For an Interlibrary Loan Electronic Transmission (whether printed out and included with the item(s) or sent via electronic means) in a K-12 setting, can a student's name (the one ultimately borrowing the item) be used in the "receipt" or notification slip? Should a student's School ID number be used? Can both be used at the same time? Is it taboo to have a student's name in ANY electronic transmission?
This question comes at us from a school district public library and supporting Board of Cooperative Educational Services ("BOCES").
One thing I knew very little[1] about when I started doing "Ask the Lawyer" was school district public library systems. These are systems coordinated through a regional BOCES, creating a network of library resources, governed by their own section of the New York Education Law (and regulations, and Regents rules).
Over the years, the existence and importance of school district public library systems has grown more and more obvious to me--to the point where now, if you are so unfortunate to be trapped in an elevator with me, I might tell you all about them from ground level to the 32nd floor.[2]
One thing I would mention, around floor 15 or so, is that school district public libraries (and systems) have to balance privacy and data security obligations from a wide array of different state and federal laws. I have written on this before (see "Ask the Lawyer #67, #80, and #143), and won't re-hash that here, except to say: everything in those past answers impacts this question.
With those prior columns as background, the answers to the member's three questions are:
For an Interlibrary Loan Electronic Transmission (whether printed out and included with the item(s) or sent via electronic means) in a K-12 setting, can a student's name (the one ultimately borrowing the item) be used in the "receipt" or notification slip?
Yes, if the library's policy requires it for the "proper operation" of the library (CPLR 4509), AND if the school can assure that only those who need to see it (for the benefit of the student) will see it (FERPA) or the student has signed a FERPA waiver, AND if all the required measures for data privacy are in place (ED2-d).
Should a student's School ID number be used? Can both be used at the same time?
Yes, if the library's policy requires it for the "proper operation" of the library (CPLR 4509), AND if the school can assure that only those who need to see it (for the benefit of the student) will see it (FERPA) or the student has signed a FERPA waiver, AND if all the required measures for data privacy are in place (ED2-d).
Is it taboo to have a student's name in ANY electronic transmission?
No, but school district and BOCES systems creating and transmitting such records should always be confident that the use of the student's name is in a document generated and transmitted per applicable policy.
This is tougher than it sounds, since schools now have so many electronic systems facilitating record-making and communication--a situation compounded by online learning during the pandemic. Further, the decision to use those systems might be driven by function and cost, with only secondary attention being paid to privacy, as addressed in "Ask the Lawyer" #67, #80, and #143.
Since this question is rooted in interlibrary loan, I'll end with an example.
Below is a partial screenshot from the demo screen of OPALS, a popular ILS used by school district libraries (and other types of libraries, too).
As you'll see, OPALS enables the "viewing of all the borrowers in an attending class...."
There is nothing inherently wrong with this type of grouping of borrowers, so long as the district has addressed the various privacy obligations, and made sure the functionality and use of the system (in this example, OPALS) align with the school's approach and policies on privacy.
In other words, nothing should be left to chance.
So, with that, my ultimate answer--to all three questions-- is: any time a public school student's name is listed on a library record that leaves the bounds of the library (the "real" or virtual bounds), every unique way that happens (injury report, student discipline, interlibrary loan) should be covered by policy.
Now, let's consider how this issue looks "on the ground." I poked around a bit, and while I found many interlibrary loan policies for school district library systems/BOCES in NY, I didn't find one that went so far into the weeds as setting terms for how/when to include borrower names on the routing slips (printed or electronic).
Chances are, that's usually more of a "standard operating procedure" thing, rather than something set by formal "policy."[3]
But with increasing interconnectivity between library other school systems, it might be worth formalizing in future interlibrary loan policies. For instance, one sentence: "When effecting interlibrary loan, cooperating libraries shall mutually adhere to the other libraries' and systems' policies regarding borrower privacy"[4] is a sample of how to add a quick reminder about this critical consideration.
Because as the member's questions indicate, we can never be too "in the weeds" on privacy.
Thank you for an important array of questions.
[1] Okay, actually, nothing.
[2] In this mythical trip up 32 floors, we are visiting Buffalo City Hall, which if you have never seen, is a must-visit location.
