Electronic Data Interchange: We Are Stampeding Copyright 1996 CAUSE. From _CAUSE/EFFECT_ magazine, Volume 19, Number 1, Spring 1996, pp. 40-42. Permission to copy or disseminate all or part of this material is granted provided that the copies are not made or distributed for commercial advantage, the CAUSE copyright and its date appear, and notice is given that copying is by permission of CAUSE, the association for managing and using information technology in higher education. To disseminate otherwise, or to republish, requires written permission. For further information, contact Julia Rudy at CAUSE, 4840 Pearl East Circle, Suite 302E, Boulder, CO 80301 USA; 303-939-0308; e-mail: jrudy@CAUSE.colorado.edu ELECTRONIC DATA INTERCHANGE: WE ARE STAMPEDING by Virginia Rezmierski Colleges and universities are moving rapidly towards electronic data interchange. Nay, we are stampeding towards EDI. Do we know why we have selected this trail? What is our purpose, our direction? Are we on course, or are we following distractions, side paths, and short cuts? And are we willing, able, or even eager to find ways to shed our responsibilities in some areas in order to stay on this trail? I have used the term stampeding because it denotes rapid movement in a direction determined not by individuals, but by a group, at a pace set by a few, with togetherness perhaps achieved under duress. With these characteristics in mind, it behooves us to examine three areas of concern as we move rapidly toward EDI: how we have determined this purpose and direction, whether we will be able to focus and stay the course, and how to remember our responsibilities along the way. Determining Purpose and Direction Why have we chosen this trail? Often, when we discuss EDI in the context of student data, we talk about how it will speed the handling of student records for admission to institutions, for transfer of students from one institution to another, for the processing of student aid applications, and provide remote access to student transcripts. Implicit in our emphasis on speed and electronic processes is the belief that with them will come a reduction in costs, a reduction in human effort, and better satisfaction for students. This begs the question, though, of who identified these needs. Did we as administrators say, "we need to handle student records more quickly, we need to make admissions faster," "we need to transfer students from one institution to another with more speed," or "we need to get student aid applications handled more rapidly"? Did the students tell us that they are tired of waiting for their applications to be processed, and for their student aid approvals to reach them? If this demand came directly from our customers (the students of our institutions) or from their representatives (the administrators who provide services to these customers), our rush to EDI may be justified. There are, however, plenty of occasions when a new technology has appeared on the scene and-instead of the actual needs of our communities determining our course-we have allowed the possibilities of the technology, or promises of future benefits, to divert us. Many a trail has been taken simply because the technology made it possible, not because we had any evidence of need or evidence of the actual benefits we would realize. Too, it is more exciting to focus on the bright promises of the destination than on the potential pitfalls along the way. Electronic data interchange increases the potential for tying databases together-database matching-with resulting potential for misuse of information. If everything is electronically available, and sorting for any number of variables can be done with ease, then information tends to become a commodity, simply zeros and ones out of which fascinating conclusions can be drawn, without sensitivity to the privacy of the individuals represented. Once databases are electronically available, this ability to match them becomes one of the most serious pitfalls on the EDI trail. Most dangerous of all are those unthinking, but perhaps well- intentioned, members of our communities who begin too many sentences with the phrases "what if we..." or "just think, we could...." At one institution, a new geographical information system details every university building, room, laboratory, and the grounds surrounding each, in minute detail. The system manager for that system is striving to match the GIS database with the student and personnel databases, among others. In a surge of enthusiasm he recently told a news reporter, "Just think, if we could match those databases, then you could have access to all of this. If something happened in one of the countries of the world and international reporters wanted information about our students from that country, you yourself, from your desk, could tell them where they lived, how many such students we had, their names, and how to locate them." The trail looks new and enticing, the possibilities on this trail hold promises (about which we are hearing a great deal) and dangers (about which we hear little), and lots of people are stampeding along it at an increasingly fast pace. However, some of the tough questions that we need to continually ask ourselves as we embark on this trail of EDI are: Who is determining this purpose and direction? What evidence do we have that the needs of our community will be met by marching on this trail? Will this enhance the mission of our institution? What evidence do we have that the trail is ready to be traveled? What evidence do we have that our community is ready to be taken on this trail? Is now the time? Focusing and Staying the Course If we are clear about why we have selected this trail-if we know that we have selected it through reasoned planning and are not stampeding simply because others are pushing us along-then we should be very clear about what destination we will reach and