User:GibsOfficial/privacy in higher education

 Privacy in Education (from existing page) 

Privacy in education refers to the broad area of ideologies, practices, and legislation that involve the privacy rights of individuals in the education system. Concepts that are commonly associated with privacy in education include the expectation of privacy, the Family Educational Rights and Privacy Act (FERPA), and the Fourth Amendment. The majority of privacy in education concerns are prevalent to the protection of student data, such as educational records and other personal information, both inside and outside the traditional classroom setting. Many scholars are engaging in an academic discussion that covers the scope of students’ privacy rights and the management of student data in an age of rapid information access and dissemination.

- *add more about higher education* // specifically students //

Historical Perspective
Since the 1970's, the commonly held perspective was that the right to privacy was an evaluation of individual worth. Technology, was perceived as having potentially negative effects susceptible to being breached. Yet there were not many violations warranted that would urge legislation to act and shift their attention to protecting privacy in education or primarily individual privacy in general. Technology at the same time was viewed as a source to uncover values, behaviors, motives and thoughts and yet it was perceived that only qualified professionals had access, especially without the existence of the World Wide Web. However, within higher education there was a perspective that individuals were susceptible to having their information breached. Thus, the role of education was viewed as one that safeguarded its students and staff to ensure privacy and yet, even in the 1970's there was a perspective that privacy could be breached given the technology that existed.

College Dormitory Searches (from existing page)
In many public and private colleges and universities across the United States, enrolled students typically live on campus in college-operated dormitories. Since students live in these dormitories for the duration of about one year, many personalize and consider their dormitory rooms as their personal and personalized living space. However, these dormitories are property owned by colleges and often students must waive their right to privacy for college representatives to conduct searches for safety purposes. While some believe that dormitory searches are effective for maintaining a safe community on campus, others believe that these searches are a violation of student privacy. Many cases have been filed by students in which they were caught with illegal substances in their dormitories during searches that these students felt were an invasion of their private living spaces. Additionally, only public or government-related searches with warrants are protected under the Fourth Amendment. Oftentimes college dormitory searches would be regarded as private searches and thus undergo lawsuits that claim a violation of the Fourth Amendment. For example, in the case Morale v. Grigel, a Resident Assistant at the New Hampshire Technical Institute searched a student's room on multiple occasions even though the student was not present in the room at all times. Once the Resident Assistant found marijuana in the room, the student was arrested for possessing illegal substances on college campus property. The student then filed a lawsuit against the Resident Assistant on the grounds that the searches were private and thus violated his Fourth Amendment right to protection from private searches. However, the court concluded that the Resident Assistant's employment status rendered him as a government agent and thus his searches were conducted on behalf of the college, a government-related institution.

Facebook
Technology is able to be used to create one's own social presence through informal settings as well as formal settings that allow for the connection of student and instructors for academic purposes. Students in higher education using Facebook censor or block their information from instructors. A study by Kerry Burner and Vanessa Dennen points out that Facebook is primarily used to interact with friends and family rather than instructors. By blocking their information they believe that they avoid context collapse that may cause confusion of who the person really is. Students prefer to be present in the classroom and have their social life private from formal settings.

Learning Analytics
With the improvement of technology, more data has become available within higher education. Administrators are then able to learn more about students in order to implement forms of improving student's success. Through learning analytics, which is defined as the focus on "students and their learning behaviors, gathering data from course management and student information systems in order to improve student success," administrators are able to obtain real-time empirical data such as insights and responses of student's learning processes.

Yet the privacy issues arise in how student data is collected, stored, analyzed and presented to stakeholders. There arises ethical issues of "location and interpretation of data; informed consent, privacy, and de-identification of data; and classification and management of data."

Students believe that data about them is elaborate and personalized and at the same time hold a conservative view about learning analytics. Learning analytics helps obtain real time data for higher education learning processes but, at the same time may hinder the development of students such as critical thinking and autonomous learning. It is not as simple as saying that learning analytics will benefit students and thus increase their success and retention rates. This is such because procedures to regulate access are put in place while at the same time bias and lack of validity and comprehension affect the ability to obtain data that will then be used for the benefit of students.

Data Breaches
As of 2017, there has been over 30 data breaches since 2005. The susceptibility to breaches creates threats to institutional research (IR) professionals who store and manage student data within the regulatory structure that controls data management. Further than this, student information is then brought to light which can threaten them as well. As vast amounts of data is collected issues arise that involve data breaching through hacking, physical theft, and vendors.

Preventative Measures
Those who study the implications of data breaches emphasize that data should be kept to a minimum and that steps should be taken in order to see who can be trusted to regulate this information in order to keep data private not not accessible to all employees. They also talk about investing in educating employees about what can and cannot be done with data. Further, they state that institutions should use the resources available at their own college/university in order to most effectively implement policies and procedures to keep data private. Exercising caution against third-party vendors that help with data is advised and further that there should be a contract established that defines who exactly who will be working with data, establish the notion that the data is sensitive and thus should be handled with care, that the contract establishes security procedures, and that it should describe the exact responsibility of the vendor just in case data is to be breached.

