Roadmap. What is Big Data? Big Data for Educational Institutions 5/30/2014. A Framework for Addressing Privacy Compliance and Legal Considerations

Transcription

1 Big Data for Educational Institutions A Framework for Addressing Privacy Compliance and Legal Considerations Roadmap Introduction What is Big Data? How are educational institutions using Big Data? What privacy, security and compliance risks exist? Framework for addressing risks What is Big Data? Big Data is a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications. The challenges include capture, curation, storage, search, sharing, analysis, and visualization. - en.wikipedia.org/wiki/big_data 1

2 What is Big Data? Characteristic Description Volume The sheer amount of data generated or data intensity that must be ingested, analyzed, and managed to make decisions based on complete data analysis Velocity How fast data is being produced and changed and the speed with which data must be received, understood, and processed Variety The rise of information coming from new sources both inside and outside the walls of the enterprise or organization creates integration, management, governance, and architectural pressures on IT What does Big Data mean to organizations? Analyzing Large Data Sets. The ability of the organization to access unimaginable amounts of structured and unstructured data (much more of it likely in the unstructured category) both internally and through external resources (e.g. data brokers, affiliates or partners). Purpose. Understanding the relationships within large data sets and correlations between data elements, in order to gain valuable insights (often precise and non-obvious) to improve business processes and goals. What does Big Data mean to organizations? Specialized Tools and Personnel. The need to leverage specialized tools and specialized employees (e.g. data scientists) to enable the capture, curation, storage, search, sharing and analysis of the data in a way that is valuable to the organization. Limitations and Legal Risk. Analyzing and addressing the potential limitations and legal risks and issues associated the collection, analysis and use of Big Data (and the insights derived from it). 2

3 Big Data Ecosystem Infrastructure Analytics Big Data Players Applications Integrators / consultants Data scientists Big Data In the Education Context What Data? Financial information Healthcare information Student records (grades, attendance, classes) Online activity Mobile activity / location information Social relationships Campus activity (lights on, visits to library) Data brokers 3

4 Big Data In the Education Context How Used? Admission process Student wellness/performance programs Resource allocation and budgeting Marketing? Privacy Security Compliance Key Legal Concerns Privacy and Security Compliance Optics / student relationship Compliance with internal policies Compliance with laws HIPAA GLB State law 4

5 Privacy and Security Compliance Can the institution collect? Can the institution disclose? Limitations on use? How must student data be protected? Privacy and Security Compliance Internal privacy policies concerning collection, use and disclosure of student data Multiple / inconsistent privacy policies which policy governs a particular data element? Failure to follow own policies may lead to regulatory / litigation risk or liability Policy changes may be needed Key Legal Issue Under, can personally identifiable information be disclosed to third parties to conduct the Big Data analytics? 5

6 Under, personally identifiable Information includes, but is not limited to: (a) The student's name; (b) The name of the student's parent or other family members; (c) The address of the student or student's family; (d) A personal identifier, such as the student's social security number, student number, or biometric record; (e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name; (f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or (g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. Obtain consent (34 CFR 99.30) Key exceptions: School official exception (34 CFR 99.30(a)(1)) Studies exception (34 CFR 99.30(a)(6)) Directory information (34 CFR 99.30(a)(11)) De-identified records and information (34 CFR 99.31(b)(1)) School Officials Exception Performs an institutional service the school would otherwise use employees for Under the direct control of the agency or institution with respect to the use and maintenance of education records No redisclosure without consent (99.33(a)(1)) An educational agency or institution must limit access to only those education records in which school officials have legitimate educational interests (via technical, physical or administrative controls). 6

7 Study Exception Study purposes: Develop, validate, or administer predictive tests; Administer student aid programs; or Improve instruction. Study is conducted in a manner that does not permit personal identification of parents and students by individuals other than representatives of the organization that have legitimate interests in the information PII destroyed when no longer needed Study Exception -- Written agreement: Specify purpose, scope, and duration of the study or studies and the information to be disclosed Limits use of PII to meet purpose of study Conduct study in a manner that does not permit personal identification of parents and students, as defined in this part, by anyone other than representatives of the organization with legitimate interests PII is destroyed when no longer needed Directory Information Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Examples: the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or parttime); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended. SSN or Student ID (with exceptions) not included Notice and opt-out opportunity must be provided (34 CFR 99.37) 7

8 De-identification In general Rendering identifiable data unable to be tied back to a particular identifiable individual Risk of re-identification Too many data elements Unique combination of data elements Combination with other data elements Expertise may be needed De-identification is a process not a state of being De-identification FTC General Standard Reasonable measures to ensure that the data is de-identified. A reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device. Factors Available methods and technologies nature of the data at issue the purposes for which it will be used The standard is not an absolute one; rather, companies The standard is not an absolute one; rather, companies must take reasonable steps to ensure that data is de-identified. "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers" De-identification Definition of Personally Identifiable Information Research study exception Stand-alone de-identification exception 8

9 De-identification PII Defintion Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. De-identification Exception De-identified records and information.an educational agency or institution, or a party that has received education records or information from education records under this part, may release the records or information without the consent required by after the removal of all personally identifiable information provided that the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information. Research Study Exception Conduct study in a manner that does not permit personal identification of parents and students, as defined in this part, by anyone other than representatives of the organization with legitimate interests. 9

10 Making it Happen In house capabilities? De-identification at least? Use of third parties Do they need identifiable data? Assistance with de-identification Reduce risk by not relinquishing control Data Element and Flow Analysis. Understand the source and nature of the data elements that will be disclosed/analyzed Data elements and flow reveal compliance concerns Consider limiting data elements to reduce risk Statutory Basis for Disclosure & Use basis for disclosure of student personally identifiable information Consent School official Research HIPAA? GLB? 10

11 Internal Policy Compliance Which policy governs a particular data element? Internal privacy policies / statements IT acceptable use or similar policies External facing privacy policies: Intranet, Websites, Applications (online and mobile) Policy modifications / presentation De-Identification Strategies Methodology for de-identification Analyze risk of re-identification Internal versus third-party de-identification Bifurcating de-identification and data analysis Student Relations and Legal Risk Assume that Big Data activities will be revealed Communications strategy (pre- and post-) Clear, consistent and unified across channels Articulate benefits Articulate safeguards 11

12 Third Party Big Data Analytics Vendors Identify appropriate vendors Vet security and privacy practices before choosing a single vendor Draft and negotiate agreements basis for disclosure Limitations on use of student information Security and incident response requirements Audit / assessment rights Indemnification and liability Third Party Big Data Analytics Vendors Identify appropriate vendors Vet security and privacy practices before choosing a single vendor Draft and negotiate agreements basis for disclosure Limitations on use of student information Security and incident response requirements Audit / assessment rights Indemnification and liability Contract Terms basis for disclosure Basis for disclosure relative to other statutes (HIPAA, GLB, etc.) Limitations on use of student information Security and incident response requirements Audit / assessment rights Indemnification and liability 12

13 Q&A David Navetta, Esq., CIPP/US Partner, InfoLawGroup LLP