When I first accepted the position as ED’s Chief Privacy Officer the workload revolved heavily around privacy issues in the K-12 context, especially issues relating the Family Educational Rights Privacy Act (FERPA) and its applicability to State Longitudinal Databases. Recently our office is spending an increasing amount of time providing guidance in the higher ed arena. Colleges, universities, and other postsecondary institutions often have research agendas that involve data; they often have medical facilities; and most importantly, colleges and universities often function as change agents, particularly for technological and social change. The combination of new technologies and new uses of data create today’s cutting-edge privacy issues, including “Big Data,” matching with wage data, data sharing in general, the use of analytics, cloud computing, MOOCs, and school use of web engagement tools.
In the course of your work, you will likely be approached to review or approve a data initiative, and it can be difficult to sort out the associated privacy and compliance issues that may arise. I’d like to offer a few thoughts on how you should respond when faced with the perennial “Can we do this?” question.
The first and most obvious place to start is with legal compliance. FERPA, which my office administers, may come into play, along with a host of other federal and state privacy statutes. Your first action should be to evaluate whether the proposed action complies with these statutes and their implementing regulations. While FERPA has a general rule against disclosure of student information from education records, one or more exceptions may come into play, such as the school official exception, or the audit and evaluation exception.
But compliance analysis is only the first step. Many federal and state privacy statutes have been on the books for decades, providing – at best – a spotty framework for analyzing whether a given action is a good idea. I strongly recommend also analyzing proposed data initiatives in terms of Fair Information Practices (FIPS). Consider not just whether an initiative is legal, but whether it is a good idea. Have you given students meaningful notice of what you intend to do with the data you collect about their use of their student ID card? Do you really need to collect extensive information about on-line student practices? Have you appropriately limited access to online databases? Lance Spitzner in his earlier blog post expressed this approach in terms of respect. I agree that we need to be respectful of student information when evaluating data initiatives. You can find varying number of FIPs in various iterations [see, e.g., http://bobgellman.com/rg-docs/rg-FIPShistory.pdf].
Finally, I want to be clear that we are available to help you as you conduct these evaluations. We have issued a substantial amount of guidance on our Privacy Technical Assistance Center (PTAC) website on topics ranging from cloud computing and data governance to disclosure avoidance. And we’re happy to talk to you informally about your data initiative, to help you evaluate how to build in best practices for privacy and security, as well as legal compliance. The easiest way to request assistance is to send an e-mail to PTAC.
Kathleen M. Styles is the Chief Privacy Officer for the United States Department of Education