Niso library law

NISO Lightning Overview:
Privacy Law & Libraries
Micah Altman
Director of Research
MIT Libraries
Prepared for
NISO Workshop on Patron Privacy
Online
June 2015

DISCLAIMER
These opinions are my own, they are not the
opinions of MIT, Brookings, any of the project
funders, nor (with the exception of co-authored
previously published work) my collaborators
Secondary disclaimer:
“It’s tough to make predictions, especially about
the future!”
-- Attributed to Woody Allen, Yogi Berra, Niels Bohr, Vint Cerf, Winston
Churchill, Confucius, Disreali [sic], Freeman Dyson, Cecil B. Demille, Albert
Einstein, Enrico Fermi, Edgar R. Fiedler, Bob Fourer, Sam Goldwyn, Allan
Lamport, Groucho Marx, Dan Quayle, George Bernard Shaw, Casey Stengel,
Will Rogers, M. Taub, Mark Twain, Kerr L. White, etc.

Collaborators & Co-Conspirators
 Privacy Tools for Sharing Research Data Team
(Salil Vadhan, P.I.)
http://privacytools.seas.harvard.edu/people
 Research Support
Supported in part by NSF grant CNS-1237235

Related Work
Main Project:
 Privacy Tools for Sharing Research Data
http://privacytools.seas.harvard.edu/
Related publications:
 Novak, K., Altman, M., Broch, E., Carroll, J. M., Clemins, P. J., Fournier, D., Laevart, C., et al.
(2011). Communicating Science and Engineering Data in the Information Age. Computer Science
and Telecommunications. National Academies Press
 Vadhan, S., et al. 2011. “Re: Advance Notice of Proposed Rulemaking: Human Subjects Research
Protections.”
 Altman, M., D. O’Brien, S. Vadhan, A. Wood. 2014. “Big Data Study: Request for Information.”
 O'Brien, et al. 2015. “When Is Information Purely Public?” (Mar. 27, 2015) Berkman Center
Research Publication No. 2015-7.
 Wood, et al. 2014. “Long-Term Longitudinal Studies” (July 22, 2014). Berkman Center Research
Publication No. 2014-12
 Altman, M., A. Wood, D O’Brien, U. Gasser, Forthcoming, Towards a Modern Approach to Privacy-
Aware Government Data Releases, Berkeley Journal of law and Technology
Slides and reprints available from:
informatics.mit.edu

Legal Constraints are Complicated
Contract Intellectual
Property
Access
Rights Confidentiality
Copyrigh
t
Fair Use
DMCA
Database Rights
Moral Rights
Intellectua
l
Attribution
Trade
Secret
Patent
Trademark
Common
Rule
45 CFR 26HIPA
AFERP
A
EU Privacy
Directive
Privacy
Torts
(Invasion,
Defamation)
Rights of
Publicity
Sensitive
but
Unclassified
Potentially
Harmful
(Archeologica
l Sites,
Endangered
Species,
Animal
Testing, …)
Classifie
d
FOIA
CIPSE
A
State
Privacy
Laws
EA
R
State
FOI
Laws
Journal
Replication
Requirements
Funder
Open
Access
Contract
License
Click-Wrap
TOU
ITA
Export
Restriction
s

Some Overarching Principles for Consideration
 Fair Information
Practice:
 Notice/awareness
 Choice/consent
 Access/participatio
n
(verification,
accuracy,
correction)
 Integrity/security
 Enforcement/redre
ss
 Self-regulation,
private remedies;
government
enforcements
 Privacy by design:
 Proactive not reactive;
Preventative not
remedial
 Privacy as the default
setting
 Privacy embedded into
design
 Full Functionality –
Positive-Sum, not
Zero-Sum
 End-to-End Security –
Full Lifecycle
Protection
 Visibility and
Transparency – Keep it
Open
 Respect for User
Privacy – Keep it User-
Centric
 OECD
Principles
 Collection
limitation
 Data quality
 Purpose
specification
 Use limitation
 Security
Safeguards
 Openness
 Individual
participation
 Accountability

