Niso library law

NISO Lightning Overview: Privacy Law & Libraries. Micah Altman, Director of Research, MIT Libraries. Prepared for the NISO Workshop on Patron Privacy Online, June 2015.

Transcript of Niso library law

Page 1: Niso library law

NISO Lightning Overview: Privacy Law & Libraries

Micah Altman

Director of Research

MIT Libraries

Prepared for

NISO Workshop on Patron Privacy

Online

June 2015

Page 2: Niso library law

Privacy Law & Libraries

DISCLAIMER: These opinions are my own; they are not the opinions of MIT, Brookings, any of the project funders, nor (with the exception of co-authored previously published work) my collaborators.

Secondary disclaimer:

“It’s tough to make predictions, especially about the future!”

-- Attributed to Woody Allen, Yogi Berra, Niels Bohr, Vint Cerf, Winston Churchill, Confucius, Disreali [sic], Freeman Dyson, Cecil B. Demille, Albert Einstein, Enrico Fermi, Edgar R. Fiedler, Bob Fourer, Sam Goldwyn, Allan Lamport, Groucho Marx, Dan Quayle, George Bernard Shaw, Casey Stengel, Will Rogers, M. Taub, Mark Twain, Kerr L. White, etc.

Page 3: Niso library law


Collaborators & Co-Conspirators

Privacy Tools for Sharing Research Data Team (Salil Vadhan, P.I.): http://privacytools.seas.harvard.edu/people

Research Support

Supported in part by NSF grant CNS-1237235

Page 4: Niso library law


Related Work

Main Project: Privacy Tools for Sharing Research Data, http://privacytools.seas.harvard.edu/

Related publications:

• Novak, K., Altman, M., Broch, E., Carroll, J. M., Clemins, P. J., Fournier, D., Laevart, C., et al. (2011). Communicating Science and Engineering Data in the Information Age. Computer Science and Telecommunications. National Academies Press.

• Vadhan, S., et al. 2011. “Re: Advance Notice of Proposed Rulemaking: Human Subjects Research Protections.”

• Altman, M., D. O’Brien, S. Vadhan, A. Wood. 2014. “Big Data Study: Request for Information.”

• O’Brien, et al. 2015. “When Is Information Purely Public?” (Mar. 27, 2015). Berkman Center Research Publication No. 2015-7.

• Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research Publication No. 2014-12.

• Altman, M., A. Wood, D. O’Brien, U. Gasser. Forthcoming. Towards a Modern Approach to Privacy-Aware Government Data Releases. Berkeley Journal of Law and Technology.

Slides and reprints available from: informatics.mit.edu

Page 5: Niso library law


Legal Constraints are Complicated

[Diagram: a cloud of overlapping legal regimes grouped under four headings. Headings: Contract; Intellectual Property; Access Rights; Confidentiality. Terms shown: Copyright; Fair Use; DMCA; Database Rights; Moral Rights; Attribution; Trade Secret; Patent; Trademark; Common Rule; 45 CFR 26; HIPAA; FERPA; EU Privacy Directive; Privacy Torts (Invasion, Defamation); Rights of Publicity; Sensitive but Unclassified; Potentially Harmful (Archeological Sites, Endangered Species, Animal Testing, …); Classified; FOIA; CIPSEA; State Privacy Laws; EAR; State FOI Laws; Journal Replication Requirements; Funder Open Access; License; Click-Wrap; TOU; ITAR; Export Restrictions.]

Page 6: Niso library law


Some Overarching Principles for Consideration

Fair Information Practice:
• Notice/awareness
• Choice/consent
• Access/participation (verification, accuracy, correction)
• Integrity/security
• Enforcement/redress (self-regulation, private remedies; government enforcement)

Privacy by Design:
• Proactive not reactive; preventative not remedial
• Privacy as the default setting
• Privacy embedded into design
• Full functionality – positive-sum, not zero-sum
• End-to-end security – full lifecycle protection
• Visibility and transparency – keep it open
• Respect for user privacy – keep it user-centric

OECD Principles:
• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Openness
• Individual participation
• Accountability

Page 7: Niso library law


General Categories of Regulatory Action

Technical requirements
• Common restrictions: storage, transmission, destruction
• Example: 201 CMR 15 requires encrypted transmission

Process requirements
• Common restrictions: vetting, audit, notification
• Example: HIPAA breach notification

Civil and criminal
• Common: right of civil action, fines
• Example: Title 13 criminal penalties

Page 8: Niso library law

General Triggers for Regulatory Concern


Data collector / controller characteristics
• E.g.: location of business entity, nexus of business activity, certification of controller, classification of controller

Data subject characteristics
• E.g.: location of residence of individual; age of individual; business relationship with individual

Data characteristics
• E.g.: scope / domain; identifiability; sensitivity

See: Wood et al. 2014

Page 9: Niso library law


Example Controls Across Lifecycle

Lifecycle stage: collection controls (consent, purpose); transformation controls (encryption, redaction); retention controls (breach notification, firewalls); access controls (data usage agreement, access control); post-access controls (auditing)

Control type: procedural, educational, legal, technical, physical

Specificity: Principle > Family > Control > Implementation > Product

Collection
• Ingestion, acquisition, receipt, or acceptance
• Includes context of collection

Transformation
• Processing of the data prior to non-transient storage
• Includes structural transformations such as encryption, and semantic transformations such as data reduction

Retention
• Non-transient storage by entity
• Includes storage by a third party acting under direction of the entity

Access/Release
• Access to data by a party not acting under the direction of the entity
• Includes access to transformations, subsets, aggregates and derivatives such as model results and visualizations

Post-Access
• Availability and operations on data (and subsets, etc.) that has been passed to third parties
• Includes any subsequent downstream access

See: Altman et al., 2015

Page 10: Niso library law


Laws Most Commonly Relevant to Patron Information

Federal
• FERPA. Protects student “records”; covers most information collected from or describing students within institutions receiving federal funding.
• Patriot Act. Expands government surveillance powers.
• COPPA. Applies to online collection of personal information from children under 13.
• Torts. Public disclosure of embarrassing private facts. (General tort, but requires a nexus between specific harm, specific data release, and specific person.)

State Law
• Library Records. Specific state laws affecting library records. Ranges from no protection, to exemption from FOI, to confidentiality. (Almost always focuses only on disclosure of identified information. Often does not specify enforcement.)
• Privacy / Personal Information. Typically imposes controls on core financial information and on use of official identifiers such as SSNs and driver’s licenses, collected in state / from state residents.
• Freedom of Information (FOI). Gives rights to access information collected by state institutions, such as state universities; libraries are sometimes carved out under library record law.

Contract
• PCI. Credit card/payment information controls, imposed by credit card vendors.
• Individual contracts. For infrastructure/service/software/content licenses.

See: R.E. Smith 2013 for an overview

Page 11: Niso library law

Possible Approach to Meeting Legal Requirements


PII Control
• Define PII to include: HIPAA identifiers 4-17, full addresses, full birthdates
• Perform an inventory to identify PII being collected: review processes and systems (including licensed 3rd-party systems) for PII collection
• Reduce PII at collection
• Redact PII before long-term retention where possible
• Redact PII before access/dissemination by 3rd parties

Technical controls
• Use whole-disk/filesystem encryption to protect PII at rest
• Use end-to-end encryption to protect PII in motion
• Use good practice (as defined below) to protect systems
• Scan for sensitive information regularly
• Build/configure to checklist
• Be thorough in disposal of information

Process controls
• Develop a privacy policy that covers: notice, collection, retention, destruction, access, notification
• Develop third-party contract riders and patron privacy notices; publish public privacy notices; publish the privacy policy
• Develop procedures, incorporating good practice, for: system build/configure to checklist; staff training; breach notification; incident response; records request response; auditing and monitoring of internal systems / third parties

For “good practice”: use MA 201 CMR 17 as a baseline for process and technical controls

Page 12: Niso library law


Possible Approach

Caveats
• Although 201 CMR 15 appears to impose the most extensive set of technical requirements among state privacy laws, no published analysis exists that describes the requirements for meeting all state laws collectively.
• Redaction is likely sufficient for state laws, but may not be sufficient in all circumstances for FERPA, for protection against torts, to prevent harm from disclosure, or under all international laws.
• The need for redaction may be avoided in many cases by obtaining prior consent for sharing of information.
• Law in other countries varies and may require different practices; although likely similar, it may require explicit consent for specific uses at collection.

Page 13: Niso library law


References

Altman, M., A. Wood, D. O’Brien, U. Gasser. Forthcoming. Towards a Modern Approach to Privacy-Aware Government Data Releases. Berkeley Journal of Law and Technology.

Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research Publication No. 2014-12.

Smith, R.E. 2013 (supplemented 2015). Compilation of State and Federal Privacy Laws. Privacy Journal.

Page 14: Niso library law

Questions? E-mail: [email protected]

Web: informatics.mit.edu


Page 15: Niso library law


Creative Commons License

This work, Managing Confidential Information in Research, by Micah Altman (http://redistricting.info), is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

Page 16: Niso library law

Appendix: “Good Practice”


System setup
• Use a virus checker
• Use a host-based firewall
• Strong credentials
• Use a locking screen-saver
• Lock default/open accounts
• Regularly scan for sensitive information
• Update your software regularly: OS, apps, virus definitions

Disposal
• Physical: place in a designated, locked shredder bin; use a cross-cut shredder
• Digital: use whole-disk encryption from cradle to grave OR use a certified/verified secure disk eraser

Server Setup
• Passwords should never be shared across accounts or people
• Password guessing restrictions
• Idle session locking (or used on all clients)
• No password retrieval
• Keep access logs

Behavior
• Don’t share accounts or passwords
• Don’t use administrative accounts all the time
• Don’t run programs from untrusted sources
• Don’t give out your password to anyone
• Have a process for revoking user access when no longer needed/authorized
• Documented breach reporting procedure
• Users should have appropriate training

Credential Management
• Store passwords in a manner that can’t be retrieved
• Never transmit passwords unencrypted
• Protect against interactive password guessing
• Choose passwords that cannot be easily guessed
• *Force change of server-assigned passwords
• *Enforce password complexity requirements (checks with dictionaries, dates, common algorithms)
• *Password length minimum 8 characters; 12 if feasible for logins; 16 for passphrases used as part of decryption/encryption
• *Key length minimum: 256 bits (private key); 2048 bits (public key)
• *Use multi-factor authentication where feasible

Based on: 201 CMR 17, with additions marked by *
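The credential-management rules above as an added example, not code from the deck or from 201 CMR 17: a checker for the length minimums (8 general, 12 for logins, 16 for encryption passphrases) and the dictionary/date complexity checks, plus salted PBKDF2 storage so a stored password cannot be retrieved. The word list and the test strings are constructed; the thresholds come from the slide.

```python
"""Apply the appendix's credential rules: length minimums, dictionary and date
checks, and non-retrievable storage.  Added example, not the deck's code;
COMMON_WORDS is a constructed stand-in for a real dictionary file."""
import hashlib
import hmac
import os
import re

# Minimums from the slide: 8 in general, 12 for logins, 16 for passphrases
# used as part of encryption/decryption.
MIN_LENGTH = {"general": 8, "login": 12, "passphrase": 16}
COMMON_WORDS = {"password", "library", "welcome", "patron"}   # constructed
# Four-digit years or numeric d/m/y sequences: the slide's "dates" check.
DATE_LIKE = re.compile(r"(?:19|20)\d{2}|\d{1,2}[/-]\d{1,2}[/-]\d{2,4}")
PBKDF2_ROUNDS = 600_000

def check_password(pw, use="login"):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH[use]:
        problems.append(f"shorter than {MIN_LENGTH[use]} characters")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if DATE_LIKE.search(pw):
        problems.append("contains a date-like sequence")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems

def store_password(pw):
    """Salted, deliberately slow hash: the stored value cannot be turned back
    into the password, which is what 'cannot be retrieved' requires."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(pw, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print(check_password("library2015"))           # constructed weak example
    record = store_password("Tq7#mwz!Lr2pBv")      # constructed strong example
    print(verify_password("Tq7#mwz!Lr2pBv", record))
```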

Page 17: Niso library law


Appendix: State Law Summary

No specific statutory protection: KY, TX, UT, HI

Protected from FOI/gov. public records: CA, CO, IA, MD, ND, OR, VT, VA, WA

Not public: DE, IN (not releasable), MA, MN (private), RI, WY (not open for inspection)

Confidential – except for court order: AK, AZ, DC, FL, LA, ME, MI, MS (except minors), MO, MT, NB, NH (other statutory exceptions), NJ, NM (except minors), NY (specific records), NC, PA, SC, SD (except minors), TN (except for seeking reimbursement), WV (protected, except minors), WU

Confidential: AL, AR, CT, GA, IL, KS, NE, OK (shall not disclose)