Privacy and propriety
Abstract:
This chapter focuses on the issues of privacy and defamation, particularly as they relate to unpublished work disseminated through an institutional repository. Repository managers must take steps to ensure that content in the repository does not violate an individual’s privacy rights, nor harm their reputation. General privacy rights are discussed, along with the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). The chapter concludes with an examination of the potential risks and liability related to defamatory content.
While institutional repositories do present entirely new ethical issues for libraries, repositories also require attention to two topics that are already familiar to librarians: privacy and propriety. Respect for patron privacy has long been a core tenet of librarianship, and libraries also continually struggle with challenges to materials in their collections that community members believe to be inappropriate in some way. Management of repository collections brings both of these issues to the fore, though from a slightly different perspective. With regard to privacy, the focus is not on preserving the confidentiality of patrons' library circulation records, but on ensuring that materials posted in the repository do not violate individuals' personal or statutory privacy. Similarly, repository managers must also be mindful of the potential for materials to be deposited that are defamatory – and of how to limit the library’s (and parent institution’s) liability related to that content.
As with the issues related to research ethics, concerns about private or improper information in repository submissions are most relevant when dealing with original materials that have not been previously published or otherwise undergone formal editorial review. For example, it is unlikely that a paper that was peer – reviewed and presented at a professional conference would still contain questionable content. Furthermore, in considering the relative risk of distributing private information or defamatory content, making disciplinary or format distinctions is also useful in limiting overzealous oversight practices. An oral history transcript, anthropological field notes, or a medical case study, for instance, are all more likely to present privacy issues than would an exposition of John Donne’s holy sonnets. And a scientific research report on lasers and photonics would be a far less probable candidate for defamatory content than would be an investigative essay on corruption in the state legislature.
Ultimately, the library’s role in limiting the dissemination of private, defamatory, or obscene content through the repository will be largely educative. As previously mentioned, it would be unreasonable – and inappropriate – to expect the repository manager to actively review the nature and quality of all submitted content. But it should be the library’s responsibility to make students, staff, and faculty aware of applicable legal and ethical considerations that will guide their own creative and scholarly activities. Providing this education, whether through personal instruction or submission guidelines, will help ensure that repository collections respect both individuals' privacy and personal reputations.
Privacy
While Chapter 3 discussed the issue of confidentiality in relation to human subject research data, there are other scenarios, unrelated to research activities or research data, in which protecting individuals' privacy or private information must be a concern for repository managers. These range from general legal protections for individuals against invasion of privacy to protections for specific types of private information, such as education or health records.
At the most basic level, information about an individual – whether data, observations of behavior, or characteristics – should be considered private if an individual has not intentionally made it public. Though it relates specifically to private information in the context of research, the definition provided in the Common Rule is useful in explaining the general concept of what is "private":
Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record).
In the U.S.A., although the courts have determined that a right to privacy is present in the U.S. Constitution (Griswold v. Connecticut, 1965), an individual’s right to privacy – to keep his/her private information from being publicly shared – finds the most robust protection under state law. These protections take four forms. Individuals have the right not to be intruded upon in a private place (intrusion upon seclusion); the right not to have private facts shared publicly (public disclosure of private facts); the right not to be portrayed in a false light (false light); and the right not to have their identities or likeness used to endorse something without permission (commercial appropriation) (DuBoff and Krages, 2005). Though there is the potential for all four rights to be infringed by a repository submission, public disclosure of private facts is the most likely to occur (false light will also be discussed later in relation to defamation).
For an individual to have a legitimate claim that his/her private information was illegally publicly disclosed, there are four factors which generally must be true of the disclosure:
(1) The facts were disclosed (shared) publicly.
(2) The facts that were made public were previously private.
(3) Publicizing the facts would be offensive to a "reasonable person" (about whom such information was publicly disclosed).
(4) The facts that were publicized are not of "legitimate public concern" (or "newsworthy").
If even one of these is not true of the disclosure, then the person (or institution) who disclosed the facts/information cannot be held legally liable for that disclosure (CMLP, 2008a).
It should be obvious that dissemination of private information through an institutional repository would constitute public disclosure of that information. For example, such dissemination clearly meets the test provided in California’s guidance regarding "public" disclosure: "In deciding whether [name of defendant] publicized the information, you should determine whether it was made public either by communicating it to the public at large or to so many people that the information was substantially certain to become public knowledge" (JCC, 2011, pp. 10667). Even in an instance where an item in the repository is limited in its distribution – for example, available only to the institutional community via authentication or Internet protocol (IP) range restrictions – it seems likely that the local community would constitute a sufficient number of people to meet the latter part of that test (though such determination must ultimately be left to the courts).
