robust use of social media to connect with its community.  At different events, a staffer or two are expected to take lots of photos, including shots of staff and guest speakers interacting with the community.  Members often comment how much they enjoy the images and connectivity.

Since the Museum got in on the ground floor of social media and the practice started on the Museum's website, some of the content is almost 3 decades years old ("born and aging digital"). At this point, some of the employees in the images have not only simply moved on--they've retired.

No written, signed permission to use the employees' images is obtained.

Scenario 2: "Image Crafting"

A library is working to show its commitment to diversity, equity, and inclusion.  The employee in charge of the web site and social media culls through photos of employees and patrons to post selected images on static pages that refer to a DEI commitment; while other use of the website and social media is managed as usual, these pages remain unchanged as stand-alone statements.

No written, signed permission to use the employees' images is obtained.

Scenario 3: "Stone Cold Marketing"

An association library is creating a brochure to kick off a capital campaign to build a new library on a donated piece of property.  The donated land is more centrally located in the library's area of service.  To raise funds for the hoped-for building that will serve a new generation of library users, the library asks all the employees and their kids to attend a photo shoot on the new land.  The idea is they will sit on blankets, reading, on the currently-empty lot, and the library's graphic designer will put a semi-transparent rendering of the future building over them, showing the library of the future.

No written, signed permission to use the employees' images (or their kids' images) is obtained. 

In New York, the law is pretty straightforward on the unauthorized commercial use of living people; NY Civil Rights Law Section 50 "Right of privacy" says "a person, firm or corporation that uses for advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, is guilty of a misdemeanor."

Recently, the law was expanded to restrict the commercial use of the image of deceased "personalities": NY Civil Rights Law Section 50-F 2. a. provides "Any person who uses a deceased personality's name, voice, signature, photograph, or likeness, in any manner, on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of, products, merchandise, goods, or services, without prior consent from the person or persons specified in subdivision four of this section, shall be liable for any damages sustained by the person or persons injured as a result thereof."[1]

"Ask the Lawyer" has addressed this issue a bit before: see https://wnylrc.org/raq/employee-privacy-and-image-use and https://wnylrc.org/raq/posting-patron-images-facebook-when-image-release-required, but we haven't focused on solutions to the question posed by the member: If an individual who no longer works at an institution finds that their picture is still being used by said institution, whether in promotional photos or on staff/faculty pages, does that individual have any legal recourse?

This is where our scenarios come in.

If the use is what I've called "scrapbooking" in the first scenario--part of a collection documenting events as they unfolded, and not featured or linked in a way that advertises the institution or asks for money--the law does not have much recourse.   That said, a former employee can always ask for an image to be removed as an act of courtesy, and if there is a compelling reason (safety, emotional well-being, not wanting to be affiliated with the institution any more) an attorney could help the person isolate and make a convincing argument for removal.

As the scale continues to slide, if the use is what I've called "image crafting" (the use referenced by the member in the question), if written permission was not granted, there may be grounds for demanding removal under the law.  A current or former employee who feels strongly about this should consider working with a lawyer, since the first request should accurately set out the basis for the requested removal.

On the final end of the scale, when the use is clearly for "advertising purposes, or for the purposes of trade" (like a posting soliciting a capital donation), written permission should have been obtained, and a former or current employee--unless their job description includes serving as a model or posing for published pictures--has a strong basis to demand removal under the law.

What can a cultural institution do to avoid the risk of unauthorized commercial use of an employee's image?  A few things:

First, unless it is part of the employee's job description, do not require use of the employee’s image on print publications and social media.  If the institution has determined that, for the sake of public relations and service, all public-facing employees will have their picture on the website, it should ensure that due attention to safety and privacy is factored into the requirement.[2]

Second, even when an employee seems "okay" with being featured in a publication (print or online), it is good to get written permission. While not all uses will qualify as "commercial" and thus risk violation of the law, it shows respect and proper attention to employee agency and safety.

