Recently a question has come up at our academic library concerning patron privacy and the notification to a patron (usually a student) concerning excessive downloading of content from databases in our collection. Our current practice has been to receive notification from the vendor about perceived illegal downloading. We then ask a member of our library IT team to investigate the situation, based on the information from the vendor. The contact information acquired by that IT staff member is then provided to the e-resource librarian. That librarian then contacts the individual via email, explaining the situation and indicating that such behavior must cease. Once that is done, the librarian notifies the vendor that the situation has been addressed, and there is no need to withhold access to the product from the campus. No personal identification of the user or student is provided to the vendor, nor distributed to anyone else. The question now: Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?
While the circumstances in the Schwartz tragedy are different from the situation described here, both scenarios--and the care the member has taken in framing this question--illustrate the importance of considering what's at stake when an institution balances contract compliance, digital access, and privacy.
What's "at stake" here? The member's question combines concerns about:
Let's do a quick run-down of these critical areas:
In New York, the confidentiality of library services is protected by Civil Practice Law & Rules ("CPLR") section 4509, which states that library records indicative of the identity of a library user may only be accessed with that user's permission, or per a subpoena or court order. CPLR 4509 applies to private libraries within academic institutions as much as it does public libraries or those within school districts. It works hand-in-glove with the American Library Association's and New York Library Association's recitals of patron confidentiality in their Codes of Ethics.
In New York, the commitment of a higher education institution to academic freedom is reflected in various ways. An example is the American Association of University Professors' 1940 "Statement on the Principles of Academic Freedom": "Teachers are entitled to full freedom in research..."
In New York and throughout the nation, the commitment of libraries to collaborate with others to promote intellectual freedom and access to information is reflected the ALA Library Bill of Rights: "Libraries should cooperate with all persons and groups concerned with resisting abridgment of free expression and free access to ideas."
In New York and throughout the nation, certain academic and library actions that would otherwise violate copyright are excluded from liability for infringement. This exclusion is to ensure there is a clear and well-defined legal safety net for content accessed in furtherance of certain intellectual and academic freedoms.
And throughout the USA, the privacy of education records, including library records, is assured under the Family Education Rights Privacy Act" (FERPA).
Serving as a counterweight to all of these critical factors are an educational institution's obligations under federal law and regulation with regard to alleged copyright infringement, particularly the regulations found in 34 CFR §668. If I were to delve into that and describe all of those obligations here, this answer would be 50 times longer, but a good summary of what compliance in that regard looks like can be found in this sample policy from RIT: https://www.rit.edu/its/rit-response-copyright-infringement. In short: since 2008, federal law requires higher education institutions receiving federal financial aid and other federal benefits to be express enforcers and re-enforcers of copyright.
Sitting astride of all of this is whatever notification commitments (and other responses) a college or university library agreed to when it signed the license agreement with the database provider (I have reviewed many of these types of license agreements, and almost all of them have some form of notification action requirement, which can range from a warning as described by the member, to ensuring the immediate cutoff of access by an offender). This means that in addition to the ethical, legal, and regulatory factors that have to be balanced in a question like this, we also have to consider obligations that are contractual.
With all of these very important considerations now laid before us, let's review what the member is doing: 1) getting a notification of a possible terms violation from the provider, and then 2) using a firewalled process to identify the user and alert them of the alleged violation, and then 3) assuring the vendor they have addressed the issue. As asked by the member: Is this process appropriate in resolving the misuse of a database, or does it violate the user’s/student’s privacy rights?
Here is my short answer: since the method of response described by the member shows there is a big firewall between the vendor and the institution (meaning: the outside party never learns the actual identity of the alleged violator), I believe so. BUT: the only real way to ensure privacy is protected as it should be is to confirm that the information flowing between the library and the IT Department never goes any further...within the institution.
What do I mean by that? The information should never go to campus safety or security. Unless it is per a very clearly articulated procedure developed for the operational needs of the library, it should never go to the office responsible for student discipline. And it should certainly never go to an employer on campus, a faculty member, or an advisor.
This caution is warranted because, although a library within a higher educational institution is not a separate business entity the way a chartered public library is an entity separate from the town or city that sponsors it, for purposes of an academic library's adherence to privacy ethics and laws, it should be considered a stand-alone entity. Information can flow into it, but information should not flow out, even to other departments, unless the flow serves the operational needs of the library, and verifiably goes no further.
This 'one-way flow" for user-associated academic library records is an easy goal to articulate, but in practice, it can be very difficult to assure. As systems within large and small institutions get more integrated in the interests of security and economy, so too is it more difficult to separate one type of information from another. However, when it comes to privacy and library confidentiality, because of the high stakes involving intellectual freedom, academic freedom, and student privacy, extra care and attention is warranted.
The care of the member in submitting this question and describing the careful process they are using is emblematic of the type of care that should be used at all times when safeguarding user confidentiality and privacy at a higher education academic library.
Thank you very much to the member for submitting such a careful question.
RIP, Aaron Schwartz.
 I say "led up to" rather than "led to" because while many believe the latter, the facts of the case clearly establish the former.
 Found as of November 14, 2021, here: https://www.aaup.org/report/1940-statement-principles-academic-freedom-and-tenure.
 I won't mince my words about that requirement: I don't like it. But I am not a member of Congress.
 And voluntary. This is why it is very important to read database licenses and to PUSH BACK on clauses that require draconian responses to alleged violations.
 By "firewalled," I mean that the vendor never knows the name or other identifying information of the alleged violator.
 Unless the student has signed a waiver. Then it can go to whoever has permission.