It is also important to note that it does not matter if the disclosure of private facts is offensive to the person about whom the facts are disclosed; rather, the disclosure must be found by the court to be offensive to "a reasonable person of ordinary sensibilities" (CMLP, 2008a). This test of offensiveness to a "reasonable" individual is well articulated by Prosser (1960):
"All of us, to some extent, lead lives exposed to the public gaze or to public inquiry, and complete privacy does not exist in this world except for the eremite in the desert. Any one who is not a hermit must expect the more or less casual observation of his neighbors and the passing public as to what he is and does, and some reporting of his daily activities. The ordinary reasonable man does not take offense at mention in a newspaper of the fact that he has returned from a visit, or gone camping in the woods, or that he has given a party at his house for his friends; and very probably Mr. Warren would never have had any action for the reports of his daughter’s wedding. The law of privacy is not intended for the protection of any shrinking soul who is abnormally sensitive about such publicity. It is quite a different matter when the details of sexual relations are spread before the public gaze, or there is highly personal portrayal of his intimate private characteristics or conduct."
(Prosser, 1960, pp. 396–7)
Even if the disclosure of private facts is found to be (reasonably) offensive, the final consideration in determining whether the disclosure of the facts is legally actionable is whether or not the facts themselves are actually of legitimate public concern. In making this determination, a court will likely examine whether:
(1) the facts that were disclosed had any "social value";
(2) the degree to which the disclosure of the facts invades the individual’s privacy; and
(3) the individual gave his/her consent to the publication or whether the individual had willingly placed him/herself in the public eye
(JCC, 2011, p. 1066)
Whether or not particular information about an individual has any social value (i.e., is of concern to the public and is therefore newsworthy) is a difficult determination to make – even for the courts (Bostwick, 1999). However, the Citizens Media Law Project recommends a common sense approach to the dilemma: "Avoid obscure and salacious details that don't have direct bearing on your topic, and don't use someone’s photograph to illustrate your work unless they have some reasonable connection to the issue at hand" (CMLP, 2008b). In other words, the same practical rules that govern the fair use of copyrighted materials apply to the use of private information as well: use only what is integral to your work, and not to the extent that it will infringe upon the rights of the owner of the work/ information.
As with fair use, the question as to whether publication of private facts constitutes a violation of another’s rights is determined on a case – by – case basis and is open to argument and interpretation. However, there are other privacy rights that are more well defined – specifically those dealing with health and educational records.
Privacy and health records: HIPAA
In the U.S.A., individuals' private medical records are protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). As a result of HIPAA, the Department of Health and Human Services (HHS) introduced the Standards for Privacy of Individually Identifiable Health Information (commonly referred to as the "Privacy Rule"). The HIPAA Privacy Rule regulates the use of certain types of information that are created and used by health insurers, health care providers, and associated entities (USDHHS, 2003).
The Privacy Rule protects only "individually identifiable health information", which the Rule terms "protected health information (PHI)" (USDHHS, 2003, p. 3). Under the Privacy Rule, individually identifiable health information includes any information about: an "individual’s past, present or future physical or mental health or condition"; "the provision of health care to the individual"; or "the past, present, or future payment for the provision of health care to the individual." In order for these types of information to be considered PHI, the information must directly identify a unique individual or hold a "reasonable" potential "to be used to identify the individual" (USDHHS, 2003, p. 4).
In general, organizations (such as hospitals, clinics, laboratories, health insurers, etc.) who create and use health records are only allowed to use (or disclose) the PHI that they gather from patients or clients for activities that directly relate to the treatment of the patient, to billing for services, and to the operations of the organization. Any other use of an individual’s health records generally requires either that the individual consent to the use, or that the organization redact certain direct identifiers from the PHI prior to using the information (USDHHS, 2003). Redaction of identifiers from the PHI creates what is called a "limited dataset", which is commonly used for research purposes.
It is likely that, if an academic institution has any programs related to the health professions, students and faculty will be conducting research that requires the use of information from health records. If the results of this research – either in the form of a manuscript, or dataset, or both – is deposited in an institutional repository, it is imperative for the repository manager to receive assurances from the depositor that his/her use of health information is in compliance with the HIPAA Privacy Rule. Fortunately, the Privacy Rule provides clear guidance for researchers on appropriate uses of PHI in research activities, and it should be a simple matter to establish whether a particular use was allowed.
An organization covered by HIPAA may use or share PHI for research purposes:
If the subject of the PHI has granted specific written permission through an Authorization.
