Main Nav

ED CPO on Privacy, Emerging Technologies, and New Uses of Data

When I first accepted the position as ED’s Chief Privacy Officer the workload revolved heavily around privacy issues in the K-12 context, especially issues relating the Family Educational Rights Privacy Act (FERPA) and its applicability to State Longitudinal Databases. Recently our office is spending an increasing amount of time providing guidance in the higher ed arena. Colleges, universities, and other postsecondary institutions often have research agendas that involve data; they often have medical facilities; and most importantly, colleges and universities often function as change agents, particularly for technological and social change. The combination of new technologies and new uses of data create today’s cutting-edge privacy issues, including “Big Data,” matching with wage data, data sharing in general, the use of analytics, cloud computing, MOOCs, and school use of web engagement tools.

In the course of your work, you will likely be approached to review or approve a data initiative, and it can be difficult to sort out the associated privacy and compliance issues that may arise. I’d like to offer a few thoughts on how you should respond when faced with the perennial “Can we do this?” question.

The first and most obvious place to start is with legal compliance. FERPA, which my office administers, may come into play, along with a host of other federal and state privacy statutes. Your first action should be to evaluate whether the proposed action complies with these statutes and their implementing regulations. While FERPA has a general rule against disclosure of student information from education records, one or more exceptions may come into play, such as the school official exception, or the audit and evaluation exception.

But compliance analysis is only the first step. Many federal and state privacy statutes have been on the books for decades, providing – at best – a spotty framework for analyzing whether a given action is a good idea. I strongly recommend also analyzing proposed data initiatives in terms of Fair Information Practices (FIPS). Consider not just whether an initiative is legal, but whether it is a good idea. Have you given students meaningful notice of what you intend to do with the data you collect about their use of their student ID card? Do you really need to collect extensive information about on-line student practices? Have you appropriately limited access to online databases? Lance Spitzner in his earlier blog post expressed this approach in terms of respect. I agree that we need to be respectful of student information when evaluating data initiatives. You can find varying number of FIPs in various iterations [see, e.g., http://bobgellman.com/rg-docs/rg-FIPShistory.pdf].

Finally, I want to be clear that we are available to help you as you conduct these evaluations. We have issued a substantial amount of guidance on our Privacy Technical Assistance Center (PTAC) website on topics ranging from cloud computing and data governance to disclosure avoidance. And we’re happy to talk to you informally about your data initiative, to help you evaluate how to build in best practices for privacy and security, as well as legal compliance. The easiest way to request assistance is to send an e-mail to PTAC.

Kathleen M. Styles is the Chief Privacy Officer for the United States Department of Education

Comments

I agree that PTAC has developed excellent resources on "Data Security" and our institution (New Mexico State University) has used these resource to enhance our current institutional information security program.

We have used all resources but have especially used the "Data Breach Response Checklist" and their training resources.  I would very highly recommend that other institutions of higher ed should consider visiting the PTAC webpage.

Carlos S. Lobato, IT Compliance Officer

 

 

 

Close
Close


Annual Conference
September 29–October 2
Register Now!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.