In an interconnected world, where data collected for one purpose can be easily transferred and used for new, unforeseen purposes, we must be vigilant to protect consumers from uses of their data that do not match their expectations.
Transparency is the cornerstone of the modern privacy regime. An individual has the right to understand what data is being collected about him and to make informed choices about how that data is going to be used.
Last July, the U.S. Department of Education (ED) proposed its “Gainful Employment Rule,” which seeks to establish complex measures for determining whether education programs at proprietary postsecondary education institutions (and vocational programs at nonprofit colleges) lead to gainful employment in a recognized occupation. Under the proposed rule, a program’s eligibility for federal student financial aid under Title IV of the Higher Education Act would be based on meeting certain metrics related to student loan debt. ED recently sent a revised version of this regulation to the Office of Management and Budget, the agency in charge of reviewing regulations before they are made final. The revised rule could be out any day.
One measure that the Education Department proposes to use assesses whether a program’s annual loan payment is either 8 percent or less of the average annual earnings of program completers or 20 percent or less of discretionary income of program completers. These ratios might change in the final rule. In order to calculate average annual earnings and discretionary income, ED proposes that the Social Security Administration (SSA) would take the actual incomes of all students who completed a program and aggregate the students’ incomes into a number that ED would use to make the gainful-employment calculation.
Unfortunately, the proposed Gainful Employment Rule suffers from a fatal privacy flaw: it fails to provide transparency into how the federal government will collect and treat student data required to implement the rule. There is much to be applauded in the department’s effort to address loan debt and employment; the problem is not in these goals but in the methods the ED is planning to use to achieve them.
The first problem with the proposed regulation is that the details of how ED will receive student income data and how this data will be treated have not been resolved. Based on a preliminary agreement between ED and SSA, released by Social Security Commissioner Michael Astrue in response to an inquiry by Senator Orrin Hatch, it appears that the Education Department is planning for SSA to provide student income data to ED. However, there are no details as to exactly what additional data SSA will be collecting about students and what technical and administrative safeguards the agency will have in place to protect the increased data collection. ED and SSA must provide transparency into this process. Students and institutions need to know how SSA will handle their data.
Further, in his letter to Senator Hatch, Commissioner Astrue seeks to ease the Senator’s privacy concerns by stating that the data provided by SSA to ED will be “strictly statistical.” However, this raises additional transparency problems as both students and institutions will not have the ability to see how data about them is being used to make decisions that may be detrimental to their interests.
Without understanding what data went into the Education Department’s calculation, institutions and students will simply be informed of ED’s conclusion that they failed to meet a certain threshold and that they will no longer be eligible for federal financial aid. This black box calculation flies in the face of the uniformly accepted privacy principle of transparency.
This lack of transparency would also lead to further data collection by the institutions. As institutions would be unable to obtain the same data that the SSA used to make a calculation, in order to contest an adverse ED decision, an institution would have to provide income data that it has collected about its former students and potentially collect even more information than it had previously collected in order to perform its own income calculations.
In addition to the lack of transparency, the additional data that would be collected and maintained about students raises further privacy and security concerns. By collecting and linking more information about a student, the information the government already holds about a student will become more available should an errant government employee desire to misuse this information or should an unauthorized individual gain access to the data as a result of a data breach.
The consequences of a data breach can be profound – just ask Sony or Epsilon. And the government is not immune to these risks. In 2010, there were 104 reported government/military data breaches according to the Identity Theft Resources Center. Nineteen of these breaches were at federal agencies or military organizations, including the General Services Administration, the Department of the Interior, the Veterans Affairs Department, the State Department, and the IRS.
In short, any Education Department regulation that seeks to collect and use data about students must be fully transparent. Students and institutions must know what additional information is being collected, who is collecting this data, and exactly how the data is being used. This process cannot result in a privacy black hole. Any calculations that impact students and institutions must be done in a way that both protects student privacy while also giving the students and the institutions the ability to review and challenge unjust results.