If the covered entity [organization holding the PHI] receives appropriate documentation that an IRB or Privacy Board [a committee specifically commissioned with oversight of the use of PHI] has granted a waiver or an alteration of the Authorization requirement.
If the PHI has been de – identified in accordance with the standards set by the Privacy Rule (in which case, the health information is no longer PHI).
If the information is released in the form of a limited dataset, with certain identifiers removed, and with a data use agreement between the researcher and the covered entity.
(USDHHS, 2004, p. 2)
In addition to these, a researcher may also access records containing PHI in order to prepare a research proposal (e.g., to identify whether a relevant population exists), or may perform research that examines the records/PHI of deceased individuals. For all of these uses, specific terms and conditions must be met both by the researcher and by the organization providing access to the health records/data (USDHHS, 2004).
As with other data or research results that are openly disseminated through a repository, the best way to protect individuals' privacy (in this case, related to their health) is to require that all data – in whatever forms they take, whether a dataset or descriptions in a manuscript – be anonymized.1 Indeed, even if a researcher has received the proper authorization or permission for research use of PHI, it is likely that the authorization does not permit disclosure of the PHI beyond the actual conduct of research (e.g., through publication or through distribution of a dataset in a repository; McCall et al., 2006). Therefore, any PHI – based research results (or associated data) submitted to an institutional repository must be properly de – identified.
Fortunately, the Privacy Rule provides clear guidance on what data elements must be removed in order for a dataset (or other presentation of health information) to be considered de – identified. The elements that must be removed are listed in Box 4.1.
Even if PHI – based research submitted to a repository contains only de – identified data, it may still be appropriate to request confirmation from the researcher that this dissemination is in keeping with the data use agreement that he/she entered into with the covered entity that provided the data. Depending on the scope of the research project, and the extent of the data being made available in the repository, the repository manager may even wish to consider requesting a copy of the data use agreement. The agreement could then be uploaded to the repository and stored as supplemental content with the primary research materials in case later questions arise regarding the data in question.
While research products are a reasonable focus when considering HIPAA – governed data, there are other types of materials that may also be relevant to consider. For example, health professions education often involves the use of case – based teaching, in which students examine the details of a real patient’s case. This is even more likely if the educational institution has associated teaching clinics or medical facilities. If faculty members develop teaching materials based on actual cases, and then wish to disseminate those materials through the repository as pedagogical examples, it is likely that – absent explicit consent from the patient – identifiable data or images may need to be redacted in order to de – identify the content.
For libraries at institutions with medical schools or other health professions programs, it is also possible that the library may hold archival collections that include historical medical records or other documents that could contain PHI (Wiener and Gilliland, 2011). If this is the case, the library must carefully examine any of these materials that it wishes to make available through its repository to ensure that private information is not inappropriately disseminated. For some types of materials (particularly those that would lose historical or research value through redaction), providing public access through the repository may not be appropriate. In those instances, the library must develop separate policies for providing restricted access to these collections for researchers (Wiener and Gilliland, 2011).
A final – and vital – consideration for libraries to consider with regard to HIPAA is their actual legal obligation under the Privacy Rule. While it is ethically imperative that libraries not facilitate the inappropriate dissemination of PHI, only certain institutions ("covered entities") also have a legal imperative to protect the privacy of these data. As defined by HIPAA, covered entities are "(1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards" (NIH, n.d.b). Only entities that meet this definition are legally required to comply with the Privacy Rule. For academic institutions without medical or other health programs, it is extremely unlikely that they will be in a position to be deemed a covered entity. However, institutions that do provide health care through affiliated hospitals or clinics will likely be considered covered entities. It is possible, though, that these institutions may decide to identify themselves as "hybrid entities", which means that only the units of the institution that actually provided health care would be legally bound by the Privacy Rule:
"For example, a university may be a single legal entity that includes an academic medical center’s hospital that conducts electronic transactions for which HHS has adopted standards. Because the hospital is part of the legal entity, the whole university, including the hospital, will be a covered entity. However, the university may elect to be a hybrid entity. To do so, it must designate the hospital as a health care component. The university also has the option of including in the designation other components that conduct covered functions or business associate – like functions. Most of the Privacy Rule’s requirements would then only apply to the hospital portion of the university and any other designated components. The Privacy Rule would govern only the PHI created, received, or maintained by, or on behalf of, these components. PHI disclosures by the hospital to the rest of the university are regulated by the Privacy Rule in the same way as disclosures to entities outside the university."
