Edward Snowden became a household name after he leaked top secret documents that demonstrated the vast scope of our government’s domestic surveillance programs. Much of this work is outsourced to private companies–such as Booz Allen Hamilton, owned by the Carlyle Group, a US-based investment fund with $176 billion in assets.

But the “war on terrorism” and the long arm of the Patriot Act (passed by Congress in October, 2001) go beyond telephone and Internet communications. Government and law enforcement now have unparalleled access to student records and medical records.

It’s been the perfect storm for business to swoop into pubic coffers to mine personal data.  “Authorized representatives” and “business associates” access personally identifiable information in both education records and “Protected” Health Information (PHI) in our medical records. In the meantime, state agencies collect this data in big databases–without attention to fair information practices and principals, the central contribution of an HEW (Health, Education, Welfare) Advisory Committee on Automated Data Systems in 1972.

Unfortunately there are no Edward Snowdens among education and healthcare technocrats. They seem to be both smitten with data utopia and tempted by “free” services of the digital economy. The train with our education and medical data collected without our consent has already left the station.

Case in point: The Los Angeles Unified School District has spent more than $130 million on a student information system, which has become a technological disaster. Ron Chandler, the district’s Internet technology officer, said that once the problems are ironed out, the system will free the district from the consent decree and provide a valuable tool for tracking and boosting student success.

A parallel explosion of big data since 2001 is not coincidental. Big data utopians proclaim better integration of fragmented health and education sectors and data analysis will improve outcomes and improve value. The question never seems to be asked, “For whom?”

The P in HIPAA does not stand for privacy.

HIPAA is the Health Insurance Portability and Accountability Act. For one brief year in 2001, newly implemented HIPAA privacy rules meant “…a covered healthcare provider must obtain the individual’s consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment or health care operations.” That all changed in 2002 when Health and Human Services eliminated the right of consent and replaced it with a “new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, or health care operations.”

Traditional (doctors, pharmacists, hospitals, health plans, Medicare/Medicaid etc.) and not-so-traditional (just what is a clearinghouse?) covered entities must comply with HIPAA privacy and security rules, enacted in 2002. Businesses that contract with covered entities gain access to our PHI, without our consent, by signing a business associate agreement to comply with these rules.

It’s impossible to create a detailed map of where sensitive personal health information flows from prescription records, to DNA, to diagnoses. And without a “chain of custody,” it’s also impossible to know who uses our data or why. Dr. Deborah Peel from Patient Privacy Rights points out in a recent TEDx talk, if the 2002 HIPAA were supposed to improve care and cut costs, why has the opposite occurred?

Big data simplifies access to data—a win-win for business and government. While corporations learn our secrets, trade secrets simultaneously protect how they profit from data mining our private lives. And it’s far more efficient for the government to obtain confidential information data mining big businesses, thus bypassing teachers and doctors, who would compromise professional ethics when confidentiality is compromised.

Many states have created, or are in the process of creating all payer health care claims databases. The goal is “a regional all payer dataset… (which is) seamless across state lines in terms of being a longitudinal record based on the patient.”

In Oregon, payers (insurance carriers, other third-party payers, or health plan sponsors, such as employers or unions) directly send “patient demographic information such as date of birth, gender, geography, and race/ethnicity” along with “medical and pharmacy insurance claims (that) capture plan payments, member financial responsibility (co-pay, co-insurance, deductible), diagnoses, procedures performed, and numerous other data fields” to Milliman Inc.

Milliman is one of the top purchasers of medical records. Oregon pays this global actuarial firm to collect an incredible amount of confidential data—all done without patient consent. Could Milliman’s computers glean data that could be used to deny life insurance for companies that use Milliman’s services? After all, they boast that, “No firm has a more complete understanding of insurance than Milliman, from the nuances of various regulatory regimes to the patterns in policyholder behavior.”

While Oregon’s goal is to provide information to consumers and purchasers of health care, most states, including Oregon score an F when it comes to price transparency. Trade secrets protections are used to prohibit databases from “revealing proprietary fee schedule amounts for any payer/provider.”

Patients across the nation are feeling the financial sting when it comes to the not-so-Affordable Care Act. Wanna’ have a baby? A financial counselor may spring a “global fee” on you, which doesn’t include hospital charges or anything else on a long list of exclusions. And while they may point to an “average” cost in the “summary of benefits,” disclaimers allow for actual costs that may be higher.  So much for market-based transformations!

