Beyond IRBs: Designing Ethical Review Processes for Big Data Research
In the age of Big Data, innovative uses of information are continuously emerging in a wide variety of contexts. Increasingly, researchers at companies, not-for-profit organizations and academic institutions use individuals’ personal data as raw material for analysis and research. For research on data subject to the Common Rule, institutional review boards (IRBs) provide an essential ethical check on experimentation. Still, even academic researchers lack standards around the collection and use of online data sources, and data held by companies or in non-federally funded organizations is not subject to such procedures. Research standards for data can vary widely as a result. Companies and non-profits have become subject to public criticism and may elect to keep research results confidential to avoid public scrutiny or potential legal liability.
To prevent unethical data research or experimentation, experts have proposed a range of solutions, including the creation of “consumer subject review boards,”[1] formal privacy review boards,[2] private IRBs,[3] and other ethical processes implemented by individual companies.[4] Organizations and researchers are increasingly encouraged to pursue internal or external review mechanisms to vet, approve and monitor data experimentation and research. However, many questions remain concerning the desirable structure of such review bodies as well as the content of ethical frameworks governing data use. In addition, considerable debate lingers around the proper role of consent in data research and analysis, particularly in an online context; and it is unclear how to apply basic principles of fairness to selective populations that are subject to research.
To address these challenges, the Future of Privacy Forum (FPF) is hosting an academic workshop supported by the National Science Foundation, which will discuss ethical, legal, and technical guidance for organizations conducting research on personal information. Authors are invited to submit papers for presentation at a full-day program to take place on December 10, 2015. Successful submissions may address the following issues:
What are the key ethical questions surrounding data-driven research and consumer testing? Should analysis of online data be treated differently than subject testing generally? Which issues warrant additional review?
What lessons can be learned from existing institutional review boards (IRBs), including both academic panels and standalone private entities? Which features of existing IRB structures are applicable to corporate and non-profit big data research?
Which existing government or industry practices offer insights into how researchers can approach ethical questions for Big Data?
How should organizations structure an ethical review process? Which substantive requirements and principles should govern it? How should organizations ensure independent review? Could review mechanisms be wholly internal or must external stakeholders or committees be involved?
What is the proper scope of review? While IRBs currently focus on human-subject testing, Big Data raises a different set of concerns focusing on subsequent analysis and novel uses of data. Which factors are essential for consideration in an ethical process?
What is the proper role of consent in data-driven research environment?
Papers for presentation will be selected by an academic advisory board and published in the online edition of the Washington and Lee Law Review. Four papers will be selected to serve as “firestarters” for the December workshop, awarding each author with a $1000 stipend.
Submissions must be 2,500 to 3,500 words, with minimal footnotes and in a readable style accessible to a wide audience.
Submissions must be made no later than October 25, 2015, at 11:59 PM ET, to [email protected]. Publication decisions and workshop invitations will be sent in November.
[1] Ryan Calo, Consumer Subject Review Boards: A Thought Experiment, 66 Stan. L. Rev. Online 97 (2013).
[2] White House Consumer Privacy Bill of Rights Discussion Draft, Section 103(c) (2015).
[3] Jules Polonetsky, Omer Tene, & Joseph Jerome, Beyond the Common Rule: Ethical Structures for Data Research in Non-Academic Settings, 13 Colo. Tech. L. J. 333 (2015).
[4] Mike Schroepfer, CTO, Research at Facebook (Oct. 2, 2014), http://newsroom.fb.com/news/2014/10/research-at-facebook/.
2015 National Student Privacy Symposium
FUTURE OF PRIVACY FORUM, DATA QUALITY CAMPAIGN TO HOST 2015 NATIONAL STUDENT PRIVACY SYMPOSIUM
IN WASHINGTON, D.C. ON SEPTEMBER 21, 2015
Leading Education & Privacy Experts to Discuss, Explore the Benefits and Risks of Student Data and Technology in Schools
WASHINGTON, D.C. – August 18, 2105 – As students, parents, teachers and school administrators gear up for the start of another academic year, the Future of Privacy Forum and the Data Quality Campaign today announced plans to host a forum to explore the impact of student data in K-12 education. National leaders will convene to discuss a wide range of data and privacy issues, including the challenges and opportunities of using data for education research, civil rights, personalized learning, parental engagement and more.
