Instead of waiting for lawmakers, IT officials say higher education should lead on privacy rules
WASHINGTON -- As long as federal and state-level authorities drag their feet on updating privacy standards, higher education institutions and their private sector partners have an opportunity to lead on the issue and drag governments to the negotiating table.
Privacy experts and IT officials delivered that call to action on Thursday during a roundtable discussion that also explored privacy issues in health care and K-12 education. Once the topic turned to higher education, however, panelists were quick to express their frustrations with the aging Family Educational Rights and Privacy Act and the concerns posed by technologies such as cloud storage solutions.
Specifically, the panelists expressed a need for clearer guidelines that would help colleges and universities understand how student data is stored and transmitted -- although it was unclear where the guidelines will come from.
“Who is responsible for setting the rules around privacy?” said Tracy Mitrano, director of IT policy at Cornell University (and a blogger for Inside Higher Ed). “No one is really clear about that answer -- or even clear about a process. It’s obviously not going to be one sector that’s going to settle the rules for everybody.”
When a university outsources one or more of its services to a commercial provider -- signing a contract with Google to use its email and productivity suite, for example -- it risks compromising student data. Since violating FERPA can lead to a financially devastating loss of federal funding, navigating contract negotiations can sometimes be a tricky legal process.
“Suddenly, the institution is responsible for these records that literally did not used to exist,” Mitrano said. “The question that the institutions has is, ‘All right, how am I supposed to do this and not get in trouble with the Department of Education?’ When there’s no regulatory law that automatically comes in to help you out with that, it is left up, then, to the institution to find partners who are willing to collaborate -- and largely beginning at the contractual level -- with these rules that we think are going to keep us safe and out of court.”
Microsoft, which hosted Thursday’s roundtable, has previously worked with universities to create a standard outsourcing contract that complies with FERPA and its health care equivalent, the Health Insurance Portability and Accountability Act, or HIPAA.
Mitrano commended Microsoft for its work, saying such partnerships can set the tone for a broader conversation about privacy guidelines that could eventually lead to comprehensive legislation.
“In the absence of guiding principles or frameworks to be thinking about privacy in its broadest sense..., all these sectors are going to have to start to work together to find a process and a way we can really begin to set the framework,” Mitrano said. “Yes, there will be competing interests -- the transparency is critical there to be sure that everyone understands that -- but there has to be a lot of room for consensus.”
Instead of waiting for Congress to act, Steve Mutkoski, Microsoft’s worldwide policy director, said state legislatures could provide another route to put privacy on the agenda. “With all that is going on in the federal government, I don’t get the sense that there’s an appetite to solve this there,” he said.
Mutkoski pointed to a model bill authored by the American Legislative Exchange Council, an association of Republican legislators and businesses, as one such example, even though he described it as “not substantive.”
“I think it’s a good bill from the standpoint of it calls for more structure and more debate about transparency,” Mutkoski said. “So to the extent it sets up a process in a state to have a discussion about legal and community norms, yeah, that’s a good thing.”
Robust privacy guidelines could even open the way for a federal student-level record system, panelists said. Although such a "unit record" system is banned today, some politicians and advocacy have warmed to the idea. Being able to track students throughout their educational careers would for example make President Obama’s plan to hold college and universities accountable for student success more feasible.
A push to overturn the ban could accompany a larger effort to clarify privacy rules. “I think you do both at the same time,” Mitrano said. “You work with the detailed issues as best you can -- because they’re in front of you and you have to do something about it -- at the same time that you’re thinking what is the largest context and working it on down.”