Pushback from parents for student data privacy

Privacy protections in FERPA, the Family Educational Rights and Privacy Act, were gutted with rule changes in 2008 (including those relating to section 507 of the USA Patriot Act) and 2011. US Secretary of Education Arne Duncan, Obama’s basketball buddy, implemented these rule changes and sweetened the pot with stimulus money. States were tasked to create statewide longitudinal data systems that collect and warehouse student data.

Earlier this year, parent activists successfully pushed back in shutting down inBloom. Founded in 2011 with $100 million from the Bill & Melinda Gates Foundation and the Carnegie Corp, this nonprofit was designed to collect confidential and personally identifiable student and teacher data.

This data included student names, addresses, grades, test scores, economic, race, special education status, disciplinary status and more from school districts and states throughout the country… on a data cloud run by Amazon.com, with an operating system by Wireless/Amplify, a subsidiary of Rupert Murdoch’s News Corporation. What’s more, InBloom planned to share this highly sensitive information with software companies and other for-profit vendors.

Constitutional rights to data privacy?

Is data speech, protected by 1st Amendment rights? Or property, protected by the 4th Amendment.

Authors of a recent Stanford Law Review article argued for the former. “When the collection or distribution of data troubles lawmakers, it does so because data has the potential to inform and to inspire new opinions. Data privacy laws regulate minds, not technology.” The authors state that whenever state regulations interfere with the creation of knowledge, that regulation should draw First Amendment scrutiny.

If you think your data is property, protected against unlawful search and seizure with Fourth Amendment protections, think again. As reviewed in the Emory Law Journal, “if a person “volunteers” information to a third party, she loses all constitutional protection for the information, regardless of whether it reflects an underlying autonomy interest that is otherwise protected by the Constitution.” This is the third-party doctrine.

Media conglomerates and bloggers compete for readers to monetize digital content through “behaviorally targeted advertising.”  The third party doctrine allows private companies to track individuals and create single, comprehensive profiles for each user. Campaigns strategically mine our hobbies, passions and vulnerabilities to micro-target a tailored message that effectively sells politics and products. The Federal Trade Commission has taken a hands-off approach when pressuring businesses to self-regulate when it comes to behavioral targeting. So states are responding.

California passed a new student privacy law that “prohibit(s)an operator of an Internet Web site, online service, online application, or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians, using covered information to amass a profile about a K–12 student, selling a student’s information, or disclosing covered information.”

The application of FERPA to data derived from online personalized learning programs is not entirely clear. Are “personalized learning programs,” a hybrid model that combines online and traditional instruction, another type of behavioral targeting? Can the third party doctrine be invoked when districts and universities sign privacy agreements with businesses for these outsourced services?

Should we put faith in industry signatories to a “student privacy pledge“? The Future of Privacy Forum and the Software and Information Industry Association conceived this pledge. Interestingly, Google has not signed the pledge, though they are one of the many data miners supporting the Future of Privacy Forum.

Google Apps for surreptitious user profiles

Google Apps for Education is one of the freebies school districts and universities clamor for.  Bram Bout, the head of Google Apps for Education told the Guardian, “More than 30 million students, teachers and administrators rely on Google Apps for Education every day to communicate and collaborate more efficiently.” But Google presents “take-it-or–leave-it contracts” and a “gag clause” in its negotiations with schools for this service. As such, Berkley IT professionals couldn’t learn “how other campuses protected the privacy of their students and faculty.”

In a lawsuit against Google, students (both as individuals and in a class action complaint) claimed Google violated federal and state wiretap laws by intercepting electronic Gmail messages and data-mining those messages for advertising-related purposes–including the building of “surreptitious user profiles.” Google sought dismissal, saying “automated (non-human) scanning is not illegal ‘interception’ ” and that “the processes at issue are a standard and fully-disclosed part of the Gmail service.”

Judge Lucy Koh, whose jurisdiction is in the heart of Silicon Valley, denied a motion from Google to dismiss the case entirely. She rejected the company’s argument that Gmail users agreed to let their messages be scanned when they accepted subscription service terms and privacy policies.

