NISO Lightning Overview: Privacy Law & Libraries
Micah Altman
Director of Research
MIT Libraries
Prepared for
NISO Workshop on Patron Privacy
Online
June 2015
Privacy Law & Libraries
DISCLAIMER: These opinions are my own; they are not the opinions of MIT, Brookings, any of the project funders, nor (with the exception of co-authored previously published work) my collaborators.
Secondary disclaimer:
“It’s tough to make predictions, especially about the future!”
-- Attributed to Woody Allen, Yogi Berra, Niels Bohr, Vint Cerf, Winston Churchill, Confucius, Disreali [sic], Freeman Dyson, Cecil B. DeMille, Albert Einstein, Enrico Fermi, Edgar R. Fiedler, Bob Fourer, Sam Goldwyn, Allan Lamport, Groucho Marx, Dan Quayle, George Bernard Shaw, Casey Stengel, Will Rogers, M. Taub, Mark Twain, Kerr L. White, etc.
Collaborators & Co-Conspirators
Privacy Tools for Sharing Research Data Team (Salil Vadhan, P.I.): http://privacytools.seas.harvard.edu/people
Research Support: supported in part by NSF grant CNS-1237235
Related Work
Main Project: Privacy Tools for Sharing Research Data, http://privacytools.seas.harvard.edu/
Related publications:
• Novak, K., Altman, M., Broch, E., Carroll, J. M., Clemins, P. J., Fournier, D., Laevart, C., et al. (2011). Communicating Science and Engineering Data in the Information Age. Computer Science and Telecommunications Board, National Academies Press.
• Vadhan, S., et al. 2011. “Re: Advance Notice of Proposed Rulemaking: Human Subjects Research Protections.”
• Altman, M., D. O’Brien, S. Vadhan, A. Wood. 2014. “Big Data Study: Request for Information.”
• O’Brien, et al. 2015. “When Is Information Purely Public?” (Mar. 27, 2015). Berkman Center Research Publication No. 2015-7.
• Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research Publication No. 2014-12.
• Altman, M., A. Wood, D. O’Brien, U. Gasser. Forthcoming. Towards a Modern Approach to Privacy-Aware Government Data Releases. Berkeley Journal of Law and Technology.
Slides and reprints available from: informatics.mit.edu
Legal Constraints are Complicated
(Slide figure: a cloud of overlapping legal regimes, grouped under four headings: Contract, Intellectual Property, Access Rights, Confidentiality.)
Regimes shown: Copyright; Fair Use; DMCA; Database Rights; Moral Rights; Attribution; Trade Secret; Patent; Trademark; Common Rule (45 CFR 46); HIPAA; FERPA; EU Privacy Directive; Privacy Torts (Invasion, Defamation); Rights of Publicity; Sensitive but Unclassified; Potentially Harmful (Archeological Sites, Endangered Species, Animal Testing, …); Classified; FOIA; CIPSEA; State Privacy Laws; EAR; State FOI Laws; Journal Replication Requirements; Funder Open Access; Contract; License; Click-Wrap TOU; ITAR; Export Restrictions.
Some Overarching Principles for Consideration
Fair Information Practice:
• Notice/awareness
• Choice/consent
• Access/participation (verification, accuracy, correction)
• Integrity/security
• Enforcement/redress (self-regulation; private remedies; government enforcement)
Privacy by Design:
• Proactive not reactive; preventative not remedial
• Privacy as the default setting
• Privacy embedded into design
• Full functionality: positive-sum, not zero-sum
• End-to-end security: full lifecycle protection
• Visibility and transparency: keep it open
• Respect for user privacy: keep it user-centric
OECD Principles:
• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Openness
• Individual participation
• Accountability
General Categories of Regulatory Action
• Technical requirements. Common restrictions: storage, transmission, destruction. Example: 201 CMR 17 requires encrypted transmission.
• Process requirements. Common restrictions: vetting, audit, notification. Example: HIPAA breach notification.
• Civil and criminal. Common: right of civil action, fines. Example: Title 13, criminal penalties.
General Triggers for Regulatory Concern
• Data collector / controller characteristics. E.g.: location of business entity, nexus of business activity, certification of controller, classification of controller.
• Data subject characteristics. E.g.: location of residence of individual; age of individual; business relationship with individual.
• Data characteristics. E.g.: scope / domain; identifiability; sensitivity.
See: Wood et al. 2014
Example Controls Across Lifecycle
Lifecycle stage: collection controls (consent, purpose); transformation controls (encryption, redaction); retention controls (breach notification, firewalls); access controls (data usage agreement, access control); post-access (auditing).
Control type: procedural, educational, legal, technical, physical.
Specificity: Principle > Family > Control > Implementation > Product
Collection
• Ingestion, acquisition, receipt, or acceptance
• Includes context of collection
Transformation
• Processing of the data prior to non-transient storage
• Includes structural transformations such as encryption, and semantic transformations such as data reduction
Retention
• Non-transient storage by entity
• Includes storage by a third party acting under direction of the entity
Access/Release
• Access to data by a party not acting under the direction of the entity
• Includes access to transformations, subsets, aggregates and derivatives such as model results and visualizations
Post-Access
• Availability and operations on data (and subsets, etc.) that has been passed to third parties
• Includes any subsequent downstream access
See: Altman et al., 2015
Laws Most Commonly Relevant to Patron Information
Federal
• FERPA. Protects student “records”: covers most information collected from or describing students within institutions receiving federal funding.
• Patriot Act. Expands government surveillance powers.
• COPPA. Applies to online collection of personal information from children under 13.
• Torts. Public disclosure of embarrassing private facts. (General tort, but requires a nexus between specific harm, specific data release, and specific person.)
State
• Library records. Specific state laws affecting library records. Ranges from no protection, to exemption from FOI, to confidentiality. (Almost always focuses only on disclosure of identified information. Often does not specify enforcement.)
• Privacy / personal information. Typically imposes controls on core financial information and on use of official identifiers such as SSNs and driver’s licenses, collected in state / from state residents.
• Freedom of Information (FOI). Gives rights to access information collected by state institutions, such as state universities; libraries are sometimes carved out under library record law.
Contract
• PCI. Credit card/payment information controls, imposed by credit card vendors.
• Individual contracts. For infrastructure/service/software/content licenses.
See: R.E. Smith 2013 for an overview.
Possible Approach to Meeting Legal Requirements
PII control
• Define PII to include HIPAA identifiers 4-17, full addresses, and full birthdates.
• Perform an inventory to identify PII being collected: review processes and systems (including licensed third-party systems) for PII collection.
• Reduce PII at collection.
• Redact PII before long-term retention where possible.
• Redact PII before access/dissemination by third parties.
Technical controls
• Use whole-disk/filesystem encryption to protect PII at rest.
• Use end-to-end encryption to protect PII in motion.
• Use good practice (as defined below) to protect systems.
• Scan for sensitive information regularly.
• Build/configure to checklist.
• Be thorough in disposal of information.
Process controls
• Develop a privacy policy that covers: notice, collection, retention, destruction, access, notification.
• Develop third-party contract riders and patron privacy notices; publish public privacy notices; publish the privacy policy.
• Develop procedures, incorporating good practice, for: system build/configure to checklist; staff training; breach notification; incident response; records request response; auditing and monitoring of internal systems and third parties.
For “good practice”, use MA 201 CMR 17 as a baseline for process and technical controls.
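The inventory, reduce-at-collection and redact-before-retention steps above, as an added worked example that is not part of the slides and not code from MIT Libraries: a small Python scanner that runs over constructed ILS-style log lines. The regexes cover a subset of the HIPAA Safe Harbor identifiers the slide's PII definition uses (4 telephone, 6 e-mail, 7 SSN, 15 IP address) plus a labelled full birthdate; the field names (patron=, dob=, ssn=, note=) and the log lines themselves are invented for the example.

```python
"""Added example: inventory, reduce and redact patron PII in constructed log lines."""
import re
from collections import Counter

# Regexes for HIPAA Safe Harbor identifiers 4 (phone), 6 (e-mail), 7 (SSN) and
# 15 (IP address), plus a labelled full birthdate.  Order matters: SSN runs
# before phone so that 123-45-6789 is never half-matched as a phone number.
PII_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("phone", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)")),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    # Only a date labelled as a birthdate counts as PII; bare event timestamps
    # stay, so every line's time field is not blanked by a generic date regex.
    ("dob",   re.compile(r"\b(?:dob|birth(?:date)?)[=: ]+(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})", re.I)),
]

# Constructed sample log: circulation, interlibrary loan and registration events.
LOG = [
    "2015-06-10 14:22:01 circ checkout patron=P00917 item=31234001122334 ip=192.0.2.44",
    "2015-06-10 14:23:15 ill request patron=P00917 contact=jane.doe@example.edu phone=(617) 555-0199",
    "2015-06-10 14:25:40 registration patron=P01102 dob=1987-04-12 ssn=123-45-6789 note=call 617-555-0133 after 5pm",
]


def inventory(lines):
    """Count PII hits per category across all lines (the 'perform an inventory' step)."""
    counts = Counter()
    for line in lines:
        for name, pattern in PII_PATTERNS:
            counts[name] += len(pattern.findall(line))
    return counts


def reduce_at_collection(line, drop_fields=("ssn", "dob")):
    """Drop whole key=value fields the service never needed to log.

    Free-text fields (note=...) can still carry PII, which is why a regex
    sweep is still needed before retention or release.
    """
    kept = [tok for tok in line.split(" ") if tok.split("=", 1)[0].lower() not in drop_fields]
    return " ".join(kept)


def redact(line):
    """Replace every PII match with a category token such as [EMAIL]."""
    for name, pattern in PII_PATTERNS:
        token = "[%s]" % name.upper()
        if pattern.groups:
            # Keep the label (dob=) and replace only the captured value.
            line = pattern.sub(lambda m, t=token: m.group(0)[: m.start(1) - m.start(0)] + t, line)
        else:
            line = pattern.sub(token, line)
    return line


if __name__ == "__main__":
    print("inventory:", dict(inventory(LOG)))
    for raw in LOG:
        print(redact(reduce_at_collection(raw)))
```

Run the inventory first over a sample of real logs to learn which fields and free-text notes leak identifiers, then decide per field whether to stop collecting it or to redact it; the patron identifier is kept here because the circulation system still needs it during retention, but it remains linkable and falls under redaction before any third-party release.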
Possible Approach: Caveats
• Although 201 CMR 17 appears to require the most extensive set of technical requirements among state privacy laws, no published analysis exists that describes the requirements for meeting all state laws collectively.
• Redaction is likely sufficient for state laws; it may not be sufficient in all circumstances for FERPA, for protection against torts, to prevent harm from disclosure, or for international laws.
• The need for redaction may be avoided in many cases by obtaining consent for sharing of information beforehand.
• Law in other countries varies and may require different practices; although likely similar, it may require explicit consent for specific uses at collection.
References
Altman, M., A. Wood, D. O’Brien, U. Gasser. Forthcoming. Towards a Modern Approach to Privacy-Aware Government Data Releases. Berkeley Journal of Law and Technology.
Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research Publication No. 2014-12.
Smith, R.E. 2013 (supplemented 2015). Compilation of State and Federal Privacy Laws. Privacy Journal.
Creative Commons License
This work, Managing Confidential Information in Research, by Micah Altman (http://redistricting.info), is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Appendix: “Good Practice”
System setup
• Use a virus checker
• Use a host-based firewall
• Strong credentials
• Use a locking screen-saver
• Lock default/open accounts
• Regularly scan for sensitive information
• Update your software regularly: OS, apps, virus definitions
Disposal
• Physical: place in a designated, locked shredder bin; use a cross-cut shredder
• Digital: use whole-disk encryption from cradle to grave, OR use a certified/verified secure disk eraser
Server setup
• Passwords should never be shared across accounts or people
• Password guessing restrictions
• Idle session locking (or use it on all clients)
• No password retrieval
• Keep access logs
Behavior
• Don’t share accounts or passwords
• Don’t use administrative accounts all the time
• Don’t run programs from untrusted sources
• Don’t give out your password to anyone
• Have a process for revoking user access when no longer needed/authorized
• Documented breach reporting procedure
• Users should have appropriate training
Credential management
• Store passwords in a manner that can’t be retrieved
• Never transmit passwords unencrypted
• Protect against interactive password guessing
• Choose passwords that cannot be easily guessed
• *Force change of server-assigned passwords
• *Enforce password complexity requirements (checks with dictionaries, dates, common algorithms)
• *Password length minimum 8 characters; 12 if feasible for logins; 16 for passphrases used as part of decryption/encryption
• *Key length minimum: 256 bits (private key); 2048 bits (public key)
• *Use multi-factor authentication where feasible
Based on: 201 CMR 17, with additions marked by *
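The credential-management items above (non-retrievable storage, no unencrypted retrieval, guessing protection, dictionary/date/complexity checks, minimum length, forced change of server-assigned passwords), as an added worked example in Python that is not part of the slides and not code from MIT Libraries or from 201 CMR 17: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, a policy check rejects weak choices, and a per-account limiter locks out interactive guessing. The dictionary, the 12-character minimum, the iteration count and the lockout thresholds are assumptions chosen for the example; tune them to your environment.

```python
"""Added example: non-retrievable password storage, policy checks and guess limiting."""
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor (assumption; raise as hardware allows)
MIN_LOGIN_LEN = 12          # slide: minimum 8, 12 if feasible for logins
# Tiny constructed stand-in for a breached-password list; use a real one in production.
DICTIONARY = {"password", "library", "letmein", "welcome", "qwerty"}
DATE_LIKE = re.compile(r"(?:19|20)\d{2}|\d{1,2}/\d{1,2}/\d{2,4}")
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def check_policy(password, username):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LOGIN_LEN:
        problems.append("shorter than %d characters" % MIN_LOGIN_LEN)
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if username.lower() in lowered:
        problems.append("contains the username")
    if DATE_LIKE.search(password):
        problems.append("contains a date")
    if sum(bool(re.search(c, password)) for c in CLASSES) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def hash_password(password, server_assigned=False):
    """Store a random salt and an iterated hash only; the plaintext is not recoverable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iterations": ITERATIONS, "salt": salt.hex(),
            "hash": digest.hex(), "must_change": server_assigned}


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class GuessLimiter:
    """Per-account lockout after repeated failures; `now` is passed in so it is testable."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state = {}  # username -> (failure_count, last_failure_time)

    def allowed(self, username, now):
        count, last = self._state.get(username, (0, 0.0))
        if count >= self.max_failures:
            if now - last < self.lockout_seconds:
                return False
            self._state.pop(username, None)  # lockout window has expired
        return True

    def record_failure(self, username, now):
        count, _ = self._state.get(username, (0, 0.0))
        self._state[username] = (count + 1, now)

    def record_success(self, username):
        self._state.pop(username, None)


# Used for unknown usernames so an attempt costs the same time whether or not
# the account exists (no account enumeration through response timing).
_DUMMY_RECORD = hash_password("placeholder-not-a-real-password")


def login(username, password, records, limiter, now):
    """Return (success, reason) for one interactive login attempt."""
    if not limiter.allowed(username, now):
        return (False, "locked out")
    record = records.get(username, _DUMMY_RECORD)
    if not (verify_password(password, record) and username in records):
        limiter.record_failure(username, now)
        return (False, "bad credentials")
    limiter.record_success(username)
    return (True, "must change password" if record["must_change"] else "ok")


if __name__ == "__main__":
    users = {"alice": hash_password("Tq7!vbn2Xz9@")}
    limiter = GuessLimiter(max_failures=3)
    print(check_policy("password1", "alice"))
    for attempt in ("wrong", "wrong", "wrong", "Tq7!vbn2Xz9@"):
        print(login("alice", attempt, users, limiter, now=0.0))
```

The record deliberately holds nothing from which the password can be reconstructed, so a "password retrieval" feature cannot exist; a forgotten password must go through a reset that issues a server-assigned temporary value with `must_change` set, which the login path then reports. The limiter keys on the account rather than the source address because interactive guessing against library accounts is routinely spread across many clients.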
Appendix: State Law Summary
• No specific statutory protection: KY, TX, UT, HI
• Protected from FOI/gov. public records: CA, CO, IA, MD, ND, OR, VT, VA, WA
• Not public: DE, IN (not releasable), MA, MN (private), RI, WY (not open for inspection)
• Confidential, except for court order: AK, AZ, DC, FL, LA, ME, MI, MS (except minors), MO, MT, NB, NH (other statutory exceptions), NJ, NM (except minors), NY (specific records), NC, PA, SC, SD (except minors), TN (except for seeking reimbursement), WV (protected, except minors), WU
• Confidential: AL, AR, CT, GA, IL, KS, NE, OK (shall not disclose)