While such a hybrid designation might mean that the university library itself is not legally bound by the Privacy Rule, the library still has an ethical duty to ensure that no PHI – whether it originated at that institution or another – is inappropriately included in repository collections. In any case, it is recommended that repository managers at institutions with any affiliated health facilities request a determination from the institution’s legal counsel as to the library’s legal responsibilities under HIPAA.
Privacy and educational records: FERPA
Though not all educational institutions will need to address considerations related to private health information, every institution, by its nature, must address the issue of student privacy. In the U.S.A., the privacy of student education records is protected by the Family Educational Rights and Privacy Act (FERPA). According to FERPA, any educational institution which receives federal funding may not disclose personally identifiable information from a student’s education records without the parents' or student’s consent (this right transfers to the student when he/she is 18 years of age) (34 CFR 99). While there are exceptions to this consent requirement for specific legal, operational, educational, or research purposes, FERPA generally protects private student records from being widely – or publicly – shared.
According to the FERPA definition, an "education record" is any record that is (a) "directly related to a student" and (b) "maintained by an educational agency or institution or by a party acting for the agency or institution" (34 CFR 99.3). Education records do not include teacher’s personal notes, campus public safety records, employment records (if the student is employed by the school), medical records from a campus clinic, or peer – provided grades. Even with these restrictions, the scope of what may be considered an education record is quite broad: student grades, financial aid information, advising records, class assignments, and other materials.
As it has become common for universities to create online collections of student theses and dissertations, questions have been raised about whether these student works constitute education records under FERPA – and, as such, require specific student consent prior to posting online (Ramirez and McMillan, 2010). In its strictest interpretation, FERPA would seem to disallow the dissemination (without explicit consent) of student theses and dissertations as privileged education records. However, in 1993, the application of FERPA to theses and dissertations was clarified by the Department of Education:
"[W]e recognize that undergraduate and graduate 'theses' often differ in nature from typical student research papers and other education records, such as written examinations, in that they are published or otherwise made available as research sources for the academic community through the institution’s library. It has been and remains our understanding that in these circumstances an educational institution would ordinarily have obtained the student’s permission to make his or her work available publicly before doing so, perhaps in connection with notifying the student of specific course or program requirements.
Consequently, an institution need not obtain a student’s signed and dated specific written consent to disclose or publish a thesis in the library or elsewhere at the institution. Neither the statute, the legislative history, nor the FERPA regulations require institutions to depart from established practices regarding the placement or disclosure of student theses so long as students have been advised in advance that a particular undergraduate or graduate thesis will be made publicly available as part of the curriculum requirements."
This statement provides clear guidance for universities and libraries: as long as students are aware that, as part of the educational program, their theses/dissertations will be added to the library’s collections and made publicly available, no written authorization from students is required. Though the Department of Education interpretation was given when print copies were the norm at most institutions, it seems appropriate to assume that the interpretation is format agnostic.
Even with this assurance that a thesis or dissertation is exempt from the restrictions on disclosure of identifiable education records, some institutions may wish to request explicit consent from students to make their papers openly available online. This is easily accomplished by including appropriate language in a submission agreement (which will also likely address intellectual property concerns). For example:
I specifically acknowledge that this project may constitute an educational record under FERPA (20 U.S.C. 1232g) and expressly consent to the use of this project under this Agreement.
Students making submissions to this repository agree to share their work and waive any privacy rights granted by FERPA or any other law, policy or regulation, with respect to this work, for the purpose of publication
Although the relationship of theses and dissertations to FERPA is clear, it is likely that an institutional repository will collect other types of student work as well. If this includes coursework or assignments completed by students as a requirement of their educational program, those items may constitute education records. For these materials, it is strongly recommended that the repository manager obtain the student’s explicit authorization to post the work in the repository. This authorization should include language such as that referenced above which specifically acknowledges that the work may be covered by FERPA and that, with that knowledge, the student consents to its dissemination through the repository.
Institutional privacy policies
While libraries at all educational institutions in the U.S.A. need to be aware of FERPA (as well as any applicable state privacy laws), the library and repository manager must also comply with local policies regarding student privacy. Though ignoring these policies may not have legal ramifications, it would certainly have internal consequences – particularly in loss of support for the repository program.
It is especially important to understand that student privacy policies at some institutions may be more restrictive than FERPA. For example, FERPA allows an institution to publicly disclose certain information about students; this information is called "directory information", which:
includes, but is not limited to, the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full time or part time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.