General Categories of Regulatory Action
 Technical requirements
 Common restrictions: storage, transmission,
destruction
 Example: 201 CMR 15 requires encrypted
transmission
 Process requirements
 Common restrictions: vetting, audit, notification
 Example: HIPAA breach notification
 Civil and criminal
 Common: right of civil action, fines
 Example: Title 13, Criminal penalties

General Triggers for Regulatory Concern
 Data collector / controller characteristics:
 E.g.: Location of business entity, nexus of business
activity, certification of controller, classification of
controller
 Data subject characteristics:
 E.g.: location of residence of individual; age of individual;
business relationship with individual
 Data characteristics:
 E.g.: scope / domain; identifiability; sensitivity
See: Wood et al. 2014

Example Controls Across Lifecycle
 Lifecycle stage
 collection controls
(consent, purpose);
 transformation controls
(encryption, redaction);
 retention controls (breach
notification, firewalls);
 access controls (date
usage agreement, access
control)
 Post-access(auditing)
 Control Type
 Procedural, Educational ,
Legal, Technical, Physical
 Specificity
 Principle > Family >
Control >
Implementation> Product
Collection
• Ingestion, acquisition,
receipt, or acceptance
• Includes context of
collection
Transformation
• Processing of the data
prior to non-transient
storage
• Includes structural
transformations such as
encryption, and semantic
transformations such as
data reduction
Retention
• Non-transient storage by
entity
• Includes storage by third
party acting under
direction of entity
Access/Release
• Access to data by a party
not acting under the
direction of the entity
• Includes access to
transformation, subsets,
aggregates and
derivatives such as model
results and visualizations
Post-Access
• Availability and operations
on data (and subsets, etc.)
that has been passed to
third parties
• Include any subsequent
downsteam access
See: Altman et al., 2015

Laws Most Commonly Relevant to Patron Information
 Federal
 FERPA.
Protects student “records” – covers most information collected from or describing students
within institutions receiving federal funding
 Patriot Act
Expand government surveillance powers
 COPPA
Applies to online collection of personal information from children under 13.
 Torts.
Public disclosure of embarrassing private facts.
(General tort, but requires nexus between specific harm, specific data release, and specific
person.)
 State Law
 Library Records.
Specific state laws affecting library records. Ranges from no protection to, exemption from FOI to
confidentiality.
(Almost always focuses only on disclosure of identified information. Often does not specify enforcement)
 Privacy / Personal information.
Typically imposes controls on core financial information, use of official identifiers such as SSN’s, drivers
licenses, collected in state / from state residents
 Freedom of Information (FOI)
Gives rights to access information collected by state institutions, such as state universities – libraries
sometimes carved out under library record law
 Contract
 PCI
 Credit card/payment information controls , imposed by credit card vendors
 Individual contracts.
For infrastructure/service/software/content licenses See: R.E. Smith 2013 for an

Possible Approach to Meeting Legal Requirements
 PII Control
 Define PII to include:
HIPAA identifiers 4-17, full addresses, full birthdates)
 Perform a inventory to identify PII being collected:
review processes, systems (including licensed 3rd party systems) for PII collection
 Reduce PII at collection
 Redact PII before long-term retention where possible
 Redact PII before access/dissemination by 3rd parties
 Technical controls
 Use whole-disk/filesystem encryption to protect PII at rest
 Use end-to-end encryption to protect PII in motion
 Use good practice as defined by to protect systems
 Scan for sensitive information regularly
 Build/configure to checklist
 Be thorough in disposal of information
 Process controls
 Develop privacy policy that covers:
notice, collection, retention, destruction, access, notification
 Develop third-party contract riders; patron privacy notices;
 Publish public privacy notices; publish privacy policy
 Develop procedures, incorporating good practice, for:
system build/configure to checklist; staff training; breach notification; incident response; records
request response; auditing and monitoring internal system/third party
 For “good practice”
 Use MA 201 CMR 17 as a baseline for process and technical controls

