Chris Wolf at Data Privacy Day

At Thursday’s Data Privacy Day event in Washington, Passcode joined privacy and security experts to explore US consumers’ evolving attitudes about digital privacy.

“Consumers will not do business with companies that don’t respect their privacy, companies they don’t trust,” said Chris Wolf, cochair of the Future of Privacy Forum. Mr. Wolf spoke on a panel Thursday at the National Cyber Security Alliance’s “Data Privacy Day” event of which Passcode was a media partner.

Full article here.

FPF Welcomes New Senior Fellow – Ira Rubinstein

FPF is proud to welcome its newest Senior Fellow, Ira Rubinstein. Ira will be working with FPF staff, fellows and members on a number of cross-Atlantic privacy issues and will be collaborating with EU academics and institutions on projects focused on de-identification, ethics, big data, and other issues.

Ira Rubinstein is a Senior Fellow at the Information Law Institute (ILI) of the New York University School of Law. His research interests include Internet privacy, electronic surveillance law, big data, and voters’ privacy. Rubinstein lectures and publishes widely on issues of privacy and security and has testified before Congress on these topics on several occasions. Recent papers include a study of Voter Privacy in the Age of Big Data; a research report on Systematic Government Access to Personal Data: A Comparative Analysis, prepared for the Center for Democracy and Technology and co-authored with Ron Lee and Greg Nojeim; Big Data: The End of Privacy or a New Beginning, published in International Data Privacy Law in 2013 and presented at the 2013 Computer Privacy and Data Protection conference in Brussels; and Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents, co-authored with Nathan Good, which won the IAPP Privacy Law Scholars Award at the 5th Annual Privacy Law Scholars Conference in 2012.

Prior to joining the ILI, Rubinstein spent 17 years in Microsoft’s Legal and Corporate Affairs department, most recently as Associate General Counsel in charge of the Regulatory Affairs and Public Policy group. Before coming to Microsoft, he was in private practice in Seattle, specializing in immigration law. From 2010 to 2016, he served on the Board of Directors of the Center for Democracy and Technology. He also serves on the Board of Advisers of the American Law Institute for the Restatement Third, Information Privacy Principles; the Organizing Committee of the Privacy by Design Workshops sponsored by the Computing Research Association; and he served as Rapporteur for the EU-US Privacy Bridges Project, which was presented at the 2015 International Conference of Privacy and Data Protection Commissioners in Amsterdam. Rubinstein graduated from Yale Law School in 1985.

We are excited and proud to have Ira on the FPF team!

Full press release here.

Chris Wolf Moderates Panel at CES 2016

Innovating Privacy: New Frameworks for Changing Technology

Chris led the discussion by this excellent panel at this year’s CES. The full panel discussion can be viewed here (link expired).
Consumers are enjoying the benefits of connected devices while navigating (grappling with!) new privacy issues. Industry and regulators alike are working to understand consumer preferences while preserving creativity and flexibility to innovate with data. How can we adapt existing frameworks to respond to consumer concerns?

This year was a record-breaking CES, with over 170,000 attendees and 3,800+ exhibitors throughout 2.47 million net square feet of exhibit space. Around 50,000 attendees were international, representing over 150 countries.


Algorithmic transparency: Examining from within and without

As the volume of consumer data grows, an increasing number of decisions previously made by humans are now made by algorithms. Many thought leaders have called for algorithmic transparency to ensure that these decisions aren’t leading to unfair or discriminatory outcomes, but algorithmic transparency is tricky to implement. Last December, FTC Commissioner Julie Brill acknowledged the challenge in creating public-facing algorithmic transparency, calling on companies to proactively look internally to identify unfair, unethical, or discriminatory effects of their data use. Read more in the post on IAPP.

States and the District of Columbia Introduce ACLU Sponsored Legislation to Address Student Privacy

Recently, the ACLU, in partnership with the Tenth Amendment Center, created model legislation for states to “take control of their privacy in a digital age.” On January 20th, 2016 the ACLU coordinated with legislators in 16 states and the District of Columbia to roll out a variety of privacy bills simultaneously, many of which addressed the topic of educational data directly. After the passage of California’s SOPIPA, many states have proposed legislation directly targeting ed tech vendors with new responsibilities regarding the handling of student data. However, the ACLU’s model bill is a hybrid that specifies new requirements for both schools and vendors to ensure protections and responsibility for student data privacy.

ACLU’s model legislation, which was proposed in various forms in the different participating states, includes several excellent ideas. The most important provision is the proposal that allows parents to specifically authorize that their child’s data be sent to the educational service providers they choose for additional educational purposes. This allows parents to supplement their child’s education by allowing a tutor to access data, or to export data to a tool that provides an enhanced or personalized curriculum. A student could download data to an educational game, or to an app that would allow them to take data with them for use in college or a workplace.