Students (or parents, for those students under 18) must be given the opportunity to opt out of their institution disclosing the students' directory information. However, if they do not opt out, under FERPA that information may be disclosed (e.g., on a university website, in a press release, etc.). Even though such disclosure is legal, some institutions (such as the author’s – see Pacific University, n.d.) do not allow disclosure of any student information (including "directory" information) without a student or parent’s consent.
At an institution with a privacy policy that does not permit release of any student information, posting materials with student names or other information in an institutional repository will require permission. For example, if a faculty member submits a research poster of which he/she is the primary author, but the poster includes the names of student research assistants, the student assistants would be required to provide consent for their names to appear in the institution’s repository.
Student privacy and multimedia
Student names and other descriptive metadata are not the only forms of identifiable student information that may be submitted to a repository. As repositories collect a growing diversity of materials, including multimedia, open educational resources, classroom recordings, and other objects related to teaching and learning, repository managers must also consider federal, state, and local privacy guidelines related to the use of photographs or videorecordings of students.
Under FERPA, a photograph or videorecording taken of a student while that student is involved in a school – related activity should be considered an education record (assuming the photo or video is taken by an individual employed by, or acting for, the school) (Cox, 2010). Such a photograph or recording clearly contains personally identifiable information that is "directly related to a student" and is "maintained by an educational agency or institution or by a party acting for the agency or institution" (34 CFR 99). Unless a school elects to classify such photographs or recordings as directory information, they may not release them without the consent of the student or parent (as applicable) (Cox, 2010).
In addition to FERPA, institutions also must comply with applicable state privacy laws. As discussed previously, individuals have a right not to have their image used to endorse, implicitly or explicitly, a particular product. If a photograph is used in connection with an official university service (e.g., a repository), that use could potentially be considered a violation of that right. For example, Washington law states:
Any person who uses or authorizes the use of a living or deceased individual’s or personality’s name, voice, signature, photograph, or likeness, on or in goods, merchandise, or products entered into commerce in this state, or for purposes of advertising products, merchandise, goods, or services, or for purposes of fund – raising or solicitation of donations, or if any person disseminates or publishes such advertisements in this state, without written or oral, express or implied consent of the owner of the right, has infringed such right. An infringement may occur under this section without regard to whether the use or activity is for profit or not for profit.
While it may not seem that the inclusion of student images in teaching materials or classroom recordings posted in a repository would constitute an advertisement or a "solicitation of donations", repositories are often described as promotional tools for institutions. As such, it would be advisable to require documentation of explicit consent for materials with identifiable images of students – or, at minimum, an assurance that explicit consent has been obtained by the individual submitting the work to the repository.
Fortunately, it is likely that, in accordance with both FERPA and applicable state law, individual institutions will already have regulations in place that govern the use of images/recordings of students. If this is the case, there should be a standard policy and a photograph/video release form available to faculty, staff, and students, which the repository manager can easily refer to in communications regarding submissions. At many institutions, the public relations office will be the appropriate place to contact to find out what local policy is, and where image release forms may be accessed.
Whether related to FERPA or photographs, local policies on privacy should be incorporated, or referred to, within institutional repository policies and procedures. This will insure that the repository’s practices are consistent with its parent institution’s practices, and will make it easier to respond to students or faculty who feel the repository’s policies are too lenient, are too strict, or are otherwise inappropriate.
Privacy and oral history
Although privacy concerns at most institutions will appropriately focus on considerations for students, it is important to remember that the privacy rights described at the beginning of this chapter – whether related to photographs or other private information – apply to all individuals. Within the context of institutional repositories, there is perhaps no better reminder of this than the case of oral histories. The privacy considerations of oral histories are uniquely relevant not only because archives and special collections content may be added to a repository, but because oral histories may also be submitted as part of student or faculty research – particularly as part of sociological or anthropological research.
There is active debate and disagreement within the research community as to whether the practice of gathering oral histories should be governed by the ethical oversight of an IRB. Both the Oral History Association and the Society of American Archivists have argued that there are no grounds for such oversight (Trinkaus – Randall, 2011; Shopes, n.d.). However, practice varies from institution to institution, and it is recommended that the repository manager determine what local practice is. If an institution’s IRB does require review and approval of oral history projects, students and faculty who are submitting such work to the repository should be required to confirm that appropriate approval was obtained for the project.