The event will also feature the unveiling of a new, major national survey of parent attitudes about student data and privacy issues.
The 2015 National Student Privacy Symposium will take place from 8 a.m. – 6:30 p.m. on Monday, September 21, 2015 at The Mayflower Renaissance Hotel in Washington, D.C. The event is free.
The symposium will engage research experts, education leaders, privacy and security professionals, advocacy groups, parents and government leaders in an open and honest debate about how to best serve our youth.
In addition to core student data privacy issues – education, privacy, security, and civil rights leaders will also discuss the benefits and risks of data use for underserved student populations – and its impact on inequality and discrimination.
The Keynote speaker is Kati Haycock, President of the Education Trust, a leading national non-profit education advocacy organization. Haycock is a civil rights champion and one of the nation’s top advocates for high academic achievement for all students, especially low-income students and students of color.
Support and funding for the event has been provided by: the Bill & Melinda Gates Foundation; the Digital Trust Foundation; the National Association of State School Boards of Education; the Consortium for School Networking (CoSN); the Houston Independent School District; iKeepSafe; and AASA: The School Superintendents Association.
Space is limited, so attendees are asked to register by September 16.
For more information on the event, contact Kobie Pruitt, Education Policy Manager, Future of Privacy Forum, [email protected] or Jon-Michael Basile, Data Quality Campaign, [email protected].
About FPF
The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups. For more information, visit fpf.org
About DQC
The Data Quality Campaign is a national, nonprofit organization leading the effort to bring every part of the education community together to empower educators, parents, and policymakers with quality information to make decisions that ensure students achieve their best. For more information, go to www.dataqualitycampaign.org and follow us on Twitter @EdDataCampaign.
Beyond the Common Rule: IRBs for Big Data and Beyond?
In the wake of last year’s news about the Facebook “emotional contagion” study and subsequent public debate about the role of A/B Testing and ethical concerns around the use of Big Data, FPF Senior Fellow Omer Tene participated in a December symposum on corporate consumer research hosted by Silicon Flatirons. This past month, the Colorado Technology Law Journal published a series of papers that emerged out of the symposium, including “Beyond the Common Rule: Ethical Structures for Data Research in Non-Academic Settings.”
“Beyond the Common Rule,” by Jules Polonetsky, Omer Tene, and Joseph Jerome, continues the Future of Privacy Forum’s effort to build on the notion of consumer subject review boards first advocated by Ryan Calo at FPF’s 2013 Big Data symposium. It explores how researchers, increasingly in corporate settings, are analyzing data and testing theories using often sensitive personal information. Many of these new uses of PII are simply natural extensions of current practices, and are either within the expectations of individuals or the bounds of the FIPPs. Yet many of these projects could involve surprising applications or uses of data, exceeding user expectations, and offering notice and obtaining consent could may not be feasible.
This article expands on ideas and suggestions put forward around the recent discussion draft of the White House Consumer Privacy Bill of Rights, which espouses “Privacy Review Boards” as a safety value for noncontextual data uses. It explores how existing institutional review boards within the academy and for human testing research could offer lessons for guiding principles, providing accountability and enhancing consumer trust, and offers suggestions for how companies — and researchers — can pursue both knowledge and data innovation responsibly and ethically.
The Future of Privacy Forum intends to continue the conversation about Big Data review boards. Joseph Jerome will be leading a panel discussion on the topic at the IAPP’s fall Privacy Academy, and FPF will be hosting an invite only workshop this winter with leading researchers, ethicists, and corporate policymakers to address how to build an ethical framework for Big Data research.
FPF has released its newest paper, Student Data and De-Identification: Understanding De-Identification of Education Records and Related Requirements of FERPA. Prepared in partnership with Reg Leichty of Foresight Law + Policy, this paper provides an overview of the different tools used to de-identify data to various degrees, based on the type of information involved, and the determined risk of unintended disclosure of individual identity. Proper data de-identification requires technical knowledge and expertise as well as knowledge of, and adherence to, industry best practice.
“Data de-identification represents one privacy protection strategy that should be in every student data holder’s playbook. Integrated with other robust privacy and security protections, appropriate de-identification – choosing the best de-identification technique based on a given data disclosure purpose and risk level – provides a pathway for protecting student privacy without compromising data’s value. This paper provides a high level introduction to: (1) education records de-identification techniques; and (2) explores the Family Educational Rights and Privacy Act’s (FERPA) application to de-identified education records. The paper also explores how advances in mathematical and statistical techniques, computational power, and Internet connectivity may be making de-identification of student data more challenging and thus raising potential questions about FERPA’s long-standing permissive structure for sharing non-personally identifiable information.”
