Patron Privacy Policy • Maine InfoNet

Maine InfoNet — Approved, August 5, 2024

Maine’s libraries collect personally identifying information (PII) in order to provide basic services for the people of our state. While the collection of such information is essential for library operations, PII needs to be handled carefully in order to protect the privacy of all of our users.

Maine InfoNet and its partner libraries may provide patrons access to resources which then collect patron-supplied information and use it according to their terms of service. These are relationships that the patrons enter into, not release of information by Maine InfoNet.

Our obligations around privacy and confidentiality in Maine libraries are founded in Title 27 of the Maine Revised Statutes, section 121, on the confidentiality of library records. Although this statute does not apply to all libraries in Maine InfoNet, it provides sound guidance for all. The statute provides that the following information about library patrons is to be treated as confidential:
1. Personally identifying information, including name, address, phone number and e-mail address
2. Information that identifies any books or other materials that a patron has requested, obtained or used in the library, or that has been provided by the library.
What information should we have in our systems?
1. When libraries create patron records in our systems, they can include all of the information listed in the statute quoted above – name, address, phone number, and e-mail address.
2. In some cases, a library may also want to include birth date and / or driver’s license number; these additional pieces of information must be protected under the same confidentiality rules that govern all other PII.
3. PII should not be revealed, shared or published in any way that makes it available to any person who does not have a specific operational need for such information in order to perform library functions or operate library systems.
What information should we not have in our systems?
1. Under no circumstances should libraries collect or request individual Social Security numbers
2. Information that could reveal individual membership in any of the classes protected by federal anti-discrimination law, including information related to race, color, religion, sex, national origin, age, disability, marital status or political affiliation, is seldom needed for library operations and should rarely be collected.
Other records; relationship to FERPA.
1. In order to comply with the Maine statute on library confidentiality, other kinds of records, including attendance lists for library-sponsored events and sign-up sheets to use publicly-accessible computer terminals should also be treated as confidential. Such records should not be retained longer than is necessary for an operational need.
2. Student records at any educational institution that receives federal funding (i.e. K-12, college or university) are governed by FERPA, the Family Educational Rights and Privacy Act. The guidelines laid out by FERPA do not conflict with these policies, and institutions to whom FERPA is applicable are encouraged to follow the advice and procedures provided by their specific institution.
What information, under what conditions, can we share between libraries?
1. Title 27, section 121 of the Maine Revised Statutes, cited above, also contains a provision that permits release of confidential patron information in several circumstances: “with the express written consent of the library patron involved; to officers, employees, volunteers and agents of the library to the extent necessary for library administrative purposes; or as the result of a court order.”
2. This second clause of this permission to release patron information makes clear that exchanges necessary to facilitate interlibrary loan and other programs between libraries are acceptable. Information for the purposes of resource sharing or joint programing can be shared with other library employees or volunteers in order to facilitate such programing, taking due care to limit that sharing to the people and purposes listed.
3. Whenever a library has access to PII related to patrons at another library, such information should be treated with the same care and respect for this policy as PII related to the library’s own patrons.
How should we respond to requests to release patron information to a third party, especially law enforcement?
1. The Maine statute on the confidentiality of patron records is very clear that release of patron PII outside of libraries’ ordinary course of business (absent permission form the patron) is permitted only when there has been a court order for such information
2. Requests that are not accompanied by any kind of court order (a warrant or subpoena that specifies the information to be released) should not be honored, even if they are made by a law enforcement officer. Refer such requests to the library director or board.
3. If someone who does not properly identify themselves as a law enforcement officer makes a request or presents some form of court order for patron records, staff should accept the paperwork but not turn over any records to the person. The paperwork should be forwarded as soon as possible to the library director, library board or counsel to the library.
4. On the rare occasion when a law enforcement officer presents a warrant or subpoena that demands the release of specific patron information, such court orders should be complied with within the time period specified by the court. Note that a subpoena ordinarily specifies a future date by which its orders must be met, while a warrant usually requires immediate compliance. Whenever possible, the library director or a member of the libraries’ board should be notified and be present to ensure that the compliance is careful and complete. When that is not possible, however, the employee to whom the court order is presented should make their best efforts to comply with the order in the required timeframe, taking care to reveal only such information as the order specifies.