Whether or not IRB approval is required for oral histories, there is the possibility that the recordings and/or transcripts of oral history interviews will contain information that infringes on the privacy of either the interviewee or a third person mentioned in the interview. With regard to the interviewee, most potential concerns should have been addressed through the use of a consent form/release that clearly outlines how the information provided will be used and distributed. Ideally, if an oral history is to be disseminated through a repository, there will be language in the agreement between the subject and the historian that specifically addresses that possibility. For example: "Potential uses of the interviews (in whole or in part) include but are not limited to research, Internet display, media productions, publications, educational curriculum, and museum exhibits" and/or "I also grant the oral history program the right to use or permit my name and likeness to be used in conjunction with any Internet display, media production or publication" (Neuenschwander, 2012). It may be advisable to store copies of these agreements with oral history materials that are added to repositories, in case the terms of the agreements are ever called into question.
Because interview subjects do consent to participating in the gathering of oral histories, and are fully aware of how their responses may be used, it is far more likely that privacy issues will arise in relation to third parties mentioned in the interviews. For these individuals (or, possibly, corporate bodies) the potential issues are the same as those present in any other published materials. While a legal claim related to the public disclosure of private facts is certainly possible as the result of an oral history project, oral histories also have the potential to lead to a false light claim. As mentioned earlier, a false light claim is related to an individual’s right to not be portrayed in a false manner (DuBoff and Krages, 2005). In order for a false light claim to be successful, it must be shown that
(a) the false light in which the other was placed would be highly offensive to a reasonable person, and
(b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed.
(Restatement (Second) of Torts, as cited in Neuenschwander, 2009, p. 50)
Despite the name, information that is at the center of a false light claim does not actually need to be false. In other words, an interview subject could share factual information about another person and the organization publishing that interview could still be subject to a false light claim. Two such scenarios could be if (a) facts have been slanted in some way that they provide an inaccurate portrayal of an individual or if (b) there is a "false association" presented in which "innuendo can be drawn from being shown with or connected to unsavory individuals or criminal events" (Neuenschwander, 2009, p. 52). Fortunately, for a false light lawsuit to be successful, the information must not only be made public, but be made public "with knowledge or in reckless disregard of whether the information was false or would place the person in a false light" (Leslie, 2011, p. 15). This type of "reckless disregard" seems unlikely to be present in most, if not all, oral histories that are disseminated through institutional repositories.
Whether in relation to oral history or to any published account about an individual, privacy concerns focus on individuals' rights to not have information about them made public in a way that invades their personal privacy, that embarrasses or offends them, or that paints them in an unflattering light. In these privacy rights, the emphasis is on the inappropriate public disclosure of true information and the negative impact of that disclosure. By identifying which types of repository submissions (e.g., oral histories, healthcare research, and student work) hold the greatest potential for the inclusion of private information, libraries can work with content creators and relevant academic departments to ensure that best practices are followed for avoiding infringement of others' privacy rights.
Defamation: from false light to false facts
Unfortunately, repository managers need to be cognizant of not only issues related to dissemination of private factual information, but also of the possible inclusion of harmful false information in repository submissions. The legal term for the dissemination of harmful false information is defamation, which is typically defined as "false statements of fact that harm another’s reputation" (SPLC, 2001). Defamation should not be confused with privacy claims related to "false light"; the latter deals with damaging portrayals of true information, while the former addresses only information that is completely false.
An individual is usually considered to have made a defamatory statement about someone else if all of the following are true: (a) the statement is presented as being factual, but is untrue; (b) the statement was made to someone other than the person being defamed; and (c) the statement caused damage to the individual’s reputation (Neuenschwander, 2009). In order for a statement to hold the potential to, or to actually, damage an individual’s reputation, the statement must usually (but not always) describe the individual "(1) committing a crime, (2) acting immorally or unethically, (3) associating with unsavory people or otherwise acting disgracefully or despicably, (4) demonstrating financial irresponsibility or unreliability, [or] (5) demonstrating professional incompetency" (Neuenschwander, 2009, p. 44). These types of statements are called "defamation per se", which means that the statements are clearly defamatory, and need little proof or further explanation as to why they are defamatory. Other types of statements, "defamation per quod", may also be considered defamatory, but require the individual to provide more proof of the damage to his or her reputation (DuBoff and Krages, 2005, pp. 24–5).
Defamatory statements can be either documented ("defamation with a permanent record, like a newspaper, a letter, a website posting, an email, a picture, or a radio or TV broadcast") or undocumented ("defamation with no permanent record", usually "a spoken statement") (Canadian Bar Association, 2012). The undocumented form of defamation is slander, while the documented form – which is of most relevance to repository managers – is libel (Townsend et al., 2000).
