Niso library law
1. NISO Lightning Overview:
Privacy Law & Libraries
Micah Altman
Director of Research
MIT Libraries
Prepared for
NISO Workshop on Patron Privacy
Online
June 2015
2. DISCLAIMER
These opinions are my own, they are not the
opinions of MIT, Brookings, any of the project
funders, nor (with the exception of co-authored
previously published work) my collaborators
Secondary disclaimer:
“It’s tough to make predictions, especially about
the future!”
-- Attributed to Woody Allen, Yogi Berra, Niels Bohr, Vint Cerf, Winston
Churchill, Confucius, Disreali [sic], Freeman Dyson, Cecil B. Demille, Albert
Einstein, Enrico Fermi, Edgar R. Fiedler, Bob Fourer, Sam Goldwyn, Allan
Lamport, Groucho Marx, Dan Quayle, George Bernard Shaw, Casey Stengel,
Will Rogers, M. Taub, Mark Twain, Kerr L. White, etc.
3. Collaborators & Co-Conspirators
Privacy Tools for Sharing Research Data Team
(Salil Vadhan, P.I.)
http://privacytools.seas.harvard.edu/people
Research Support
Supported in part by NSF grant CNS-1237235
4. Related Work
Main Project:
Privacy Tools for Sharing Research Data
http://privacytools.seas.harvard.edu/
Related publications:
Novak, K., Altman, M., Broch, E., Carroll, J. M., Clemins, P. J., Fournier, D., Laevart, C., et al. 2011. Communicating Science and Engineering Data in the Information Age. Computer Science and Telecommunications Board, National Academies Press.
Vadhan, S., et al. 2011. "Re: Advance Notice of Proposed Rulemaking: Human Subjects Research Protections."
Altman, M., D. O'Brien, S. Vadhan, A. Wood. 2014. "Big Data Study: Request for Information."
O'Brien, et al. 2015. "When Is Information Purely Public?" (Mar. 27, 2015). Berkman Center Research Publication No. 2015-7.
Wood, et al. 2014. "Long-Term Longitudinal Studies" (July 22, 2014). Berkman Center Research Publication No. 2014-12.
Altman, M., A. Wood, D. O'Brien, U. Gasser. Forthcoming. "Towards a Modern Approach to Privacy-Aware Government Data Releases." Berkeley Technology Law Journal.
Slides and reprints available from:
informatics.mit.edu
5. Legal Constraints are Complicated
(The original slide is a diagram of overlapping legal regimes; the labels are listed here in the order they appear.)
Contract; Intellectual Property; Access Rights; Confidentiality
Copyright; Fair Use; DMCA; Database Rights; Moral Rights; Intellectual Attribution; Trade Secret; Patent; Trademark
Common Rule (45 CFR 46); HIPAA; FERPA; EU Privacy Directive; Privacy Torts (Invasion, Defamation); Rights of Publicity
Sensitive but Unclassified; Potentially Harmful (Archeological Sites, Endangered Species, Animal Testing, …); Classified
FOIA; CIPSEA; State Privacy Laws; EAR; State FOI Laws
Journal Replication Requirements; Funder Open Access
Contract; License; Click-Wrap; TOU; ITAR; Export Restrictions
Privacy Law & Libraries
6. Some Overarching Principles for Consideration
Fair Information Practice:
• Notice/awareness
• Choice/consent
• Access/participation (verification, accuracy, correction)
• Integrity/security
• Enforcement/redress (self-regulation, private remedies, government enforcement)
Privacy by Design:
• Proactive not reactive; preventative not remedial
• Privacy as the default setting
• Privacy embedded into design
• Full functionality: positive-sum, not zero-sum
• End-to-end security: full lifecycle protection
• Visibility and transparency: keep it open
• Respect for user privacy: keep it user-centric
OECD Principles:
• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Openness
• Individual participation
• Accountability
7. General Categories of Regulatory Action
Technical requirements
Common restrictions: storage, transmission, destruction
Example: 201 CMR 17 requires encrypted transmission (of personal information sent across public networks or wirelessly)
Process requirements
Common restrictions: vetting, audit, notification
Example: HIPAA breach notification
Civil and criminal
Common: right of civil action, fines
Example: Title 13, Criminal penalties
8. General Triggers for Regulatory Concern
Data collector / controller characteristics:
E.g.: Location of business entity, nexus of business
activity, certification of controller, classification of
controller
Data subject characteristics:
E.g.: location of residence of individual; age of individual;
business relationship with individual
Data characteristics:
E.g.: scope / domain; identifiability; sensitivity
See: Wood et al. 2014
9. Example Controls Across Lifecycle
Lifecycle stage:
• Collection controls (consent, purpose)
• Transformation controls (encryption, redaction)
• Retention controls (breach notification, firewalls)
• Access controls (data usage agreement, access control)
• Post-access controls (auditing)
Control type: procedural, educational, legal, technical, physical
Specificity: Principle > Family > Control > Implementation > Product
Collection
• Ingestion, acquisition, receipt, or acceptance
• Includes the context of collection
Transformation
• Processing of the data prior to non-transient storage
• Includes structural transformations such as encryption, and semantic transformations such as data reduction
Retention
• Non-transient storage by the entity
• Includes storage by a third party acting under the direction of the entity
Access/Release
• Access to data by a party not acting under the direction of the entity
• Includes access to transformations, subsets, aggregates and derivatives such as model results and visualizations
Post-Access
• Availability of, and operations on, data (and subsets, etc.) that has been passed to third parties
• Includes any subsequent downstream access
See: Altman et al., 2015
10. Laws Most Commonly Relevant to Patron Information
Federal
FERPA.
Protects student "records": covers most information collected from or describing students within institutions receiving federal funding.
Patriot Act.
Expands government surveillance powers.
COPPA.
Applies to online collection of personal information from children under 13.
Torts.
Public disclosure of embarrassing private facts.
(General tort, but requires a nexus between a specific harm, a specific data release, and a specific person.)
State Law
Library Records.
Specific state laws affecting library records. Ranges from no protection, to exemption from FOI, to confidentiality.
(Almost always focuses only on disclosure of identified information. Often does not specify enforcement.)
Privacy / Personal information.
Typically imposes controls on core financial information and on the use of official identifiers such as SSNs and driver's licenses, collected in the state or from state residents.
Freedom of Information (FOI).
Gives rights of access to information collected by state institutions, such as state universities; libraries are sometimes carved out under library records law.
Contract
PCI.
Credit card/payment information controls, imposed by the card brands.
Individual contracts.
For infrastructure/service/software/content licenses. See: R.E. Smith 2013 for an
11. Possible Approach to Meeting Legal Requirements
PII Control
Define PII to include: HIPAA identifiers 4-17, full addresses, full birthdates
Perform an inventory to identify the PII being collected: review processes and systems (including licensed third-party systems) for PII collection
Reduce PII at collection
Redact PII before long-term retention where possible
Redact PII before access/dissemination by third parties
Technical controls
Use whole-disk/filesystem encryption to protect PII at rest
Use end-to-end encryption to protect PII in motion
Use good practice (as defined below) to protect systems
Scan for sensitive information regularly
Build/configure to a checklist
Be thorough in disposal of information
Process controls
Develop a privacy policy that covers: notice, collection, retention, destruction, access, notification
Develop third-party contract riders and patron privacy notices
Publish public privacy notices; publish the privacy policy
Develop procedures, incorporating good practice, for: system build/configure to checklist; staff training; breach notification; incident response; records request response; auditing and monitoring of internal systems and third parties
For "good practice": use MA 201 CMR 17 as a baseline for process and technical controls
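The inventory, scan and redact steps above are the ones where a small tool earns its keep. What follows is an added example, not code from the slides or from the Privacy Tools project: a pattern-based scanner and redactor for a few of the identifiers the slide names (phone, e-mail, SSN, full street address, full date), run over constructed sample records of the kind a circulation or web log might hold. The patterns, the record format and the keyed pseudonym for e-mail addresses are assumptions of this example; real deployments extend the patterns to local data and add a name-detection pass, which pattern matching does not cover.

```python
"""Added example: pattern-based PII inventory and redaction for patron records."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Patterns for some of the identifiers the slide names: phone (HIPAA #4),
# e-mail (#6), SSN (#7), full street address and full date. Assumptions of
# this example: US-style formats, and every full date is treated as a possible
# birthdate (conservative: a due date gets redacted as well). Names are not
# covered; they need a dictionary or NER pass rather than a pattern.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+[A-Z][a-z]+(?:\s[A-Z][a-z]+)*\s(?:St|Ave|Rd|Blvd|Ln|Dr)\b\.?"
    ),
}

# Constructed sample records, modelled on lines an ILS or web log might hold.
SAMPLE_RECORDS = [
    "2015-06-12 checkout patron=jane.doe@example.edu item=QA76.9 due=07/03/2015",
    "hold request: Jane Doe, 42 Elm St, tel 617-555-0123, dob 03/14/1990",
    "ILL request: card 00419, ssn 123-45-6789 on form, renewed",
    "catalog search: 'privacy law' results=14",
]


def scan(record: str) -> List[Tuple[str, str]]:
    """Return (category, matched text) for every PII hit in one record."""
    return [(name, m.group(0))
            for name, pat in PII_PATTERNS.items()
            for m in pat.finditer(record)]


def inventory(records: List[str]) -> Dict[str, int]:
    """Count hits per category: the 'inventory of PII being collected' step."""
    counts: Dict[str, int] = {}
    for rec in records:
        for name, _ in scan(rec):
            counts[name] = counts.get(name, 0) + 1
    return counts


def pseudonymize_email(addr: str, key: bytes) -> str:
    """Keyed hash of the address: repeat visits by one patron still link in
    usage statistics, but the address itself is not retained. The key must be
    kept apart from the data set and rotated when the data is released."""
    tag = hmac.new(key, addr.strip().lower().encode("utf-8"), hashlib.sha256)
    return "patron-" + tag.hexdigest()[:12]


def redact(record: str, key: Optional[bytes] = None) -> str:
    """Replace each hit with a category marker; with a key, e-mail addresses
    become stable pseudonyms instead of being blanked."""
    out = record
    for name, pat in PII_PATTERNS.items():
        if name == "email" and key is not None:
            out = pat.sub(lambda m: pseudonymize_email(m.group(0), key), out)
        else:
            out = pat.sub("[" + name.upper() + "]", out)
    return out


if __name__ == "__main__":
    print("inventory:", inventory(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print(redact(rec, key=b"example-only-key"))
```

Run `inventory()` against a sample of each system's records during the inventory step; run `redact()` at the retention boundary so the stored copy never contains the raw identifiers. The pseudonym variant keeps usage analytics possible while the raw address is dropped; it is only as strong as the secrecy of the key.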
12. Possible Approach
Caveats
Although 201 CMR 17 appears to require the most extensive set of technical requirements among state privacy laws, no published analysis exists that describes the requirements for meeting all state laws collectively
Redaction is likely sufficient for state laws; it may not be sufficient in all circumstances for FERPA, for protection against torts, to prevent harm from disclosure, or under all international laws
The need for redaction may be avoided in many cases by obtaining consent in advance for sharing of the information
Law in other countries varies:
it may require different practices (although likely similar)
it may require explicit consent for specific uses at collection
13. References
Altman, M., A. Wood, D. O'Brien, U. Gasser. Forthcoming. "Towards a Modern Approach to Privacy-Aware Government Data Releases." Berkeley Technology Law Journal.
Wood, et al. 2014. "Long-Term Longitudinal Studies" (July 22, 2014). Berkman Center Research Publication No. 2014-12.
Smith, R.E. 2013 (supplemented 2015). Compilation of State and Federal Privacy Laws. Privacy Journal.
15. Creative Commons License
This work, Managing Confidential Information
in Research, by Micah Altman
(http://redistricting.info) is licensed under
the Creative Commons Attribution-Share
Alike 3.0 United States License. To view a
copy of this license, visit
http://creativecommons.org/licenses/by-
sa/3.0/us/ or send a letter to Creative
Commons, 171 Second Street, Suite 300,
San Francisco, California, 94105, USA.
16. Appendix: “Good Practice”
System setup
• Use a virus checker
• Use a host-based firewall
• Use strong credentials
• Use a locking screen-saver
• Lock default/open accounts
• Regularly scan for sensitive information
• Update your software regularly: OS, apps, virus definitions
Disposal
• Physical: place in a designated, locked shredder bin; use a cross-cut shredder
• Digital: use whole-disk encryption from cradle to grave, OR use a certified/verified secure disk eraser
Server setup
• Passwords should never be shared across accounts or people
• Password-guessing restrictions
• Idle session locking (or enforced on all clients)
• No password retrieval
• Keep access logs
Behavior
• Don't share accounts or passwords
• Don't use administrative accounts all the time
• Don't run programs from untrusted sources
• Don't give out your password to anyone
• Have a process for revoking user access when no longer needed/authorized
• Documented breach reporting procedure
• Users should have appropriate training
Credential management
• Store passwords in a manner that can't be retrieved (a salted, slow one-way hash, never reversible encryption)
• Never transmit passwords unencrypted
• Protect against interactive password guessing
• Choose passwords that cannot be easily guessed
• *Force change of server-assigned passwords
• *Enforce password complexity requirements (checks against dictionaries, dates, common algorithms)
• *Password length minimum 8 characters; 12 if feasible for logins; 16 for passphrases used as part of decryption/encryption
• *Key length minimum: 256 bits (symmetric key); 2048 bits (public/asymmetric key)
• *Use multi-factor authentication where feasible
Based on: 201 CMR 17, with additions marked by *
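The credential-management rules above (non-retrievable storage, guessing restrictions, complexity and length checks) as working code. This is an added example, not part of the slides or of 201 CMR 17: a password policy checker and a minimal credential store in Python. The word list, the lockout threshold of five failures and the scrypt parameters are illustrative assumptions; a production system would use a real breached-password list and tune the cost parameters to its hardware.

```python
"""Added example: password policy checks and non-retrievable credential storage."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List

MIN_LEN_LOGIN = 12        # appendix: 8 minimum, 12 if feasible for logins
MIN_LEN_PASSPHRASE = 16   # appendix: 16 for passphrases used for encryption
MAX_FAILED = 5            # assumption of this example: lock after 5 failures
# Constructed stand-in for a real dictionary / breached-password list.
WORDLIST = {"password", "library", "patron", "welcome", "letmein", "summer"}
SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789", "abcd", "qwerty")


def check_policy(pw: str, passphrase: bool = False) -> List[str]:
    """Return the policy violations for a candidate password (empty = accepted).
    Implements the starred rules: minimum length, dictionary words, dates and
    common sequences."""
    problems: List[str] = []
    if len(pw) < (MIN_LEN_PASSPHRASE if passphrase else MIN_LEN_LOGIN):
        problems.append("too short")
    lowered = pw.lower()
    if any(word in lowered for word in WORDLIST):
        problems.append("contains dictionary word")
    if re.search(r"(?:19|20)\d{2}", pw) or re.search(r"\d{1,2}/\d{1,2}", pw):
        problems.append("contains a date")
    if re.search(r"(.)\1{2,}", pw) or any(seq in lowered for seq in SEQUENCES):
        problems.append("repeated or sequential characters")
    return problems


def _derive(pw: str, salt: bytes) -> bytes:
    """scrypt is memory-hard, so offline guessing against a stolen store is
    slow; the parameters here are illustrative, tune them to the server."""
    return hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class _Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class CredentialStore:
    """Keeps only a per-user salt and scrypt digest: the password cannot be
    retrieved, only checked. Consecutive failures lock the account."""

    def __init__(self) -> None:
        self._accounts: Dict[str, _Account] = {}
        self._dummy_salt = os.urandom(16)

    def register(self, user: str, pw: str) -> List[str]:
        """Store the credential if it passes policy; return any violations."""
        problems = check_policy(pw)
        if not problems:
            salt = os.urandom(16)
            self._accounts[user] = _Account(salt, _derive(pw, salt))
        return problems

    def has(self, user: str) -> bool:
        return user in self._accounts

    def is_locked(self, user: str) -> bool:
        acct = self._accounts.get(user)
        return acct is not None and acct.locked

    def verify(self, user: str, pw: str) -> bool:
        acct = self._accounts.get(user)
        if acct is None:
            _derive(pw, self._dummy_salt)   # same cost as a real check,
            return False                    # so timing does not reveal users
        if acct.locked:
            return False
        ok = hmac.compare_digest(_derive(pw, acct.salt), acct.digest)
        if ok:
            acct.failures = 0
        else:
            acct.failures += 1
            if acct.failures >= MAX_FAILED:
                acct.locked = True          # clearing this is an admin action
        return ok


if __name__ == "__main__":
    store = CredentialStore()
    print(store.register("bob", "Password2015"))      # rejected by policy
    print(store.register("alice", "correct horse battery staple"))
    print(store.verify("alice", "correct horse battery staple"))
```

`verify()` spends the same scrypt cost on an unknown user as on a real one and compares digests in constant time, so neither timing nor error text tells a guesser which accounts exist; the lockout counter is the interactive-guessing restriction the appendix asks for, and the "no password retrieval" rule follows from storing nothing but salt and digest.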
17. Appendix: State Law Summary
No specific statutory protection:
KY, TX, UT, HI
Protected from FOI/government public records:
CA, CO, IA, MD, ND, OR, VT, VA, WA
Not public:
DE, IN (not releasable), MA, MN (private), RI, WY (not open for inspection)
Confidential, except for court order:
AK, AZ, DC, FL, LA, ME, MI, MS (except minors), MO, MT, NB, NH (other statutory exceptions), NJ, NM (except minors), NY (specific records), NC, PA, SC, SD (except minors), TN (except for seeking reimbursement), WV (protected, except minors), WI
Confidential:
AL, AR, CT, GA, IL, KS, NE, OK (shall not disclose)