At a time when learning is increasingly taking place 24/7, it allows parents to help students take their education records with them to be used for the additional educational purposes they choose. Unfortunately, many bills passed in other states only allow parents to enable the sharing of data for college applications or scholarships, making it illegal for schools or vendors to use a program that would enable such onward transfers. Parents in those states have to request access to their student’s data from a school authority, hope it is provided digitally, and then transfer it to third parties themselves.

Why are those states imposing such limits? Some of them are worried that school service providers will convince parents to share data for marketing purposes. The ACLU bill addresses that concern by ensuring the consent needed is quite explicit and specific and can only be for educational purposes. (In fact, the consent requirements are so strict that they may not be feasible for most services to achieve, and will need some wordsmithing to be both protective and feasible.)

Another key provision in the ACLU bill is the training requirement. Training for teachers to ensure that they have an adequate understanding of student privacy and how to comply with the law is critical. Restrictions placed on school data would be useless if school staff do not fully understand the rules or are not trained to follow them. The CoSN Trusted Learning Environment program should provide a useful training resource for many schools, as do the extensive materials at FERPA|Sherpa.

Fortunately, this model legislation avoids one of the unintended pitfalls of some recent state bills which have such strict language that they can inadvertently restrict schools from providing needed information to school photographers, yearbook publishers and spiritwear providers.

Another proposal in the model bill allows schools to bar parental access to confidential student data if allowing access would risk the safety of the student. For example, if a student confidentially disclosed to a guidance counselor that they were gay or lesbian but feared for their safety if a parent requested access to this data, the school could respect their need for confidentiality, even if the data was included in a student record. However, this provision can only be effective if implemented at the federal level, since FERPA currently does not contain such an exception and otherwise requires that parents have access to the entire student educational record. Such a “zone of confidentiality” should be an integral part of the student privacy conversation moving forward.

However, there are many other provisions in the bill that create significant problems for schools. These would need revisions to be effective.

The bill defines Personally Identifiable Information (PII) as “Any aggregate or de-identified student data that is capable of being de-aggregated or reconstructed to the point that individual students can be identified.” In some places the bill requires data to be both aggregated and de-identified, further raising the bar.

Since no de-identification method is 100% perfect, this definition would restrict the uses of many very effectively de-identified data sets. Without de-identified longitudinal data sets, which require record-level data, states can’t measure how well schools perform. In order to identify discriminatory practices, among other useful applications of de-identified but not aggregated data, it is necessary to include levels of detail about race, geography, grades, discipline and other data that can leave a data set well de-identified, but not impossible to re-identify. In fact, FERPA specifically allows sharing of data that may include a limited identifier, as long as the use is limited to research. A better standard for de-identification is the “reasonable” standard used in the Student Privacy Pledge. Or, so that schools would not have to deal with multiple de-identification standards, the bill could seek to be consistent with FERPA’s de-identification standard, which we analyzed in our recent whitepaper.

The bill treats college students the same as kindergarten students. This is too broad a brush. College students are legal adults and can safely be treated differently than a student who has yet to reach the age of majority. While certain protections are still appropriate, a college student has the ability to make informed decisions based on their educational needs to a much greater extent than a young child.

The model bill only makes student data available to school employees. This could potentially bar parents who volunteer for school activities and part-time coaches from having access to student data. FERPA allows sharing with all school officials, although direct control is needed over whoever it is shared with. This bill would require a special contract for coaches, parents, and other school representatives that are not designated as “school employees.”

The bill defines a Student Service System (SIS) as any “software application and/or cloud based service that allows an educational institution to input, maintain, manage, and/or retrieve student data and/or personally identifiable student information, including applications that track and/or share personally identifiable student information in real time.” This provision covers any service that can be used by a student, which in effect means every business in the world that doesn’t have a way to identify and screen out students, or doesn’t even know a student is using the product, is covered by this bill. This is likely to be unconstitutional and is obviously impractical. Most state laws and the Student Privacy Pledge cover products that are designed and marketed to schools.

Of particular concern, the proposed language would allow privacy litigation against teachers or parent volunteers. Schools hold a heavy responsibility to train, provide resources, and manage the use of ed tech in the educational process, but the way to ensure accountability for this is not to put teachers at personal legal risk. Schools must have reasonable review and implementation processes in place for using technology and protecting data. Teachers who violate school rules in general or put students at risk should be subject to appropriate management actions or discipline. But a teacher who misreads a privacy policy shouldn’t face litigation.