[3] New York is a big state! I have no doubt there is a policy that does address this. If your district has one, please send a link to info@losapllc.com and reference this RAQ.
[4] This is just sample language...no matter what you select, make sure your school district's attorney or BOCES system director reviews and approves any policy before it goes into effect!
Tags: CPLR 4509, Ed Law 2-d, FERPA, Loaning programs, Privacy, School Libraries
Many districts have had COVID-19 access for SORA Ebooks. I am not sure if it is ED Law 2-d compliant. We do not want to support or suggest products to our membership that do not meet that compliance. Can you let us know? Thank you!
New York school libraries[1] operate in a complex web of regulations governing student privacy. Laws such as FERPA, CPLR 4509, and “ED 2-d” all restrict what can be done (and can’t be done) with library records related to students.
At “Ask the Lawyer,” we’ve spent a fair amount of time on FERPA[2] and CLPLR 4509[3], so if you need some background on those, check the footnotes for this sentence.
That said, I have never written an “Ask the Lawyer” on ED 2-d, the new law protects “personally identifiable information” (“PII”)” held by a school district. I’ll weave the relevant parts of the law into this answer.
And I have never written about (or used) SORA. Since SORA is at the heart of this question, here is a little background on that:
SORA is a service provided by Rakuten/Overdrive. In its own words, it provides “Millions of ebooks and audiobooks for your students. Thousands of publishers. Comes loaded with hundreds of premium titles at no cost. Infinite reading possibilities on practically any device.”[4] Participating school districts enable student access to SORA through their own log-in points (the mechanics of which vary from school to school).
How does the service work? As one reviewer put it[5]: “SORA can be downloaded for free by all students and teachers. If their school or district is an OverDrive partner, they can then use SORA to access their school's digital collection and also connect with the local public library's digital collection.”[6]
And finally, it is worth noting that SORA has a very cute logo: a puffy-silver astronaut, soaring wide-eyed into an eye-relaxing sky of silver-blue. The astronaut is a combination of a Pokémon, Sailor Moon, and Big Hero Six.[7] He is ready to read, and all set to escort your students to a universe of reading, too! The logo is so cute, I don’t know how the member could think this company could do any wrong.
But savvy librarians are not distracted by cute logos. And in this case, our savvy librarian-member asks: is use of SORA by a district compliant with the privacy protections of New York State Education Law 2-d?
We’ll start this analysis with a term defined by the law: “third party contractor,” which ED 2-d defines as:
… any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs.
If SORA (or another service), meets this definition, then the district/school using it must implement the requirements of Ed 2-d, which are in the regulations found here:
http://www.nysed.gov/common/nysed/files/programs/data-privacy-security/part-121.pdf
I would set the full requirements out in this answer, but they are lengthy, and the regulations are about as plainly worded as can be.
In addition, for a library at a specific school in New York, there is a more institution-specific way to find these requirements. To comply with Ed 2-d, every school district must have their own “District Privacy Officer” (“DPO”)[8] and that DPO must ensure that their institution develops and publishes a document called the “Parents Bill of Rights for Data Privacy and Security.”[9]
The parents’ “Bill of Rights” must list the district/school’s obligations vis-à-vis third-party contractors, including precise requirements for the protection of student information accessed by a specific contractor. In other words, for each “third party contractor” (like, potentially, SORA), a district/school must publish the unique “supplemental” contract terms they’ve created to ensure the service meets Ed 2-d requirements.
Readers who want to see the Ed 2-d criteria of their own particular district or school should be able to find it by searching for that district’s “Bill of Rights.”[10] For any district using Overdrive and/or SORA, the “Bill of Rights” will either contain supplemental terms applicable to SORA, or they will have determined that their use of SORA does not disclose any PII.
So here is the question at the heart of the member’s question: does use of SORA, as arranged by a district, disclose PII to Overdrive? While each district needs to make that determination on its own, in my opinion, any third party contractor that students must log into using a school-issued ID, after which the student will access content that supplements their school library’s collection (and be able annotate and leave notes about[11]), has a high likelihood of collecting PII.