De-Identification and other issues relating to student privacy will be discussed at our upcoming Student Privacy Symposium on Sept 21. Learn more.
Security Quick Tips for Vendors
As part of our on-going support to vendors, especially start-ups and small business providers in the ed tech market, we have recently published our “Quick Security Tips for Vendors.” This tool, a companion to our “Quick Privacy Tips for Vendors,” is designed to provide a simple baseline of security principles and practices as an ed tech business grows its products and services. Of course, this list of tips does not constitute a complete security policy, but if followed, it will ensure that vendors have taken the best, first steps toward responsible protection of student data, as these tips flag many of the common key concerns. A company that implements student data privacy and security policies and procedures in compliance with these 2 checklists will have a strong foundation moving forward.
Student Privacy Symposium
Student Data Privacy Symposium
with the support of the Bill & Melinda Gates Foundation
Date: September 21, 2015
Location: The Mayflower Renaissance Hotel, Washington, DC
Description: The 2015 Student Data Privacy Symposium will present a thoughtful consideration by leading education and privacy experts on how student data should be collected and used. A series of panels will review the overarching value of technology and data use by educational institutions as demonstrated by current research, as well as the related concerns and risks of such use. Education, privacy, security, and civil rights leaders will discuss the benefits and risks of data use for underserved populations and consider possible strategies for the future. The 2015 Symposium is designed to engage education leaders, privacy and security professionals, advocacy groups, media, foundations, parent leaders, and companies to connect and collaborate for open and honest debate about how to best serve our youth.
(Panelists will be identified as they are confirmed)
8:00 am Registration Opens (Coffee Service)
9:00 am Opening Remarks
Jules Polonetsky, Executive Director, Future of Privacy Forum
Paige Kowalski, Vice President for Policy and Advocacy, Data Quality Campaign
9:10 am Welcome Keynote
9:45-10:45 am Panel 1: Student Data and Research
Leading academic researchers have studied and analyzed student data for many years. This panel gathers leading researchers to describe the results of their studies, with particular focus on studies that examine the use of technology, improving teaching and learning outcomes and understanding school performance.
Macke Raymond, Director, CREDO, Stanford University
10:45-11:00 am Break
11:00-12:00 pm Panel 2: The Potential Risks of Student Data Collection and Use
Advocates and experts examine the possible dangers and pitfalls in collecting and using student data, and discuss way to address their concerns relating to uses of technology.
Dakarai Aarons, Director, Strategic Communications, Data Quality Campaign (Moderator)
Monica Bulger, Researcher, Data and Society Research Institute
Evan Selinger, Professor of Philosophy, Rochester Institute of Technology and Senior Fellow, Future of Privacy Forum
Elana Zeide, Microsoft Research Fellow, Information Law Institute, NYU
12:15-1:30 pm Lunch
Parents’ Views on Technology and Data Use in Education: Survey Results and Discussion
1:30-1:45 Break
1:45-2:45 pm Panel 3: What Is the Future of Technology in the Classroom?
Stakeholders including teachers, school technology specialists, and administrators demonstrate the impact of personalized learning, digital backpacks, student profiling, and other tools and opportunities offered by increased technology. Panelists will also discuss the controls required for parents and students to effectively manage their data.
Chip Slaven, Counsel to the President and Senior Advocacy Advisor, Alliance for Excellent Education, Center for Digital Learning (Moderator)
Kerry Gallagher, Technology Integration Specialist, St. John’s Prep, Danvers, MA
3:00-4:00 pm Panel 4: The Role of Technology and Data Use for Student Rights
Speakers explore the appropriate use of opt-in and opt-out programs; evaluate data “ownership” by schools, students, and parents, and the role of choice in data sharing and analysis; consider the ways data can identify inequalities, or when it may provide the potential for increased discrimination
Tomeka Hart, Vice President of Programs, Southern Education Foundation
Rafranz Davis, Executive Director of Professional and Digital Learning, Lufkin ISD
4:00-4:15 pm Break
4:15-5:15 pm Panel 5: The Path Ahead: Areas for Discussion and Solutions
With audience participation, this closing panel explores the potential impact of proposed responses: legislative action; changes to contract requirements; increased security standards; the development of industry technical standards; seal or rating programs for schools and/or vendors. Compare best practices from other industry around transparency and communication.