We applaud the work of the ACLU and their partners in these states to clearly address some of the challenges of student data privacy as ed tech applications continue to be implemented in schools, and look forward to working on these same issues with them, and with policymakers at the state and federal level.

Announcing the Launch of ResearchChoices.org

“Research Choices is an important step forward for research companies and will help consumers better understand how data is used to make decisions by a wide range of organizations.” – Jules Polonetsky

From the ESOMAR Press Release

Amsterdam, January 28, 2016: Top market research agencies comScore, GfK, Kantar, and Nielsen announced today the launch of a joint initiative to boost transparency and choice for online audience measurement research.

This joint initiative and the associated portal are being facilitated by ESOMAR, the World Association for Market, Social, and Opinion Research at the behest of the founding Research Choices participants.

“I welcome the launch of Research Choices, as the first world-wide and industry-wide initiative designed to reiterate our profession’s undertakings, and its self-regulatory strength. Initially focusing on the audience measurement sector, it is the sector’s hope and intention to progressively broaden the service to cover all digital research activities,” said Laurent Flores, ESOMAR President.

When completed, the web-based portal, accessible online at http://researchchoices.org, will provide the general public educational content initially demonstrating how online audience measurement research and online market research generally is conducted as well as highlighting participating companies’ privacy policies and tools to exercise opt-out and choice.

See full press announcement here. And visit Research Choices to learn more about it!

Student Privacy Boot Camp for Ed Tech Vendors

FPF is continuing its series of Boot Camp training sessions for ed tech start-ups and small to medium companies – with the next event scheduled for March 3 in San Francisco. Slots are limited, so apply to attend now!

Need a fast and furious intro to what it takes to do privacy – and security – right as a player in the ed tech market? Curious about which laws apply to schools, which laws apply to vendors, and what other regulations matter too? Need access to the greatest one-stop shop for resources on all questions of student privacy, geared toward parents, policymakers, schools, and of course, vendors?

Then this event is for you!

Speakers include the Chief Privacy Officer from the US Department of Education, security specialists from companies like Clever, and education and student data privacy experts from iKeepSafe, PlayWell LLC, Data Quality Campaign, and many others.

In addition, privacy reps from FPF member companies with long experience in this market will be on site to run “unconference” sessions and answer all your specific questions.

For a full description, complete agenda, and to register or become a sponsor, click here.

Essentially Equivalent:

A Comparison of the Legal Orders for Privacy and Data Protection – EU & US

From our friends at Sidley Austin:

“In a milestone decision on transatlantic data protection, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems case, declaring the Commission decision on the EU-U.S. Safe Harbor agreement invalid. The CJEU declared that such a decision requires a finding that the level of protection of fundamental rights and freedoms in the laws and practices of the third country is “essentially equivalent” to that guaranteed within the EU. Given the CJEU’s decision, the Commission and data protection authorities are now called upon to examine the legal order in the U.S. and compare its level of protection to that within the EU.

“This report provides a roadmap and resource for this comparison. Following the analysis laid out by the CJEU in Schrems, it shows how privacy values deeply embedded in U.S. law and practice have resulted in a system of protection of fundamental rights and freedoms that meets the test of essential equivalency.”

FPF Senior Fellow Peter Swire Debates Max Schrems

Privacy in the EU and the US

Scheduled for Jan 26, 2016 – 12:30 Eastern

FPF is pleased to share the following announcement:

The Brussels Privacy Hub is pleased to announce a pre-CPDP launch event: “Privacy in the EU and US: A debate between Max Schrems and Peter Swire”

* Peter Swire – Huang Professor of Law and Ethics at the Georgia Tech Scheller College of Business and a member of President Obama’s Review Group on Intelligence and Communications Technology

* Max Schrems – PhD student, privacy activist, and the successful plaintiff in the recent EU Court of Justice judgment Schrems v. Data Protection Commissioner

* Annie Machon – writer, media commentator and political campaigner

The discussion will be moderated by Prof. Paul de Hert, Brussels Privacy Hub Co-director, and will include a Q&A session, giving participants an opportunity to engage with prominent figures in the data protection and privacy communities.

Recording of full debate here.

Who Exactly IS a "School Official" Anyway?

School Officials and Ed Tech Vendors

The School Official exception to FERPA, the federal student privacy law, allows schools to provide student data to principals, teachers and school employees to use for educational purposes. But what about contractors who may work for the school, like a bus company or an email service provider? The original sponsors of FERPA talked about “schools and their agents” on the Senate floor, but unlike almost all later privacy laws, the law itself does not directly address how to deal with vendors who might run a school cafeteria, or even parent volunteers who access data by working in a classroom or calling parents on a class list. Nevertheless, schools have regularly used third parties of various sorts: bus companies, parent volunteers, yearbook publishers, photographers, and, as tech needs evolved, internet service providers, online assignment tools, scheduling programs, emergency alert systems, backup data centers, and more. Schools and the Department of Education always considered these companies to be acting as de facto school employees providing a service as a vendor.

