Gain valuable insights into the legal landscape for data privacy in higher education, including constitutional rights, federal and state laws, liability, and ethical considerations.
Insights on the Legal Landscape for Data Privacy in Higher Education
Rodney Petersen, J.D.
Government Relations Officer and Security Task Force Coordinator, EDUCAUSE

IT Policy Framework
• Law – constitution, federal & state laws, liability
• Values – academic freedom, community expectations, privacy vs. access
• Ethics – responsible use, stewardship
• Morality – absolutes
Agenda Topics
• U.S. Constitution
• Federal Law and Regulation
• State Law and Regulation
• Contractual Obligations
• Emerging Case Law
• Emerging Policy Issues

Dimensions of Privacy
• Personal Privacy – the right or interest of individuals to keep their personal information, communications, and facts concerning them out of the hands of unauthorized parties.
• Privacy Protection – the responsibility or stewardship role of a third party that holds personal data concerning an individual that has been entrusted to it.

Data and the Constitution
• 14th Amendment: No state shall . . . deprive any person of life, liberty, or property, without due process of law.
• 4th Amendment: People have the right . . . to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures . . . no warrants shall issue [without] probable cause . . .
Federal Law
• Electronic Communications Privacy Act (ECPA)
• Family Educational Rights and Privacy Act (FERPA)
• Federal Information Security Management Act (FISMA)
• Foreign Intelligence Surveillance Act (FISA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)

FTC Regulatory Enforcement
• ChoicePoint – settlement for $10 million in civil penalties and $5 million to be used to reimburse consumers for expenses due to identity theft caused by the security breach.
• BJ's Wholesale Club – ordered to "establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers."
• Guidance Software, Inc. – settled for its failure to take reasonable security measures to protect sensitive customer data, which contradicted security promises made on its Web site and violated federal law. The data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. The settlement requires the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.
State Law
• Data Incident (Breach) Notification Laws
  – Define what constitutes a "breach"
  – Establish procedures for "notifications"
  – Qualified by exceptions and protections
• Privacy Policies for Websites
  – Apply to collection of "personal records"
  – Specify "notice" requirements
  – Websites only

"Notice" and Other Principles
• The purpose for which the personal information is collected;
• Any specific consequences to the person for refusal to provide the personal information;
• The person's right to inspect, amend, or correct personal records, if any;
• Whether the personal information is generally available for public inspection;
• Whether the personal information is made available or transferred to or shared with any entity other than the official custodian.

Fair Information Practices
• Notification
• Minimization
• Secondary Use
• Nondisclosure and Consent
• Need to Know
• Data Accuracy, Inspection, and Review
• Information Security, Integrity, and Accountability
• Education
Contractual Obligations
• Contract law is a function of state law and "common law"
• Procurement of Hardware and Software
• Outsourced Services (data handling, email, etc.)
• Government Contracts and Grants (e.g., NASA, NIH, NSF, ED, etc.)
• Payment Card Industry – Data Security Standard (PCI DSS)

Case Law
• Based upon Tort/Negligence Law
  – Duty
  – Breach of Duty
  – Damages
  – Foreseeable Risks

Public Policy
• Identity Theft
• Social Security Number use
• Data Privacy and Security Proposals
• FISA Amendments
• Communications Assistance for Law Enforcement Act
• Data Retention

For More Information
• EDUCAUSE/Internet2 Security Task Force: http://www.educause.edu/security
• EDUCAUSE Washington Office: http://www.educause.edu/policy
• Rodney Petersen – Email: rpetersen@educause.edu, Phone: 202.331.5368