“Big Data” for Educational Institutions: A Framework for Addressing Privacy Compliance and Legal Considerations
Of course, as one can imagine, Big Data projects using student-related information can implicate significant privacy issues. Schools are regulated under the Family Educational Rights and Privacy Act (FERPA) and, depending on a school's specific activities, may be subject to GLB and HIPAA. In addition, many educational institutions have internal policies and public-facing privacy policies that apply to, and may limit, the collection, use and disclosure of student personal information. The impact of applicable privacy laws and existing privacy-related policies should be taken into account well before engaging in a Big Data project. We have looked at Big Data privacy issues generally before, and the following is a framework for analyzing high-level legal considerations and action items for educational institutions considering Big Data projects involving student-related information.
Big Data Privacy Legal Analysis Framework for Educational Institutions
The following considerations, analysis and actions may be appropriate for educational institutions considering Big Data projects involving student-related information:
- Data Element and Flow Analysis. Analyze and understand the source and nature of the data elements that will be disclosed/analyzed as part of the Big Data project. Different types of data elements implicate different compliance and privacy concerns. The source of the data may indicate the compliance regimes and policies that apply to particular data elements, and how particular data elements may be used and disclosed. In addition, after gaining a detailed understanding of the data elements at issue, educational institutions may choose to not use certain data elements or modify their use and disclosure of personal data in order to minimize compliance and privacy concerns.
- FERPA Compliance. Establish a FERPA basis for disclosure of student personally identifiable information. Even if an educational institution does not have student consent, a separate legal basis may exist under FERPA that allows for the use and disclosure of student information, usually subject to specific limitations.
- Compliance with other Privacy Laws. If applicable, establish a basis for disclosure of student personally identifiable information with respect to other relevant privacy laws, including without limitation, Gramm-Leach-Bliley and HIPAA.
- Policy Review and Analysis. Review and analyze existing privacy policies (and similar) of the educational institution related to the data elements that will be disclosed/analyzed as part of the Big Data project in order to determine whether any limitations have been communicated concerning the disclosure and use of personally identifiable information.
- Policy Updating and Development. Develop additional privacy notices and/or revise old privacy notices to establish a basis for disclosure and use of personally identifiable information for the project (and future Big Data projects).
- De-Identification Strategies and Considerations. Develop strategies concerning de-identification of personally identifiable information, including without limitation, strategies related to the methodology for de-identification, addressing the risk of re-identification, internal versus external de-identification (via a third party), and bifurcating de-identification and data analysis.
- Student Relations and Legal Risk. Consider student and parent reaction to the Big Data project and how to best communicate with stakeholders to ensure buy-in and decrease legal risk. This is a public relations function, but it can impact the chances of regulatory scrutiny or litigation. Educational institutions should strive to make communications clear, consistent and unified with respect to all channels and policies.
- Third Party Big Data Analytics Providers. If third party vendors are to be used for de-identification and/or analysis, draft and negotiate substantive service agreements and data sharing agreements, including terms establishing a FERPA basis for disclosure of personally identifiable information, limitations on use of personally identifiable information, security requirements, security breach obligations and indemnification and liability provisions related to handling and use of personally identifiable information.
The list is not exhaustive, and additional considerations and analysis are necessary to address the specific compliance and legal issues and risks associated with such projects. Each Big Data project will typically present its own set of privacy concerns and legal wrinkles, and analysis of the specific circumstances is necessary in each case. Overall, in the coming months and years, most educational institutions and school administrators should expect to deal with Big Data and advanced analytics, as well as the privacy, compliance and public relations issues associated with them. InfoLawGroup will be tracking these issues and writing about them here, so stay tuned.