Open your Data, not Pandora`s Box (ppt)

Transcript Open your Data, not Pandora`s Box (ppt)

Privacy and Data Sharing in Higher Education: Open your Data, not Pandora’s Box

August 9, 2012 2012 SHEEO Higher Education Policy Conference Kathleen M. Styles Chief Privacy Officer U.S. Department of Education

Presentation Overview

 Privacy Basics and History  FERPA Review and Update  Data-Sharing  Hot Topics  Resources and Additional Information

Privacy Basics

 Privacy versus Confidentiality  Civil liberties  Intimacy  The right to be let alone  Information privacy

Privacy: Where it Began

     Concept of Privacy arose with cities Emerging need to be able to identify individuals Technology is a game changer 1890 Harvard Law Review Databases

National Data Bank Proposal

     Idea originated in 1965 with the Bureau of the Budget Goal = Efficiency Proposal grew from 4 agencies into a massive cradle-to-grave electronic database Public opposition and Congressional Hearings → 1968 dropping of proposal Some privacy advocates now conclude that killing this proposal was a mistake

Databases – Great tools

    Efficiency Evidence-based answers to complex problems A strong history for protection of statistical databases Secure identification could have benefits

Databases – Common Criticisms

 Historical abuses    Why do they need to know that?

What Congress grants, Congress can take away Repurposing data  Breaches

FIPs – Five Principles

     No record keeping systems whose very existence is secret A way to find out what information is in the system and how it is used A way to prevent information obtained for one purpose being used for another without consent A way to correct a record about you Organizations with databases must assure the reliability of the data, and prevent misuse

Breaches by Educational Institutions

 No good data on breaches in education  Sense that it is a growing problem  Do you have to report breaches to ED?

Things to Remember

A partial list of things to remember:  Correcting data  Re-identification  Governance  Culture of confidentiality  Transparency

FERPA Update & Review 11

Background on Student Privacy

 1974 Family Educational Rights and Privacy Act (FERPA)  Move to electronic records  State longitudinal databases/accountability  2009 Fordham University report  New risks and vulnerabilities

Recent FERPA Amendments

  Final FERPA regulatory changes – Effective January 3, 2012 – Legal challenge: EPIC v. U.S. Dept. Education Expanded requirements for written agreements and enforcement mechanisms to help – Ensure program effectiveness – Promote effectiveness research – Increase accountability

Our Favorite FERPA Quote

“You know how sometimes FERPA can tie your brain in a knot trying to think through it all?”

Received in an email to PTAC

FERPA – Access & Consent

   Gives parents (and eligible students) the right to access and seek to amend their children’s education records Protects personally identifiable information (PII) from education records from unauthorized disclosure Requirement for written consent before sharing PII – unless an exception applies

Education Records

 FERPA regulations define education records as those records that are: – Directly related to a student; and – Maintained by an educational agency or institution or by a party acting for the agency or institution.

Exceptions

 Exceptions from the consent requirement for: – “Directory Information” – “Studies” – “Audits and Evaluations” – Health and Safety Emergencies – And other purposes as specified in §99.31

Studies Exception

  “ For or on behalf of” schools, school districts, or postsecondary institutions Studies must be for the purpose of – Developing, validating, or administering predictive tests; or – Administering student aid programs; or – Improving Instruction

Audit/Evaluation

Data can only be shared in order to – Audit or evaluate a Federal- or State supported education program; or – Enforce or comply with Federal legal requirements that relate to those education programs

Working with the New FERPA Regulations: Key Lessons

  Audit/Evaluation: Is the program being evaluated an “education program?” (as opposed to a child welfare program, e.g.) Audit/Evaluation: Are you proposing to use the shared data only for evaluation purposes? (as opposed to using the data for a program)

Remember! We’re from the Government. We’re here to help!

Should You Share Data?

FERPA allows postsecondary institutions to share data. It does not REQUIRE data sharing. You have to decide whether data sharing is appropriate.

Why Share Data?

   Improving the delivery of education services Designing better programs, using available information Coordinating across educational levels (High School → Higher Ed → Workforce) to improve student preparation and achievement

When Should You Share Data?

Okay, so you’ve determined that no law precludes the data sharing. When should you do it?

 When there is a legitimate (and authorized) educational purpose   When non-confidential data are not available/not sufficient When adequate mechanisms are in place to ensure the protection of the data

How Should You Share Data?

     Develop a data governance process – don’t re invent the wheel each time you get a request Share only the information necessary for the project Use written agreements (see “ Guidance on Reasonable Methods and Written Agreements ”) Pay attention to disclosure avoidance when publishing results Be transparent – share results

Hot Topics

     Analytics and “Big Data” “Smart Disclosure” Researcher Access Publishing Data Priorities for the coming year

Analytics and Big Data

   Big Data = shorthand reference to massive amounts of digital information + increase in computing power Allows users to track progress in large systems, and potentially across institutions Available for more than reporting: pattern recognition, learning prediction, business intelligence, resource optimization, etc.

Whoa! Have you forgotten whose data this is?

    Raises novel issues for privacy, legal compliance, and ethics FERPA – Consider the school official exception FERPA – Remember re-identification risk Beyond FERPA -- Consider privacy best practices. Are students aware of what you’re doing with their information?

“Smart Disclosure”

     Also called “My Data” buttons FSA is exploring options Allows users to download their own data, and re upload it onto mobile aps Privacy issue: sometimes it’s not just your data Privacy issue: sometimes teenagers (and adults!) don’t make smart decisions about re-disclosure

Researcher Access

   NCES has been licensing confidential data to researchers for several decades Working to expand this to include ED program data July 2012: “Forum Guide to Supporting Data Access for Researchers”

Publishing Data: It’s all about risk

“The release of any data usually entails at least some element of risk. A decision to eliminate all risk of disclosure would curtail [data] releases drastically, if not completely. Thus, for any proposed release of [data] the acceptability of the level of risk of disclosure must be evaluated.” Federal Committee on Statistical Methodology, “Statistical Working Paper #2”

What’s next?

    New Director in FPCO – Dale King Guidance, guidance and more guidance More training Introducing efficiencies

Best Practices and Guidance Resources

Already issued:  Guidance on Reasonable Methods and Written Agreements  January 2012 Webinar on Data Sharing     Data Governance and Stewardship FAQ: Cloud Computing Case Study 1: High School Feedback Report Identity Identification: Best Practices

Best Practices and Guidance Resources Coming Soon:

 Downloadable video training: “FERPA 101 for Colleges and Universities”   Case Study 5: Disclosure Avoidance and De-identification (tentative title) Breach Response Checklist

We need your input. What else can we do to help improve privacy and FERPA administration at your schools?

Contact Information 35