Killing the Electronic Messenger

Copyright 1996 CAUSE. From _CAUSE/EFFECT_ magazine, Volume 19, Number 1, Spring 1996, pp. 43, 53. Permission to copy or disseminate all or part of this material is granted provided that the copies are not made or distributed for commercial advantage, the CAUSE copyright and its date appear, and notice is given that copying is by permission of CAUSE, the association for managing and using information technology in higher education. To disseminate otherwise, or to republish, requires written permission. For further information, contact Julia Rudy at CAUSE, 4840 Pearl East Circle, Suite 302E, Boulder, CO 80301 USA; 303-939-0308; e-mail: jrudy@CAUSE.colorado.edu

KILLING THE ELECTRONIC MESSENGER

by Robert Morley

With the expanding growth and implementation of new and emerging technology in general, and electronic data interchange (EDI) in particular, misconceptions and fears about adherence to existing privacy and confidentiality requirements have arisen. While privacy and confidentiality require constant vigilance on our part, EDI presents very little in the way of new challenges. Existing legal protection currently speaks to this. The fact that we're using a new technology, in this case EDI, is not a threat unto itself. It's another tool of information management. The obligations to privacy and confidentiality remain, regardless of the technology.

EDI has been in use in the private sector since the early 1970s. In 1988 the American Association of Collegiate Registrars and Admissions Officers (AACRAO) began work on transaction set 130, the student record, later adopted as an official standard by the American National Standards Institute (ANSI). During this time postsecondary education has adopted computer-based record systems, microfilm, touchtone/voice-response technology, FAX, e-mail, World Wide Web, kiosks, and imaging systems, among others, as well as EDI.

Why EDI in particular is being singled out as a threat to privacy and confidentiality of student information is unclear to me. EDI is currently used by other industries to transmit your financial history, your medical history, your insurance history, your census information, your tax information, and a significant portion of Department of Defense purchase requests, among others. Educational institutions, with over twenty years of experience with legal obligations and constraints in the collection, maintenance, and release of protected information, have begun to transmit their information utilizing EDI technology. Is there suddenly a problem?

Much of the fear and misunderstanding is based, in part I believe, on the misconception that we will suddenly ignore our current policies and procedures and begin the release of protected information simply because new and emerging technology provides another technical capability to do so. Many if not most of the fears about EDI and privacy/confidentiality often begin with "what if" statements. What if the data/information are released to unauthorized third parties, or what if secondary usage is not controlled?

How is the EDI transmission of student data, aggregate or personally identifiable, less secure or more threatening than current methods, e.g., tape exchange? Currently we send hardcopy records into that great unknown called the U.S. Postal System. Does the record actually arrive, does it arrive in time, is it actually handled by the appropriate person? (Never mind what address or addressee you've indicated, mail handling procedures are concerned with speed and sorting, not security and confidentiality.)

The irony is that new technology, especially EDI, can provide protection of information far superior to that which is currently in use. Currently we are perfectly willing (and within legal obligations) to accept anonymous mail requests signed with signatures we don't recognize from people we don't know.
We then expeditiously send protected information to people we don't know at an address we're not familiar with for purposes unknown to us, and not knowing if it ever arrived in the hands of the correct person. In the same scenario using EDI, possibly with the use of public/private keys, the request for the student record might arrive in encrypted format, be authenticated, the student record encrypted, sent to a previously agreed upon address, and its receipt acknowledged.

However, increased levels of protection of information are analogous to protection of your home. It's a balance, an attempt to find an appropriate comfort level. Using bars on your home windows (like using high level/complex encryption algorithms on data transmission) provides security, but limits the number and types of communication exchanges. Institutions will make determinations as to their comfort level with new technology just as they currently do with phone, e-mail, FAX, etc.

The greatest threats to privacy/confidentiality are similar to the greatest threats to security of any correspondence or information. That is, the greatest threat is not in the transmission or interception of the information/correspondence, but rather with the particular level of integrity and commitment of staff in the originating and receiving offices.

Unfortunately, some people are demanding that new and emerging technology interpret and establish new and more expansive policies and procedures surrounding privacy and confidentiality. We seem to be ready to hold technology hostage while we try to come to consensus on matters of privacy and confidentiality. The application of technology within the privacy and confidentiality context is somewhat analogous to writing instructions for the computer: It will do your bidding; you only need be clear as to what exactly it is that you think you're asking for.

Educational institutions, quite often in the locus of the Registrar's Office, have routinely made decisions and evaluations regarding the collection, maintenance, and release of information within the context of privacy and confidentiality. New and emerging technology, particularly EDI, does not change the way we've been "doing business" for the past twenty years. As long as the stewards of protected information continue to act in their heretofore responsible manner, new and emerging technology should be considered an opportunity and not a threat.

*************************************************************

Robert Morley (morley@mizar.usc.edu) is Associate Registrar at the University of Southern California. He is the current chair of the SPEEDE Committee of the American Association of Collegiate Registrars and Admissions Officers. Morley is also a member of the CAUSE Task Force on Privacy of Student Information as well as chair of the newly formed AACRAO Task Force on Technology.