Possible Approach
 Caveats
 Although 201 CMR 15 is appears to require the most
extensive set of technical requirements among state
privacy laws -- no published analysis exists that
describes requirements for meeting all state laws
collectively
 Redaction likely sufficient for state laws, may not be
sufficient in all circumstances for FERPA, protection
against torts, or to prevent harm from disclosure, all
international laws
 Need for redaction may be avoided in many cases by
prior obtaining consent for sharing of information
 Law in other countries varies
 may require different practices – although likely similar
 may require explicit for specific uses at collection

References
 Altman, M., A. Wood, D O’Brien, U. Gasser,
Forthcoming, Towards a Modern Approach to
Privacy-Aware Government Data Releases,
Berkeley Journal of law and Technology
 Wood, et al. 2014. “Long-Term Longitudinal
Studies” (July 22, 2014). Berkman Center
Research Publication No. 2014-12
 Smith, R.E. 2013 (supplemented 2015),
Compilation of State and Federal Privacy Laws,
Privacy Journal.

Questions?
E-mail: escience@mit.edu
Web: informatics.mit.edu

Creative Commons License
This work. Managing Confidential
information in research, by Micah Altman
(http://redistricting.info) is licensed under
the Creative Commons Attribution-Share
Alike 3.0 United States License. To view a
copy of this license, visit
http://creativecommons.org/licenses/by-
sa/3.0/us/ or send a letter to Creative
Commons, 171 Second Street, Suite 300,
San Francisco, California, 94105, USA.

Appendix: “Good Practice”
 System setup
 Use a virus checker
 Use a host-based firewall
 Strong credentials”
 Use a locking screen-saver
 Lock default/open accounts
 Regularly scan for sensitive information
 Update your software regularly: OS, apps, virus
definitions
 Disposal:
 Physical: Place in designated, locked, shredder bin;Use a
cross-cut shredder
 Digital Use whole disk encryption from cradle-to
grave OR use a certified/verified secure disk
eraser
 Server Setup
 Passwords should never be shared across
accounts or people
 Password guessing restrictions
 Idle session locking (or used on all client)
 No password retrieval
 Keep access logs
 Behavior
 Don’t share accounts or passwords
 Don’t use administrative accounts all the time
 Don’t run programs from untrusted sources
 Don’t give out your password to anyone
 Have a process for revoking user access when
no longer needed/authorized
 Documented breach reporting procedure
 Users should have appropriate training
 Credential Management
 Store passwords in a manner that can’t be
retrieved
 Never transmit passwords unencrypted
 Protect against password interactive guessing
 Choose passwords that cannot be easily
guessed
 *Force change of server-assigned passwords
 *Enforce password complexity requirements
(checks w/dictionaries, dates, common
algorithms)
 * Passwords length minimum 8 characters; 12
if feasible for logins; 16 for passphrases used
as part of decryption/encryption
 *Key length min: 256bits (private key); 2048
bits (public key)
 *Use multi factor authentication where feasible
Based on : 201 CMR 17, with additions marked
by *

Appendix: State Law Summary
 No specific statutory protection:
KY, TX, UT,HI
 Protected from FOI/gov. public records:
CA, CO, IA, MD, ND, OR, VT, VA, WA
 Not public:
DE, IN (not releasable), MA, MN (private), RI, WY (not open for
inspection)
 Confidential – except for court order:
AK, AZ, DC, FL, LA, ME, MI, MS (except minors), MO, MT, NB, NH
(other statutory exceptions), NJ, NM (except minors), NY (specific
records), NC, PA, SC, SD (except minors), TN (except for seeking
reimbursement), WV (Protected, except minors), WU
 Confidential:
AL, AR, CT, GA, IL, KS, NE, OK (shall not disclose)

Niso library law

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Niso library law

Similar a Niso library law (20)

Más de Micah Altman

Más de Micah Altman (20)

Último

Último (20)

Niso library law