Third, if feasible, consider a default position that every employee, unless it is in their job description, has "opted out" for use of employee images on institutional publications.  Then ask who would want to be featured.  For example: "To respect employee privacy, the library does not intentionally use the name and images of employees except to the extent they are listed on the website and in published board materials.  If you would like to be featured in library social media and publications, please alert the Director, so we can obtain a written image release.  This is not a requirement!"

Fourth, if your library or other cultural institution needs to rely on the personality and persona of an employee to the point where use of their name and image in association with the library is part of their job, consider putting that in their job description.  For example, "The [insert title] position is a community-facing position and in addition to routine interaction with the public, will be required to interface with the public via materials published by the [library] from time to time, including use of their name, signature, and recorded images of their likeness and voice."

And fifth, when in doubt, get an image release.

An image release can come in many forms; to be on the safe side, an image release should be custom-written for your institution, and the use it plans to make of authorized images.

That said, here is a sample:

Image Release

NAME, who is at least 18 years of age, consents to the use of their image, name, and likeness, as governed by New York Civil Rights Law 50 for purposes of informing the public about events, opportunities, and initiatives of the XYZ Library, including fundraising initiatives.  As an employee, I understand that such consent is not a requirement of my position, and I may revoke this consent at any time by sending a written request to make no further use of my image under this Image Release. I understand that "revoking consent" means no further use will be made of my image, but that past use will not be removed. Unless revoked by me personally, this release shall be binding on my heirs and cover the institution's use of my "right of personality" as covered by New York Civil Rights Law 50-F.

DATE:______________

SIGNATURE:______________________

WITNESS:____________________________

Records retention period of this release: PERMANENT.

A well-written release can cover you whether you are "scrapbooking", "image crafting", or engaging in "stone cold marketing."

Thank you for a thoughtful question!

[1] I won't list them all here, but there are many exceptions to this law for use by artists, journalists, etc.  If you are just learning about Civil Rights Law 50-F in this RAQ, please don't let it stifle your archive, art, or journalism! You can find the list of exceptions here: https://www.nysenate.gov/legislation/laws/CVR/50-F.

[2] I could write a whole chapter on this consideration, but we'll leave it there for now.

There is no one right answer to this question, but there is a formula for any library to come up with its own, unique answer.

Here is the formula:

[Situation] x [Ethics + Law] / [POLICY/Precedent] = YES or NO

Let me break this approach down.  And trust me, I will give a clear reply to the member's question at the end of all this.

The formula starts with the situation.  In the scenario we have here:

"Local police walked through our Library earlier today with no explanation. Later on, we noticed 2 teens on premises, who we assume should have been in school. We thought the police may have been looking for them as truants, but that is not confirmed."

There is a lot that can be said about this description, but one important aspect of it is the library's care to not reach a conclusion about why the teens were at the library instead of school (while the member describes an "assumption," there is no action on that assumption).  And as noted, law enforcement was not called; rather they "walked through...with no explanation."

This situation is then multiplied by the combined factor of ethics and law.  Both the ALA and NYLA Codes of ethics emphasize patron confidentiality.  Meanwhile, New York's Civil Practice Law and Rules ("CPLR") Section 4509,[1] the state law requiring a subpoena or judicial order before a user's library records can be shared without that patron's consent, does not define "library records" other than to state that they include "personally identifying details."  This is why whatever the situation, ethics, and law are, the answer must be assessed under a library's policy governing patron records (while considering past applications of the policy, to ensure consistent application).

It is at this last factor--policy--where things can get complicated.  With the advent of (sorta) new technologies, the definition of "library records" is not just internet searches and checked-out materials.  It could be what a person printed on a 3D printer, or their image on a surveillance camera, or their use of library wi-fi.  None of these things, right now, are listed in CPLR 4509, but many library professionals would consider them to be library records.

The trick is making sure that when a library takes a position about library records (especially with regard to records that, at first glance, are not about library services, but more about security), it is supported by their policy.

