Many districts have had COVID-19 access for SORA Ebooks. I am not sure if it is ED Law 2-d compliant. We do not want to support or suggest products to our membership that do not meet that compliance. Can you let us know? Thank you!
New York school libraries operate in a complex web of regulations governing student privacy. Laws such as FERPA, CPLR 4509, and “ED 2-d” all restrict what can be done (and can’t be done) with library records related to students.
That said, I have never written an “Ask the Lawyer” on ED 2-d, the new law protects “personally identifiable information” (“PII”)” held by a school district. I’ll weave the relevant parts of the law into this answer.
And I have never written about (or used) SORA. Since SORA is at the heart of this question, here is a little background on that:
SORA is a service provided by Rakuten/Overdrive. In its own words, it provides “Millions of ebooks and audiobooks for your students. Thousands of publishers. Comes loaded with hundreds of premium titles at no cost. Infinite reading possibilities on practically any device.” Participating school districts enable student access to SORA through their own log-in points (the mechanics of which vary from school to school).
How does the service work? As one reviewer put it: “SORA can be downloaded for free by all students and teachers. If their school or district is an OverDrive partner, they can then use SORA to access their school's digital collection and also connect with the local public library's digital collection.”
And finally, it is worth noting that SORA has a very cute logo: a puffy-silver astronaut, soaring wide-eyed into an eye-relaxing sky of silver-blue. The astronaut is a combination of a Pokémon, Sailor Moon, and Big Hero Six. He is ready to read, and all set to escort your students to a universe of reading, too! The logo is so cute, I don’t know how the member could think this company could do any wrong.
But savvy librarians are not distracted by cute logos. And in this case, our savvy librarian-member asks: is use of SORA by a district compliant with the privacy protections of New York State Education Law 2-d?
We’ll start this analysis with a term defined by the law: “third party contractor,” which ED 2-d defines as:
… any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs.
If SORA (or another service), meets this definition, then the district/school using it must implement the requirements of Ed 2-d, which are in the regulations found here:
I would set the full requirements out in this answer, but they are lengthy, and the regulations are about as plainly worded as can be.
In addition, for a library at a specific school in New York, there is a more institution-specific way to find these requirements. To comply with Ed 2-d, every school district must have their own “District Privacy Officer” (“DPO”) and that DPO must ensure that their institution develops and publishes a document called the “Parents Bill of Rights for Data Privacy and Security.”
The parents’ “Bill of Rights” must list the district/school’s obligations vis-à-vis third-party contractors, including precise requirements for the protection of student information accessed by a specific contractor. In other words, for each “third party contractor” (like, potentially, SORA), a district/school must publish the unique “supplemental” contract terms they’ve created to ensure the service meets Ed 2-d requirements.
Readers who want to see the Ed 2-d criteria of their own particular district or school should be able to find it by searching for that district’s “Bill of Rights.” For any district using Overdrive and/or SORA, the “Bill of Rights” will either contain supplemental terms applicable to SORA, or they will have determined that their use of SORA does not disclose any PII.
So here is the question at the heart of the member’s question: does use of SORA, as arranged by a district, disclose PII to Overdrive? While each district needs to make that determination on its own, in my opinion, any third party contractor that students must log into using a school-issued ID, after which the student will access content that supplements their school library’s collection (and be able annotate and leave notes about), has a high likelihood of collecting PII.
But as I say, it will be up to the district’s DPO to make the call. If that call is: “Heck, yeah, they’ll be getting PII,” the district will then need to follow the law and regulations to ensure the use complies. This means verifying that the contract has the right Ed 2-d requirements, and supplementing its “Bill of Rights” by disclosing the precise requirements the contract imposes on the contractor. But if that call is: “We checked it out, and nope, no PII heading out the door here,” then nothing further is needed (insofar as ED 2-d is concerned).
If you are a teacher or administrator at an educational institution using the school Services, please email firstname.lastname@example.org to request the review, correction, and/or removal of a student’s Personal Information, and we will facilitate your access to and correction of such Personal Information promptly upon your request.
The ability to “challenge the records” of a contractor is a requirement of Ed 2-d. This suggests to me that Overdrive knows SORA will be gathering protected information, and the service is ready to enter into contracts that give the required assurances. But only a look at the school’s contract for SORA, and its precise definition of PII, can ensure that.
1) Assesses what information will be accessed by or transferred to Rakutan/Overdrive as a result of their district contracting for SORA;
2) Determines if that information is PII as defined by Ed 2-d;
3) If it is PII, ensures the contract complies with Ed2-d; and
4) Takes the steps to publish the “Bill of Rights” supplement as required.
In other words: in Ed 2-d compliance, there should be no guesswork. By working with the school’s DPO, the guesswork should be entirely removed.
Thanks for a great question!
 Not to be confused with New York’s “school district public libraries,” which are chartered libraries operating separately from their associated district.
 As boasted at https://company.overdrive.com/k-12-schools/discover-sora/.
 If you want to read some harsh, some glowing, and some occasionally amusing reviews, check out the SORA review content here: https://play.google.com/store/apps/details?id=com.overdrive.mobile.android.sora&hl=en_US I particularly enjoyed the brief but scathing review by a person who thought the service was supposed to be a game.
 I am not one myself, but I have anime fans in the family. It rubs off.
 Per Regulation 121.8(a), “Each educational agency shall designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law §2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency.” That’s the “DPO.”
 No, that is not a typo in “parents.” The law left out either possessive apostrophe (“parent’s” or, for the plural possessive “parents’”). Grammar matters, NY Assembly…grammar matters.
 I tried this on several different districts/schools across the state; a few institutions that shall remain nameless seem to have flunked, but admittedly, I didn’t look much harder than a cursory google search—which worked for many of the other institutions searched.
 Yes, I watched the SORA demo and paid attention to the additional features, which includes highlighting content and typing in comments. I guess it beats writing in a book, which, to my husband’s great chagrin, I have been known to do (only to my own books).
 This is also critical because the definition of PII may vary slightly from institution from institution. This is because student PII is based on the definition of “education records” in FERPA, which does allow some variance in “directory information” and other nuances this footnote is too small to cover.
 As found on May 19, 2020, at: https://company.cdn.overdrive.com/policies/privacy-policy-for-children.htm
 Regulation 121.3(c)(4)
 Or designee, of course.
 “Personally Identifiable Information, as applied to student data, means personally identifiable information as defined in section 99.3 of Title 34 of the Code of 3 Federal Regulations implementing the Family Educational Rights and Privacy Act, 20 U.S.C 1232g, and as applied to teacher and principal data, means personally identifiable information as such term is defined in Education Law §3012-c (10).”
 I realize this answer may give DPO’s out there extra work. I am afraid I can’t apologize, since vigilance about privacy is a beautiful thing. And hey—job security!