In 2008, DOE amended the FERPA rule to officially recognize this ongoing practice and to set boundaries around the use of vendors as school officials. DOE took formal comments on this issue as part of the rulemaking process and updated the rule. DOE made it clear that parent volunteers, bus companies, cafeteria operators and technology providers could act as de facto “School Officials”, as long as they perform an institutional service or function for which the agency or institution would otherwise use employees; are under the direct control of the agency or institution with respect to the use and maintenance of education records; and are subject to restrictions governing the use and re-disclosure of personally identifiable information from education records. In 2011, the rule was updated yet again with further clarifications.

Government agencies of every sort, like public schools today, rely on vendors for a wide range of services. Banks, hospitals, and businesses of every sort rely on vendors to handle tasks that those specialized providers can handle more effectively. Contractual controls over how the data is collected, used, maintained and destroyed are the key factors to ensure the privacy and safety of data handled by these providers. Many new state student privacy laws now in effect legally mandate these privacy rules for vendors.

The FERPA rule specifically calls for schools to have direct control over vendors. Many districts and postsecondary institutions comply with this by using physical or technological controls to protect education records. Under the final regulations, districts and institutions may rely on contractual and administrative policies for controlling access to education records by school officials. The schools don’t need to be able to walk into the server rooms of vendors such as cloud providers or backup data centers, but they do need to be legally in control of what happens to the data.

Some have called the school official designation for contractors a “loophole” that creates privacy risks because it allows vendors access to student data. But it is in effect simply a manner of designating a vendor as acting as an agent of a school, in the same way the website provider of a bank is in practice the “banker” a consumer is using to check their balance online.

Are vendors being properly restricted by schools, with proper contracts and controls as required? That’s a fair question to ask of schools and vendors. But the school official exception, if implemented properly, is a sound legal concept that is similar in concept to privacy laws in other sectors.

It is useful to re-read the text of the 2008 rulemaking by DOE, which demonstrates that the issues involved with the interpretation of the school official exception were thoroughly discussed. DOE used its interpretation of FERPA to set firm limits on the activities of vendors, who must be under direct control and whose contracts must clearly indicate that vendors can only use data for appropriate educational uses.

Following are selected portions of the DOE rulemaking discussion: read it for yourself and let us know what you think! (For ease of reading, we have edited out extensive side material that we didn’t think central to this discussion; read the full rulemaking at the link below.)

https://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.html

Outsourcing – Outside Parties Who Qualify as School Officials

Comment: A few commenters disagreed with the proposal to expand the “school officials” exception to include contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform. They believed that the modifications undermined the plain language of the statute and congressional intent. Several other commenters supported the proposed regulations, saying that it was helpful to include in the regulations what has historically been the Department’s interpretation of the “school officials” exception. A majority of commenters…raised a number of issues concerning the proposal. Several commenters expressed concern that the requirement that an outside party must perform an institutional service or function for which the agency or institution would otherwise use employees is too restrictive and impractical. …Several commenters asked that we clarify in the regulations that [it] also applies to school transportation officials, school bus drivers, and school bus attendants who need access to education records in order to safely and efficiently transport students. …

Discussion: The Secretary does not agree that the proposed changes go beyond the plain reading of the statute and congressional intent. … FERPA’s broad definition of education records includes records that are maintained by “a person acting for” an educational agency or institution. … We disagree with commenters that the requirement that the outside party must perform an institutional service or function for which the agency or institution would otherwise use employees is too restrictive or unworkable. The requirement serves to ensure that the “school officials” exception does not expand into a general exception to the consent requirement in FERPA that would allow disclosure any time a vendor or other outside party wants access to education records to provide a product or service to schools, parents, and students. …The statutory basis for expanding the “school officials” exception to outside service providers is that they are “acting for” the agency or institution, not selling products and services. …FERPA does not otherwise restrict whether a school may outsource institutional services and functions; it only addresses to whom and under what conditions personally identifiable information from students’ education records may be disclosed. Once a school has determined that an outside party is a “school official” with a “legitimate educational interest” in viewing certain education records, that party may have access to the education records, without consent, in order to perform the required institutional services and functions for the school. These outside parties may include parents and other volunteers who assist schools in various capacities, … where they need access to students’ education records to perform their duties. The disclosure of education records under any of the conditions listed … is permissive and not required. 
…Therefore, schools should always use good judgment in determining the extent to which volunteers, as well as other school officials, need to have access to education records and to ensure that school officials, including volunteers, do not improperly disclose information from students’ education records. …We think it would be impossible to provide a comprehensive listing and believe that agencies and institutions are in the best position to make these determinations. At the discretion of a school, school officials may include school transportation officials (including bus drivers), school nurses, practicum and fieldwork students, unpaid interns, consultants, contractors, volunteers, and other outside parties providing institutional services and performing institutional functions, provided that each of the requirements … has been met. … The Department has long recognized that FERPA does not prevent schools from outsourcing institutional services and functions …

Changes: None.

