v.01 - Ken K.

There are several ways in which the emerging world of rich attribute exchange interacts with FERPA.

With the ability to send individual attributes about a person without revealing their actual name (DisplayName in attribute-speak), the question arises of which specific attributes are personally identifiable information or FERPA-controlled. Examples include login name (EPPN or eduPersonPrincipalName), email address, DisplayName, unique but opaque identifiers (EPTID or eduPersonTargetedID in attribute-speak), classes, clubs or activities, majors, etc. (Note: For the details on the attributes to which Ken is referring in this paragraph, see the eduPerson Object Class Specification.)

One of the ways that privacy can be attacked in an attribute-oriented world is to have a site (or several conspiring sites) collect a set of attributes about an individual, no one of which is personally identifiable but the collection of which is (a so-called denial of privacy attack). Does FERPA have anything to say about such issues?

In the international setting of the R&E community, many exchanges of identity and attributes involve several countries and therefore compound privacy laws.  One activity underway in Europe is a "normalization" of what is considered to be PII in different countries.  What correlation is there between FERPA and this emerging normalized PII?

In the international setting of the R&E community, US students can study abroad, either at US institutions with overseas campuses or at local institutions. How do FERPA considerations interact with students abroad?

Processing/release of personal data is allowed in Europe subject to the following guidelines. Are they consistent with US practice and FERPA requirements?
• Required to perform contract with data subject, or
• Required to satisfy legal duty, or
• If data subject gives free, informed consent
    - And does not withdraw it

Different conditions apply to each of these.

The translation of EC policy to US institutions might include the following. Is it consistent with US practices?

• Must identify which services are necessary for education/research
    - Must consider whether personally identifiable information is necessary for those services, or whether anonymous identifiers or attributes are sufficient;
    - Must inform users what information will be released to which service providers, for what purpose(s);
    - May release that necessary personally identifiable information to those services.
• May seek users' informed, free consent to release personal data to other services that are not necessary for education/research
    - Must inform users what information will be released to which service providers, for what purpose(s);
    - Must maintain records of individuals who have consented;
    - Must allow consent to be withdrawn at any time;
    - Must only release personal information where consent is currently in effect.
• Should have a data processor/data controller agreement with all service providers to whom personally identifiable data is released.
• Must ensure adequate protection of any data released to services outside the European Economic Area.
