FERPA

This is a timely and important question.

Regarding the ability of law enforcement (including ICE, FBI, ATF, etc.) to enter a college or university campus: the administration will make that determination, and it will be based on many factors.

That said, by both state and federal law (Education Law 6434, and the Clery Act [20 U.S.C. 1092]), college and university campuses are supposed to have a relationship with local law enforcement, so some degree of cooperation with local police, a county sheriff, and the state troopers should already be in place. Many institutions, especially those close to borders or with particular security priorities, have established working relationships with the FBI.

Against that variable background, what happens within an academic library on campus (and in virtual spaces) is subject to further control.

To describe that and provide guidance, I have developed the below “GUIDE” that can be posted in academic libraries in New York State. The sections in yellow can be modified to fit your institution’s unique information. Feel free to use your own font (I am into Century Schoolbook these days, but Avenir Next has a quiet authority). You can also add additional protections and procedures; I have put in the bare minimum required by law and ethics.

NOTE: As will ALL templates, have your higher-ed institution’s lawyer review it first, whenever possible. They may have a few more considerations to add.

In addition to having clarity about the steps needed to demand student-related information, I want to encourage all academic librarians to stay calm. In the event you are asked for information about a student or colleague, follow policy and guidance (including what is below, if your institution decides to use it) and refer all inquiries to senior administration.

In the event of an enforcement action, one of the best things you can do is provide witness, and help that person get to a good lawyer. So, if you have extra adrenaline on this right now, using your librarian skills to assemble lists of legal aid and private attorneys with the right experience to help can be vital.

In summary: librarians at higher-ed institutions can’t control what campus policy is overall, but they can have clarity about the policy in the library. In addition, by attesting to what you see, and providing timely information to those who could be impacted, you are using your profession to ensure accurate information is timely applied. As of this writing (January 29th, 2025), helping your colleagues track accurate information about funded research and programs will help, too.

Thank you for thinking of your students and your ethical obligations as an academic librarian.

The Higher Ed Librarians’ of New York

GUIDE

To Responding to Law Enforcement & Others’

Requests for Library User Information

[INSERT YOUR LIBRARY LOGO HERE!]

FACT 1: “Library Records” in New York, including those held by higher education libraries, may not be disclosed to third parties without a duly executed subpoena, court order, or waiver signed by the library user, unless such disclosure is required for library operations (for example, reporting destruction of library property). [NY CPLR 4509]

FACT 2: “Library Records” in New York, including those held by higher education libraries, may not be shared with law enforcement (local, state, or federal) without a warrant, unless the library is the party filing the report (for example, reporting theft of library property).

FACT 3: At this library, a student’s Library Records are also confidential “Education Records” per the Family Education Rights Privacy Act (FERPA). While some records can be shared under FERPA, Library Records have an added layer of restriction (see FACT 1 and FACT 2).

FACT 4: The American Library Association’s Code of Ethics requires librarians to “protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”

BECAUSE OF THESE LEGAL AND ETHICAL OBLIGATIONS:

1. Law Enforcement (local, state and federal): All requests for library user information will be referred to Campus [Safety/Security] or the [University/College’s] lawyer. Search warrants, subpoenas and court orders should be submitted directly to [position] for assessment, so prompt responses can be issued. Library workers are, by law and policy, barred from providing such information.

2. Attorneys: All requests for library user information will be referred to Campus [Safety/Security] or the [University/College’s] lawyer. Subpoenas and discovery demands should be submitted directly to [position] for assessment, so prompt responses can be issued. Library workers are, by law and policy, barred from providing such information.

3. Private Investigators: All requests for library user information will be referred to Campus [Safety/Security]. Library workers are, by law and policy, barred from providing such information.

4. Faculty, Staff, Coaches, Advisors: All requests for library user information will be referred to the Library Director, who will assess the degree to which such information may be shared under FERPA and CPLR 4509. If a student has signed a FERPA waiver that includes disclosure of Library Records, please alert the Library Director, so the information that the student has agreed can be shared can be promptly provided. Library workers are, by policy, barred from providing such information.

5. Information Technology (“IT”): All requests for library user information should be referred to the Library Director, including requests that could be fulfilled by IT. IT workers are, by law, barred from providing access to Education Records and Library Records without a FERPA waiver authorizing such access.

IN THE EVENT LIBRARY RECORDS OR INFORMATION RELATED TO LIBRARY USE IS DEMANDED DUE TO AN IMMEDIATE RISK TO HUMAN HEALTH (student or other), THE DIRECTOR OR LIBRARIAN IN CHARGE WILL WORK WITH OTHER [COLLEGE/UNIVERSITY] PERSONNEL TO MAKE A TIMELY DECISION BASED ON APPLICABLE LAW.

This Guide is posted and promulgated in the [NAME] Library to protect important privacy rights while promoting the orderly and safe operation of the campus.

The day this story really broke (August 7, 2023, a day that will live in minor infamy), Nathan in my office pointed this issue out to me.

"Did you see that Zoom is going to use customer content to train AI?" he asked (this is what passes for casual morning conversation in my office).

My eyebrows went up, mostly because Zoom was being upfront about it, rather than because it was being done at all (because yes, this is the way of the world now).  That said, there are some tricks libraries and educators—and any business that cares about use of personal data—can employ to resist it.

Not surprisingly, this comes down to two simple things: awareness, and language.

We'll use the recent Zoom scenario to illustrate:

I am not sure how awareness of the new clause first broke (I am going outsource that research to Nathan, and if he finds out, he'll put it in a footnote, here[1]).  But it is clear that fairly soon, consumers were unambiguously aware of the privacy and use concerns posed by the "we'll suck you into our AI" Terms of Use.

Here is the language Zoom used[2] (and has since retracted) to announce it would use our conferences, etc. to train AI:

"[You agree Zoom can use your Content] ... for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom's other products, services, and software, or any combination thereof..."

This is where language comes in.

As the world soon knew, this "old" language listed "artificial intelligence", as well as "training", (although the Terms' dubious use of commas suggests to me that Zoom could use our Content for not just "training" AI, but humans, too... actually an even more terrifying prospect, from some perspectives).[3]  So yes, lots to be concerned about when it comes to "Customer Content" (which is Zoom’s term for the recordings/data/analytics that come from "Customer Input", which is the raw content you put into Zoom[4]).

