NISO Lightning Overview:
Privacy Law & Libraries
Micah Altman
Director of Research
MIT Libraries
Prepared for
NISO Workshop on Patron Privacy
Online
June 2015
DISCLAIMER
These opinions are my own, they are not the
opinions of MIT, Brookings, any of the project
funders, nor (with the exception of co-authored
previously published work) my collaborators
Secondary disclaimer:
“It’s tough to make predictions, especially about
the future!”
-- Attributed to Woody Allen, Yogi Berra, Niels Bohr, Vint Cerf, Winston
Churchill, Confucius, Disreali [sic], Freeman Dyson, Cecil B. Demille, Albert
Einstein, Enrico Fermi, Edgar R. Fiedler, Bob Fourer, Sam Goldwyn, Allan
Lamport, Groucho Marx, Dan Quayle, George Bernard Shaw, Casey Stengel,
Will Rogers, M. Taub, Mark Twain, Kerr L. White, etc.
Collaborators & Co-Conspirators
• Privacy Tools for Sharing Research Data Team (Salil Vadhan, P.I.)
  http://privacytools.seas.harvard.edu/people
• Research Support
  Supported in part by NSF grant CNS-1237235
Related Work
Main Project:
• Privacy Tools for Sharing Research Data
  http://privacytools.seas.harvard.edu/
Related publications:
• Novak, K., Altman, M., Broch, E., Carroll, J. M., Clemins, P. J., Fournier, D., Laevart, C., et al. (2011). Communicating Science and Engineering Data in the Information Age. Computer Science and Telecommunications. National Academies Press.
• Vadhan, S., et al. 2011. “Re: Advance Notice of Proposed Rulemaking: Human Subjects Research Protections.”
• Altman, M., D. O’Brien, S. Vadhan, A. Wood. 2014. “Big Data Study: Request for Information.”
• O'Brien, et al. 2015. “When Is Information Purely Public?” (Mar. 27, 2015). Berkman Center Research Publication No. 2015-7.
• Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research Publication No. 2014-12.
• Altman, M., A. Wood, D. O’Brien, U. Gasser. Forthcoming. Towards a Modern Approach to Privacy-Aware Government Data Releases. Berkeley Journal of Law and Technology.
Slides and reprints available from:
informatics.mit.edu
Legal Constraints are Complicated
[Diagram of legal constraints; labels shown: Contract; Intellectual Property; Access Rights; Confidentiality; Copyright; Fair Use; DMCA; Database Rights; Moral Rights; Intellectual Attribution; Trade Secret; Patent; Trademark; Common Rule 45 CFR 26; HIPAA; FERPA; EU Privacy Directive; Privacy Torts (Invasion, Defamation); Rights of Publicity; Sensitive but Unclassified; Potentially Harmful (Archeological Sites, Endangered Species, Animal Testing, …); Classified; FOIA; CIPSEA; State Privacy Laws; EAR; State FOI Laws; Journal Replication Requirements; Funder Open Access; Contract; License; Click-Wrap; TOU; ITA; Export Restrictions]
Some Overarching Principles for Consideration
• Fair Information Practice:
  • Notice/awareness
  • Choice/consent
  • Access/participation (verification, accuracy, correction)
  • Integrity/security
  • Enforcement/redress
  • Self-regulation, private remedies; government enforcements
• Privacy by design:
  • Proactive not reactive; Preventative not remedial
  • Privacy as the default setting
  • Privacy embedded into design
  • Full Functionality – Positive-Sum, not Zero-Sum
  • End-to-End Security – Full Lifecycle Protection
  • Visibility and Transparency – Keep it Open
  • Respect for User Privacy – Keep it User-Centric
• OECD Principles
  • Collection limitation
  • Data quality
  • Purpose specification
  • Use limitation
  • Security Safeguards
  • Openness
  • Individual participation
  • Accountability
General Categories of Regulatory Action
• Technical requirements
  • Common restrictions: storage, transmission, destruction
  • Example: 201 CMR 15 requires encrypted transmission
• Process requirements
  • Common restrictions: vetting, audit, notification
  • Example: HIPAA breach notification
• Civil and criminal
  • Common: right of civil action, fines
  • Example: Title 13, Criminal penalties
General Triggers for Regulatory Concern
• Data collector / controller characteristics:
  • E.g.: Location of business entity, nexus of business activity, certification of controller, classification of controller
• Data subject characteristics:
  • E.g.: location of residence of individual; age of individual; business relationship with individual
• Data characteristics:
  • E.g.: scope / domain; identifiability; sensitivity
See: Wood et al. 2014
Example Controls Across Lifecycle
• Lifecycle stage
  • collection controls (consent, purpose);
  • transformation controls (encryption, redaction);
  • retention controls (breach notification, firewalls);
  • access controls (data usage agreement, access control)
  • Post-access (auditing)
• Control Type
  • Procedural, Educational, Legal, Technical, Physical
• Specificity
  • Principle > Family > Control > Implementation > Product

Collection
• Ingestion, acquisition, receipt, or acceptance
• Includes context of collection
Transformation
• Processing of the data prior to non-transient storage
• Includes structural transformations such as encryption, and semantic transformations such as data reduction
Retention
• Non-transient storage by entity
• Includes storage by third party acting under direction of entity
Access/Release
• Access to data by a party not acting under the direction of the entity
• Includes access to transformations, subsets, aggregates and derivatives such as model results and visualizations
Post-Access
• Availability and operations on data (and subsets, etc.) that has been passed to third parties
• Includes any subsequent downstream access
See: Altman et al., 2015
Laws Most Commonly Relevant to Patron Information
• Federal
  • FERPA. Protects student “records” – covers most information collected from or describing students within institutions receiving federal funding
  • Patriot Act. Expands government surveillance powers
  • COPPA. Applies to online collection of personal information from children under 13.
  • Torts. Public disclosure of embarrassing private facts. (General tort, but requires nexus between specific harm, specific data release, and specific person.)
• State Law
  • Library Records. Specific state laws affecting library records. Ranges from no protection, to exemption from FOI, to confidentiality. (Almost always focuses only on disclosure of identified information. Often does not specify enforcement.)
  • Privacy / Personal information. Typically imposes controls on core financial information, use of official identifiers such as SSNs, driver's licenses, collected in state / from state residents
  • Freedom of Information (FOI). Gives rights to access information collected by state institutions, such as state universities – libraries sometimes carved out under library record law
• Contract
  • PCI. Credit card/payment information controls, imposed by credit card vendors
  • Individual contracts. For infrastructure/service/software/content licenses
See: R.E. Smith 2013 for an
Possible Approach to Meeting Legal Requirements
• PII Control
  • Define PII to include: HIPAA identifiers 4-17, full addresses, full birthdates
  • Perform an inventory to identify PII being collected: review processes, systems (including licensed 3rd party systems) for PII collection
  • Reduce PII at collection
  • Redact PII before long-term retention where possible
  • Redact PII before access/dissemination by 3rd parties
• Technical controls
  • Use whole-disk/filesystem encryption to protect PII at rest
  • Use end-to-end encryption to protect PII in motion
  • Use good practice as defined by to protect systems
  • Scan for sensitive information regularly
  • Build/configure to checklist
  • Be thorough in disposal of information
• Process controls
  • Develop privacy policy that covers: notice, collection, retention, destruction, access, notification
  • Develop third-party contract riders; patron privacy notices
  • Publish public privacy notices; publish privacy policy
  • Develop procedures, incorporating good practice, for: system build/configure to checklist; staff training; breach notification; incident response; records request response; auditing and monitoring internal system/third party
• For “good practice”
  • Use MA 201 CMR 17 as a baseline for process and technical controls
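One way to apply the "redact PII before long-term retention" and "scan for sensitive information regularly" items to a patron record, as an added example that is not part of the original slides. The field names, the sample record and the regular expressions are assumptions made for illustration; the identifier set is a stand-in, not the HIPAA list itself.

```python
import re

# Hypothetical field names for a circulation record export; adapt to the local system.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ssn", "library_card_no", "ip_address"}
# Fields the slide's PII definition covers only in their "full" form.
GENERALIZED_FIELDS = {"birthdate", "address"}

# Assumed patterns for identifiers that leak into free-text fields.
SCAN_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
}


def scan_text(text):
    """Return the sorted identifier types whose pattern matches the text."""
    return sorted(kind for kind, pat in SCAN_PATTERNS.items() if pat.search(text))


def redact_text(text):
    """Replace every matched identifier in free text with a typed marker."""
    for kind, pat in SCAN_PATTERNS.items():
        text = pat.sub(f"[{kind.upper()} REDACTED]", text)
    return text


def redact_record(record):
    """Build the copy of a record that is allowed into long-term retention."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "birthdate":
            # Full birthdate -> year only (ISO YYYY-MM-DD assumed).
            out["birth_year"] = str(value)[:4] if value else None
        elif key == "address":
            # Full address -> state only.
            out["state"] = value.get("state") if isinstance(value, dict) else None
        elif isinstance(value, str):
            out[key] = redact_text(value)
        else:
            out[key] = value
    return out


def residual_pii(record):
    """Scan a record and report, per field, what PII is still present."""
    findings = {}
    for key, value in record.items():
        hits = []
        if key in DIRECT_IDENTIFIERS or key in GENERALIZED_FIELDS:
            hits.append("identifier_field")
        if isinstance(value, str):
            hits.extend(scan_text(value))
        if hits:
            findings[key] = hits
    return findings


# Constructed sample record; no real patron data.
SAMPLE = {
    "name": "Pat Example",
    "email": "pat@example.org",
    "library_card_no": "21234000000001",
    "birthdate": "1987-04-12",
    "address": {"street": "1 Constructed Way", "city": "Springfield",
                "state": "MA", "zip": "01101"},
    "item_id": "b1234567",
    "checkout_date": "2015-06-01",
    "staff_note": "Patron asked to be called at 617-555-0100 or mailed at pat@example.org",
}

if __name__ == "__main__":
    print("before:", residual_pii(SAMPLE))
    cleaned = redact_record(SAMPLE)
    print("after: ", residual_pii(cleaned))
    print(cleaned)
```

Running `residual_pii` on a schedule over retained stores gives the regular scan; a non-empty result on data that has already passed through `redact_record` indicates a field or pattern the redaction rules do not yet cover.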
Possible Approach
• Caveats
  • Although 201 CMR 15 appears to require the most extensive set of technical requirements among state privacy laws -- no published analysis exists that describes requirements for meeting all state laws collectively
  • Redaction likely sufficient for state laws, may not be sufficient in all circumstances for FERPA, protection against torts, or to prevent harm from disclosure, or for all international laws
  • Need for redaction may be avoided in many cases by obtaining prior consent for sharing of information
• Law in other countries varies
  • may require different practices – although likely similar
  • may require explicit for specific uses at collection
References
• Altman, M., A. Wood, D. O’Brien, U. Gasser. Forthcoming. Towards a Modern Approach to Privacy-Aware Government Data Releases. Berkeley Journal of Law and Technology.
• Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research Publication No. 2014-12.
• Smith, R.E. 2013 (supplemented 2015). Compilation of State and Federal Privacy Laws. Privacy Journal.
Questions?
E-mail: escience@mit.edu
Web: informatics.mit.edu
Creative Commons License
This work. Managing Confidential information in research, by Micah Altman (http://redistricting.info) is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Appendix: “Good Practice”
• System setup
  • Use a virus checker
  • Use a host-based firewall
  • Strong credentials
  • Use a locking screen-saver
  • Lock default/open accounts
  • Regularly scan for sensitive information
  • Update your software regularly: OS, apps, virus definitions
• Disposal:
  • Physical: Place in designated, locked shredder bin; use a cross-cut shredder
  • Digital: Use whole-disk encryption from cradle to grave OR use a certified/verified secure disk eraser
• Server Setup
  • Passwords should never be shared across accounts or people
  • Password guessing restrictions
  • Idle session locking (or used on all clients)
  • No password retrieval
  • Keep access logs
• Behavior
  • Don’t share accounts or passwords
  • Don’t use administrative accounts all the time
  • Don’t run programs from untrusted sources
  • Don’t give out your password to anyone
  • Have a process for revoking user access when no longer needed/authorized
  • Documented breach reporting procedure
  • Users should have appropriate training
• Credential Management
  • Store passwords in a manner that can’t be retrieved
  • Never transmit passwords unencrypted
  • Protect against interactive password guessing
  • Choose passwords that cannot be easily guessed
  • *Force change of server-assigned passwords
  • *Enforce password complexity requirements (checks w/dictionaries, dates, common algorithms)
  • *Password length minimum 8 characters; 12 if feasible for logins; 16 for passphrases used as part of decryption/encryption
  • *Key length min: 256 bits (private key); 2048 bits (public key)
  • *Use multi-factor authentication where feasible
Based on: 201 CMR 17, with additions marked by *
Appendix: State Law Summary
• No specific statutory protection:
  KY, TX, UT, HI
• Protected from FOI/gov. public records:
  CA, CO, IA, MD, ND, OR, VT, VA, WA
• Not public:
  DE, IN (not releasable), MA, MN (private), RI, WY (not open for inspection)
• Confidential – except for court order:
  AK, AZ, DC, FL, LA, ME, MI, MS (except minors), MO, MT, NB, NH (other statutory exceptions), NJ, NM (except minors), NY (specific records), NC, PA, SC, SD (except minors), TN (except for seeking reimbursement), WV (Protected, except minors), WU
• Confidential:
  AL, AR, CT, GA, IL, KS, NE, OK (shall not disclose)

  • 3. Collaborators & Co-Conspirators
      • Privacy Tools for Sharing Research Data Team (Salil Vadhan, P.I.) http://privacytools.seas.harvard.edu/people
      • Research Support: Supported in part by NSF grant CNS-1237235
  • 4. Related Work
      • Main Project: Privacy Tools for Sharing Research Data http://privacytools.seas.harvard.edu/
      • Related publications:
          • Novak, K., Altman, M., Broch, E., Carroll, J. M., Clemins, P. J., Fournier, D., Laevart, C., et al. (2011). Communicating Science and Engineering Data in the Information Age. Computer Science and Telecommunications. National Academies Press
          • Vadhan, S., et al. 2011. “Re: Advance Notice of Proposed Rulemaking: Human Subjects Research Protections.”
          • Altman, M., D. O’Brien, S. Vadhan, A. Wood. 2014. “Big Data Study: Request for Information.”
          • O'Brien, et al. 2015. “When Is Information Purely Public?” (Mar. 27, 2015) Berkman Center Research Publication No. 2015-7.
          • Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research Publication No. 2014-12
          • Altman, M., A. Wood, D O’Brien, U. Gasser, Forthcoming, Towards a Modern Approach to Privacy-Aware Government Data Releases, Berkeley Journal of law and Technology
      • Slides and reprints available from: informatics.mit.edu
  • 5. Legal Constraints are Complicated
      Contract Intellectual Property Access Rights Confidentiality Copyright Fair Use DMCA Database Rights Moral Rights Intellectual Attribution Trade Secret Patent Trademark Common Rule 45 CFR 26 HIPAA FERPA EU Privacy Directive Privacy Torts (Invasion, Defamation) Rights of Publicity Sensitive but Unclassified Potentially Harmful (Archeological Sites, Endangered Species, Animal Testing, …) Classified FOIA CIPSEA State Privacy Laws EAR State FOI Laws Journal Replication Requirements Funder Open Access Contract License Click-Wrap TOU ITA Export Restrictions
  • 6. Some Overarching Principles for Consideration
      • Fair Information Practice:
          • Notice/awareness
          • Choice/consent
          • Access/participation (verification, accuracy, correction)
          • Integrity/security
          • Enforcement/redress
              • Self-regulation, private remedies; government enforcements
      • Privacy by design:
          • Proactive not reactive; Preventative not remedial
          • Privacy as the default setting
          • Privacy embedded into design
          • Full Functionality – Positive-Sum, not Zero-Sum
          • End-to-End Security – Full Lifecycle Protection
          • Visibility and Transparency – Keep it Open
          • Respect for User Privacy – Keep it User-Centric
      • OECD Principles
          • Collection limitation
          • Data quality
          • Purpose specification
          • Use limitation
          • Security Safeguards
          • Openness
          • Individual participation
          • Accountability
  • 7. General Categories of Regulatory Action
      • Technical requirements
          • Common restrictions: storage, transmission, destruction
          • Example: 201 CMR 15 requires encrypted transmission
      • Process requirements
          • Common restrictions: vetting, audit, notification
          • Example: HIPAA breach notification
      • Civil and criminal
          • Common: right of civil action, fines
          • Example: Title 13, Criminal penalties
  • 8. General Triggers for Regulatory Concern
      • Data collector / controller characteristics:
          • E.g.: Location of business entity, nexus of business activity, certification of controller, classification of controller
      • Data subject characteristics:
          • E.g.: location of residence of individual; age of individual; business relationship with individual
      • Data characteristics:
          • E.g.: scope / domain; identifiability; sensitivity
      See: Wood et al. 2014
  • 9. Example Controls Across Lifecycle
      • Lifecycle stage
          • Collection controls (consent, purpose)
          • Transformation controls (encryption, redaction)
          • Retention controls (breach notification, firewalls)
          • Access controls (data usage agreement, access control)
          • Post-access (auditing)
      • Control Type
          • Procedural, Educational, Legal, Technical, Physical
      • Specificity
          • Principle > Family > Control > Implementation > Product
      • Collection
          • Ingestion, acquisition, receipt, or acceptance
          • Includes context of collection
      • Transformation
          • Processing of the data prior to non-transient storage
          • Includes structural transformations such as encryption, and semantic transformations such as data reduction
      • Retention
          • Non-transient storage by entity
          • Includes storage by third party acting under direction of entity
      • Access/Release
          • Access to data by a party not acting under the direction of the entity
          • Includes access to transformation, subsets, aggregates and derivatives such as model results and visualizations
      • Post-Access
          • Availability and operations on data (and subsets, etc.) that has been passed to third parties
          • Includes any subsequent downstream access
      See: Altman et al., 2015
  • 10. Laws Most Commonly Relevant to Patron Information
      • Federal
          • FERPA. Protects student “records”: covers most information collected from or describing students within institutions receiving federal funding
          • Patriot Act. Expands government surveillance powers
          • COPPA. Applies to online collection of personal information from children under 13.
          • Torts. Public disclosure of embarrassing private facts. (General tort, but requires nexus between specific harm, specific data release, and specific person.)
      • State Law
          • Library Records. Specific state laws affecting library records. Ranges from no protection, to exemption from FOI, to confidentiality. (Almost always focuses only on disclosure of identified information. Often does not specify enforcement.)
          • Privacy / Personal information. Typically imposes controls on core financial information and on use of official identifiers, such as SSNs and driver's licenses, collected in state / from state residents
          • Freedom of Information (FOI). Gives rights to access information collected by state institutions, such as state universities; libraries are sometimes carved out under library record law
      • Contract
          • PCI. Credit card/payment information controls, imposed by credit card vendors
          • Individual contracts. For infrastructure/service/software/content licenses
      See: R.E. Smith 2013 for an
  • 11. Possible Approach to Meeting Legal Requirements
      • PII Control
          • Define PII to include: HIPAA identifiers 4-17, full addresses, full birthdates
          • Perform an inventory to identify PII being collected: review processes, systems (including licensed 3rd party systems) for PII collection
          • Reduce PII at collection
          • Redact PII before long-term retention where possible
          • Redact PII before access/dissemination by 3rd parties
      • Technical controls
          • Use whole-disk/filesystem encryption to protect PII at rest
          • Use end-to-end encryption to protect PII in motion
          • Use good practice as defined by to protect systems
          • Scan for sensitive information regularly
          • Build/configure to checklist
          • Be thorough in disposal of information
      • Process controls
          • Develop privacy policy that covers: notice, collection, retention, destruction, access, notification
          • Develop third-party contract riders; patron privacy notices
          • Publish public privacy notices; publish privacy policy
          • Develop procedures, incorporating good practice, for: system build/configure to checklist; staff training; breach notification; incident response; records request response; auditing and monitoring internal system/third party
      • For “good practice”
          • Use MA 201 CMR 17 as a baseline for process and technical controls
  • 12. Possible Approach
      • Caveats
          • Although 201 CMR 15 appears to require the most extensive set of technical requirements among state privacy laws, no published analysis exists that describes requirements for meeting all state laws collectively
          • Redaction is likely sufficient for state laws, but may not be sufficient in all circumstances for FERPA, protection against torts, prevention of harm from disclosure, or all international laws
          • Need for redaction may be avoided in many cases by obtaining prior consent for sharing of information
          • Law in other countries varies
              • may require different practices, although likely similar
              • may require explicit for specific uses at collection
  • 13. References
      • Altman, M., A. Wood, D O’Brien, U. Gasser, Forthcoming, Towards a Modern Approach to Privacy-Aware Government Data Releases, Berkeley Journal of law and Technology
      • Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research Publication No. 2014-12
      • Smith, R.E. 2013 (supplemented 2015), Compilation of State and Federal Privacy Laws, Privacy Journal.
  • 15. Creative Commons License
      This work, Managing Confidential information in research, by Micah Altman (http://redistricting.info) is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
  • 16. Appendix: “Good Practice”
      • System setup
          • Use a virus checker
          • Use a host-based firewall
          • Strong credentials
          • Use a locking screen-saver
          • Lock default/open accounts
          • Regularly scan for sensitive information
          • Update your software regularly: OS, apps, virus definitions
      • Disposal:
          • Physical: Place in designated, locked, shredder bin; use a cross-cut shredder
          • Digital: Use whole disk encryption from cradle-to-grave OR use a certified/verified secure disk eraser
      • Server Setup
          • Passwords should never be shared across accounts or people
          • Password guessing restrictions
          • Idle session locking (or used on all clients)
          • No password retrieval
          • Keep access logs
      • Behavior
          • Don’t share accounts or passwords
          • Don’t use administrative accounts all the time
          • Don’t run programs from untrusted sources
          • Don’t give out your password to anyone
          • Have a process for revoking user access when no longer needed/authorized
          • Documented breach reporting procedure
          • Users should have appropriate training
      • Credential Management
          • Store passwords in a manner that can’t be retrieved
          • Never transmit passwords unencrypted
          • Protect against interactive password guessing
          • Choose passwords that cannot be easily guessed
          • *Force change of server-assigned passwords
          • *Enforce password complexity requirements (checks w/dictionaries, dates, common algorithms)
          • *Password length minimum 8 characters; 12 if feasible for logins; 16 for passphrases used as part of decryption/encryption
          • *Key length min: 256 bits (private key); 2048 bits (public key)
          • *Use multi-factor authentication where feasible
      Based on: 201 CMR 17, with additions marked by *
  • 17. Appendix: State Law Summary
      • No specific statutory protection: KY, TX, UT, HI
      • Protected from FOI/gov. public records: CA, CO, IA, MD, ND, OR, VT, VA, WA
      • Not public: DE, IN (not releasable), MA, MN (private), RI, WY (not open for inspection)
      • Confidential – except for court order: AK, AZ, DC, FL, LA, ME, MI, MS (except minors), MO, MT, NB, NH (other statutory exceptions), NJ, NM (except minors), NY (specific records), NC, PA, SC, SD (except minors), TN (except for seeking reimbursement), WV (Protected, except minors), WU
      • Confidential: AL, AR, CT, GA, IL, KS, NE, OK (shall not disclose)
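
The "PII Control" steps on slide 11 (inventory the PII being collected, then redact it before long-term retention) can be sketched as follows. This is an added example, not code from the slides or the Privacy Tools project; the record field names, the regexes and the sample record are assumptions, and only a few identifier kinds (e-mail, SSN, phone, IP address, full birthdate) are covered.

```python
import re

# Simplified, assumed regexes for a few of the identifiers the slide lists as PII.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\(\d{3}\) ?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Hypothetical field names for a circulation record; these are never retained.
DROP_FIELDS = {"name", "email", "street_address", "patron_barcode"}

def inventory(record):
    """Inventory step: return the sorted kinds of PII present in one record."""
    found = {f.upper() for f in DROP_FIELDS if record.get(f)}
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", str(record.get("birthdate", ""))):
        found.add("FULL_BIRTHDATE")
    for value in record.values():
        for kind, rx in PATTERNS.items():
            if isinstance(value, str) and rx.search(value):
                found.add(kind)
    return sorted(found)

def redact(record):
    """Redaction step: drop identifying fields, keep only the birth year,
    and mask identifiers that appear in any remaining text value."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "birthdate":
            out["birth_year"] = str(value)[:4]
            continue
        if isinstance(value, str):
            for kind, rx in PATTERNS.items():
                value = rx.sub(f"[{kind}]", value)
        out[field] = value
    return out

# Constructed sample record (not real patron data).
SAMPLE = {
    "patron_barcode": "21234000012345", "name": "Pat Example",
    "email": "pat@example.org", "street_address": "1 Main St, Springfield",
    "birthdate": "1990-04-17", "item": "QA76.9.A25",
    "checkout_ts": "2015-06-01T10:15:00", "client_ip": "192.0.2.44",
    "note": "Call (555) 555-0123 or mail pat@example.org; SSN 000-00-0000 on file",
}
```

Running `inventory` again on the output of `redact` is a cheap regression check that nothing matching the patterns survives. As slide 12 cautions, redaction of this kind may not be sufficient in all circumstances for FERPA or tort exposure.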