Data PrivaCy exam 2
Directory information disclosures - FERPA
"Directory information" can be disclosed without consent. •Students may "opt out" and file a request to prevent disclosure of directory information •If a student opts out, the university will not release any information on a student.
"consumer reports"
"any communication by the agency regarding a consumer's creditworthiness, reputation, and character for purpose of determining eligibility for credit, insurance, or employment."
"consumer reporting agencies"
"any entity that regularly assembles or evaluates consumer credit information for purpose of preparing reports to third parties."
FERPA Family Educational Rights and Privacy Act 1974 - Education privacy
- protects the confidentiality of student educational records.
Most negative infomormation stays on credit report for
7 years bankruptcy for 10 years
How many states have law requiring companies dispose of data after it is not needed
33 states
California Privacy act 2020 covers
Applies to businesses that collect, use, share or otherwise process "personal information" about California residents must also have > $25 million in assets or collect information from > 50,000 customers
First state to pass data breach notification law
California - now all 50 states have it
two states to pass data broker registration laws
California and Vermont
2 types of consumer reports
Credit report and Investigative consumer report
General Data Protection Regulation (GDPR)
Detailed set of requirements aimed at protecting personal data of consumers in 27 countries that are part of the European Union -Became effective in 2018 -Applies to any entity that processes personal data of a consumer located within the EU -"personal data" includes identifiers and other categories of sensitive data -"processing" includes collecting, handling, transmitting, or storing
Fair Credit Reporting Act 1970 (FCRA)
Enacted to promote the accuracy, fairness and privacy of information in credit reporting agency files
•Most employers have adopted policies that warn employees that their privacy rights are limited
Helps defeat employee claims
Types of Employer surveillance
Telephone calls email/internet usage Video surveillance GPS tracking
most common form of identity theft
Theft of financial information
Rights under FERPA
a. to review student's education records b. to correct inaccurate or misleading information c. to control certain disclosures of records d. to file a complaint with Department of Education for alleged violations of FERPA
FERPA covers
any public or private elementary, secondary, or post-secondary school and any state or local education agency that receives federal funds. all public and most private schools
Independent Supervisory Authorities in each member state of GDPR
monitor compliance, conduct investigations and impose fines
Why not store data for long time
risky - can require resources
key consideration of invasion of privacy in the workplace
whether the employee had a reasonable expectation of privacy under the circumstances
FCRA applies only to
•"consumer reporting agencies" that provide "consumer reports"
information brokers
•Businesses that aggregate information from a variety of sources
Obligations of controllers and processors of GDPR
•Conduct data impact assessments and appoint Data Protection Impact officers for sensitive data •Implement technical and organizational methods to ensure security of data •Data breach notification without unreasonable delay and no later than 72 hours after discovery of breach
Basic rights of GDPR
•Consent must be freely given, specific, informed and unambiguous •"Right to be Forgotten"
Investigative Consumer Report
•Contains information about a person's character, general reputation, personal characteristics obtained through personal interviews
How data breach laws can vary
•Definition of personal information •Trigger for Notice: access or reasonable likelihood of harm •Safe harbor if data encrypted Most states do not provide a private cause of action
video surveillance
•Employer can conduct video surveillance of all public work spaces to monitor for productivity, theft or safety •May conduct surveillance of other spaces by notifying employees and obtaining implied consent •Usually does not include bathrooms or locker rooms •Video recordings that also include audio may violate state law in those states that require all parties to consent to audio recording
TELephone calls
•Employer can monitor phone conversations of employees in the ordinary course of business but must stop monitoring as soon as it's evident that call is purely personal (but employee may have consented to broad monitoring) •Wiretap Act requires single-party consent, but 11 states require that both parties consent to recording (employer usually obtains implied consent by announcing call is being monitored)
GPS Tracking
•Employer can use GPS tracking of company-owned vehicles since there is no expectation of privacy •Installing GPS device on personal vehicle may be trespass •Tracking company-owned cell phone may be permissible during work hours •Employer should have clear policies spelling out the parameters of the tracking
emails/internet usage
•Employer generally free to monitor use of company property and email systems •If employer conducts broad monitoring of personal use of work device, should have clear policies outlining the type of monitoring that will occur •Employee has low expectation of privacy when using company device or email system
Two main laws covering financial services
•Fair Credit Reporting Act applies to any consumer reporting agency that furnishes a consumer report •Gramm-Leach Bliley Act applies to all financial institutions
GLBA Privacy rule
•Financial institution must describe how nonpublic personal information is shared with affiliates (no right to opt out) •Financial institution can share nonpublic personal information with nonaffiliates but must provide opt out notice •Must have confidentiality contract with nonaffiliate •Does not limit disclosure to credit reporting agencies
FTC Red Flags Rule
•Financial institutions and creditors must have an Identity Theft Protection Program •Identify red flags •Detect red flags •Prevent fraud •Continually update program
GLBA safeguard/security rule
•Financial institutions must establish physical, administrative and technical information safeguards •Must develop comprehensive written security program and designate employee(s) to coordinate information security program
•These standards are supplemented by industry specific guidelines of
•HIPAA, FERPA, FCRA
•Different Standards Organizations have established security frameworks:
•ISO International Standards Organization •NIST National Institute of Standards and Technology •COBIT Control Objectives for Information or Related Technology
Credit Report includes
•Identifying information •Credit information •Public records •Credit inquiries
Permissible Uses of Consumer Reports -
•In response to court order •To the consumer •To another party who intends to use it in connection with: •extending credit to consumer •employment •insurance •licensing or obtaining a government benefit •other legitimate business needs involving the consumer • Special rules if report used in connection with employment screening
Notice and disclosures of FERPA
•Institutions must provide parents and eligible students notice of FERPA rights every year •Generally, schools must have written permission from the student) to release any information from a student's education record. •FERPA regulations lists the certain conditions under which student records can be disclosed without consent.