 Now let's use our awareness of the current Term of Use (current as of August 24, 2023, at least), and see what the language says:

"10.2 Permitted Uses and Customer License Grant. Zoom will only access, process or use Customer Content for the following reasons (the “Permitted Uses”): (i) consistent with this Agreement and as required to perform our obligations and provide the Services; (ii) in accordance with our Privacy Statement; (iii) as authorized or instructed by you; (iv) as required by Law; or (v) for legal, safety or security purposes, including enforcing our Acceptable Use Guidelines. You grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary for the Permitted Uses."

Although not as stark as the old language, there is still a lot of wiggle room to squeeze a blending of Customer Content with AI there.  What if Zoom is "obligated" to provide a service, and decides to use AI to do it?  What if Zoom decides AI is needed for "enforcing Acceptable Use Guidelines?"  What if Zoom decides that AI is needed for your safety, and that, also for your safety, Customer Content must be used to train that AI?

Of course, right now, the Terms also say (in bold, so you know they mean it[5]):

"Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom or third-party artificial intelligence models".

So can this assurance be trusted?  This brings us back to language.

Back in the day, of course, computer systems were not "trained" (as one would train a dog, or a small child to use the toilet) but rather, "programmed."

However, even in the (relatively) slow-moving world of the law, this is no longer the case.

Here is an excerpt from a recent case[6] where lawyers were squabbling over how to gather "Electronically Stored Evidence" ("ESI"):

Defendants propose the following method for searching and producing relevant ESI:

1) Narrow the existing universe of approximately 27,000 documents...

2) Undersigned counsel reviews a statistically significant sample of the remaining e-mails at issue and marks them relevant/irrelevant to create a "training set;"

 3) That training set is then used to "train" the eDiscovery vendor's artificial intelligence/predictive coding tool, which "reviews" the remaining e-mails and assigns each a percentage-based score that measures likelihood to be responsive...

So even in the law, computer systems are being "trained", and there is a precise meaning to the term (which in plain[7] terms is "repeatedly using data and parameters to create patterns desired by the user").

So, with all that said, let's look at the member's questions:

Question 1: I am wondering if there are any privacy or FERPA concerns that librarians and educators need to be worried about since Zoom is still used heavily in both library and school worlds.

The short answer is: yes.

Question 2: Should we be looking for alternatives or is this just the way of the world now?

The short answer is: yes.

Here is the reason for my first short answer:  Many contracts have what I call a "we were just kidding" clause that allows the contractor to change their terms at will, and without notice.  Here is the one in the current version of Zoom:

15.2 Other Changes. You agree that Zoom may modify, delete, and make additions to its guides, statements, policies, and notices, with or without notice to you, and for similar guides, statements, policies, and notices applicable to your use of the Services by posting an updated version on the applicable webpage. In most instances, you may subscribe to these webpages using an authorized email in order to receive certain updates to policies and notices.

What does this mean?  Even though they are in bold, Zoom can change its assurance on AI at any time.

The reason for my second short answer is this: Libraries and education institutions have incredible commercial leverage when they work together.  For this reason, libraries and educational institutions should always be using their awareness of data, ethics, use, and privacy issues to demand contract language that meets their expectations.

Those expectations will change from product to product. With a product like Zoom, which can generate audio/video/text/analytics/+, including content that later may be part of a student file (FERPA) or a library record (various) the assurances should be:

• All content entered is property of the customer (library or school);
• At all times, all content entered into the service, or content generated with the use of customer-supplied content, may only be used to provide the current service(s) specifically authorized by the customer;
• Any other use of data (for product improvement, for marketing) must be via a specific opt-in;
• Terms cannot change without notice and terms in effect at the time content was generated will govern such content, regardless of future changes;
• Customers can receive assurance that all data is purged upon request.
• Customers can verify that they can enforce and comply with all their own internal policies and obligations regarding data creation, use, and storage.

In addition, libraries and educational institutions should have a clear set of policies for how they, as the potential owners of recordings and other data associated with the use, will use their ownership and control of the content.  It would be unfortunate, to say the least, for a student to find that their college disciplinary hearing for underage drinking is now available on YouTube.[8]

Many public library groups and academic consortia are already working to develop this type of criteria[9] (which should focus more on isolating aspirations and expectations than on legal wording, since legal wording will vary from state to state). And some institutions are designing their own services[10] in order to avoid contract terms that don't meet their criteria.

At the individual institutional level, this means building assessment of such services, and bargaining time, into the procurement process.  It also means thinking through that institution's own particular ethics and responsibilities and developing internal policies to promote them.

So, while this is the world we live in, libraries and educational institutions are well-situated to make a better one. 

Thanks for an important question.

This question comes at us from a school district public library and supporting Board of Cooperative Educational Services ("BOCES").

One thing I knew very little[1] about when I started doing "Ask the Lawyer" was school district public library systems.  These are systems coordinated through a regional BOCES, creating a network of library resources, governed by their own section of the New York Education Law (and regulations, and Regents rules).

Over the years, the existence and importance of school district public library systems has grown more and more obvious to me--to the point where now, if you are so unfortunate to be trapped in an elevator with me, I might tell you all about them from ground level to the 32nd floor.[2]

One thing I would mention, around floor 15 or so, is that school district public libraries (and systems) have to balance privacy and data security obligations from a wide array of different state and federal laws.  I have written on this before (see "Ask the Lawyer #67, #80, and #143), and won't re-hash that here, except to say: everything in those past answers impacts this question.

With those prior columns as background, the answers to the member's three questions are:

For an Interlibrary Loan Electronic Transmission (whether printed out and included with the item(s) or sent via electronic means) in a K-12 setting, can a student's name (the one ultimately borrowing the item) be used in the "receipt" or notification slip?

Yes, if the library's policy requires it for the "proper operation" of the library (CPLR 4509), AND if the school can assure that only those who need to see it (for the benefit of the student) will see it (FERPA) or the student has signed a FERPA waiver, AND if all the required measures for data privacy are in place (ED2-d).

Should a student's School ID number be used? Can both be used at the same time?

Yes, if the library's policy requires it for the "proper operation" of the library (CPLR 4509), AND if the school can assure that only those who need to see it (for the benefit of the student) will see it (FERPA) or the student has signed a FERPA waiver, AND if all the required measures for data privacy are in place (ED2-d).

Is it taboo to have a student's name in ANY electronic transmission?

No, but school district and BOCES systems creating and transmitting such records should always be confident that the use of the student's name is in a document generated and transmitted per applicable policy.

