Privacy and Data Sharing in Higher Education: Open your Data, not Pandora’s Box
DESCRIPTION
Privacy and Data Sharing in Higher Education: Open your Data, not Pandora’s Box. August 9, 2012. 2012 SHEEO Higher Education Policy Conference. Kathleen M. Styles, Chief Privacy Officer, U.S. Department of Education. Presentation Overview. Privacy Basics and History. FERPA Review and Update.
TRANSCRIPT
Privacy and Data Sharing in Higher Education:
Open your Data, not Pandora’s Box
August 9, 2012
2012 SHEEO Higher Education Policy Conference
Kathleen M. Styles
Chief Privacy Officer
U.S. Department of Education
Presentation Overview
Privacy Basics and History
FERPA Review and Update
Data-Sharing
Hot Topics
Resources and Additional Information
Privacy Basics
Privacy versus Confidentiality
Civil liberties
Intimacy
The right to be let alone
Information privacy
Privacy: Where it Began
Concept of Privacy arose with cities
Emerging need to be able to identify individuals
Technology is a game changer
– 1890 Harvard Law Review
– Databases
National Data Bank Proposal
Idea originated in 1965 with the Bureau of the Budget
Goal = Efficiency
Proposal grew from 4 agencies into a massive cradle-to-grave electronic database
Public opposition and Congressional Hearings → 1968 dropping of proposal
Some privacy advocates now conclude that killing this proposal was a mistake
Databases – Great tools
Efficiency
Evidence-based answers to complex problems
A strong history for protection of statistical databases
Secure identification could have benefits
Databases – Common Criticisms
Historical abuses
Why do they need to know that?
What Congress grants, Congress can take away
Repurposing data
Breaches
FIPs – Five Principles
No record keeping systems whose very existence is secret
A way to find out what information is in the system and how it is used
A way to prevent information obtained for one purpose being used for another without consent
A way to correct a record about you
Organizations with databases must assure the reliability of the data, and prevent misuse
Breaches by Educational Institutions
No good data on breaches in education
Sense that it is a growing problem
Do you have to report breaches to ED?
Things to Remember
A partial list of things to remember:
Correcting data
Re-identification
Governance
Culture of confidentiality
Transparency
FERPA Update & Review
Background on Student Privacy
1974 Family Educational Rights and Privacy Act (FERPA)
Move to electronic records
State longitudinal databases/accountability
2009 Fordham University report
New risks and vulnerabilities
Recent FERPA Amendments
Final FERPA regulatory changes
– Effective January 3, 2012
– Legal challenge: EPIC v. U.S. Dept. Education
Expanded requirements for written agreements and enforcement mechanisms to help
– Ensure program effectiveness
– Promote effectiveness research
– Increase accountability
Our Favorite FERPA Quote
“You know how sometimes FERPA can tie your brain in a knot trying to think through it all?”
Received in an email to PTAC
FERPA – Access & Consent
Gives parents (and eligible students) the right to access and seek to amend their children’s education records
Protects personally identifiable information (PII) from education records from unauthorized disclosure
Requirement for written consent before sharing PII – unless an exception applies
Education Records
FERPA regulations define education records as those records that are:
– Directly related to a student; and
– Maintained by an educational agency or institution or by a party acting for the agency or institution.
Exceptions
Exceptions from the consent requirement for:
– “Directory Information”
– “Studies”
– “Audits and Evaluations”
– Health and Safety Emergencies
– And other purposes as specified in §99.31
“Research Exception”
Studies Exception
“For or on behalf of” schools, school districts, or postsecondary institutions
Studies must be for the purpose of
– Developing, validating, or administering predictive tests; or
– Administering student aid programs; or
– Improving Instruction
Audit/Evaluation
Data can only be shared in order to
– Audit or evaluate a Federal- or State-supported education program; or
– Enforce or comply with Federal legal requirements that relate to those education programs
Working with the New FERPA Regulations: Key Lessons
Audit/Evaluation: Is the program being evaluated an “education program?” (as opposed to a child welfare program, e.g.)
Audit/Evaluation: Are you proposing to use the shared data only for evaluation purposes? (as opposed to using the data for a program)
Remember! We’re from the Government. We’re here to help!
Should You Share Data?
FERPA allows postsecondary institutions to share data. It does not REQUIRE data sharing. You have to decide whether data sharing is appropriate.
Why Share Data?
Improving the delivery of education services
Designing better programs, using available information
Coordinating across educational levels (High School → Higher Ed → Workforce) to improve student preparation and achievement
When Should You Share Data?
Okay, so you’ve determined that no law precludes the data sharing. When should you do it?
When there is a legitimate (and authorized) educational purpose
When non-confidential data are not available/not sufficient
When adequate mechanisms are in place to ensure the protection of the data
How Should You Share Data?
Develop a data governance process – don’t re-invent the wheel each time you get a request
Share only the information necessary for the project
Use written agreements (see “Guidance on Reasonable Methods and Written Agreements”)
Pay attention to disclosure avoidance when publishing results
Be transparent – share results
Hot Topics
Analytics and “Big Data”
“Smart Disclosure”
Researcher Access
Publishing Data
Priorities for the coming year
Analytics and Big Data
Big Data = shorthand reference to massive amounts of digital information + increase in computing power
Allows users to track progress in large systems, and potentially across institutions
Available for more than reporting: pattern recognition, learning prediction, business intelligence, resource optimization, etc.
Whoa! Have you forgotten whose data this is?
Raises novel issues for privacy, legal compliance, and ethics
FERPA – Consider the school official exception
FERPA – Remember re-identification risk
Beyond FERPA – Consider privacy best practices. Are students aware of what you’re doing with their information?
“Smart Disclosure”
Also called “My Data” buttons
FSA is exploring options
Allows users to download their own data, and re-upload it onto mobile apps
Privacy issue: sometimes it’s not just your data
Privacy issue: sometimes teenagers (and adults!) don’t make smart decisions about re-disclosure
Researcher Access
NCES has been licensing confidential data to researchers for several decades
Working to expand this to include ED program data
July 2012: “Forum Guide to Supporting Data Access for Researchers”
Publishing Data: It’s all about risk
“The release of any data usually entails at least some element of risk. A decision to eliminate all risk of disclosure would curtail [data] releases drastically, if not completely. Thus, for any proposed release of [data] the acceptability of the level of risk of disclosure must be evaluated.”
Federal Committee on Statistical Methodology, “Statistical Working Paper #2”
What’s next?
New Director in FPCO – Dale King
Guidance, guidance and more guidance
More training
Introducing efficiencies
Best Practices and Guidance Resources
Already issued:
Guidance on Reasonable Methods and Written Agreements
January 2012 Webinar on Data Sharing
Data Governance and Stewardship
FAQ: Cloud Computing
Case Study 1: High School Feedback Report
Identity Identification: Best Practices
Best Practices and Guidance Resources
Coming Soon:
Downloadable video training: “FERPA 101 for Colleges and Universities”
Case Study 5: Disclosure Avoidance and De-identification (tentative title)
Breach Response Checklist
We need your input. What else can we do to help improve privacy and FERPA administration at your schools?
Contact Information