Exceptions to ECPA
•Interceptions or access to electronic communications are permitted if prior consent is granted •Employer must obtain express or implied consent to avoid ECPA violations •Employer typically has employee acknowledge receipt of policy describing employer monitoring and surveillance policies
invasion of Privacy Torts - invasion of privacy at work
•Intrusion upon seclusion •Public disclosure of private facts •Appropriation of a name or likeness
click-wrap agreement
•May be problematic if Terms of Service do not protect student privacy
Education Technology/EDtech - Wiley or cengage
•PII from student record can be shared with 3rd party provider, either with student's consent or pursuant to one of the exceptions that do not require consent •Most common is school official exception •De-identified data is not protected
Bramm leach Bailey act
•Protects consumer financial privacy by limiting when a "financial institution" may disclose "nonpublic personal information" to nonaffiliated third parties.
•Under the school official exception, schools may disclose PII from students' education records to a provider as long as:
•Provider receiving the PII is a "school official" with a "legitimate educational interest" as set forth in the school's annual FERPA notification, and •The service provider is under the "direct control" of the school using the PII for unauthorized purposes
FERPA in allowed to disclose without consent to -
•School officials with legitimate educational interest •Other schools to which a student is transferring •Appropriate parties in connection with financial aid to a student •Organizations conducting certain studies on behalf of the school •Accrediting organizations •To comply with a judicial order or lawfully issued subpoena •Appropriate officials in cases of health and safety emergencies
Enforcement of FERPA
•Secretary of Education investigates any complaints filed by student or parent •FERPA violations may result in termination of federal funding for the school
EU-US Privacy Shield
•Seeks to impose strong obligations on US companies to protect the personal data of EU residents. •Framework allowed companies to agree to increased data protection in order to allow transfers of EU user data to US.
problems with data brokers
•Some do not view predictive or inferred data as personal information •Data collected by data brokers largely exists in a regulatory vacuum
FERPA does not require a written agreement with the designated "school official" but
•Terms of Service agreement typically covers the "direct control" element
Federal Law - Electronic Communications Privacy Act (ECPA)
•The ECPA has been used to challenge employer intrusions into the privacy of electronic communications. •Under the ECPA, employers and others are prohibited from intentionally intercepting wire, oral, or electronic communications (Wiretap Act) or from accessing stored electronic communications (Stored Communications Act)
•Privacy Shield framework recently questioned by EU court bc
•US companies can still utilize standard contractual provisions to strengthen data protection and allow transfer of data outside EU.
Other state laws similar to California
•Virginia Consumer Data Protection •Colorado Privacy Act •Utah Consumer Privacy Act
Consumer rights of FCRA
•be notified if a company takes any adverse action based on information in a consumer report •know what is in their file •obtain copy of credit report annually for free and ask for a credit score (for a fee) •dispute incomplete or inaccurate information and have inaccurate information corrected or deleted by a CRA (CRAs must conduct reasonable investigation) •limit pre-screened offers of credit and insurance •obtain a free credit freeze •one-call fraud alert
Privacy
•concerns personal data and an individual's right to determine whether, when, how and to whom an entity will collect, use and/or disclose his or her personal data.
SECURITy
•concerns the safeguards and controls used by an organization to protect the confidentiality, availability and integrity of data as stored, transmitted and used.
Consumer Financial Protection Bureau (CFPB)
•created under Dodd Frank Act •CFPB shares enforcement authority with FTC in area of financial data privacy
FERPA applies to
•educational records" •records containing information that directly relates to a student maintained by an educational institution or by a party acting for the institution. •Personally identifiable information (PII) contained in educational records is protected
Best practices for evaluating click wrap agreements
•limit types of data collected •specify ownership of data •assign responsibilities in the event of a breach •limit data usage to specified purposes •specify time period for data retention and destruction •prohibit unilateral amendments to Terms of Service
can only transfer data between countries if
•those countries deemed to provide adequate safeguards for data •Can also utilize standard contractual clauses to govern data transfers