This is tougher than it sounds, since schools now have so many electronic systems facilitating record-making and communication--a situation compounded by online learning during the pandemic.  Further, the decision to use those systems might be driven by function and cost, with only secondary attention being paid to privacy, as addressed in "Ask the Lawyer" #67, #80, and #143.

Since this question is rooted in interlibrary loan, I'll end with an example.

Below is a partial screenshot from the demo screen of OPALS, a popular ILS used by school district libraries (and other types of libraries, too).

As you'll see, OPALS enables the "viewing of all the borrowers in an attending class...."

There is nothing inherently wrong with this type of grouping of borrowers, so long as the district has addressed the various privacy obligations, and made sure the functionality and use of the system (in this example, OPALS) align with the school's approach and policies on privacy.

In other words, nothing should be left to chance.

So, with that, my ultimate answer--to all three questions-- is: any time a public school student's name is listed on a library record that leaves the bounds of the library (the "real" or virtual bounds), every unique way that happens (injury report, student discipline, interlibrary loan) should be covered by policy.

Now, let's consider how this issue looks "on the ground."  I poked around a bit, and while I found many interlibrary loan policies for school district library systems/BOCES in NY, I didn't find one that went so far into the weeds as setting terms for how/when to include borrower names on the routing slips (printed or electronic).

Chances are, that's usually more of a "standard operating procedure" thing, rather than something set by formal "policy."[3]

But with increasing interconnectivity between library other school systems, it might be worth formalizing in future interlibrary loan policies.  For instance, one sentence: "When effecting interlibrary loan, cooperating libraries shall mutually adhere to the other libraries' and systems' policies regarding borrower privacy"[4]  is a sample of how to add a quick reminder about this critical consideration.

Because as the member's questions indicate, we can never be too "in the weeds" on privacy.

Thank you for an important array of questions.

[1] Okay, actually, nothing.

[2] In this mythical trip up 32 floors, we are visiting Buffalo City Hall, which if you have never seen, is a must-visit location.

[3] New York is a big state!  I have no doubt there is a policy that does address this.  If your district has one, please send a link to info@losapllc.com and reference this RAQ.

[4] This is just sample language...no matter what you select, make sure your school district's attorney or BOCES system director reviews and approves any policy before it goes into effect!

Questions that combine higher education, data access, and "terms of use" enforcement always give me a moment of sad reflection, as I remember Internet pioneer and activist Aaron Schwartz. It was an alleged overuse of an academic database at MIT in 2012 that lead up to his demise.[1]

While the circumstances in the Schwartz tragedy are different from the situation described here, both scenarios--and the care the member has taken in framing this question--illustrate the importance of considering what's at stake when an institution balances contract compliance, digital access, and privacy.

What's "at stake" here? The member's question combines concerns about:

• Confidential use of library resources
• Academic freedom
• Intellectual freedom
• Honoring the exclusion of certain academic and library actions from liability for copyright infringement
• FERPA

Let's do a quick run-down of these critical areas:

In New York, the confidentiality of library services is protected by Civil Practice Law & Rules ("CPLR") section 4509, which states that library records indicative of the identity of a library user may only be accessed with that user's permission, or per a subpoena or court order. CPLR 4509 applies to private libraries within academic institutions as much as it does public libraries or those within school districts. It works hand-in-glove with the American Library Association's and New York Library Association's recitals of patron confidentiality in their Codes of Ethics.

In New York, the commitment of a higher education institution to academic freedom is reflected in various ways. An example is the American Association of University Professors' 1940 "Statement on the Principles of Academic Freedom"[2]: "Teachers are entitled to full freedom in research..."

In New York and throughout the nation, the commitment of libraries to collaborate with others to promote intellectual freedom and access to information is reflected the ALA Library Bill of Rights: "Libraries should cooperate with all persons and groups concerned with resisting abridgment of free expression and free access to ideas."

In New York and throughout the nation, certain academic and library actions that would otherwise violate copyright are excluded from liability for infringement. This exclusion is to ensure there is a clear and well-defined legal safety net for content accessed in furtherance of certain intellectual and academic freedoms.

And throughout the USA, the privacy of education records, including library records, is assured under the Family Education Rights Privacy Act" (FERPA).

Serving as a counterweight to all of these critical factors are an educational institution's obligations under federal law and regulation with regard to alleged copyright infringement, particularly the regulations found in 34 CFR §668. If I were to delve into that and describe all of those obligations here, this answer would be 50 times longer, but a good summary of what compliance in that regard looks like can be found in this sample policy from RIT: https://www.rit.edu/its/rit-response-copyright-infringement.  In short:  since 2008, federal law requires higher education institutions receiving federal financial aid and other federal benefits to be express enforcers and re-enforcers of copyright.[3]

Sitting astride of all of this is whatever notification commitments (and other responses)  a college or university library agreed to when it signed the license agreement with the database provider (I have reviewed many of these types of license agreements, and almost all of them have some form of notification action requirement, which can range from a warning as described by the member, to ensuring the immediate cutoff of access by an offender).  This means that in addition to the ethical, legal, and regulatory factors that have to be balanced in a question like this, we also have to consider obligations that are contractual.[4]

With all of these very important considerations now laid before us, let's review what the member is doing:  1) getting a notification of a possible terms violation from the provider, and then 2) using a firewalled[5] process to identify the user and alert them of the alleged violation, and then 3) assuring the vendor they have addressed the issue.  As asked by the member:  Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?

Here is my short answer: since the method of response described by the member shows there is a big firewall between the vendor and the institution (meaning: the outside party never learns the actual identity of the alleged violator), I believe so.  BUT: the only real way to ensure privacy is protected as it should be is to confirm that the information flowing between the library and the IT Department never goes any further...within the institution.

What do I mean by that? The information should never go to campus safety or security. Unless it is per a very clearly articulated procedure developed for the operational needs of the library, it should never go to the office responsible for student discipline. And it should certainly never go to an employer on campus, a faculty member, or an advisor.[6]

This caution is warranted because, although a library within a higher educational institution is not a separate business entity the way a chartered public library is an entity separate from the town or city that sponsors it, for purposes of an academic library's adherence to privacy ethics and laws, it should be considered a stand-alone entity. Information can flow into it, but information should not flow out, even to other departments, unless the flow serves the operational needs of the library, and verifiably goes no further.

This 'one-way flow" for user-associated academic library records is an easy goal to articulate, but in practice, it can be very difficult to assure. As systems within large and small institutions get more integrated in the interests of security and economy, so too is it more difficult to separate one type of information from another. However, when it comes to privacy and library confidentiality, because of the high stakes involving intellectual freedom, academic freedom, and student privacy, extra care and attention is warranted.