Essentially, data breaches happen but at the same time writers who investigate data breaches in higher education advise that research professions should understand that data breaches happen but that it is better to take preventative measures and policies in the first place to ensure the security of data.

Family Educational Rights and Privacy Act of 1974 (FERPA) in Higher Education
The Family Education Rights and Privacy Act of 1974 limits the “disclosure of certain information contained in a student’s education record to third parties” which includes parents if the student has not given consent. Third parties can be parents, family, another institution (mental health providers), or pursuants of a subpoena or court order (law enforcement). It gives colleges and universities the right to "inspect and review" educational records that can disclosed if 1) consent is given by the student, 2) if the information falls within the definition of "directory information" (information that is not considered harmful such as name, major and address), 3) if the information is of "legitimate educational interest" (if an official needs to review the education records in order to fulfill their responsibilities within the University), 4) the student is tax dependent, 5) if it regards drugs or alcohol violations, 6) if it involves serious conduct violations, and 7) when it involves health or safety emergencies

For example if a student in a residence hall is diagnosed with a contagious disease (measles), has a serious eating disorder, has suicidal ideation, binge drinks heavily, or has erratic and angry behaviors. Furthermore, information can be released if it entails disciplinary information such as a student who is an “alleged perpetrator of a crime of violence or a non-forcible sex offense." However, there have been cases where troubled students remain in college, without the college or university advising parents about their "strange" behavior, which resulted in students to take their own lives. The cases of Jain v. Iowa, Shin v. Massachusetts Institute of Technology and Mahoney v. Allegheny College exemplify this issue. Nonetheless, according to FERPA, disclosures are considered to be made in “good faith based upon the available facts.”

Educational records are covered by FERPA. They are not just academic records, class schedules or transcripts but also financial records, disciplinary records, "disability accomodation records, photographs, e-mails, and electronic database records." Official documentation is needed to fall under FERPA even if this entails a personal experience or observation.

What is not covered under FERPA are: law enforcement records, treatment records, and sole possession records and instead fall under other laws or considerations.

In Loco Parentis
Due to the influence of FERPA, there has been a shift from in loco parentis, to in sin parentibus, and back to in loco parentis. In sine parentibus means "without parents" meanwhile in loco parentis means "in place of the parent." Thus, as represented by FERPA, the shift to in loco parentis within higher education is the act of the school taking over the legal responsibility of parents. This means that college authorities stand in place of parents.

The role of FERPA is to enhance student achievement through greater parent involvement as well as protecting the private interests of students. Yet, the shift toward in loco parentis also comes with concerns related to educational records. More specifically, there is a concern about the extent to which large and powerful institutions obtain information to their advantage such as data that is gathered by researchers and policymakers. On the other hand there are concerns that relate to the university itself disclosing information. For example, under FERPA, the school can disclose information about students to parents if it includes alcohol and drug related incidents any time if they are under 21. Because of reasons like these, there is a concern that there may be "systematic disclosure policies" that become out of control and thus harm student rights and privacy.

Privacy and Confidentiality
Within student records there is a differentiate between what is privacy and what is confidentiality. Privacy is more of a legal concept and is defined as the "right of a person to withhold himself and his property from public scrutiny if he so chooses." Thus privacy gives the individual the right to be let alone which means that the university itself does not have the right to pry into student's personal affairs or reveal student information unless there are explicit and valid reasons in doing so or permission has been granted by the student. Yet even giving permission does not mean that the student has given permission to have all of their information revealed from then on but rather than permission is granted within the particular circumstance.

On the other hand, confidentiality means that files and records of students are not authorized to be disclosed to third parties such as not disclosing information that is received in confidence from a patient and physician. Given this, authors who focus on confidentiality ask questions such as:

1) Does the communication originate in confidence?

2) Is the element of confidentiality essential to the full and satisfactory maintenance of the relationship between the parties?

3) Is the relationship one that must be fostered??

4) Will there result an injury that is greater than any benefits which may be gained from that disclosure?

If the answers are "yes" then the university may be legally bound to not disclose information unless it overrides the interest.

Medical Records
Maintaining confidentiality and privacy has become an issue when it comes to medical records.

Health Insurance Portability and Accountability Act of 1996
The Health Insurance Portability and Accountability Act of 1996 provides privacy to data that is related to medical or mental health records that are legally more restrictive than FERPA in regards to confidentiality. HIPAA includes provisions that “intend to facilitate the creation of a national system for the electronic transmission and exchange of medical record information” such as access to information that is individually identifiable like health plans and health care. The act “defined protected health information so as to exclude individually identifiable health information that is included in education records covered by FERPA and that is in treatment records that are exempted from FERPA.”  The different between educational records and treatment records is that treatment records fall under federal and state law while educational records fall under FERPA. Nevertheless, the documentation of patient and caregiver is confidential meaning that medical records will not be disclosed unless consent is given or their is a belief that disclosing records is crucial. Furthermore, generally, health care providers do not disclose information unless they meet a standard that falls above the required FERPA health or safety exception, or consent is given, and thus is limited in providing information within the constraints of the confidentiality among patient and provider.

