1. NISO Lightning Overview: Privacy Law & Libraries
   Micah Altman, Director of Research, MIT Libraries
   Prepared for NISO Workshop on Patron Privacy Online, June 2015

2. DISCLAIMER
   These opinions are my own; they are not the opinions of MIT, Brookings, any of the project funders, nor (with the exception of co-authored previously published work) my collaborators.
   Secondary disclaimer: "It's tough to make predictions, especially about the future!" -- Attributed to Woody Allen, Yogi Berra, Niels Bohr, Vint Cerf, Winston Churchill, Confucius, Disreali [sic], Freeman Dyson, Cecil B. Demille, Albert Einstein, Enrico Fermi, Edgar R. Fiedler, Bob Fourer, Sam Goldwyn, Allan Lamport, Groucho Marx, Dan Quayle, George Bernard Shaw, Casey Stengel, Will Rogers, M. Taub, Mark Twain, Kerr L. White, etc.

3. Collaborators & Co-Conspirators
   - Privacy Tools for Sharing Research Data Team (Salil Vadhan, P.I.), http://privacytools.seas.harvard.edu/people
   - Research support: Supported in part by NSF grant CNS-1237235

4. Related Work
   Main project:
   - Privacy Tools for Sharing Research Data, http://privacytools.seas.harvard.edu/
   Related publications:
   - Novak, K., Altman, M., Broch, E., Carroll, J. M., Clemins, P. J., Fournier, D., Laevart, C., et al. (2011). Communicating Science and Engineering Data in the Information Age. Computer Science and Telecommunications. National Academies Press.
   - Vadhan, S., et al. 2011. "Re: Advance Notice of Proposed Rulemaking: Human Subjects Research Protections."
   - Altman, M., D. O'Brien, S. Vadhan, A. Wood. 2014. "Big Data Study: Request for Information."
   - O'Brien, et al. 2015. "When Is Information Purely Public?" (Mar. 27, 2015). Berkman Center Research Publication No. 2015-7.
   - Wood, et al. 2014. "Long-Term Longitudinal Studies" (July 22, 2014). Berkman Center Research Publication No. 2014-12.
   - Altman, M., A. Wood, D. O'Brien, U. Gasser. Forthcoming. Towards a Modern Approach to Privacy-Aware Government Data Releases. Berkeley Journal of Law and Technology.
   Slides and reprints available from: informatics.mit.edu

5. Legal Constraints are Complicated
   (Word cloud of overlapping legal regimes, reconstructed as a list.)
   - Contract: Contract, License, Click-Wrap TOU, Journal Replication Requirements, Funder Open Access
   - Intellectual property: Copyright, Fair Use, DMCA, Database Rights, Moral Rights, Intellectual Attribution, Trade Secret, Patent, Trademark
   - Access rights: FOIA, State FOI Laws
   - Confidentiality: Common Rule 45 CFR 26, HIPAA, FERPA, EU Privacy Directive, Privacy Torts (Invasion, Defamation), Rights of Publicity, State Privacy Laws, CIPSEA
   - Restricted information: Sensitive but Unclassified, Classified, Potentially Harmful (Archeological Sites, Endangered Species, Animal Testing, ...), EAR, ITAR Export Restrictions

6. Some Overarching Principles for Consideration
   - Fair Information Practice:
     - Notice/awareness
     - Choice/consent
     - Access/participation (verification, accuracy, correction)
     - Integrity/security
     - Enforcement/redress: self-regulation, private remedies, government enforcement
   - Privacy by design:
     - Proactive not reactive; preventative not remedial
     - Privacy as the default setting
     - Privacy embedded into design
     - Full functionality: positive-sum, not zero-sum
     - End-to-end security: full lifecycle protection
     - Visibility and transparency: keep it open
     - Respect for user privacy: keep it user-centric
   - OECD Principles:
     - Collection limitation
     - Data quality
     - Purpose specification
     - Use limitation
     - Security safeguards
     - Openness
     - Individual participation
     - Accountability
7. General Categories of Regulatory Action
   - Technical requirements
     - Common restrictions: storage, transmission, destruction
     - Example: 201 CMR 15 requires encrypted transmission
   - Process requirements
     - Common restrictions: vetting, audit, notification
     - Example: HIPAA breach notification
   - Civil and criminal
     - Common: right of civil action, fines
     - Example: Title 13, criminal penalties

8. General Triggers for Regulatory Concern
   - Data collector / controller characteristics:
     - E.g.: location of business entity, nexus of business activity, certification of controller, classification of controller
   - Data subject characteristics:
     - E.g.: location of residence of individual; age of individual; business relationship with individual
   - Data characteristics:
     - E.g.: scope / domain; identifiability; sensitivity
   See: Wood et al. 2014

9. Example Controls Across Lifecycle
   - Lifecycle stage
     - Collection controls (consent, purpose)
     - Transformation controls (encryption, redaction)
     - Retention controls (breach notification, firewalls)
     - Access controls (data usage agreement, access control)
     - Post-access (auditing)
   - Control type: procedural, educational, legal, technical, physical
   - Specificity: Principle > Family > Control > Implementation > Product
   Lifecycle stage definitions:
   - Collection: ingestion, acquisition, receipt, or acceptance; includes context of collection
   - Transformation: processing of the data prior to non-transient storage; includes structural transformations such as encryption, and semantic transformations such as data reduction
   - Retention: non-transient storage by entity; includes storage by a third party acting under direction of the entity
   - Access/Release: access to data by a party not acting under the direction of the entity; includes access to transformations, subsets, aggregates and derivatives such as model results and visualizations
   - Post-Access: availability and operations on data (and subsets, etc.) that has been passed to third parties; includes any subsequent downstream access
   See: Altman et al., 2015

10. Laws Most Commonly Relevant to Patron Information
   - Federal
     - FERPA. Protects student "records"; covers most information collected from or describing students within institutions receiving federal funding.
     - Patriot Act. Expands government surveillance powers.
     - COPPA. Applies to online collection of personal information from children under 13.
     - Torts. Public disclosure of embarrassing private facts. (General tort, but requires a nexus between specific harm, specific data release, and specific person.)
   - State law
     - Library records. Specific state laws affecting library records. Ranges from no protection, to exemption from FOI, to confidentiality. (Almost always focuses only on disclosure of identified information. Often does not specify enforcement.)
     - Privacy / personal information. Typically imposes controls on core financial information and use of official identifiers such as SSNs and driver's licenses, collected in state / from state residents.
     - Freedom of Information (FOI). Gives rights to access information collected by state institutions, such as state universities; libraries are sometimes carved out under library record law.
   - Contract
     - PCI. Credit card/payment information controls, imposed by credit card vendors.
     - Individual contracts. For infrastructure/service/software/content licenses.
   See: R.E. Smith 2013 for an
11. Possible Approach to Meeting Legal Requirements
   - PII control
     - Define PII to include: HIPAA identifiers 4-17, full addresses, full birthdates
     - Perform an inventory to identify PII being collected: review processes and systems (including licensed third-party systems) for PII collection
     - Reduce PII at collection
     - Redact PII before long-term retention where possible
     - Redact PII before access/dissemination by third parties
   - Technical controls
     - Use whole-disk/filesystem encryption to protect PII at rest
     - Use end-to-end encryption to protect PII in motion
     - Use good practice as defined by to protect systems
     - Scan for sensitive information regularly
     - Build/configure to checklist
     - Be thorough in disposal of information
   - Process controls
     - Develop a privacy policy that covers: notice, collection, retention, destruction, access, notification
     - Develop third-party contract riders and patron privacy notices
     - Publish public privacy notices; publish the privacy policy
     - Develop procedures, incorporating good practice, for: system build/configure to checklist; staff training; breach notification; incident response; records request response; auditing and monitoring of internal systems and third parties
   - For "good practice"
     - Use MA 201 CMR 17 as a baseline for process and technical controls
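The "inventory" and "redact before retention" steps above, as an added Python example that is not from the slides: it scans constructed patron-system log records for a subset of the PII classes the slide names (SSN, e-mail, phone, IP address, full birthdate), counts findings for the inventory, and generalises a full birthdate to year only. The record format, the field names and the sample values are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample patron-system log records (not from the slides); the
# field names and format are assumptions made for this example.
RECORDS = [
    "2015-06-01 checkout patron=jdoe email=jane.doe@example.edu ssn=123-45-6789 dob=1990-04-17 item=QA76.9",
    "2015-06-01 login patron=asmith ip=192.0.2.44 phone=(617) 555-0142",
    "2015-06-02 hold patron=bchen item=Z678.9",
]

# A subset of the PII classes the slide lists (HIPAA identifiers 4-17 plus
# full addresses and full birthdates); each pattern is replaced by a token.
PII_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    ("phone", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    ("ip",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]
# A full birthdate is generalised to year only (dob=YYYY-MM-DD -> dob=YYYY)
# rather than deleted, so birth-year aggregates still work after redaction.
DOB_RE = re.compile(r"\bdob=(\d{4})-\d{2}-\d{2}\b")


def redact(record):
    """Return (redacted_record, Counter of PII classes found in it)."""
    found = Counter()
    for name, pattern, token in PII_PATTERNS:
        record, n = pattern.subn(token, record)
        if n:
            found[name] += n
    record, n = DOB_RE.subn(r"dob=\1", record)
    if n:
        found["dob"] += n
    return record, found


def inventory(records):
    """PII inventory step: how many values of each class the records carry."""
    total = Counter()
    for rec in records:
        total.update(redact(rec)[1])
    return dict(total)


if __name__ == "__main__":
    print(inventory(RECORDS))
    for rec in RECORDS:
        print(redact(rec)[0])
```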
12. Possible Approach
   - Caveats
     - Although 201 CMR 15 appears to require the most extensive set of technical requirements among state privacy laws, no published analysis exists that describes the requirements for meeting all state laws collectively
     - Redaction is likely sufficient for state laws; it may not be sufficient in all circumstances for FERPA, for protection against torts, for preventing harm from disclosure, or for all international laws
     - The need for redaction may be avoided in many cases by obtaining consent for sharing of information in advance
     - Law in other countries varies
       - may require different practices, although likely similar
       - may require explicit consent for specific uses at collection

13. References
   - Altman, M., A. Wood, D. O'Brien, U. Gasser. Forthcoming. Towards a Modern Approach to Privacy-Aware Government Data Releases. Berkeley Journal of Law and Technology.
   - Wood, et al. 2014. "Long-Term Longitudinal Studies" (July 22, 2014). Berkman Center Research Publication No. 2014-12.
   - Smith, R.E. 2013 (supplemented 2015). Compilation of State and Federal Privacy Laws. Privacy Journal.

14. Questions?
   E-mail: escience@mit.edu
   Web: informatics.mit.edu

15. Creative Commons License
   This work, Managing Confidential Information in Research, by Micah Altman (http://redistricting.info) is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
16. Appendix: "Good Practice"
   - System setup
     - Use a virus checker
     - Use a host-based firewall
     - Strong credentials
     - Use a locking screen-saver
     - Lock default/open accounts
     - Regularly scan for sensitive information
     - Update your software regularly: OS, apps, virus definitions
   - Disposal
     - Physical: place in a designated, locked shredder bin; use a cross-cut shredder
     - Digital: use whole-disk encryption from cradle to grave, OR use a certified/verified secure disk eraser
   - Server setup
     - Passwords should never be shared across accounts or people
     - Password guessing restrictions
     - Idle session locking (or used on all clients)
     - No password retrieval
     - Keep access logs
   - Behavior
     - Don't share accounts or passwords
     - Don't use administrative accounts all the time
     - Don't run programs from untrusted sources
     - Don't give out your password to anyone
     - Have a process for revoking user access when no longer needed/authorized
     - Documented breach reporting procedure
     - Users should have appropriate training
   - Credential management
     - Store passwords in a manner that can't be retrieved
     - Never transmit passwords unencrypted
     - Protect against interactive password guessing
     - Choose passwords that cannot be easily guessed
     - *Force change of server-assigned passwords
     - *Enforce password complexity requirements (checks against dictionaries, dates, common algorithms)
     - *Password length minimum 8 characters; 12 if feasible for logins; 16 for passphrases used as part of decryption/encryption
     - *Key length minimum: 256 bits (private key); 2048 bits (public key)
     - *Use multi-factor authentication where feasible
   Based on: 201 CMR 17, with additions marked by *
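The credential-management items above (the 8/12/16-character thresholds, the dictionary/date/"common algorithm" checks, and storage from which passwords cannot be retrieved), as an added Python example that is not part of the slides or of 201 CMR 17. The tiny word list, the reading of "common algorithms" as keyboard walks and numeric runs, and the choice of salted PBKDF2-HMAC-SHA256 for storage are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re

# Constructed mini word list standing in for the dictionary the slide's
# "checks w/dictionaries" would use; a deployment loads a real list.
DICTIONARY = {"password", "library", "welcome", "summer", "letmein"}
# The slide's thresholds: 8 minimum; 12 for logins; 16 for encryption passphrases.
MIN_LENGTH = {"basic": 8, "login": 12, "passphrase": 16}
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}/\d{1,2}/\d{2,4}")
# "Common algorithms" interpreted here as keyboard walks and numeric runs.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")


def check_password(pw, use="login"):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH[use]:
        problems.append("shorter than %d characters for %s use" % (MIN_LENGTH[use], use))
    low = pw.lower()
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if DATE_RE.search(pw):
        problems.append("contains a date or year")
    if any(seq[i:i + 4] in low for seq in SEQUENCES for i in range(len(seq) - 3)):
        problems.append("contains a keyboard or numeric sequence")
    if len(set(low)) < 4:
        problems.append("too few distinct characters")
    return problems


def hash_password(pw, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256: only salt, rounds and digest are stored, so the
    password itself cannot be retrieved from the store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_password(pw, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)
```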
17. Appendix: State Law Summary
   - No specific statutory protection: KY, TX, UT, HI
   - Protected from FOI/government public records: CA, CO, IA, MD, ND, OR, VT, VA, WA
   - Not public: DE, IN (not releasable), MA, MN (private), RI, WY (not open for inspection)
   - Confidential, except for court order: AK, AZ, DC, FL, LA, ME, MI, MS (except minors), MO, MT, NB, NH (other statutory exceptions), NJ, NM (except minors), NY (specific records), NC, PA, SC, SD (except minors), TN (except for seeking reimbursement), WV (protected, except minors), WU
   - Confidential: AL, AR, CT, GA, IL, KS, NE, OK (shall not disclose)