350 likes | 500 Vues
Privacy and Data Sharing in Higher Education: Open your Data, not Pandora’s Box. August 9, 2012 2012 SHEEO Higher Education Policy Conference. Kathleen M. Styles Chief Privacy Officer U.S. Department of Education. Presentation Overview. Privacy Basics and History FERPA Review and Update
E N D
Privacy and Data Sharing in Higher Education:Open your Data, not Pandora’s Box August 9, 2012 2012 SHEEO Higher Education Policy Conference Kathleen M. Styles Chief Privacy Officer U.S. Department of Education
Presentation Overview • Privacy Basics and History • FERPA Review and Update • Data-Sharing • Hot Topics • Resources and Additional Information
Privacy Basics • Privacy versus Confidentiality • Civil liberties • Intimacy • The right to be let alone • Information privacy
Privacy: Where it Began • Concept of Privacy arose with cities • Emerging need to be able to identify individuals • Technology is a game changer • 1890 Harvard Law Review • Databases
National Data Bank Proposal • Idea originated in 1965 with the Bureau of the Budget • Goal = Efficiency • Proposal grew from 4 agencies into a massive cradle-to-grave electronic database • Public opposition and Congressional Hearings → 1968 dropping of proposal • Some privacy advocates now conclude that killing this proposal was a mistake
Databases – Great tools • Efficiency • Evidence-based answers to complex problems • A strong history for protection of statistical databases • Secure identification could have benefits
Databases – Common Criticisms • Historical abuses • Why do they need to know that? • What Congress grants, Congress can take away • Repurposing data • Breaches
FIPs – Five Principles • No record keeping systems whose very existence is secret • A way to find out what information is in the system and how it is used • A way to prevent information obtained for one purpose being used for another without consent • A way to correct a record about you • Organizations with databases must assure the reliability of the data, and prevent misuse
Breaches by Educational Institutions • No good data on breaches in education • Sense that it is a growing problem • Do you have to report breaches to ED?
Things to Remember A partial list of things to remember: • Correcting data • Re-identification • Governance • Culture of confidentiality • Transparency
Background on Student Privacy • 1974 Family Educational Rights and Privacy Act (FERPA) • Move to electronic records • State longitudinal databases/accountability • 2009 Fordham University report • New risks and vulnerabilities
Recent FERPA Amendments • Final FERPA regulatory changes • Effective January 3, 2012 • Legal challenge: EPIC v. U.S. Dept. Education • Expanded requirements for written agreements and enforcement mechanisms to help • Ensure program effectiveness • Promote effectiveness research • Increase accountability
Our Favorite FERPA Quote “You know how sometimes FERPA can tie your brain in a knot trying to think through it all?” Received in an email to PTAC
FERPA – Access & Consent • Gives parents (and eligible students) the right to access and seek to amend their children’s education records • Protects personally identifiable information (PII) from education records from unauthorized disclosure • Requirement for written consent before sharing PII – unless an exception applies
Education Records • FERPA regulations define education records as those records that are: • Directly related to a student; and • Maintained by an educational agency or institution or by a party acting for the agency or institution.
Exceptions • Exceptions from the consent requirement for: • “Directory Information” • “Studies” • “Audits and Evaluations” • Health and Safety Emergencies • And other purposes as specified in §99.31
Studies Exception • “For or on behalf of” schools, school districts, or postsecondary institutions • Studies must be for the purpose of • Developing, validating, or administering predictive tests; or • Administering student aid programs; or • Improving Instruction
Audit/Evaluation Data can only be shared in order to • Audit or evaluate a Federal- or State-supported education program; or • Enforce or comply with Federal legal requirements that relate to those education programs
Working with the New FERPA Regulations: Key Lessons • Audit/Evaluation: Is the program being evaluated an “education program?” (as opposed to a child welfare program, e.g.) • Audit/Evaluation: Are you proposing to use the shared data only for evaluation purposes? (as opposed to using the data for a program) Remember! We’re from the Government. We’re here to help!
Should You Share Data? FERPA allows postsecondary institutions to share data. It does not REQUIRE data sharing. You have to decide whether data sharing is appropriate.
Why Share Data? • Improving the delivery of education services • Designing better programs, using available information • Coordinating across educational levels (High School → Higher Ed → Workforce) to improve student preparation and achievement
When Should You Share Data? Okay, so you’ve determined that no law precludes the data sharing. When should you do it? • When there is a legitimate (and authorized) educational purpose • When non-confidential data are not available/not sufficient • When adequate mechanisms are in place to ensure the protection of the data
How Should You Share Data? • Develop a data governance process – don’t re-invent the wheel each time you get a request • Share only the information necessary for the project • Use written agreements (see “Guidance on Reasonable Methods and Written Agreements”) • Pay attention to disclosure avoidance when publishing results • Be transparent – share results
Hot Topics • Analytics and “Big Data” • “Smart Disclosure” • Researcher Access • Publishing Data • Priorities for the coming year
Analytics and Big Data • Big Data = shorthand reference to massive amounts of digital information + increase in computing power • Allows users to track progress in large systems, and potentially across institutions • Available for more than reporting: pattern recognition, learning prediction, business intelligence, resource optimization, etc.
Whoa! Have you forgotten whose data this is? • Raises novel issues for privacy, legal compliance, and ethics • FERPA – Consider the school official exception • FERPA – Remember re-identification risk • Beyond FERPA -- Consider privacy best practices. Are students aware of what you’re doing with their information?
“Smart Disclosure” • Also called “My Data” buttons • FSA is exploring options • Allows users to download their own data, and re-upload it onto mobile aps • Privacy issue: sometimes it’s not just your data • Privacy issue: sometimes teenagers (and adults!) don’t make smart decisions about re-disclosure
Researcher Access • NCES has been licensing confidential data to researchers for several decades • Working to expand this to include ED program data • July 2012: “Forum Guide to Supporting Data Access for Researchers”
Publishing Data: It’s all about risk • “The release of any data usually entails at least some element of risk. A decision to eliminate all risk of disclosure would curtail [data] releases drastically, if not completely. Thus, for any proposed release of [data] the acceptability of the level of risk of disclosure must be evaluated.” • Federal Committee on Statistical Methodology, “Statistical Working Paper #2”
What’s next? • New Director in FPCO – Dale King • Guidance, guidance and more guidance • More training • Introducing efficiencies
Best Practices and Guidance Resources Already issued: • Guidance on Reasonable Methods and Written Agreements • January 2012 Webinar on Data Sharing • Data Governance and Stewardship • FAQ: Cloud Computing • Case Study 1: High School Feedback Report • Identity Identification: Best Practices
Best Practices and Guidance Resources Coming Soon: • Downloadable video training: “FERPA 101 for Colleges and Universities” • Case Study 5: Disclosure Avoidance and De-identification (tentative title) • Breach Response Checklist We need your input. What else can we do to help improve privacy and FERPA administration at your schools?