Barmak Nassirian’s quick review of the Markey/Hatch privacy legislation 7.31.2014

This is done too quickly to be comprehensive, but is intended as a first reaction to the Markey/Hatch privacy bill’s language.  – Barmak Nassirian.

  1. The bill is very narrow and does not attempt to address the main objections raised by parents and privacy advocates about the ways in which the 2008 and 2011 FERPA regs undermined educational privacy rights. Specific topics like the 2011 regs’ definition of “education program,” or “authorized representative” are left unresolved, with authorized representative only being referenced (infelicitously at that, since a comma is missing on page 2, line 23 before “and”) as an outside party that would be subject to unspecified security requirements.
  2. On the affirmative front, the language does specifically condition receipt of federal funds on “protection” of personally identifiable information, and requires ed agencies and institutions to impose that same requirement on any “outside parties” to whom they disclose PII. The problem here is that “protection” is undefined, and more importantly, that the issue is not so much protection of records from unauthorized access, but limiting the universe of entities and individuals who may inappropriately be granted authorized access. (Page 2, new section (4)(A) lines 7-19)
  3. The language prohibits receipt of federal funds by programs that use or disclose PII “to advertise or market a product or service.” This language is incomplete and problematic at a couple of levels. First, why not, at the very least, ban all commercial uses of PII? Why only marketing and advertising, but not sale of PII to improve software, develop for-profit tests, or design products? Second, there’s no distinction made between directory and non-directory information. (Would providing a list of students to a photographer taking yearbook pictures be a violations?) Finally, no distinction is made between non-consensual and consensual disclosures. The most comprehensive solution would be to ban all commercial uses as well as non-consensual disclosures to any entity without a legitimate educational interest as that term is defined and applied to school officials. There may have to be targeted exceptions for disclosures like transcripts (involving fees and very sensitive PII) or transactional interactions like the photographer example above. (New Section 5, page 3, lines 3-10)
  4. The amendment imposes new requirements on “outside parties” that are intended to parallel the “inspection, correction, amendment” provisions of existing law, but do so in an unorthodox and problematic way. First, absent a parallel notice requirement to parents and students, how would they even know about disclosure of PII to outside parties? Second, probably inadvertently but maybe not, the rights are provided for parents but not for students themselves, which opens a huge and very messy can of worms particularly with regard to postsecondary students. (I couldn’t review my records at my age, but my parents could?) Third, the language departs from the standard “inspection, correction, or amendment” and expands the list to “challenge, correct, or delete.” While this confusing language may arguably be viewed as an expansion of privacy rights, the rest of the sentence immediately takes back what the bill giveth, by limiting the rights only to “inaccurate, misleading, or otherwise inappropriate data” which are left undefined. Current law, of course, makes no such distinctions, and imposes no such limitations or burdens on students or parents, who may amend the record—with no mandate for adjudicating the veracity of its contents—as they see fit. (Page 3, line 11 through page 4, line 17)
  5. The new section (7) in the bill explicitly requires data minimization, but proceeds to define it in a most unconventional manner as attempting to respond to “appropriate” (i.e., legally allowed? legally required? something else?) requests for PII through provision of de-identified data, if such de-identified data meet the “effective” purpose of the request. Leaving the obscurity and vagueness of the terms aside, this language is oblivious to the enormous difficulty of robust de-identification (which goes well beyond dropping names and SSNs) and the relative ease of re-identification of putatively anonymized records. Subsection (B) of this section adds a data retention rule, which would require that data be destroyed once the original purpose for their initial disclosure has been met. This is a positive improvement on current law. (Page 4, line 18 through page 5, line 6.)