Privacy In Academia
Prepared for Florida State University
Susan Blair, MSJ, MBA, CIPP, CCEP, CIA
UF Chief Privacy Officer, University of Florida
January 26, 2012
Why establish a Privacy Office?
• Manage student, faculty, staff, and third-party privacy expectations
• Either an accepted business practice or a possible regulatory requirement
• Reduce institutional risk by encouraging compliance
• Become a mainstream action; network of 70 university and college CPOs
• Impending US Department of Education site visits and audits
Goals of this Meeting
• To provide the rationale for establishing a Privacy Office
• To describe the role of the Chief Privacy Officer
• To define restricted information and identify the scope of UF’s Privacy Office
• To make you aware of the most relevant privacy laws and their impact on UF
• To outline UF’s greatest privacy risks
• To answer your questions about establishing a Privacy Office at FSU
Structure & Organization (organizational chart; units shown)
• Vice President for Human Resources
• Chief Privacy Officer
• Shands Privacy Initiatives
• UF Information Security Initiatives
• UF Medical Components
• IRBs and Privacy Board (Research)
• UF Medical Affiliated Entities
• All Other UF Colleges, Departments, and Affiliates
• UF Jacksonville
Role of UF’s Chief Privacy Officer
• Required by healthcare regulation, effective April 2003; expanded to campus-wide scope in 2007
• Analyze relevant privacy regulations; assess institutional privacy-related risks; provide oversight for regulatory compliance; track results
• Develop and implement strategies, policies, and procedures
• Act as central contact and investigation authority for privacy complaints, alleged breaches, and notifications
• Recommend disciplinary actions, up to and including dismissal
What is Restricted Information?
• Any and all personal identification information, protected health information, financial information, and other information protected by law, in any format (paper, electronic, or other).
• Examples include:
  • Medical records and medical record numbers;
  • Student UFID numbers, grades, schedules, records, and reports;
  • Human resource data, including disciplinary actions;
  • Florida driver’s license numbers;
  • Social Security numbers; and
  • Any financial account information, including credit and debit card numbers.
Privacy & Confidentiality Defined
• Privacy
  • Freedom from intrusion or observation
  • Maintaining control over personal information
  • Not a US Constitutional right, but it is in the Florida Constitution (Article One, Section 23): “Every natural person has the right to be let alone and free from governmental intrusion into the person's private life”; exception: not to limit the public's right of access to public records and meetings as provided by law.
• Confidentiality
  • Only permitting certain authorized persons to have information, with the understanding that they will not share the information except with other authorized persons
Scope of Privacy Regulations at UF - Federal
• Federal Statutes
  • Family Educational Rights and Privacy Act (FERPA)
  • Privacy Act of 1974
  • Patriot Act
  • Gramm-Leach-Bliley Act
  • Fair Credit Reporting Act
  • Right to Financial Privacy Act
  • Children’s Online Privacy Protection Act (COPPA)
  • Electronic Communications Privacy Act
  • Stored Wire and Electronic Communications Act
  • Cable Communications Policy Act
• Health laws
  • Health Insurance Portability & Accountability Act (HIPAA) for medical components: faculty practice plans, HSC Colleges, CLAS, IFAS, Student Health Care Center, Institutional Review Boards, Benefit and Disability Plans, and UF Foundation
  • Americans with Disabilities Act
Scope of Privacy Regulations at UF - State
• Florida Statutes with privacy requirements
  • Chapter 90: Evidence
  • Chapter 119: Public Records
  • Chapter 381.004: HIV Testing
  • Chapter 384: Sexually Transmissible Diseases
  • Chapter 385: Chronic Diseases (Cancer Registry)
  • Chapter 392: TB Control
  • Chapter 393: Developmental Disabilities
  • Chapter 394: Mental Health
  • Chapter 395: Hospitals
  • Chapter 397: Substance Abuse
  • Chapter 400: Nursing Homes, Hospices
  • Chapter 405: Medical Research
  • Chapter 440: Workers’ Compensation
  • Chapters 456-468: Health Professions
  • Chapter 501: Consumer Protection
  • Chapter 817: Privacy Breach Notification
  • Chapters 1002-1006: Education Records
Scope – National & International
• National Industry Standards
  • Payment Credit Industry Data Security Standards
• International Privacy Laws
  • US: Department of Commerce’s Safe Harbor Privacy Principles
  • Europe: Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms; EU Data Protection Directive, Art. 1-33
  • Canada: Personal Information Protection & Electronic Documents Act
  • Additional regulations: Argentina, Australia, Hungary, Iceland, Ireland, Japan, the Netherlands, and elsewhere
• Emerging Regulatory Changes
  • American Reinvestment and Recovery Act/HITECH
  • State Attorney General prosecutions under HIPAA HITECH
  • FTC “Privacy Framework”
Upcoming Legislative Actions
• Eighteen proposed federal privacy bills that would affect higher education, including the Data Privacy & Security Act of 2011 (3 versions in the US Senate)
• Implementation of NIST SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
• FTC investigations of privacy and security complaints, e.g. Facebook cookies
• FERPA revision, Fall 2011
• PCIDSS guideline revisions, 2012
• New international privacy laws, e.g. India, Korea
• International debate on privacy of ancient human remains, or “Do Mummies Have the Right to Privacy?”
Five Privacy Protection Principles
• Controls: Limited, role-based access to data
  • Define individuals and roles permitted to access Restricted Data
  • Appoint Data Custodians to manage systems used with Restricted Data
• Boundaries: Authorizations to use or disclose data
  • Authorize systems permitted for use with Restricted Data
  • Authorize locations where Restricted Data can be used
  • Authorize purposes and scope of Restricted Data disclosures
• Safeguards: Measures to protect Restricted Data
  • Administrative: Staffing, policies & procedures, training
  • Physical: Locks, barriers, screens, etc.
  • Technical: Computer accounts, passwords, audits
• Accountability: Uniformly enforce UF policies to protect Restricted Data
  • Immediately report exposures of Restricted Data to the UF Privacy Office
  • Consistently apply sanctions and penalties
• Balance: Individual privacy and University interests
Top Three Danger Zones
• Family Educational Rights and Privacy Act (FERPA): Student Records
  • Authorizes the Secretary of Education to end all federal funding if a university fails to comply with the federal statute
• Health Insurance Portability & Accountability Act (HIPAA): Protected Health Information
  • Civil penalties and DOJ criminal prosecutions, which may result in penalties and up to ten years of jail time
• Payment Credit Industry Data Security Standard (PCIDSS): Credit Card Information
  • Noncompliant entities may be fined $500,000 per incident if cardholder information is compromised, and processing privileges may be revoked
• Upcoming FTC Red Flags and Privacy Framework
Number One Crisis
All varieties of data breaches at educational institutions: hacking, loss of portable device, unintended disclosure, insider breach, etc.
Source: Privacy Rights Clearinghouse
It’s Not Alphabet Soup … COPPA, FACTA, GLBA, CFAA, DPPA, HIPAA, ADA, ITADA, The Privacy Act, FERPA, TCFAPA, ECPA, CPNI, PCIDSS, RED FLAGS
When in Doubt … Call First
• Susan Blair, CPO, Room G24, Tigert Hall, (352) 273-1212
• Hotline: 866-876-4472
• Website: http://privacy.ufl.edu
• Emails: sablair@ufl.edu or privacy@ufl.edu