Libel and liability
Though it might seem that, outside oral histories – which can contain very personal anecdotes and statements – institutional repositories would not be likely destinations for libelous content, the competitive and reputation – based nature of academia presents opportunities for libel and repositories to intersect. For example, in 2003, a physicist posted an article to the ArXiv preprint repository that included criticism of another researcher’s work – criticism that at least one legal commentator deemed "potentially defamatory" (Giles, 2003, p. 7). As they share a similar content base, it seems safe to assume that institutional repositories are no less susceptible to this type of occurrence than are disciplinary repositories like ArXiv. Given that, it is worth considering the potential liability for repositories related to the distribution of libelous content.
Legal liability for a libelous statement rests with the person (or persons/ entities) who makes the statement public ("publishes" the statement); in short, anyone who is directly responsible for publishing the libelous statement will share in the liability (SPLC, 2010). In addition, anyone who further disseminates a libelous statement after its original publication is considered just as liable as the person who originally made the statement (Neuenschwander, 2009). Fortunately, although questions have been raised as to whether libraries are responsible for libelous content in their collections (Curry, 2005), U.S. state and federal courts have provided protections for libraries that disseminate others' libelous statements if they do so unknowingly (Osmond v. EWAP, Inc., 1984), or if they do not exhibit "reckless disregard for the truth" in distributing the statements (Gertz v. Welch, 1974).
Though this case law applies to library collections in general, a 1996 U.S. law – the Communications Decency Act – potentially presents a further set of protections to institutional repositories. Section 230 of the Act states that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider" (U.S.C. Title 47, Sec. 230(a)(1)). As defined by the Act, an "interactive computer service" is
any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions
and an "information content provider" is "any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service" (U.S.C. Title 47, Sec. 230(f)(3)). The intent of this section of the Act is to provide immunity from liability to interactive service providers (like Internet service providers, website hosts, email lists, etc.) who provide a forum through which libelous content is published by third parties ("content providers"). Even if the service provider exerts some type of editorial role in relation to the content – by approving content for posting, editing content, etc. – the immunity is not affected (CMLP, 2011a).
It seems reasonable to presume (though there is no case law specific to institutional repositories to consult) that most institutional repositories would meet the statutory definition of being interactive computer services – particularly those repositories that are configured to allow self – submission on the part of students and faculty members. And even for those repository programs that utilize a mediated submission model, wherein contributors do not directly submit content into the repository platform, an argument could potentially be made that, in mediating the submissions, the repository manager is simply playing an editorial function such as that allowed by the Act. The ultimate purpose of the repository is unchanged – to provide a service that allows students and faculty to disseminate their work over the Internet.
Assuming that, in providing a repository, institutions are providing an interactive computer service, it would seem to follow that libraries (or more appropriately, their legally incorporated institutions) should be immune from liability for libelous content that faculty members or students (the "information content providers") elect to distribute through the repository. Unfortunately, it is not that simple – it must also be clearly established that the faculty member or student who is providing the content is actually a third party and not an "agent" of the institution providing the repository (SPLC, 2008, p. 283). If this is not the case and the content provider is an agent of the service provider, then the immunity does not apply and the institution would be just as liable as the individual for publishing the libelous content.
It is unlikely, especially given precedents relating to the publication of libelous content in student newspapers, that students would be considered agents of an academic institution (SPLC, 2008). If this is the case, the institution should have immunity for any libelous student content submitted to a repository. However, the potential institutional liability related to faculty work is a more complex matter. While faculty members are clearly employees (and thus, agents) of the institution, this does not automatically mean that the institution will be liable for libelous faculty content distributed through the repository.
When considering potential institutional liability related to faculty work, there are three relevant questions. First, is an employer eligible for immunity under Section 230 of the Communications Decency Act for an employee’s libelous content? As recent case law indicates, the answer is a qualified "yes": if the employer provides the interactive computer service to the employee; if the defamed party has named the employer as a publisher of the libelous content; and, finally, if the content was actually provided by the employee (Delfino v. Agilent Technologies, Inc., 2006).
The second question is whether the employee provided the content as part of his/her job. Although employers may be eligible for immunity under Section 230, a legal doctrine known as respondeat superior holds that they may still ultimately be liable for their employees' libelous statements if an employee was acting within the scope of his/her employment when making those statements (Zion, 2002). At the core of this distinction is the requirement that, for an information service provider to be immune, the libelous content must be provided by a third party – and an employee acting within the scope of his/her employment is not considered a third party:
"Material published through the employer’s system by an employee acting within the scope of his employment is not information provided by another, but is information provided by the employer and thus not immune from liability."