The care of the member in submitting this question and describing the careful process they are using is emblematic of the type of care that should be used at all times when safeguarding user confidentiality and privacy at a higher education academic library.

Thank you very much to the member for submitting such a careful question.

RIP, Aaron Schwartz.

[1] I say "led up to" rather than "led to" because while many believe the latter, the facts of the case clearly establish the former.

[2] Found as of November 14, 2021, here: https://www.aaup.org/report/1940-statement-principles-academic-freedom-and-tenure.

[3] I won't mince my words about that requirement: I don't like it. But I am not a member of Congress.

[4] And voluntary. This is why it is very important to read database licenses and to PUSH BACK on clauses that require draconian responses to alleged violations.

[5] By "firewalled," I mean that the vendor never knows the name or other identifying information of the alleged violator.

[6] Unless the student has signed a waiver. Then it can go to whoever has permission.

I am always fascinated by the transformation documents can undergo, simply by operation of law, circumstance, or time.  For instance:

• Documents that are "education records" under FERPA can become simply "records," or "nothing" once the person to whom they pertain has died.[1]
• Documents that are "private information" under New York's new(ish) SHIELD Act[2] are no longer controlled by the Act if the digital copy is swapped for a copy on paper.
• Documents that use the "name and likeness" of a deceased performer, currently allowed, will be far more restricted when New York's new Civil Rights Law 50-f, which requires written permission for certain commercial uses, goes into effect on May 29th, 2021.[3]

And of course, documents can be "in" copyright, and "out" of copyright, or restricted due to medical content, or under terms of non-disclosure...restrictions that can shift based on any number of factors. 

An educational institution considering levels of access and use of student-related documents[4] has to consider not only these legal factors, but their unique policies.  Factor in fame,[5] and the stakes get even higher. 

Because of that complexity, I could muse/write/talk on this topic for hours.  But let's focus on the member’s specific questions:

1) When should on-site access to historical educational records be allowed (if ever), with reference to FERPA? What about providing copies of historical educational records?

If a former student is not deceased, there can be NO release of FERPA-protected education records to otherwise barred parties without written, dated consent.

If the former student is known to be deceased—or the passage of time suggests they might be deceased—then the records are no longer protected by FERPA, and that restriction no longer applies.

But as the member points out, there are other considerations.

2) When should on-site access to unpublished, non-educational records related to former students be allowed, in reference to state and federal copyright and privacy laws, and possibly FERPA? What about providing copies of these documents?
 

This is an interesting question because unless the records we're talking about ("related to former students") only contain "directory information,”[6] then they are by definition "education records" under FERPA.[7]  That is because the FERPA is intentionally expansive.  So old bills, dusty admissions files, and antiquated (but often fascinating) "administrative" records, although not "educational," per se, are still barred from release by FERPA if they relate directly to a student.[8]

BUT, as this question implies, FERPA isn't the only thing that could bar or restrict access to old records.  Copyright, privacy laws, and general prudence are all good reasons to not release institutional records unless there is a policy and process for doing so (like a policy for sending transcripts to future employers), or your institution is compelled to release them (like a judicial order or subpoena).

So, while a student will always have access to their records under FERPA, both former students and third parties should by default be barred from access or obtaining copies to records they are not entitled to.

Which brings us to:

3) Should we take a more risk-averse approach to high-profile alumni materials, or should our policies apply equally to all alums?

Many, but not all, educational institutions have internal archives—not formal "Archives" they hold in trust for the public (like the W.E.B. DuBois papers at University of Massachusetts),[9] but rather, materials they regard as important pieces of their institution's history and identity, so deliberately retain.

For some, this may be a complex and far-reaching catalog of institutional history.  For others, it may be simply hanging onto every program for every graduation ceremony.  And of course, for many, it will be special handling of any material that is related to famous or noteworthy alumnae.

Whether formal and well-funded, or informal and not funded,[10] every educational institution's internal archive should have a policy that covers: 1) that the archive exists to transition material from "records" into "archives;" 2) how those materials are selected; 3) how those archival materials are to be preserved; 4) how the archival materials are used and accessed internally; 5) how the archival materials are used and accessed externally; 6) the ethical standards and institutional values being applied in the overall operation of the archive. [11]

If an educational institution has in-house records of such magnitude that they warrant being their own archive (for instance, the Eqbal Ahmad papers at Hampshire College), yes, the development of that archive could warrant its own separate policy.  In that case, unique care would have to be taken to consider not only FERPA, but privacy laws, copyright (the author of an admissions letter is the copyright owner of that admissions letter...not the institution the letter was sent to, even if the institution retains the only physical copy).  

All that said, the end result need not be "risk-averse," so much as "risk-informed:" carefully assessing all the compliance concerns and risks,[12] how does an institution create an archive that suits its stated purpose and conforms to institutional ethics?  Until an institution is confident it has reached the right answer, access to third parties should not be granted, and only need-to-know access should be granted to those within the institution. 

I would like to thank the member for this question, it is a good one.  And I think we may have reached a new milestone at "Ask the Lawyer"—a reply where the footnotes are as long as the reply!

Thanks.  I wish you a well-resourced and culturally rich archive, and continue positive alumnae relations.

[1] See letter of LeRoy Rooker, Director, Family Policy Compliance Office, U.S. Department of Education letter of Date, found at https://studentprivacy.ed.gov/sites/default/files/resource_document/file/LettertoConnecticutStateArchivistRegardingEducationRecordsMay2008.pdf as of February 10, 2021, re-affirming "that the FERPA rights of “eligible students” lapse or expire upon the death of the student based on common law of privacy rights." [NOTE: This link was confirmed as no longer active and removed on 02/25/2022  as part of the routine review of "Ask the Lawyer" materials.]

[2] Text for this law can be found at: https://www.nysenate.gov/legislation/bills/2019/s5575.

[3] I am writing this on February 10, 2021. 

[4] This "Ask the Lawyer" answer does not address the issue of yearbook photos and student-generated art or academic work.  For that, see RAQ #108 and RAQ #91.

[5] What is "fame?"  It's a notion that is taking odd journeys these days.  As I said in footnote #3, I am writing this on February 10, 2021.  Jockeying with the impeachment proceedings for "fame" on the cover of today's digital New York Times: an article about a lawyer who appeared in virtual court as a cat.  I bet he can't wait for his 15 minutes to be over.

[6] "Directory information" includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.