Okay, I know I promised a "clear answer".  So let's re-state the question: "if the police were to ask if we saw the teens, are we able to answer or is that considered a violation of patron privacy as it is with patron information and records?"

Based on a fictitious library consulting a fictitious lawyer, here is one possible answer:

To the ABC Library:

You have requested legal advice regarding whether a library may provide a substantive answer in response to law enforcement enquiring about the presence of a patron in the library.

Your concern is that such a disclosure, based on the visual observations of library employees rather than written/recorded records, could still be considered a violation of patron privacy.  You confirmed that at the time of the inquiry, the library had no operational need to release any such information.

I have reviewed the library's policy on patron confidentiality, and based on the below clause, I advise to not release such information unless there is a subpoena or judicial order:

"Consistent with the ALA and NYLA Codes of Ethics, the ABC library considers any record or information that indicates an individual's use of library services and/or facilities to be a library record under CPLR 4509, unless specifically excluded[2] by this policy."

Therefore, I advise not providing such information without a subpoena or judicial order, unless the requestor accurately points out that a specific law requires it.

Thank you for trusting me with this question.

Very truly yours,

A. Hypothetical Lawyer, Esq.

Of course, as the "formula" at the start of this answer points out, the "situation" may vary from time to time.   And CPLR 4509 does leave room for mandatory disclosure "when otherwise required by statute." [3] Those are the times when a library may want to consult a local attorney to obtain quick advice in the moment.

Since this formulaic balancing of facts, ethics, legal obligations, and policy can be difficult to keep in mind,[4] it may be helpful to summarize it to library trustees, employees, and volunteers this way: “A patron's use of the library and our services are confidential.  If anyone asks about a patron using or being at the library, our standard reply is 'Since patron information is confidential, I need to refer you to [the Director].’”[5]

Thanks for a very thought-provoking question.

[1] As of November 12, 2021, here is the text of CPLR 4509: "Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute."

[2] What are examples of things to exclude?  If a library is in shared space with a shared security surveillance system, that should be excluded (unless the library has confirmed via written contract that the footage of the library will only be reviewed per the policy).  If the library has a snack bar or gift shop and wants to monitor the point of sale for theft, that could be excluded.  Security footage of a community room used by third-party groups (not individuals) under a space rental agreement is another possible example. 

[3] Such as FERPA. For more on this, see the “Ask the Lawyer” posted here: Patron Confidentiality in School Libraries

[4] Even lawyers need to look this stuff up sometimes.  Just like I don't have some of the finer points of the Domestic Relations Law at my fingertips, not all lawyers can recite the requirements of CPLR 4509.

[5] Or designated positions with regular training and/or adequate experience to appreciate the fine points of the library's policy.

Questions that combine higher education, data access, and "terms of use" enforcement always give me a moment of sad reflection, as I remember Internet pioneer and activist Aaron Schwartz. It was an alleged overuse of an academic database at MIT in 2012 that lead up to his demise.[1]

While the circumstances in the Schwartz tragedy are different from the situation described here, both scenarios--and the care the member has taken in framing this question--illustrate the importance of considering what's at stake when an institution balances contract compliance, digital access, and privacy.

What's "at stake" here? The member's question combines concerns about:

• Confidential use of library resources
• Academic freedom
• Intellectual freedom
• Honoring the exclusion of certain academic and library actions from liability for copyright infringement
• FERPA

Let's do a quick run-down of these critical areas:

In New York, the confidentiality of library services is protected by Civil Practice Law & Rules ("CPLR") section 4509, which states that library records indicative of the identity of a library user may only be accessed with that user's permission, or per a subpoena or court order. CPLR 4509 applies to private libraries within academic institutions as much as it does public libraries or those within school districts. It works hand-in-glove with the American Library Association's and New York Library Association's recitals of patron confidentiality in their Codes of Ethics.

In New York, the commitment of a higher education institution to academic freedom is reflected in various ways. An example is the American Association of University Professors' 1940 "Statement on the Principles of Academic Freedom"[2]: "Teachers are entitled to full freedom in research..."