(Zion, 2002, p. 510)
The third and final issue to consider related to faculty work has to do with the unique nature of academic employment. Assuming that the institution is eligible for immunity under Section 230, the question at hand is whether or not the libelous content created by the faculty member and distributed through the repository was created within the scope of the faculty member’s employment. The answer to this question has implications for not only institutional liability, but also for whether the institution will be compelled to offer a legal defense, and possibly indemnify, a faculty member for libel suits brought against him/her (Oates, 2003).
Ultimately, it will depend on examining the unique institutional context to determine what work is considered to fall within a faculty member’s scope of employment. In general, the most common forms of faculty work (and the most likely to be deposited in a repository) are the products of research and scholarship. While these are, to a certain extent, expected to be produced by most faculty members, the institution usually has no input into (or opportunity to approve of) exactly what scholarly works faculty members produce – leaving it an open question as to what content should be considered to be produced within the scope of the faculty member’s employment. One potential strategy for answering this question, and determining responsibility/liability, is examining the intellectual property rights vested in the work:
"Contractual publication responsibility by the university toward a faculty member. No attempt by the Provost must necessarily be made to review a publication for possible defamation or copyright infringement. It is understood by a faculty member that lawsuits for defamation, copyright infringement or other legal actions resulting from publication are solely the responsibility of the faculty member. Liberty University will assume responsibility for defamation or copyright infringement lawsuits only in those situations where the University has a copyright claim upon the publication as defined and explained in this Handbook or otherwise expressly sponsors the publication."
Beyond local policy, other factors such as whether the institution is private or public (the latter may have sovereign immunity from liability) and whether the content was previously published (which may place more liability on the original publisher) will help determine exactly where liability falls for libelous content that is distributed through the repository.
Although in reality the potential is slim for an institutional repository to be at the center of a legal claim related to defamatory material, it is still advisable to address this issue in relevant policies and procedures. An excellent place to start would be a discussion with the institution’s legal counsel to determine the exact nature of faculty employment and the degree of liability that the institution is prepared to assume for faculty scholarship.
Conclusion: limiting potential liability
Whether the concern is the distribution of defamatory statements, or the inappropriate dissemination of private information, there are several simple strategies that an institution (and a repository manager) can employ to help limit the potential for the repository to host improper – or illegal – content. First, identify content sources (e.g., specific academic departments) that are most likely to contribute materials that may contain private information or potentially defamatory statements. In the former case, for example, health professions or educational research may raise potential privacy issues, and in the latter instance, oral histories or journalism students' assignments could potentially raise libel issues. It’s also important to remember corporations can also be defamed, so reports or articles about businesses should be considered equally with content about individuals (CMLP, 2008b). Second, if individuals or populations from outside the U.S.A. are regularly the subject of materials deposited in the repository, ensure that the repository manager is aware of relevant laws from the nations in which those individuals reside – as those may be the jurisdictions where claims like a libel suit would be brought (Hann, 2003). Third, develop policies and procedures that require repository staff to confirm the existence of interview releases, authorization forms, or other relevant contracts with submitting authors when "high – risk" categories of materials are deposited in the repository. Fourth, have a policy and process in place that allows for authors of submitted content to offer corrections or retractions to work they have submitted to the repository (CMLP, 2008b). Fifth, provide clear language in publicly available policies and submission agreements that reminds submitting authors that works that defame or invade the privacy of others should not be placed in the repository (Townsend et al., 2000). Sixth, implement policies and procedures that make it clear to repository staff and to the public at large that the repository manager exercises only basic "editorial control" 3over submitted content, and should not be considered a co – creator or co – publisher of deposited works (CMLP, 2011a). As should be evident, beyond employing simple common sense (Hann, 2003), the most effective way for a repository to address these issues is to ensure that there is an appropriate policy infrastructure in place – which, not coincidentally, is the topic of the next chapter.
1The term "anonymous" is often misused, and bears clarification in this instance. If a researcher, at any time, has access to individually identifiable information as part of his/her dataset, the data are not – and cannot – be properly called anonymous, even if the investigator later removes all identifiable data elements. In this context, "anonymization" refers to rendering the data anonymous for any future users who will have never had access to the identifiable data elements.
3Though the concept of "editorial control" is discussed here primarily in relation to issues of libel and the Communications Decency Act in the U.S.A., it is an equally important idea in other jurisdictions as well:
"In Europe institutional repositories may be covered by the E – Commerce Directive. Only when institutional repositories act as a 'mere conduit' for material, they may escape liability for illegal acts in the case where they exercise no editorial control. With an institutional repository, this is fairly unlikely to be the case and in some cases then, institutions may be regarded in law as a publisher and therefore likely to be liable as a service provider of the repository."
(Mossink, 2006, p. 9)