[7] Here is the actual definition: "...those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution."

[8] There are exceptions to this, of course...one big one being the records of campus police.

[9] I value this archive because it has letters between W.E.B. DuBois and Mary Talbert, a Buffalo resident who was a stalwart organizer for civil rights and, on the side, historic preservation (she led the effort to save the house of Frederick Douglass).  I read her letters when I need a shot of pragmatic inspiration.

[10] Some "archives" exist because some wonderful employee couldn't bear to see institutional history thrown out, and they got permission to buy some boxes and put the "archives" in the storage closet. 

[11] The "Ask the Lawyer" from November 4, 2020 has more about ethical considerations for archival projects: RAQ #178.

[12] For this question, "risk" is not just legal risk, but relational and reputational risk, too.  After all, it might be legal to share a harsh evaluation from a thesis committee related to the work of a long-dead student...but is there value in doing it?  (Of course, there might be).  Knowing why something is in the archive, and having full confidence in that reason, is just as important as preserving the record in the first place.

I didn't realize it in first grade, but a school library[1] is one of the first places a person experiences "the right to privacy" unmediated by a parent or guardian.

Think about it.  You go to the library and get to pick out whatever you want.  You check out books, and no one can tell you what to pick.  And aside from the person checking you out, no one has to see your selection; your records are private.

In the present day, this means that kids whose faces might be all over Facebook[2], who are attending school via computer, and who "turn off their screen," when they don't want people peeking into their home life during remote learning, still have a right to confidentiality when it comes to the library in their school. And one of the biggest symbols of that student-library relationship is their library card.

So, with all that hanging in the balance, what are the legal considerations of putting student pictures on school library cards?

As often happens in the highly regulated worlds of education, privacy, and information, the answer is: "It depends."

In this case, the factors "it depends" on are numerous; rather than itemize them, I'll summarize them with a few pointed questions:

Factor 1: What else is "on" the library card?

Depending what other information is on the library card, combining a student’s picture with it could increase the likelihood of a violation of FERPA[3], Ed 2-d, or school policy.[4]  For instance, if the card is used for not only swipe access, but access to grades, disciplinary records, and library records, also including a picture ID on it makes it sensitive, indeed.

Factor 2:  Who "owns" the library card?

Some schools, by policy, give out student identification cards, but use a school or district-wide policy to confirm that the card is simply "on loan" to the student (and must be returned at certain events, like suspension or expulsion).  Other institutions issue a card, and it becomes the student's property; this means that the card is more under that student’s control.[5]

While there is no requirement to do one way over the other, the school and library should confirm the ownership of the card in a policy, as this can impact the decision to mark the card with picture ID, as well as who has control over the card in the future.

Factor 3:  Why does the picture need to be on the library card?

Is the school so large that in order to ensure it provides library services to the right student, the card must have a photo ID?  Is it a security measure, perhaps to deter theft (of library cards, and therefore collection assets)?  Do students need to "swipe" into the library, with the library positioned to monitor that they are letting in a student who isn't supposed to be in class?  Or is the library card doing double duty as the student's general student ID?  Whatever the reason, it should be understood and clearly based in policy.  And if the reason has to do more with security at that school than the operations of the library, it is better that the function be performed by the student ID, not the library card.[6]

Factor 4:  Who will have the right or ability to view the library card?

If the library card is only required to be viewed by library staff, the inclusion of the photo is consistent with FERPA's and CPLR 4509's different but equally applicable privacy requirements.  But if a security guard, teacher(s), bus driver, or others all have to see the library card for different reasons (this relates to question number 3), or could use the card to access the student's library records, that raises the possibility of concerns.

Factor 5:  Is there a "stealth" reason for the use of the photo and name?

For some students, if they do not have documentation such as a birth certificate or social security card, a library card with a picture ID might be the most official "documentation" they have.  If a library or school is intending that their cards perform this ancillary function, this should be done with the awareness that third parties relying on the identification function still need permission for the school or library to comment on the content of the card (for students under 18, this means a waiver by parents or guardians).  However, that same student (or their parents/guardians) can choose to share their confidential education records or library records however they wish.

Okay, that's a lot of "factors," but what is the answer?

Having dragged you through all that, I will answer the member's very simple question:  Is it legal to print student photos with their names on their school library cards for circulation use?

The answer is "Yes."

But!  If the library card will be used for anything more than "circulation use" within the library, it is wise to assess precisely what the card will be used for, root that purpose in well-developed policy that considers the above factors, and evaluate if the picture—which in this case, will be a FERPA-protected education record[7]—is needed at all.  The more the card is used for functions beyond the needs of the library, the more those functions should be achieved by a separate student ID, or in the alternative, schools should make sure that library information[8] is separate and isolated from other education records accessed by or listed on the card.

Thank you for an important question.

[1] It is important to note that a "public school library" is different than a public library, or an association library, or a college library.... but ALL are subject to CPLR 4509, the law making library records private.  And while they are different, a public school library, like the college library, is subject to FERPA.

[2] I used to be such a stickler about not posting any pictures of my kids on FB.  But the loving posts of other family members eventually wore me down.  Sorry, kids, I really tried.

[3] Photos of students maintained by their institutions, like an ID photo, are confidential education records under FERPA.  https://studentprivacy.ed.gov/faq/faqs-photos-and-videos-under-ferpa

[4] For instance, if the library card is also an all-purpose student ID that also functions as a key card or has lunch money on it, a policy should clearly separate those functions and there must be a clear protocol for voiding access when the card is reported lost.

[5] Just because the school owns the physical object doesn't mean they own the rights to the student's image.

[6] This is because, as written more thoroughly in Ask a Lawyer RAQ #100, school library records are subject to both FERPA and 4509 rules of privacy.  Combining education record with library records can make it difficult to tease out the different ways the materials may need to be handled. 

[7] See footnote 3.  Yes, this is a footnote to send you to a footnote.

[8] Either in hard copy, on the card, or via digital access.

New York school libraries[1] operate in a complex web of regulations governing student privacy.  Laws such as FERPA, CPLR 4509, and “ED 2-d” all restrict what can be done (and can’t be done) with library records related to students.

At “Ask the Lawyer,” we’ve spent a fair amount of time on FERPA[2] and CLPLR 4509[3], so if you need some background on those, check the footnotes for this sentence.

That said, I have never written an “Ask the Lawyer” on ED 2-d, the new law protects “personally identifiable information” (“PII”)” held by a school district.  I’ll weave the relevant parts of the law into this answer.