Bob Moore, CoSN Project Director, Protecting Privacy in Connected Learning, (Moderator)
Beth Rorick, Deputy Executive Director, Gov’t Relations and Communications, National PTA
Kathleen Styles, Chief Privacy Officer, U.S. Department of Education
5:15-5:30 Closing Comments
5:30-7:00 pm Reception (China Room)
Beyond IRBs: Designing Ethical Review Processes for Big Data
CALL FOR PAPERS
Beyond IRBs: Designing Ethical Review Processes for Big Data Research
In the age of Big Data, innovative uses of information are continuously emerging in a wide variety of contexts. Increasingly, researchers at companies, not-for-profit organizations and academic institutions use individuals’ personal data as raw material for analysis and research. For research on data subject to the Common Rule, institutional review boards (IRBs) provide an essential ethical check on experimentation. Still, even academic researchers lack standards around the collection and use of online data sources, and data held by companies or in non-federally funded organizations is not subject to such procedures. Research standards for data can vary widely as a result. Companies and non-profits have become subject to public criticism and may elect to keep research results confidential to avoid public scrutiny or potential legal liability.
To prevent unethical data research or experimentation, experts have proposed a range of solutions, including the creation of “consumer subject review boards,”[1] formal privacy review boards,[2] private IRBs,[3] and other ethical processes implemented by individual companies.[4] Organizations and researchers are increasingly encouraged to pursue internal or external review mechanisms to vet, approve and monitor data experimentation and research. However, many questions remain concerning the desirable structure of such review bodies as well as the content of ethical frameworks governing data use. In addition, considerable debate lingers around the proper role of consent in data research and analysis, particularly in an online context; and it is unclear how to apply basic principles of fairness to selective populations that are subject to research.
To address these challenges, the Future of Privacy Forum (FPF) is hosting an academic workshop supported by the National Science Foundation, which will discuss ethical, legal, and technical guidance for organizations conducting research on personal information. Authors are invited to submit papers for presentation at a full-day program to take place on December 10, 2015. Successful submissions may address the following issues:
What are the key ethical questions surrounding data-driven research and consumer testing? Should analysis of online data be treated differently than subject testing generally? Which issues warrant additional review?
What lessons can be learned from existing institutional review boards (IRBs), including both academic panels and standalone private entities? Which features of existing IRB structures are applicable to corporate and non-profit big data research?
Which existing government or industry practices offer insights into how researchers can approach ethical questions for Big Data?
How should organizations structure an ethical review process? Which substantive requirements and principles should govern it? How should organizations ensure independent review? Could review mechanisms be wholly internal or must external stakeholders or committees be involved?
What is the proper scope of review? While IRBs currently focus on human-subject testing, Big Data raises a different set of concerns focusing on subsequent analysis and novel uses of data. Which factors are essential for consideration in an ethical process?
What is the proper role of consent in data-driven research environment?
Papers for presentation will be selected by an academic advisory board and published in the online edition of the Washington and Lee Law Review. Four papers will be selected to serve as “firestarters” for the December workshop, awarding each author with a $1000 stipend.
Submissions must be 2,500 to 3,500 words, with minimal footnotes and in a readable style accessible to a wide audience.
Submissions must be made no later than October 25, 2015, at 11:59 PM ET, to [email protected]. Publication decisions and workshop invitations will be sent in November.
[1] Ryan Calo, Consumer Subject Review Boards: A Thought Experiment, 66 Stan. L. Rev. Online 97 (2013).
[2] White House Consumer Privacy Bill of Rights Discussion Draft, Section 103(c) (2015).
[3] Jules Polonetsky, Omer Tene, & Joseph Jerome, Beyond the Common Rule: Ethical Structures for Data Research in Non-Academic Settings, 13 Colo. Tech. L. J. 333 (2015).
[4] Mike Schroepfer, CTO, Research at Facebook (Oct. 2, 2014), http://newsroom.fb.com/news/2014/10/research-at-facebook/.