Direct Control

Comment: Some commenters asked the Department to clarify what the term “direct control” means …. This section provides that in order to be considered a “school official” an outside party must be under the direct control of the agency or institution. Some commenters asked if this term means that the school must monitor the operations of the outside party, and how it affects an agency’s or institution’s relationship with subcontractors or third- or fourth-party database hosting companies. …One commenter stated that institutions should be required to verify that parties to whom they outsource services have the necessary resources to safeguard education records provided to them. …

Discussion: The term “direct control” … is intended to ensure that an educational agency or institution does not disclose education records to an outside service provider unless it can control that party’s maintenance, use, and redisclosure of education records. This could mean, for example, requiring a contractor to maintain education records in a particular manner and to make them available to parents upon request. … as discussed in the NPRM, educational agencies and institutions are responsible under FERPA for ensuring that they themselves do not have a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records, except in accordance with FERPA. This includes ensuring that outside parties that provide institutional services or functions as “school officials” … do not maintain, use, or redisclose education records except as directed … We believe that the use of the “direct control” standard strikes an appropriate balance in identifying the necessary and proper relationship between the school and its outside parties that are serving as “school officials.” … one way in which schools can ensure that parties understand their responsibilities under FERPA with respect to education records is to clearly describe those responsibilities in a written agreement or contract. Exercising direct control could prove more challenging in some situations than in others. Schools outsourcing information technology services, such as web-based and e-mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements …

Changes: We have revised (this section) to clarify that the outside party must be under the direct control of the agency or institution with respect to the use and maintenance of information from education records.

Protection of Records by Outside Parties Serving as School Officials

Comment: We received several comments (regarding) an outside party serving as a “school official” … subject to the requirement … regarding the use and redisclosure of personally identifiable information from education records. One commenter stated that …the proposed regulations did not go far enough to clarify that these outside third parties could not use education records …to engage in activities not associated with the service or function they were providing. …

Discussion: An agency or institution must ensure that an outside party providing institutional services or functions does not use or allow access to education records except in strict accordance with the requirements established by the educational agency or institution that discloses the information. …FERPA regulations appl(y) to employees and outside service providers alike and prohibit the recipient from using education records for any purpose other than the purposes for which the disclosure was made. This includes ensuring that outside parties do not use education records in their possession for purposes other than those specified by the institution that disclosed the records. …

Changes: None.

Control of Access to Education Records by School Officials

Comment: Many commenters supported (the) proposed (rule), which requires an educational agency or institution to use reasonable methods to ensure that school officials have access to only those education records in which the official has a legitimate educational interest. In this section, we also proposed that an educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the “legitimate educational interest” requirement. …

Discussion: (This section) requires that a parent or eligible student provide written consent for a disclosure of personally identifiable information from education records unless the circumstances meet one of the exceptions to consent, such as the release of information to a school official with a legitimate educational interest. Thus, a district or institution that makes a disclosure solely on the basis that the individual is a school official violates FERPA if it does not also determine that the school official has a legitimate educational interest. The regulations … are designed to clarify the responsibility of the educational agency or institution to ensure that access to education records by school officials is limited to circumstances in which the school official possesses a legitimate educational interest. We believe that the standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs. In order to establish a system driven by physical or technological access controls, a school would generally first determine when a school official has a legitimate educational interest in education records and then determine which physical or technological access controls are necessary to ensure that the official can access only those records. …The Department expects that educational agencies and institutions will generally make appropriate choices in designing records access controls, …(as) contractors are subject to the same conditions governing the access and use of records that apply to other school officials. … Schools have the flexibility to decide the method or methods best suited to their own circumstances… The regulations do not designate all volunteers as school officials. 
Rather, the regulations clarify that schools may designate volunteers as school officials who may be provided access to education records only when the volunteer has a legitimate educational interest. Schools can and should carefully assess and limit access by any school official, including volunteers. … FERPA prohibits school officials from having access to education records unless they have a legitimate educational interest.

Changes: None.