But as I say, it will be up to the district’s DPO to make the call. If that call is: “Heck, yeah, they’ll be getting PII,” the district will then need to follow the law and regulations[12] to ensure the use complies. This means verifying that the contract has the right Ed 2-d requirements, and supplementing its “Bill of Rights” by disclosing the precise requirements the contract imposes on the contractor. But if that call is: “We checked it out, and nope, no PII heading out the door here,” then nothing further is needed (insofar as ED 2-d is concerned).
While it may seem like I am punting on this answer (“Go see your DPO!”[13]) I can say that the SORA Privacy Policy[14], as published on May 20, 2020, does contain the elements that are consistent with the requirements of ED 2-d. As but one example, Overdrive has a process for correcting records, which provides:
If you are a teacher or administrator at an educational institution using the school Services, please email privacy@overdrive.com to request the review, correction, and/or removal of a student’s Personal Information, and we will facilitate your access to and correction of such Personal Information promptly upon your request.
The ability to “challenge the records” of a contractor is a requirement of Ed 2-d.[15] This suggests to me that Overdrive knows SORA will be gathering protected information, and the service is ready to enter into contracts that give the required assurances. But only a look at the school’s contract for SORA, and its precise definition of PII, can ensure that.
The bottom line? No matter what the published “Privacy Policy” of SORA says, there is no way to fully confirm a school library’s use of SORA complies with Ed 2-d law and regulations until the district’s designated DPO[16]:
1) Assesses what information will be accessed by or transferred to Rakutan/Overdrive as a result of their district contracting for SORA;
2) Determines if that information is PII as defined by Ed 2-d[17];
3) If it is PII, ensures the contract complies with Ed2-d; and
4) Takes the steps to publish the “Bill of Rights” supplement as required.[18]
In other words: in Ed 2-d compliance, there should be no guesswork. By working with the school’s DPO, the guesswork should be entirely removed.
Thanks for a great question!
[1] Not to be confused with New York’s “school district public libraries,” which are chartered libraries operating separately from their associated district.
[4] As boasted at https://company.overdrive.com/k-12-schools/discover-sora/.
[5] Found at https://thelearningcounsel.com/article/sora-helps-give-k-12-students-more-access-ebooks-audiobooks-and-school%E2%80%99s-digital-collection
[6] If you want to read some harsh, some glowing, and some occasionally amusing reviews, check out the SORA review content here: https://play.google.com/store/apps/details?id=com.overdrive.mobile.android.sora&hl=en_US I particularly enjoyed the brief but scathing review by a person who thought the service was supposed to be a game.
[7] I am not one myself, but I have anime fans in the family. It rubs off.
[8] Per Regulation 121.8(a), “Each educational agency shall designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law §2-d and this Part, and to serve as the point of contact for data security and privacy for the educational agency.” That’s the “DPO.”
[9] No, that is not a typo in “parents.” The law left out either possessive apostrophe (“parent’s” or, for the plural possessive “parents’”). Grammar matters, NY Assembly…grammar matters.
[10] I tried this on several different districts/schools across the state; a few institutions that shall remain nameless seem to have flunked, but admittedly, I didn’t look much harder than a cursory google search—which worked for many of the other institutions searched.
[11] Yes, I watched the SORA demo and paid attention to the additional features, which includes highlighting content and typing in comments. I guess it beats writing in a book, which, to my husband’s great chagrin, I have been known to do (only to my own books).
[12] Found here: http://www.nysed.gov/data-privacy-security
[13] This is also critical because the definition of PII may vary slightly from institution from institution. This is because student PII is based on the definition of “education records” in FERPA, which does allow some variance in “directory information” and other nuances this footnote is too small to cover.
[14] As found on May 19, 2020, at: https://company.cdn.overdrive.com/policies/privacy-policy-for-children.htm
[15] Regulation 121.3(c)(4)
[16] Or designee, of course.
[17] “Personally Identifiable Information, as applied to student data, means personally identifiable information as defined in section 99.3 of Title 34 of the Code of 3 Federal Regulations implementing the Family Educational Rights and Privacy Act, 20 U.S.C 1232g, and as applied to teacher and principal data, means personally identifiable information as such term is defined in Education Law §3012-c (10).”
[18] I realize this answer may give DPO’s out there extra work. I am afraid I can’t apologize, since vigilance about privacy is a beautiful thing. And hey—job security!
Tags: Emergency Response, School Libraries, Ed Law 2-d, Overdrive, SORA
