InC-Student: Notes from 9/19/2008
----------------------------------------------
Andrea Beesing, Cornell
Brendan Bellina, USC
Renee Frost, Internet2
Ken Klingenstein, Internet2
Angela Mennitto, Cornell
RL Bob Morgan, Washington
Renee Shuey, Penn State
Ann West, Internet/EDUCAUSE (scribe)

Action Items
-----------------
- Ann will ask Charlie Leonhardt (PESC EA2 chair) to join our next call.
- Karen and Angela will forward out their directory URLs.
- Angela will discuss FERPA and international students/satellite locations with David Yeh and forward the results to the group.
- Ken will update his draft for the next call.

Next Call
------------
Next call is Friday October 3 at 3:00 pm Eastern.

Notes
--------
Notes from 9/5 were approved.

Action item review - The action items from 9/5 were all completed.

CAMP Update -
The draft title and abstract were circulated to the list.

PESC EA2 -
Nancy asked the group to discuss suggestions for the PESC EA2 group (http://www.pesc.org/interior.php?page_id=123) in preparation for their October meeting. The membership comprises a diverse group representing higher ed, government, and corporate sectors. What is that group uniquely positioned to do?
-- Get agreement on general themes (methods of privacy protection, life cycle, how information flows across entities)
-- Look at the horizontals that run across sectors.
-- Do they have interest in K12? This group is increasingly being mentioned in discussions about federations.

[AI] Ann will ask Charlie Leonhardt (PESC EA2 chair) to join our next call.

Discussion of Ken's Attributes Issues Paper -
Click on Attributes and FERPA under Working Group documents

See the notes from 9/5 for background on the development of this paper.

Ken provided a quick overview of the issues he raised in the document.

1) Whether or not attribute-release consent is needed depends on many things, such as institutional policy, national privacy policy, and personal preferences. Are there legal constraints about the release of information beyond FERPA?

2) What if a service provider receives a collection of attributes that taken alone are not PII, but viewed together are? Is this an issue with FERPA? Not currently. FERPA is concerned primarily with identifying public attributes (collectively called directory information). [AI] Karen and Angela will forward out their directory URLs.

3) What about US students studying in Oman? Is the Oman institution bound by FERPA? What if the institution is a satellite of a US university? Does it follow FERPA rules then? Currently, no one has had an instance where a foreign student had approached a US institution and asked that their home privacy policy be followed. [AI] Angela will discuss this with David Yeh and forward the results to the group.

4) The UK has developed a privacy framework where if information release is necessary to support the contract with the student, then the institution doesn't have to seek permission to do so. This action is covered under the contract that the student has approved. In all other cases, the institution must ask for release consent.

Regarding the UK framework, it sounds similar to FERPA: if a third party is under contract with the institution to perform a function that the university would normally do, then the institution can release the information without consent.

According to FERPA, you can release public directory information to anyone without student consent. However, the institution may have stricter rules and may not, say, release lists of student email addresses to third parties.

Ken K asked about the process to review third-party agreements and whether any data release obligations have raised privacy concerns. At Penn State, the purchasing department uses contract boilerplate language and, if needed, sends the contract in question to risk management and the privacy office for a ruling. Has the process ever ended with a recommendation to get users' consent before releasing their information? No, because if we are contracting for a service with a legitimate educational interest that the school would normally provide for itself, the release is allowed under FERPA. Confidentiality doesn't stop someone from participating in a course using an off-campus homework service, for instance.

But what about vendors such as StudentsOnly that sell discounted items to enrolled students? They are not an educational service that the campus would provide, but would like enrollment and name verification from the institution. UWash is working with them to develop an approach that's based on consent through interaction: StudentsOnly displays a privacy policy to the student that informs the person that the company will be asking the institution for "some personal information" and indicates that clicking to proceed verifies that this is okay. So far, the attorneys have made no comments on this approach and UWash is going ahead with it.

How do you decide what's directory information? At PSU, items would be discussed between the registrar and privacy officer. At Cornell, the registrar meets with legal counsel almost every year to tweak their definition. For instance, they just added student photo to their list of public directory information.

The problem comes when students suppress the release of directory information, but don't understand what the implications are. Under this rule, no one outside the institution can access any of the person's information without his or her consent---the suppress flag restricts their directory information across the board. Some feel that this needs to be finer grained, so if individuals are interested in protecting one datum, they can do that. However, we may want to think about this as a timing issue: the consent should occur at the time of the release so there's a transaction context. For instance, "I'll release my name to StudentsOnly, but not to Scientific American."

Ken also asked whether there should be work done to make FERPA directory information consistent across higher ed. Folks speculated that most/many of the directory fields are the same across HE, but that there is a need to have the local customization because of mission and other differences.

The discussion closed with the notion that federations are bringing consistency across identity management infrastructures across R&E. This may not bring normalization of FERPA across the community, but if there are advantages to defining directory information in a particular way, maybe these community practices will incent others to do the same. [AI] Ken will update his draft for the next call.
