
MEMO

To: Interested Colleagues


From: Barmak Nassirian
Subject: Quick Review of Markey-Hatch FERPA Amendment
Date: July 30, 2014

This is done too quickly to be comprehensive, but is intended as a first reaction to the language.

1- The bill is very narrow and does not attempt to address the main objections raised by parents and
privacy advocates about the ways in which the 2008 and 2011 FERPA regs undermined
educational privacy rights. Specific topics like the 2011 regs' definition of "education program,"
or "authorized representative" are left unresolved, with "authorized representative" only being
referenced (infelicitously at that, since a comma is missing on page 2, line 23 before "and") as an
outside party that would be subject to unspecified security requirements.
2- On the affirmative front, the language does specifically condition receipt of federal funds on
protection of personally identifiable information, and requires ed agencies and institutions to
impose that same requirement on any outside parties to whom they disclose PII. The problem
here is that "protection" is undefined, and more importantly, that the issue is not so much
protection of records from unauthorized access, but limiting the universe of entities and
individuals who may inappropriately be granted authorized access. (Page 2, new section (4)(A)
lines 7-19)
3- The language prohibits receipt of federal funds by programs that use or disclose PII to advertise
or market a product or service. This language is incomplete and problematic at a couple of
levels. First, why not, at the very least, ban all commercial uses of PII? Why only marketing and
advertising, but not sale of PII to improve software, develop for-profit tests, or design products?
Second, there's no distinction made between directory and non-directory information. (Would
providing a list of students to a photographer taking yearbook pictures be a violation?) Finally,
no distinction is made between non-consensual and consensual disclosures. The most
comprehensive solution would be to ban all commercial uses as well as non-consensual
disclosures to any entity without a "legitimate educational interest" as that term is defined and
applied to school officials. There may have to be targeted exceptions for disclosures like
transcripts (involving fees and very sensitive PII) or transactional interactions like the
photographer example above. (New Section 5, page 3, lines 3-10)
4- The amendment imposes new requirements on outside parties that are intended to parallel the
inspection, correction, amendment provisions of existing law, but do so in an unorthodox and
problematic way. First, absent a parallel notice requirement to parents and students, how would
they even know about disclosure of PII to outside parties? Second, probably inadvertently but
maybe not, the rights are provided for parents but not for students themselves, which opens a
huge and very messy can of worms particularly with regard to postsecondary students. (I couldn't
review my records at my age, but my parents could?) Third, the language departs from the
standard "inspection, correction, or amendment" and expands the list to "challenge, correct, or
delete." While this confusing language may arguably be viewed as an expansion of privacy rights,
the rest of the sentence immediately takes back what the bill giveth, by limiting the rights only to
"inaccurate, misleading, or otherwise inappropriate" data which are left undefined. Current law,
of course, makes no such distinctions, and imposes no such limitations or burdens on students or
parents, who may amend the record, with no mandate for adjudicating the veracity of its
contents, as they see fit. (Page 3, line 11 through page 4, line 17)
5- The new section (7) in the bill explicitly requires data minimization, but proceeds to define it in a
most unconventional manner as attempting to respond to "appropriate" (i.e., Legally allowed?
Legally required? Something else?) requests for PII through provision of de-identified data, if
such de-identified data meet the effective purpose of the request. Leaving the obscurity and
vagueness of the terms aside, this language is oblivious to the enormous difficulty of robust de-
identification (which goes well beyond dropping names and SSNs) and the relative ease of re-
identification of putatively anonymized records. Subsection (B) of this section adds a data
retention rule, which would require that data be destroyed once the original purpose for their
initial disclosure has been met. This is a positive improvement on current law. (Page 4, line 18
through page 5, line 6.)