how we will evaluate our success, or failure, at the end of the trail. Is our goal a reduction in the cost of handling applications? If so, how will we measure the outcome of implementing electronic data interchange? What costs are being included in the baseline, and what costs will be included in the comparison of outcomes from this new way of doing business? If we seek to reduce the number of people that it takes to process applications, financial aid paperwork, and other such processes, then what are the numbers that are being included as the baseline for our current operations, and what will be collected to show the outcomes of EDI for these processes? If speed is the central issue, and the impetus has come from student desires, how will we measure their satisfaction with the new process? Particularly for public institutions, when a new trail has resulted in significant output or redirection of public funds, we must be prepared to show outcomes. If we start along this trail unclear about our purpose, unclear about who is setting the pace, unclear, perhaps, about the trail itself, then we may become distracted by the side trails, the new technological developments that can solve yet one more problem that may not even have been identified. A trail that doesn't quite get you to where you need to go-but gets you somewhere else-might be a serendipitous achievement, but it is more likely to be a disastrous detour. There is growing concern about the handling of personal data within the new electronic environment, about its secondary uses, and its potential misuses.[1] As we develop electronic data interchange, we will likely not restrict this capability to those data which are public, but will rapidly use the technology for sensitive, personally identifiable data as well. Medical records, for example, generally fall into the latter category in the opinions of most individuals, and the concern within the populace regarding electronic handling of medical data has grown significantly in the past few years.[2] As universities and colleges participate in this stampede to EDI, it is critical that they be determined to hold the line until necessary safeguards against inappropriate use of data have been put in place. They cannot, must not, be drawn to secondary uses of the data they are handling. Once data are easily accessible in electronic databases, such secondary uses become compellingly attractive. Many campus administrators already view the stores of student data-and the data that will be tied with them from testing services, funding sources, and others-as having value for developing new marketing strategies. Information gathered for one purpose can easily, and, in this author's opinion, wrongfully, be redirected for secondary purposes. This is another serious pitfall, but a likely consequence, of the trail we are following. One university administrator recently explained a scheme for matching accepted students with faculty members expert in the student's stated areas of interest. This process would match the student's statement of interests from national testing data with university admissions data. Having a personalized contact from a faculty member, reinforcing the student's interest in specific subject matter, the student would find the school more friendly and inviting, and thus be more likely to accept admission. But would that really be true? What was the student's expectation at the time that he or she expressed interest in a particular subject to the testing agency? Would this contact from the school feel like friendly support, or an intrusion? The central question is, "What was the purpose for which the information was originally given, and is the individual empowered or disempowered by such secondary uses of the information? Does he or she feel encouraged and supported, or pressured, targeted, and harassed?" Even more damaging than secondary uses which seem to mix motivations are those, attractive in this new environment, where profit is the sole motive. As budgets become increasingly tight, will we consider selling entire data sets-the personal data of individuals-for the income that many companies are already too willing to offer? As we follow the EDI trail, we must be aware of the pitfalls of secondary uses of data. The way we handle personal information can either increase or destroy trust between our institutions and the members of our communities. Fulfilling our responsibilities We university and college administrators, participating in this stampede, carry with us backpacks filled with the many responsibilities we have assumed as part of our institutional roles. We are responsible for implementing federal and state laws [3] regarding the privacy of data, regarding notice to individuals in the use of data, regarding third-party access to sensitive data, and many other features of data management. We are also responsible for implementing the policies and standards of our own institution and the expectations of our communities. Since EDI of student records includes data that are highly sensitive and personal in nature, as well as those which are public and not sensitive in nature, the trail selected by universities and colleges is of great importance to individuals within their communities, whether student, faculty, or staff. Their rights and privileges, their privacy, their reputations, and careers-the representations of them as individuals-are at stake. A phrase coined by U.S. Supreme Court Justice Louis Brandeis, "the right to be let alone," is often used when reference is made to the Constitutional provision for privacy. But a more complete look at Brandeis' words better captures the Constitutional basis and fullness of this right for U.S. citizens: The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness. They recognized the significance of man's spiritual nature, of his feelings and of his intellect. They knew that only a part of the pain, pleasure and satisfactions of life are to be found in material things. They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the Government, the right to be let alone-the most comprehensive of rights and the right most valued by civilized men.