Post on 19-Jan-2016
Privacy In Academia
Prepared for Florida State University
Susan Blair, MSJ, MBA, CIPP, CCEP, CIA
UF Chief Privacy Officer
University of Florida
January 26, 2012
Why establish a Privacy Office?
• Manage student, faculty, staff, and third party privacy expectations
• Either an accepted business practice or possible regulatory requirement
• Reduce institutional risk by encouraging compliance
• Has become a mainstream practice; there is now a network of 70 university and college CPOs
• Impending US Department of Education site visits and audits
Goals of this Meeting
• To provide rationale for establishing a Privacy Office
• To describe the Role of the Chief Privacy Officer
• To define restricted information and identify the scope of UF’s Privacy Office
• To make you aware of the most relevant privacy laws and their impact on UF
• To outline UF’s greatest privacy risks
• To answer your questions about establishing a Privacy Office at FSU
Structure & Organization
(Organization chart)
• Vice President for Human Resources
• Chief Privacy Officer
• UF Jacksonville
• IRBs and Privacy Board (Research)
• UF Medical Affiliated Entities
• UF Medical Components
• Shands Privacy Initiatives
• All Other UF Colleges, Departments, and Affiliates
• UF Information Security Initiatives
Role of UF’s Chief Privacy Officer
• Required by healthcare regulation, effective April 2003; expanded to campus-wide scope in 2007
• Analyze relevant privacy regulations; assess institution privacy-related risks; provide oversight for regulatory compliance; track results
• Develop and implement strategies, policies, and procedures
• Act as central contact and investigation authority for privacy complaints, alleged breaches and notifications
• Recommend disciplinary actions, up to and including dismissal
What is Restricted Information?
• Any and all personal identification information, protected health information, financial information, and other information protected by law in any format (paper, electronic, or other).
• Examples include:
– Medical records and medical record numbers;
– Student UFID numbers, grades, schedules, records, and reports;
– Human resource data, including disciplinary actions;
– Florida Driver's License numbers;
– Social security numbers; and
– Any financial account information, including credit and debit card numbers.
Privacy & Confidentiality Defined
• Privacy
– Freedom from intrusion or observation
– Maintaining control over personal information
– Not a US Constitutional right, but it is in the Florida Constitution (Article One, Section 23): “Every natural person has the right to be let alone and free from governmental intrusion into the person's private life”; exception: this does not limit the public's right of access to public records and meetings as provided by law.
• Confidentiality
– Only permitting certain authorized persons to have information, with the understanding that they will not share the information except with other authorized persons
Scope of Privacy Regulations at UF - Federal
• Federal Statutes
– Family Educational Rights and Privacy Act (FERPA)
– Privacy Act of 1974
– Patriot Act
– Gramm-Leach-Bliley Act
– Fair Credit Reporting Act
– Right to Financial Privacy Act
– Children’s Online Privacy Protection Act (COPPA)
– Electronic Communications Privacy Act
– Stored Wire and Electronic Communications Act
– Cable Communications Policy Act
– Health laws
• Health Insurance Portability & Accountability Act (HIPAA) for medical components: Faculty practice plans, HSC Colleges, CLAS, IFAS, Student Health Care Center, Institutional Review Boards, Benefit and Disability Plans, and UF Foundation
• Americans with Disabilities Act
Scope of Privacy Regulations at UF - State
• Florida Statutes with privacy requirements
– Chapter 90: Evidence
– Chapter 119: Public Records
– Chapter 381.004: HIV Testing
– Chapter 384: Sexually Transmissible Diseases
– Chapter 385: Chronic Diseases (Cancer Registry)
– Chapter 392: TB Control
– Chapter 393: Developmental Disabilities
– Chapter 394: Mental Health
– Chapter 395: Hospitals
– Chapter 397: Substance Abuse
– Chapter 400: Nursing Homes, Hospices
– Chapter 405: Medical Research
– Chapter 440: Workers’ Compensation
– Chapters 456-468: Health Professions
– Chapter 501: Consumer Protection
– Chapter 817: Privacy Breach Notification
– Chapters 1002-1006: Education Records
Scope – National & International
• National Industry Standards
– Payment Card Industry Data Security Standard (PCI DSS)
• International Privacy Laws
– US: Department of Commerce’s Safe Harbor Privacy Principles
– Europe: Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms; EU Data Protection Directive, Art. 1-33
– Canada: Personal Information Protection & Electronic Documents Act
– Additional Regulations: Argentina, Australia, Hungary, Iceland, Ireland, Japan, the Netherlands, and elsewhere
• Emerging Regulatory Changes
– American Reinvestment and Recovery Act/HITECH
– State Attorney General prosecutions under HIPAA/HITECH
– FTC “Privacy Framework”
Upcoming Legislative Actions
• Eighteen proposed federal privacy bills that would affect higher education, including the Data Privacy & Security Act of 2011 (3 versions in the US Senate)
• Implementation of NIST SP 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
• FTC investigations of privacy and security complaints, e.g. Facebook cookies
• FERPA revision, Fall 2011
• PCI DSS guideline revisions, 2012
• New international privacy laws, e.g. India, Korea
• International debate on the privacy of ancient human remains, or “Do Mummies Have the Right to Privacy?”
Five Privacy Protection Principles
• Controls: Limited, Role-based Access to Data
– Define individuals and roles permitted to access Restricted Data
– Appoint Data Custodians to manage systems used with Restricted Data
• Boundaries: Authorizations to Use or Disclose Data
– Authorize systems permitted for use with Restricted Data
– Authorize locations where Restricted Data can be used
– Authorize purposes and scope of Restricted Data disclosures
• Safeguards: Measures to protect Restricted Data
– Administrative: Staffing, Policies & Procedures, Training
– Physical: Locks, Barriers, Screens, etc.
– Technical: Computer Accounts, Passwords, Audits
• Accountability: Uniformly enforce UF policies to protect Restricted Data
– Immediately report exposures of Restricted Data to the UF Privacy Office
– Consistently apply Sanctions and Penalties
• Balance: Individual Privacy and University Interests
Top Three Danger Zones
• Family Educational Rights and Privacy Act (FERPA): Student Records
– Authorizes the Secretary of Education to end all federal funding if a university fails to comply with the federal statute
• Health Insurance Portability & Accountability Act (HIPAA): Protected Health Information
– Civil penalties and DOJ criminal prosecutions, which may result in fines and up to ten years of jail time
• Payment Card Industry Data Security Standard (PCI DSS): Credit Card Information
– Noncompliant entities may be fined $500,000 per incident if cardholder information is compromised, and processing privileges may be revoked
• Upcoming FTC Red Flags and Privacy Framework
Number One Crisis
All varieties of data breaches at educational institutions: hacking, loss of portable devices, unintentional disclosure, insider breaches, etc.
Year   Number of Breaches   Number of Records
2005   64                   1,886,841
2006   103                  2,019,119
2007   107                  791,938
2008   103                  1,107,001
2009   71                   1,062,275
2010   73                   1,575,698
2011   57                   394,008
Source: Privacy Rights Clearinghouse
Total UF Incidents: 2005 - 2011
It’s Not Alphabet Soup …
When in Doubt … Call First
• Susan Blair, CPO, Room G24, Tigert Hall, (352) 273-1212
• Hotline: 866-876-4472
• Website: http://privacy.ufl.edu
• Emails: sablair@ufl.edu or privacy@ufl.edu