But she later denied the plaintiffs’ motion to turn the suit into a class action on the grounds that it would be impossible to determine which email users consented to Google’s privacy policies. This means email users must sue individually or in small groups, lowering recoveries and boosting costs.

Joel R Reidenberg, a law professor at Fordham University, told Education Week, “The complexity of these arrangements exceeds what FERPA is really capable of addressing.” The 40-year-old FERPA does not adequately define what constitutes an education record at a time when previously unthinkable amounts of digital data about students proliferate.

With this lawsuit in mind, should patients feel reassured by Google’s Business Associate Agreement that offers “HIPAA compliant online services for covered entities”?

Data breaches, big data and identity theft

Then there are the inevitable breaches. The Office of Civil Rights must investigate and post health record breaches of over 500. The many flavors include hacking/IT incident, improper disposal, loss, theft, unauthorized access/disclosure, unknown and other.

One of the most recent breaches reported (and not yet in the database) affected 4.5 million patients served by the for-profit hospital chain, Community Health Systems Inc. Investigators believe the attack was the work of Chinese hackers that exploited the Heartbleed bug. Affected patients must worry about identity theft.

As USA Today reports, medical identity theft is epidemic and we should all be on the alert for that possibility. Having experienced tax related identity theft this past March, I assume my husband and I will never understand how our identity was stolen. This is especially disturbing when one considers that child identity theft rates are fifty-one times higher than adults. While these digital natives are savvier with technology, they are more vulnerable as well.

Furthermore, there is “no private right of action” when unlawful access, use or disclosure of protected health information or student’s protected information occurs. In other words, you can’t sue under HIPAA or FERPA laws when your personal data has been compromised.

Heath, Education and Welfare?

The Department of Health Education and Welfare was a Cabinet post from 1953-1979, when the Department of Education was created. But these departments still intersect. Joint guidance on the application of FERPA and HIPAA to student health records was published in 2008.

Schools use assessments for special education eligibility and 504 accommodations (such as for ADD/ADHD). The monopoly on these tests is London-based Pearson, the largest education company and book publisher in the world. Since last year, Pearson Clinical has been using Q-global to score and store tests. This decreased administrative burden is attractive for districts that are increasingly choosing the Q-Global option instead of scoring manually or with software.

Students who receive special education or 504 accommodations are afforded confidentiality provisions under IDEA, the Individuals with Disabilities Education Act. How could parents feel reassured that safeguards and policies to destroy information will be enforced?

Should Pearson Q-Global have the right to glean data for and use “non-personally identifiable statistically aggregated data raw test data and other information collected in the testing process for our research, quality control, operations management, security and internal marketing purposes and to enhance, develop or improve tests and testing processes”? Or transfer the data “in connection with a sale, joint venture or other transfer of some or all of the assets of NCS Pearson, Inc.” or “to our contractors or agents who are committed or obliged to protect the privacy of Personal Information in a manner consistent with this Privacy Policy“?

Conclusion: Without strong privacy and security protections for individuals, the costs of 21st Century digital disruption appear to outweigh benefits. Our identity is fundamentally our intellectual and spiritual property. Corporations protect their intellectual property with trade secret laws, yet laws don’t afford the same privacy rights to people. 

We must demand the right to privacy. As such, we should support the Student Privacy Bill of Rights, (conceived by the Electronic Privacy Information Center) as an enforceable student privacy and data security framework. The Patient’s Bill of Rights, implemented in 2010, doesn’t address privacy–reflecting the need to modernize HIPAA.

In June 2014 Joel R Reidenberg testified before two Congressional sub-committees on “How Data Mining Threatens Student Privacy.” His four recommendations equally apply to patient privacy. (Suggested modifications are in parentheses.)

1. Modernize FERPA (and HIPAA) to protect and limit the use of all student (and patient) information whether held by schools (and covered entities) or vendors (and business associates)—including a prohibition on non-educational (and non-medical) uses of student (and patient) information and graduated enforcement remedies such as private rights of action.
2. Require that the processing of student (and patient) data under any federally financed educational (and health care) program be prohibited unless there is a written agreement spelling out the purposes for the processing, restricting the processing to the minimum amount of data necessary for those purposes, restricting the processing to permissible educational (and health care) uses, mandating (enhanced) data security, requiring data deletion at the end of the contract, and providing for schools’ (and covered entities’) audit and inspection rights with respect to vendors (and business associates).
3. Require that states adopt an oversight mechanism for the collection and use of student (and patient) data by local and state (educational) agencies. A Chief Privacy Officer (in state departments of education) is essential to provide transparency to the public, assistance for local school districts (and coveredentities) to meet their privacy responsibilities, and oversight for compliance with privacy requirements.
4. Provide support to the Departments of Education (and Health and Human Services) and to the research community to address privacy in the context of rapidly evolving educational technologies, including support for a clearing center to assist schools (and covered entities) and vendors (and business associates) find appropriate best practices for their needs.