Beyond the Common Rule
As part of a symposium on corporate consumer research, Jules Polonetsky, Omer Tene, and Joseph Jerome published “Beyond the Common Rule: Ethical Structures for Data Research in Non-Academic Settings” in volume 13, issue 2, of the Colorado Technology Law Journal. At corporations, not-for-profits, and academic institutions, researchers are analyzing data and testing theories that often rely on data about individuals. Many of these new uses of personal information are natural extensions of current practices, well within the expectations of individuals and the boundaries of traditional Fair Information Practice Principles. In other cases, data use may exceed expectations, but organizations can provide individuals with additional notice and choice. However, in some cases enhanced notice and choice is not feasible, despite the considerable benefit to consumers if personal information were to be used in an innovative way. This article addresses the processes required to authorize noncontextual data uses at corporations or not-for-profit organizations in the absence of additional notice and choice. Although many of these challenges are also relevant to academic researchers, their work will often be guided by the oversight of Internal Review Boards (which are required for many — but not all — new research uses of personal information).
Today, FPF has released its newest paper, Student Data and De-Identification: Understanding De-Identification of Education Records and Related Requirements of FERPA. Prepared in partnership with Reg Leichty of Foresight Law + Policy, this paper provides an overview of the different tools used to de-identify data to various degrees, based on the type of information involved, and the determined risk of unintended disclosure of individual identity. Proper data de-identification requires technical knowledge and expertise as well as knowledge of, and adherence to, industry best practice.
“Data de-identification represents one privacy protection strategy that should be in every student data holder’s playbook. Integrated with other robust privacy and security protections, appropriate de-identification – choosing the best de-identification technique based on a given data disclosure purpose and risk level – provides a pathway for protecting student privacy without compromising data’s value. This paper provides a high level introduction to: (1) education records de-identification techniques; and (2) explores the Family Educational Rights and Privacy Act’s (FERPA) application to de-identified education records. The paper also explores how advances in mathematical and statistical techniques, computational power, and Internet connectivity may be making de-identification of student data more challenging and thus raising potential questions about FERPA’s long-standing permissive structure for sharing non-personally identifiable information.”
De-Identification and other issues relating to student privacy will be discussed at our upcoming Student Privacy Symposium on Sept 21. Learn more.
Student Privacy Pledge – Hits 150!
Ed Tech Student Privacy Pledge reaches 150 signatories
The Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) are pleased to recognize that the Student Privacy Pledge reached the milestone of 150 education technology companies who have signed. The Pledge represents industry’s public commitment to the responsible handling of student data and provides accountability for signatory school service providers. The result is a bolstering of the public trust necessary for continued technology access for school operations and student learning – technology that is critical to the nation’s continued educational and economic competitiveness.
The K-12 Student Privacy Pledge was introduced by FPF and SIIA in October 2014 with 14 original signatories and took effect in January 2015 as a legally enforceable agreement for companies that provide services to schools. The twelve specific commitments in the Pledge detail ongoing industry practices that both meet the demands of families and schools and track key federal and state laws. By signing the Pledge, school service providers clearly articulate their adherence to these practices to schools and parents regarding the collection, use, maintenance, and retention of student data.
Signatories of the Student Privacy Pledge promise to:
Not sell student information
Not behaviorally target advertising
Use data for authorized education purposes only
Not materially change privacy policies without notice and choice
Enforce strict limits on data retention
Support parental access to, and correction of errors in, their children’s information
Provide comprehensive security standards to protect student data
Be transparent about collection and use of data
The Pledge adds to an existing framework of student data protections, which also include existing laws, contracts, and company privacy policies. A company’s security and other commitments made under the Student Privacy Pledge are legally enforceable under Section 5 of the federal Consumer Protection Act.
“Although many states have passed student privacy laws, the Pledge creates an instantly enforceable and nationally applicable commitment to student data privacy. The Pledge, provides a baseline for communication between companies and end users that builds trust,” said Kobie Pruitt, education policy manager, FPF.
“The Pledge demonstrates the industry’s commitment to these strict legally enforceable best practices for data security and the safeguarding of student privacy,” said Mark Schneiderman, senior director of education policy, SIIA.
FPF and SIIA are proud to facilitate the efforts of education technology companies to take leadership in protecting student privacy by signing the Student Privacy Pledge. We look forward to a continual increase in the number of companies joining this effort, and agreeing to be held publically accountable to the student information safeguards embodied in the Pledge.
