
Page 1: Privacy In Academia

Privacy In Academia

Prepared for Florida State University

Susan Blair, MSJ, MBA, CIPP, CCEP, CIA
UF Chief Privacy Officer

University of Florida

January 26, 2012

Page 2: Privacy In Academia

Why establish a Privacy Office?

• Manage student, faculty, staff, and third party privacy expectations

• An accepted business practice, and in some cases a regulatory requirement

• Reduce institutional risk by encouraging compliance

• Has become a mainstream function: there is now a network of 70 university and college CPOs

• Impending US Department of Education site visits and audits

Page 3: Privacy In Academia

Goals of this Meeting

• To provide rationale for establishing a Privacy Office

• To describe the Role of the Chief Privacy Officer

• To define restricted information and identify the scope of UF’s Privacy Office

• To make you aware of the most relevant privacy laws and their impact on UF

• To outline UF’s greatest privacy risks

• To answer your questions about establishing a Privacy Office at FSU

Page 4: Privacy In Academia

Structure & Organization (reporting chart from the slide)

• Vice President for Human Resources
– Chief Privacy Officer, overseeing:
– UF Jacksonville
– IRBs and Privacy Board (Research)
– UF Medical Affiliated Entities
– UF Medical Components
– Shands Privacy Initiatives
– All Other UF Colleges, Departments, and Affiliates
– UF Information Security Initiatives

Page 5: Privacy In Academia

Role of UF’s Chief Privacy Officer

• Position required by healthcare regulation (HIPAA), effective April 2003; expanded to campus-wide scope in 2007

• Analyze relevant privacy regulations; assess institution privacy-related risks; provide oversight for regulatory compliance; track results

• Develop and implement strategies, policies, and procedures

• Act as central contact and investigation authority for privacy complaints, alleged breaches and notifications

• Recommend disciplinary actions, up to and including dismissal

Page 6: Privacy In Academia

What is Restricted Information?

• Any and all personal identification information, protected health information, financial information, and other information protected by law, in any format (paper, electronic, or other).

• Examples include:
– Medical records and medical record numbers;
– Student UFID numbers, grades, schedules, records, and reports;
– Human resource data, including disciplinary actions;
– Florida driver's license numbers;
– Social Security numbers; and
– Any financial account information, including credit and debit card numbers.
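Two of the categories above, Social Security numbers and card numbers, are the ones a privacy office most often has to find in files, mailboxes and exports after a suspected exposure. The scanner below is an added example and is not part of the UF deck or any UF tool. It shows why a bare regular expression over-reports and how structural validation (the SSA's never-issued SSN ranges, the Luhn check digit on card PANs) cuts the noise. The sample text is constructed for the example; UFID and card formats other than dashed SSNs and 13-19 digit PANs are out of scope here.

```python
import re

# Constructed sample text for this example (not from the slide deck): a mix of
# identifiers that are structurally valid and ones that only look like SSNs or
# card numbers, to show why pattern matching alone over-reports.
SAMPLE_TEXT = """
Student record export - grades attached.
SSN: 219-09-9999  (structurally valid: restricted, must be reported)
SSN: 000-12-3456  (area 000 is never issued)
SSN: 666-12-3456  (area 666 is never issued)
SSN: 123-45-0000  (serial 0000 is never issued)
Card: 4111 1111 1111 1111  (well-known Visa test number, passes Luhn)
Card: 4111 1111 1111 1112  (fails Luhn: a typo or an order number, not a PAN)
Ticket opened 2012-01-26, UFID 1234-5678
"""

# US SSN in the dashed ddd-dd-dddd form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens (the PAN
# lengths used by the major card brands).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check-digit validation, as used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    if area in ("000", "666") or int(area) >= 900:
        return False
    return group != "00" and serial != "0000"


def find_restricted(text: str) -> dict:
    """Return the SSNs and card numbers in text that survive structural
    validation. Card numbers are normalised to digits only."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": ssns, "card": cards}


def raw_hit_count(text: str) -> int:
    """Number of regex hits before validation, for comparison."""
    return len(SSN_RE.findall(text)) + len(CARD_RE.findall(text))


if __name__ == "__main__":
    hits = find_restricted(SAMPLE_TEXT)
    print(f"raw pattern hits: {raw_hit_count(SAMPLE_TEXT)}")
    print(f"validated: {hits}")
```

On the sample, six regex hits shrink to one SSN and one card number. A validated hit still only tells you a record looks like restricted data; confirming whether it is a real identifier and whether it was exposed is the privacy office's job, which is why the deck's principles say to report first and investigate centrally.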

Page 7: Privacy In Academia

Privacy & Confidentiality Defined

• Privacy
– Freedom from intrusion or observation
– Maintaining control over personal information
– Not an enumerated US Constitutional right, but it is in the Florida Constitution (Article I, Section 23): "Every natural person has the right to be let alone and free from governmental intrusion into the person's private life." Exception: the section does not limit the public's right of access to public records and meetings as provided by law.

• Confidentiality
– Only permitting certain authorized persons to have information, with the understanding that they will not share the information except with other authorized persons

Page 8: Privacy In Academia

Scope of Privacy Regulations at UF - Federal

• Federal Statutes
– Family Educational Rights and Privacy Act (FERPA)
– Privacy Act of 1974
– USA PATRIOT Act
– Gramm-Leach-Bliley Act
– Fair Credit Reporting Act
– Right to Financial Privacy Act
– Children's Online Privacy Protection Act (COPPA)
– Electronic Communications Privacy Act
– Stored Wire and Electronic Communications Act (Title II of ECPA)
– Cable Communications Policy Act
– Health laws

• Health Insurance Portability & Accountability Act (HIPAA) for medical components: faculty practice plans, HSC Colleges, CLAS, IFAS, Student Health Care Center, Institutional Review Boards, Benefit and Disability Plans, and UF Foundation

• Americans with Disabilities Act

Page 9: Privacy In Academia

Scope of Privacy Regulations at UF - State

• Florida Statutes with privacy requirements
– Chapter 90: Evidence
– Chapter 119: Public Records
– Section 381.004: HIV Testing
– Chapter 384: Sexually Transmissible Diseases
– Chapter 385: Chronic Diseases (Cancer Registry)
– Chapter 392: TB Control
– Chapter 393: Developmental Disabilities
– Chapter 394: Mental Health
– Chapter 395: Hospitals
– Chapter 397: Substance Abuse
– Chapter 400: Nursing Homes, Hospices
– Chapter 405: Medical Research
– Chapter 440: Workers' Compensation
– Chapters 456-468: Health Professions
– Chapter 501: Consumer Protection
– Chapter 817: Privacy Breach Notification (s. 817.5681)
– Chapters 1002-1006: Education Records

Page 10: Privacy In Academia

Scope – National & International

• National Industry Standards
– Payment Card Industry Data Security Standard (PCI DSS)

• International Privacy Laws
– US: Department of Commerce's Safe Harbor Privacy Principles
– Europe: Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms; EU Data Protection Directive, Art. 1-33
– Canada: Personal Information Protection & Electronic Documents Act (PIPEDA)
– Additional regulations: Argentina, Australia, Hungary, Iceland, Ireland, Japan, the Netherlands, and elsewhere

• Emerging Regulatory Changes
– American Recovery and Reinvestment Act (ARRA)/HITECH
– State Attorney General prosecutions under HIPAA/HITECH
– FTC "Privacy Framework"

Page 11: Privacy In Academia

Upcoming Legislative Actions

• Eighteen proposed federal privacy bills that would affect higher education, including the Data Privacy & Security Act of 2011 (three versions in the US Senate)

• Implementation of NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

• FTC investigations of privacy and security complaints, e.g. Facebook cookies

• FERPA revisions, fall 2011

• PCI DSS guideline revisions, 2012

• New international privacy laws, e.g. India, Korea

• International debate on the privacy of ancient human remains, or "Do Mummies Have the Right to Privacy?"

Page 12: Privacy In Academia

Five Privacy Protection Principles

• Controls: Limited, role-based access to data
– Define the individuals and roles permitted to access Restricted Data
– Appoint Data Custodians to manage systems used with Restricted Data

• Boundaries: Authorizations to use or disclose data
– Authorize the systems permitted for use with Restricted Data
– Authorize the locations where Restricted Data can be used
– Authorize the purposes and scope of Restricted Data disclosures

• Safeguards: Measures to protect Restricted Data
– Administrative: staffing, policies & procedures, training
– Physical: locks, barriers, screens, etc.
– Technical: computer accounts, passwords, audits

• Accountability: Uniformly enforce UF policies to protect Restricted Data
– Immediately report exposures of Restricted Data to the UF Privacy Office
– Consistently apply sanctions and penalties

• Balance: Individual privacy and University interests

Page 13: Privacy In Academia

Top Three Danger Zones

• Family Educational Rights and Privacy Act (FERPA): Student Records
– Authorizes the Secretary of Education to terminate all federal education funding if a university fails to comply with the statute

• Health Insurance Portability & Accountability Act (HIPAA): Protected Health Information
– Civil penalties and DOJ criminal prosecutions, which may result in fines and up to ten years of imprisonment

• Payment Card Industry Data Security Standard (PCI DSS): Credit Card Information
– Noncompliant entities may be fined $500,000 per incident if cardholder information is compromised, and card processing privileges may be revoked

• Upcoming FTC Red Flags and Privacy Framework

Page 14: Privacy In Academia

Number One Crisis

All varieties of data breach at educational institutions: hacking, loss of a portable device, unintentional disclosure, insider breach, etc.

Year   Number of Breaches   Number of Records
2005   64                   1,886,841
2006   103                  2,019,119
2007   107                  791,938
2008   103                  1,107,001
2009   71                   1,062,275
2010   73                   1,575,698
2011   57                   394,008

Source: Privacy Rights Clearinghouse

Page 15: Privacy In Academia

Total UF Incidents: 2005 - 2011 (chart; data not reproduced in the transcript)

Page 16: Privacy In Academia

It’s Not Alphabet Soup …

Page 17: Privacy In Academia

When in Doubt … Call First

• Susan Blair, CPO
Room G24, Tigert Hall
(352) 273-1212

• Hotline: 866-876-4472

• Website: http://privacy.ufl.edu

• Emails: [email protected] or [email protected]