The Chief Privacy Officer (CPO) should be independent of the state agency involved. One state serves as a potential model: Ohio.

Further, an advisory group that includes agency representatives and citizens from stakeholder groups should help the CPO develop privacy policies. We need to restore full consent and notification of confidential data sharing and oversee data collection that include longitudinal data systems, created in direct response to various federal programs. Meetings should be open to the public to foster participation. These steps are essential to restoring trust in our government.

To be a free and democratic and globally responsive society, power should be in the hands of the people and not the 1%. We need digital innovations that put people in control of their data. We should repeal the Patriot Act and demand net neutrality.  With that power, we can battle the huge problems facing us—including climate change, Ebola and poverty.

These are not simple solutions. We need to learn more and to get involved. For more information, go to Patient Privacy Rights and the Parent Coalition for Student Privacy.

For Immediate Release: October 7, 2014

For more information contact:
Leonie Haimson, [email protected]; 917-435-9329
Rachael Stickland, [email protected]; 303-204-1272

While parents and advocates involved defeating inBloom are appreciative that the voluntary pledge released today by members of the software industry bars the selling of student data and its use for targeting ads, its provisions fall far short of what would be necessary to uphold the rights of parents to control access to their children’s personal information and protect their privacy. It appears that technology vendors and their supporters are trying to forestall stronger federal and state laws that would really hold them accountable.

The provisions do not include any parental consent or notification requirements before schools disclose the highly sensitive personal data of their children to vendors, and contain no specific security or enforcement standards for its collection, use or transmission. It would also allow for the infinite disclosure or sale of the data from one company to another, when the first one goes bankrupt, is merged or acquired by another corporation.

Leonie Haimson, Executive Director of Class Size Matters based in NYC and co-chair of the Parent Coalition for Student Privacy, said: “We need legally enforceable provisions requiring parental notification and consent for the disclosure and redisclosure of personal student data, as well as rigorous security protocols. This pledge will not achieve these goals, and will not satisfy most parents, deeply concerned about protecting their children from rampant data sharing, data-mining and data breaches.”

As Rachael Stickland, Colorado parent and co-chair of the Coalition pointed out, “The pledge explicitly allows for the use of student personal information for ‘adaptive learning.’ Parents are very worried that predictive analytics will lead to stereotyping, profiling and undermining their children’s future chance of success. At the least, industry leaders should support full disclosure of the specific student data elements employed for these purposes, and understand the need for informed parental consent.”

Said Melissa Westbrook, moderator of the Seattle Schools Community Forum and co-founder of Washington State’s Student Privacy Now, “This so-called pledge, filled with mumbo-jumbo, has one glaring item missing – legally enforceable punishment for K-12 service providers who don’t protect student data. Without that, students and their data have no real protections. ”

Concluded Josh Golin, Associate Director for the Campaign for Commercial-Free Childhood, “Across industries, self-regulation has been proven inadequate when it comes to protecting children, and there is absolutely no reason to believe that students’ most sensitive information can be safeguarded through voluntary pledges. Only federal and state legislation that have clear enforcement mechanisms and penalties will give students the protections – and parents the peace of mind – they deserve. It’s disappointing the ed tech industry’s main takeaway from the inBloom fiasco is that they need better PR.”

###

This is done too quickly to be comprehensive, but is intended as a first reaction to the Markey/Hatch privacy bill’s language.  – Barmak Nassirian.