[4] Administrators trying to fulfill their responsibilities in the stampede to EDI often find their responsibilities too heavy, and their backpacks too bulky, for the trail that is being forged. As universities and colleges attempt to meet the needs of their communities, it is not uncommon to find technology designed for one purpose being harnessed for another with a less than perfect fit. There are often times when someone stating a particular value or need of a community is told, "this technology cannot do that." Electronic mail privacy is an example of such a dissonance between the values of users-their desire for private communication-and the current capabilities of the technology. As we move to EDI, administrators will be faced with two distinct paths. They can try to interpret the risks in not fulfilling all of their legal obligations in the handling of student information, interpreting the laws as narrowly as possible in order to smooth over the problems with technical implementation. Or they can refuse to continue down the trail until the technology answers the demands of their responsibilities at a level which fulfills the intent, not just the letter of the standards they are responsible for implementing. If the levels of data protection, or the processes for verifying the integrity of data, required by the law (and by the ethical standards of the community), cannot be provided by the currently available technology, administrators will have to make choices. Some organizations have tried to protect themselves by asking individuals to sign blanket consent forms. Others have designed their processes to maximize their chances for obtaining consent by selecting times when the subject feels particularly vulnerable, and will be most willing to give permissions. Neither of these approaches reflects the highest ethical ground, nor the intent of laws and standards regarding privacy. At a hospital recently, in the waiting room with about a dozen other patients waiting for preoperative procedures, I was given a printed form and told to "just sign the bottom and hospital personnel will take it from there." The form had lines for my name, address, and other demographic information. It indicated that permission was being given for Dr. (left blank) to release the following information (left blank) to the following recipients (left blank). The waiting room was filled with anxious people; each one signed the form without questioning the procedure ... with one exception. Personal information is increasingly becoming a commodity, a thing which benefits not only the person to whom the information refers, but also those who seek to use that information. Indeed, in this information age, personal information is becoming a commercial commodity from which a second entity can make a profit. Consent, therefore, must be given knowledgeably and with full understanding, not under duress in an unbalanced power relationship, or in ignorance of its implications. The importance of this act of giving consent must be endorsed and supported by universities and colleges as we travel the EDI trail. Some administrators have already indicated that following this trail may take precedence over fulfilling the letter, or even the intent, of their responsibilities at this time. This would indeed be a loss, for higher education has the opportunity to lead the way, to set the pace, and determine the direction in the electronic handling of student, faculty, and staff personal data. We need to ask what is driving this stampede at this time, and we need to determine how to influence the movement both in destination and route. Conclusion University and college administrators will need to confirm their own purpose and direction in the stampede to electronic data interchange. They will need to stay the course, avoiding the enticements of secondary and inappropriate uses of data. They will surely seek to fulfill the responsibilities of their roles according to law, standards, and policies and do so in the face of technology that may only partially fit their needs. Insisting that they keep to the highest ethical ground, empowering individuals over institutions or corporations, and maintaining the trust of their communities, will be the surest route to success. ============================================================= FOOTNOTES: [1] Equifax Report on Consumers in the Information Age, "The Privacy-Intensive Industries-Telecommunications," (New York: Louis Harris and Associates, 1990), p. 78. [2] Harris-Equifax, "Health Information Privacy Survey, 1993," conducted for Equifax by Louis Harris and Associates in association with Dr. Alan Westin, Columbia University (New York: Louis Harris and Associates, 1993), p. 10. [3] Computer Matching and Privacy Prevention, 5 USC 552 A, Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g, 34 CFR Part 99; Freedom of Information Act (FOIA), 5 USC 552 (a)(2), 45 CFR Part 5b, and others. [4] Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting). ************************************************************* Virginia E. Rezmierski (ver@umich.edu), an educational psychologist by training, is Assistant for Policy Studies to the Vice Provost for Information Technology at the University of Michigan, where she directs the Office of Policy Development and Education in the Information Technology Division. She holds an adjunct associate professorship in the Schools of Education and Public Policy. Dr. Rezmierski chairs numerous committees that analyze ethical and legal issues and write policy for the University as a whole in the area of information technology related issues.