In New York and throughout the nation, the commitment of libraries to collaborate with others to promote intellectual freedom and access to information is reflected the ALA Library Bill of Rights: "Libraries should cooperate with all persons and groups concerned with resisting abridgment of free expression and free access to ideas."

In New York and throughout the nation, certain academic and library actions that would otherwise violate copyright are excluded from liability for infringement. This exclusion is to ensure there is a clear and well-defined legal safety net for content accessed in furtherance of certain intellectual and academic freedoms.

And throughout the USA, the privacy of education records, including library records, is assured under the Family Education Rights Privacy Act" (FERPA).

Serving as a counterweight to all of these critical factors are an educational institution's obligations under federal law and regulation with regard to alleged copyright infringement, particularly the regulations found in 34 CFR §668. If I were to delve into that and describe all of those obligations here, this answer would be 50 times longer, but a good summary of what compliance in that regard looks like can be found in this sample policy from RIT: https://www.rit.edu/its/rit-response-copyright-infringement.  In short:  since 2008, federal law requires higher education institutions receiving federal financial aid and other federal benefits to be express enforcers and re-enforcers of copyright.[3]

Sitting astride of all of this is whatever notification commitments (and other responses)  a college or university library agreed to when it signed the license agreement with the database provider (I have reviewed many of these types of license agreements, and almost all of them have some form of notification action requirement, which can range from a warning as described by the member, to ensuring the immediate cutoff of access by an offender).  This means that in addition to the ethical, legal, and regulatory factors that have to be balanced in a question like this, we also have to consider obligations that are contractual.[4]

With all of these very important considerations now laid before us, let's review what the member is doing:  1) getting a notification of a possible terms violation from the provider, and then 2) using a firewalled[5] process to identify the user and alert them of the alleged violation, and then 3) assuring the vendor they have addressed the issue.  As asked by the member:  Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?

Here is my short answer: since the method of response described by the member shows there is a big firewall between the vendor and the institution (meaning: the outside party never learns the actual identity of the alleged violator), I believe so.  BUT: the only real way to ensure privacy is protected as it should be is to confirm that the information flowing between the library and the IT Department never goes any further...within the institution.

What do I mean by that? The information should never go to campus safety or security. Unless it is per a very clearly articulated procedure developed for the operational needs of the library, it should never go to the office responsible for student discipline. And it should certainly never go to an employer on campus, a faculty member, or an advisor.[6]

This caution is warranted because, although a library within a higher educational institution is not a separate business entity the way a chartered public library is an entity separate from the town or city that sponsors it, for purposes of an academic library's adherence to privacy ethics and laws, it should be considered a stand-alone entity. Information can flow into it, but information should not flow out, even to other departments, unless the flow serves the operational needs of the library, and verifiably goes no further.

This 'one-way flow" for user-associated academic library records is an easy goal to articulate, but in practice, it can be very difficult to assure. As systems within large and small institutions get more integrated in the interests of security and economy, so too is it more difficult to separate one type of information from another. However, when it comes to privacy and library confidentiality, because of the high stakes involving intellectual freedom, academic freedom, and student privacy, extra care and attention is warranted.

The care of the member in submitting this question and describing the careful process they are using is emblematic of the type of care that should be used at all times when safeguarding user confidentiality and privacy at a higher education academic library.

Thank you very much to the member for submitting such a careful question.

RIP, Aaron Schwartz.

[1] I say "led up to" rather than "led to" because while many believe the latter, the facts of the case clearly establish the former.

[2] Found as of November 14, 2021, here: https://www.aaup.org/report/1940-statement-principles-academic-freedom-and-tenure.

[3] I won't mince my words about that requirement: I don't like it. But I am not a member of Congress.

[4] And voluntary. This is why it is very important to read database licenses and to PUSH BACK on clauses that require draconian responses to alleged violations.

[5] By "firewalled," I mean that the vendor never knows the name or other identifying information of the alleged violator.

[6] Unless the student has signed a waiver. Then it can go to whoever has permission.