1. The bill is very narrow and does not attempt to address the main objections raised by parents and privacy advocates about the ways in which the 2008 and 2011 FERPA regs undermined educational privacy rights. Specific topics like the 2011 regs’ definition of “education program,” or “authorized representative” are left unresolved, with authorized representative only being referenced (infelicitously at that, since a comma is missing on page 2, line 23 before “and”) as an outside party that would be subject to unspecified security requirements.
2. On the affirmative front, the language does specifically condition receipt of federal funds on “protection” of personally identifiable information, and requires ed agencies and institutions to impose that same requirement on any “outside parties” to whom they disclose PII. The problem here is that “protection” is undefined, and more importantly, that the issue is not so much protection of records from unauthorized access, but limiting the universe of entities and individuals who may inappropriately be granted authorized access. (Page 2, new section (4)(A) lines 7-19)
3. The language prohibits receipt of federal funds by programs that use or disclose PII “to advertise or market a product or service.” This language is incomplete and problematic at a couple of levels. First, why not, at the very least, ban all commercial uses of PII? Why only marketing and advertising, but not sale of PII to improve software, develop for-profit tests, or design products? Second, there’s no distinction made between directory and non-directory information. (Would providing a list of students to a photographer taking yearbook pictures be a violations?) Finally, no distinction is made between non-consensual and consensual disclosures. The most comprehensive solution would be to ban all commercial uses as well as non-consensual disclosures to any entity without a legitimate educational interest as that term is defined and applied to school officials. There may have to be targeted exceptions for disclosures like transcripts (involving fees and very sensitive PII) or transactional interactions like the photographer example above. (New Section 5, page 3, lines 3-10)
4. The amendment imposes new requirements on “outside parties” that are intended to parallel the “inspection, correction, amendment” provisions of existing law, but do so in an unorthodox and problematic way. First, absent a parallel notice requirement to parents and students, how would they even know about disclosure of PII to outside parties? Second, probably inadvertently but maybe not, the rights are provided for parents but not for students themselves, which opens a huge and very messy can of worms particularly with regard to postsecondary students. (I couldn’t review my records at my age, but my parents could?) Third, the language departs from the standard “inspection, correction, or amendment” and expands the list to “challenge,correct, or delete.” While this confusing language may arguably be viewed as an expansion of privacy rights, the rest of the sentence immediately takes back what the bill giveth, by limiting the rights only to “inaccurate, misleading, or otherwise inappropriate data” which are left undefined. Current law, of course, makes no such distinctions, and imposes no such limitations or burdens on students or parents, who may amend the record—with no mandate for adjudicating the veracity of its contents—as they see fit. (Pages 3, line 11 through page 4, line 17)
5. The new section (7) in the bill explicitly requires data minimization, but proceeds to define it in a most unconventional manner as attempting to respond to “appropriate” (i.e., Legally allowed? Legally required? Something else?) requests for PII through provision of de-identified data, if such de-identified data meet the “effective” purpose of the request. Leaving the obscurity and vagueness of the terms aside, this language is oblivious to the enormous difficulty of robust de-identification (which goes well beyond dropping names and SSNs) and the relative ease of re-identification of putatively anonymized records. Subsection (B) of this section adds a data retention rule, which would require that data be destroyed once the original purpose for their initial disclosure has been met. This is a positive improvement on current law. (Page 4, line 18 through page 5, line 6.)

For immediate release: July 30, 2014

Rachael Stickland, 303-204-1272; [email protected]

Leonie Haimson: 917-435-9329; [email protected]

On the Markey/Hatch student privacy bill

Rachael Stickland, co-chair of the Parent Coalition for Student Privacy, said: “Though we appreciate the effort that Senators Markey and Hatch have undertaken on behalf of better privacy protections for students, their proposed legislative fix falls short of what’s needed; it sets no specific security standards for the storage or transmission of children’s personal information, allows unlimited disclosures and redisclosures  to for-profit vendors and other third parties without parental consent as long as the data isn’t used for marketing purposes, and doesn’t even require that schools and districts inform parents as to what personal information is being shared with which particular vendors.  Thus the clause that requires that parents be able to amend the information held by the vendor is nonsensical as its unclear how they would even know who to contact.” 

Said Leonie Haimson, the other co-chair of the Parent Coalition, “Nothing in this bill would have stopped the outrageous data-grab of inBloom, or any of the other companies set to take its place. We need a far stronger bill to do the job that parents are demanding:  protecting their children’s privacy and safety from breaches and  unwarranted data-mining.”

###

The link to the “Protecting Student Privacy Act ” is here.