And I have never written about (or used) SORA.  Since SORA is at the heart of this question, here is a little background on that:

SORA is a service provided by Rakuten/Overdrive.  In its own words, it provides “Millions of ebooks and audiobooks for your students. Thousands of publishers. Comes loaded with hundreds of premium titles at no cost. Infinite reading possibilities on practically any device.”[4]  Participating school districts enable student access to SORA through their own log-in points (the mechanics of which vary from school to school).

How does the service work?  As one reviewer put it[5]: “SORA can be downloaded for free by all students and teachers. If their school or district is an OverDrive partner, they can then use SORA to access their school's digital collection and also connect with the local public library's digital collection.”[6]

And finally, it is worth noting that SORA has a very cute logo: a puffy-silver astronaut, soaring wide-eyed into an eye-relaxing sky of silver-blue.  The astronaut is a combination of a Pokémon, Sailor Moon, and Big Hero Six.[7]  He is ready to read, and all set to escort your students to a universe of reading, too!  The logo is so cute, I don’t know how the member could think this company could do any wrong.

But savvy librarians are not distracted by cute logos.  And in this case, our savvy librarian-member asks: is use of SORA by a district compliant with the privacy protections of New York State Education Law 2-d?

We’ll start this analysis with a term defined by the law: “third party contractor,” which ED 2-d defines as:

 … any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs.

If SORA (or another service), meets this definition, then the district/school using it must implement the requirements of Ed 2-d, which are in the regulations found here:

http://www.nysed.gov/common/nysed/files/programs/data-privacy-security/part-121.pdf

I would set the full requirements out in this answer, but they are lengthy, and the regulations are about as plainly worded as can be.

In addition, for a library at a specific school in New York, there is a more institution-specific way to find these requirements.  To comply with Ed 2-d, every school district must have their own “District Privacy Officer” (“DPO”)[8] and that DPO must ensure that their institution develops and publishes a document called the “Parents Bill of Rights for Data Privacy and Security.”[9]

The parents’ “Bill of Rights” must list the district/school’s obligations vis-à-vis third-party contractors, including precise requirements for the protection of student information accessed by a specific contractor.  In other words, for each “third party contractor” (like, potentially, SORA), a district/school must publish the unique “supplemental” contract terms they’ve created to ensure the service meets Ed 2-d requirements. 

Readers who want to see the Ed 2-d criteria of their own particular district or school should be able to find it by searching for that district’s “Bill of Rights.”[10]  For any district using Overdrive and/or SORA, the “Bill of Rights” will either contain supplemental terms applicable to SORA, or they will have determined that their use of SORA does not disclose any PII.

So here is the question at the heart of the member’s question: does use of SORA, as arranged by a district, disclose PII to Overdrive?  While each district needs to make that determination on its own, in my opinion, any third party contractor that students must log into using a school-issued ID, after which the student will access content that supplements their school library’s collection (and be able annotate and leave notes about[11]), has a high likelihood of collecting PII.   

But as I say, it will be up to the district’s DPO to make the call.  If that call is: “Heck, yeah, they’ll be getting PII,” the district will then need to follow the law and regulations[12] to ensure the use complies. This means verifying that the contract has the right Ed 2-d requirements, and supplementing its “Bill of Rights” by disclosing the precise requirements the contract imposes on the contractor.  But if that call is: “We checked it out, and nope, no PII heading out the door here,” then nothing further is needed (insofar as ED 2-d is concerned).

While it may seem like I am punting on this answer (“Go see your DPO!”[13]) I can say that the SORA Privacy Policy[14], as published on May 20, 2020, does contain the elements that are consistent with the requirements of ED 2-d.  As but one example, Overdrive has a process for correcting records, which provides:

If you are a teacher or administrator at an educational institution using the school Services, please email privacy@overdrive.com to request the review, correction, and/or removal of a student’s Personal Information, and we will facilitate your access to and correction of such Personal Information promptly upon your request.

The ability to “challenge the records” of a contractor is a requirement of Ed 2-d.[15]  This suggests to me that Overdrive knows SORA will be gathering protected information, and the service is ready to enter into contracts that give the required assurances.  But only a look at the school’s contract for SORA, and its precise definition of PII, can ensure that.

The bottom line?  No matter what the published “Privacy Policy” of SORA says, there is no way to fully confirm a school library’s use of SORA complies with Ed 2-d law and regulations until the district’s designated DPO[16]:

1) Assesses what information will be accessed by or transferred to Rakutan/Overdrive as a result of their district contracting for SORA;

2) Determines if that information is PII as defined by Ed 2-d[17];

3) If it is PII, ensures the contract complies with Ed2-d; and

4)  Takes the steps to publish the “Bill of Rights” supplement as required.[18]

In other words: in Ed 2-d compliance, there should be no guesswork.  By working with the school’s DPO, the guesswork should be entirely removed.

Thanks for a great question!

[1] Not to be confused with New York’s “school district public libraries,” which are chartered libraries operating separately from their associated district.

[2] Patron Confidentiality in School Libraries

[3] RAQs featuring CLPLR

[4] As boasted at https://company.overdrive.com/k-12-schools/discover-sora/.

[5] Found at https://thelearningcounsel.com/article/sora-helps-give-k-12-students-more-access-ebooks-audiobooks-and-school%E2%80%99s-digital-collection

[6] If you want to read some harsh, some glowing, and some occasionally amusing reviews, check out the SORA review content here: https://play.google.com/store/apps/details?id=com.overdrive.mobile.android.sora&hl=en_US  I particularly enjoyed the brief but scathing review by a person who thought the service was supposed to be a game.

[7] I am not one myself, but I have anime fans in the family.  It rubs off.

[8] Per Regulation 121.8(a), “Each educational agency shall designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law §2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency.”  That’s the “DPO.”

[9] No, that is not a typo in “parents.”  The law left out either possessive apostrophe (“parent’s” or, for the plural possessive “parents’”).  Grammar matters, NY Assembly…grammar matters.

[10] I tried this on several different districts/schools across the state; a few institutions that shall remain nameless seem to have flunked, but admittedly, I didn’t look much harder than a cursory google search—which worked for many of the other institutions searched.

[11] Yes, I watched the SORA demo and paid attention to the additional features, which includes highlighting content and typing in comments.  I guess it beats writing in a book, which, to my husband’s great chagrin, I have been known to do (only to my own books).

[12] Found here: http://www.nysed.gov/data-privacy-security

[13] This is also critical because the definition of PII may vary slightly from institution from institution.  This is because student PII is based on the definition of “education records” in FERPA, which does allow some variance in “directory information” and other nuances this footnote is too small to cover.

[14] As found on May 19, 2020, at: https://company.cdn.overdrive.com/policies/privacy-policy-for-children.htm

[15] Regulation 121.3(c)(4)

[16] Or designee, of course.

[17] “Personally Identifiable Information, as applied to student data, means personally identifiable information as defined in section 99.3 of Title 34 of the Code of 3 Federal Regulations implementing the Family Educational Rights and Privacy Act, 20 U.S.C 1232g, and as applied to teacher and principal data, means personally identifiable information as such term is defined in Education Law §3012-c (10).”

[18] I realize this answer may give DPO’s out there extra work.  I am afraid I can’t apologize, since vigilance about privacy is a beautiful thing.  And hey—job security!

What a difference a month makes.  When this question came in, my kids were in school, my staff was at the office…and I am willing to bet at least one person in that group had an overdue library book.

Now, of course, we are all home trying to “flatten the curve” of a global pandemic.  If we had overdue books before, they might be overdue for a bit longer.[1]

Despite a global shift in focus since this submission, it is still a good one, and the second question may be more urgent than ever.

The FERPA fundamentals impacting this question were addressed in an “Ask the Lawyer” last year: Patron Confidentiality in School Libraries.

With that as background,[2] here are my answers:

Is sending unsealed overdue notices to students in their classrooms a FERPA violation?

Unless there is a specific waiver or request for the information, unsealed notices distributed in classrooms risks both a FERPA violation, and a violation of CPLR 4509.

Sealing the notices so the contents can’t easily be seen by people who aren’t the students or their legal guardians is a good idea.

Is calling a student's home and leaving a message stating that they have an overdue book and giving the price of the book a FERPA violation?

Unless the student requests it, or a policy states that such a practice is for the proper operation of the library, a message reciting library records to a home phone answering machine risks a violation of CPLR 4509.[3]  If the student is under 18, it is not a FERPA violation—so long as the home answering machine is that of the child’s legal guardians—but as reviewed here, FERPA is not the only privacy law a school library in New York must follow.

Lost in a sea of law and regulations?  When considering the implications of FERPA and CPLR 4509 for a school library, seeking solutions that err on the side of privacy is always the safest course.   While applying the letter of the law can be frustrating, a default prioritization of privacy will almost always carry the day.[4]

Thanks for a thoughtful question.  At times of de-stabilization and change, focusing on the principles that guide us—like a commitment to providing access to information along with assured privacy—can bring calm.

[1] Many thanks to the Buffalo and Erie County Public Library for automatically renewing our books!

[2] Intricate, complex, and possibly unsatisfying background!

[3] I like this 2009 guidance from the New York Committee on Open Government on the nuances of CPLR 4509: https://docs.dos.ny.gov/coog/ftext/f17671.html

[4] If health and safety are in seeming conflict with privacy, that is a good time to do a quick check-in with a lawyer.

This question is rather like asking an astronautical engineer: When on a spacewalk, are there any safety procedures specifically related to securing my helmet as I exit the airlock? 

Such a question could inspire an initial reaction like:  Safety concerns?  In SPACE???  Blazing comets,[1] the safety concerns start the moment you blast off!

But upon reflecting on the actual question, the calm, composed answer might be: “To ensure integrity of the pressure garment assembly, double-check the neck-dam’s connection to the helmet’s attaching ring.”[2]

Lawyers get this way addressing questions related to children and liability.  Our first reaction is to think about everything that can go wrong.  But then we calm down and focus on the specific issue at hand.

So, here is my calm, composed answer to the member’s very specific question:

There are two potential instances where a public library offering a program for unaccompanied minors might be obligated by law to collect emergency contact information.

FIRST INSTANCE

If the program the library is hosting is a camp required by law to have a “Safety Plan,” applicable regulations arguably require that the library gather the child’s emergency medical treatment and contact information.[3]

SECOND INSTANCE

If the library is paying a child performer as part of an event, the law requires that the library must collect the child performer’s parent/guardian information before the performance.[4]

Other than the above instances, while such a practice may be required by an insurance carrier,[5] a landlord, or event sponsor, there is no state law or regulation that makes collecting emergency contact information a specific requirement of a public library.

I do have two additional considerations, though.

FIRST CONSIDERATION

 “Emergency contact” information provided by the parents/guardians, in a signed document drafted expressly for your library, is generally the best course of action when welcoming groups of unaccompanied minors for events not covered by your library’s usual policies. 

I write this because Murphy’s Law (which is not on the bar exam, but remains a potent force in the world) will ensure the one time there is an incident at your youth program, the district’s automation system will be down.

Which brings us to the….

SECOND CONSIDERATION

Libraries and educational institutions sharing automation systems must make sure that such data exchange does not violate either FERPA (which bars educational institutions from sharing certain student information), or CPLR 4509 (which bars libraries from sharing user information).

Emergency contact information maintained by a school is potentially a FERPA-protected education record.[6]  If FERPA-protected, it is illegal for any third party—such as a public library—to access it unless there is an agreement in place with certain required language AND the library’s use of the information is in the students’ “legitimate educational interests.” [7]

Of course, given the right circumstances, meeting these criteria is perfectly possible.  In fact, such agreements can be a routine part of a school’s operations.   But just like with a space helmet before leaving the airlock, its best to confirm that everything is in place before you take the next step.[8]

Thanks for a thought-provoking question.

In the state of New York, library records linked to the names of users can only be disclosed:

1) upon request or consent of the user;

2) pursuant to subpoena or court order; or

3) where otherwise required by statute.

Therefore, the strong default answer to the member’s questions is “NO.”

This strong default position is based on New York Civil Procedure Rules (“CPLR”) 4509, which states:

Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute.

[emphasis added]

But when it comes to the records of minors at a school serving minors, after this omni-present strong default, there are some additional factors to consider.

FACTOR #1

Does the school condition library privileges on express parent/guardian access to library records?

Under CPLR 4509’s first prong (“consent of the user”), some libraries may condition library use by a minor on permission to share library records with parents/guardians. 

This condition is not invisible or automatic; it would need to be in the cardholder agreement signed by the student, or in a written school policy passed by the school board.  It must be clear, and in writing.

There is much vigorous debate about what level of parent/guardian access it is appropriate to condition library privileges on.[1]  But since such conditioning is allowed by the law, setting the appropriate balance between privacy and access is the job of the library and its leadership.

The bottom line on this factor? If a school library has an express, written policy allowing it,[2] and if that policy also complies with the school’s obligation’s under FERPA (see below), a list of titles checked out may be disclosed  to parents in conformity with CPLR 4509.

FACTOR #2 

Does the school regard library records as “education records” under FERPA?

The member’s questions warrant three considerations vis-à-vis FERPA (“Family Education Rights Privacy Act”), a country-wide law which applies to any educational institution receiving federal aid.

First FERPA consideration: Are the school’s library records accessible as “education records” under FERPA?

Because it is famous for protecting privacy, people generally think of FERPA as a bar—not a means—to information.  But FERPA expressly allows parents and guardians of students under 18 (unless the minors are attending a higher ed institution) to “inspect” “education records,” and, under the right circumstances, allows disclosure of education records to school administrators. 

A list of titles borrowed from a library, if maintained in a way that meets FERPA’s definition of “education records” could be subject to such inspection and disclosure. 

So let’s look at that definition:

[Information]

(1) Directly related to a student; and

(2) Maintained by an educational agency or institution or by a party acting for the agency or institution.[3]

That’s a broad definition!  But several categories of information are exempted from it, including:

 (i)  records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible or revealed to any other person except a substitute;[4]

Under this exception, school library records, if kept in a certain way (with only the librarian, or “substitute,” having access to the records, and the information not linked to or accessible to others, including the student), are arguably exempt from FERPA. 

What’s the take-away, here?  It is possible—but not a uniform rule—that school library records are “education records” under FERPA.  Determining if they are should be part of a school’s annual FERPA notice and policy work, and should be a consideration when a school library considers automation options. 

Second FERPA Consideration: If a school determines their library records DO qualify as “education records,” does a school administrator, safety officer, or SRO[5] have a right to access them under FERPA?

Even if the library records at a specific school qualify as “education records,” when it comes to school administrators, there are only two instances where disclosure is allowed.

The first instance is created by FERPA regulation §99.3.  It allows “… disclosure … to other school officials…[if the disclosure is in the student’s] legitimate educational interests.” 

With regard to a request for a list of borrowed library books, this means there must be a direct, pedagogical reason to disclose that particular list to that particular administrator, safety officer, or (if their contract has the right provisions) external personnel.  To determine if those individuals’ access is in the students “legitimate educational interests,” consideration of the unique circumstances is required, but it comes down to: how does this serve the student?  

The second instance is created by FERPA regulation §99.36.  This regulation allows an educational agency or institution to “disclose personally identifiable information from an education record to appropriate parties… in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.”

Under extraordinary circumstances, this exception could be cited to justify disclosure of education records to an administrator, safety officer or SRO addressing a concern about immediate health or safety. 

But the circumstances warranting the disclosure would need to be—as I say—extraordinary.  Congress and the U.S. Department of Education want this to be a very narrow exception tied to imminent threats:

The Department has consistently interpreted this provision narrowly by limiting its application to a specific situation that presents imminent danger to students or other members of the community, or that requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals.

Such a “health/safety” analysis—especially if used to justify disclosure of library records—will be highly fact-specific.  Whenever possible, it should be done in consultation with the school’s attorney, with careful consideration of the precise circumstances and any relevant policies (by the way, this is the kind of “now or never/critical” question school attorneys cancel meetings to research and answer promptly).

Third FERPA consideration: if a school determines their library records are “education records,” CPRL 4509 may still bar parent access under FERPA.

And finally, there is also a possibility that even if a school’s library records are “education records,” under FERPA, library records in New York schools are barred from being shared (without consent) with parents/guardians by CPLR 4509. 

I base this on §99.4 of the FERPA regulations, which states:

An educational agency or institution shall give full rights under the Act to either parent, unless the agency or institution has been provided with evidence that there is a court order, State statute, or legally binding document relating to such matters as divorce, separation, or custody that specifically revokes these rights.[6]

In New York, we have just such a “State statute:” CPLR 4509.  When it was adopted, its role was described as follows:

The New York State Legislature has a strong interest in protecting the right to read and think of the people of this State. The library, as the unique sanctuary of the widest possible spectrum of ideas, must protect the confidentiality of its records in order to insure its readers' right to read anything they wish, free from the fear that someone might see what they read and use this as a way to intimidate them. Records must be protected from the self-appointed guardians of public and private morality and from officials who might overreach their constitutional prerogatives. Without such protection, there would be a chilling effect on our library users as inquiring minds turn away from exploring varied avenues of thought because they fear the potentiality of others knowing their reading history.[7]

Those are some stirring words about privacy.  They show what the Assembly’s intent was when CPLR 4509 was passed. 

That said, this potential conflict between CPLR 4509 and FERPA has not been tested in a court of law.[8]  This position is not something a school should  adopt or rely on without consultation with their own attorney, as part of their annual FERPA notice and policy work.

But it is definitely something to consider.

Final FERPA Consideration: how to resolve a FERPA question when state and federal law conflict.

The good news in all this 4509/FERPA complexity is that FERPA itself anticipates this type of conflict and resulting concerns.  FERPA Regulation §99.61 states:

If an educational agency or institution determines that it cannot comply with the Act or this part due to a conflict with State or local law, it shall notify the Office within 45 days, giving the text and citation of the conflicting law.

In other words, the U.S. Department of Education knows schools will be wrestling with these issues!  A school that makes a good-faith determination of non-disclosure under FERPA (always with the advice of their attorney) can follow this policy for reporting a conflict.  The USDOE will write you back, even if your concern is policy-driven or hypothetical.

Conclusion

Since school libraries—which are legally distinct from libraries at colleges and universities—are specifically named in CPLR 4509, there is no doubt that 4509’s strong bar on disclosure applies to schools where minors are in attendance, while the law is silent about access of guardians/parents to their children’s library records.

The best way for a school library and its leadership to handle these questions is in advance, by having a policy that respects student/family rights, and the operations of the library. 

A good school library “Confidentiality of Library Records” policy will protect student privacy, educate students about their right to privacy, coordinate with the school’s position under FERPA, consider student and employee well-being, and position the library to operate properly. 

Creating such a policy is an exercise in staff teamwork and aboard responsibility.  Considering the complexity of the different factors at pay, I urge school librarians and their leaders to review these considerations with their own attorneys, and to work with their boards to adopt policies that reflect the legal position and the educational priorities of their institutions.

Thank you for these important questions.