Integration of Mental and Physical Records
In some instances, college campuses have begun to integrate physical and mental health needs of patients. This means that medical records are becoming more shared among physicians as well as counselors or psychologists that work with students. Yet, medical providers, separately, have the obligation to withhold confidential information as an ethical duty and state privacy regulations. For example, health providers such as counselors, also have the obligation to be confidential and not disclose private information. However, as medical providers move towards integrated care, such that mental and physical records are shared amongst themselves, there arises a confidentiality challenge that may lead to college students to fall behind in school. Since confidentiality is compromised as information is disclosed among providers that use this method of continuity care, less students utilize therapy because they refuse to disclose private information that can then be shared with others. This simultaneously fuels the stigma towards college counseling. Thus, as more information becomes disclosed, less college students seek counseling due to lack of confidentiality as medical records of patients are disclosed between medical providers, when legally the obligation of these medical providers is to abide and guarantee privacy and confidentiality by withholding patient's information unless under specific circumstances.

Further, outside of sharing information among medical providers, there is also the issue of sharing information with researchers. They claim that medical records are difficult to access but when they are, it opens up the door for research. Yet, at the same time it opens the door to privacy and confidentiality risks.

Electronic Health Records
Since technology continues to revolutionize, medical records have become accessible as electronic health records. This allows information to be shared more easily but appears to create a challenge for stigma management and disclosing information during medical appointments.

An in-depth interview study called "Negotiating stigma in health care: disclosure and the role of electronic health records" was made that took into account sexual minority men (gay, bisexual, and other men who have sex with men) in the U.S. to seek how they viewed electronic health records. What the study found is that there were concerns of privacy in terms of how the electronic aspect creates a barrier to be open and talk about seemingly confidential information as well as how it may challenge the right to confidentiality and privacy. On the other hand, the study also found that electronic health records may benefit by improving communication among providers when sharing information and further, to provide better care especially after the Health Information Technology for Economic and Clinical and Health Act invested billions in the adoption of electronic health records to improve the quality of care. The study concludes that technology may enhance medical care yet at the same time fuel the stigma that seeking medical help is bad and thus would hinder patients to make appointments, to attend counseling with certain providers, or disclose personal information such as sexual identity and HIV status that they believe will be shared to others without their consent.

State Laws
Federal regulations allow states to place their own regulations, to either increase or decrease the requirements for disclosure, but states who do are few.


 * Minnesota State Law

In 1996 the state of Minnesota placed a law regarding medical records that appeared to be more stringent than HIPAA. Minnesota law attempted to obtain a "written general authorization for such release from the patient" as a form to impede the activities of researchers or providers to share information without given consent. Hospitals in Minnesota even made brochures that highlight patient's rights to confidentiality and that they can give consent in writing if they allow for their medical records to be released outside of the facility. Thus, the law required health care providers to obtain a written consent and authorization from patients in order for medical records to be released and used for research. However, researchers themselves campaigned against the law and the law was not successful in enforcing the right that patients have to refuse their information to be released. Meanwhile the patients themselves wanted information as to what information is being used within their medical records.

As of 2006, under Minnesota's state rights, individuals have the right to: see and get a copy of their medical records, have information added to their medical records in order to make them accurate, file a complaint, and importantly, sue in state court for violations of their rights under state law.


 * Massachusetts State Law

The Massachusetts state law imposed the requirement that a person has the right against the unreasonable interference of privacy and states that the superior court shall have jurisdiction to enforce a person's right and thus must award damages if need be. According to the law there are strict privacy protections classified as medical. Records are considered educational records unless there exists there need be hightened confidentiality such as child abuse, AIDS, substance abuse, immigration status, pregnancy and abortion. Further, it is considered a medical record if a school based clinic is under “operation of an outside entity or by a physician under any employment arrangement” and considered educational records if not considered for heightened confidentiality.

If an individual believes that their right to privacy they have the right to file a complaint with the Officer for Civil Rights, U.S. Department of Health and Human services against health care providers, with the Massachusetts Board of Registration in Medicine against doctors and with the Department of Public Health against hospitals.


 * California State Law

The Confidentiality of Medical Information Act (CMIA) is a California state law that includes more information than HIPAA in regards to medical records. The main function is to protect confidentiality of identifiable medical information obtained by an individual's health care provider. It applies to licenses providers such as physicians and nurses. It prohibit medical providers to disclose medical information without obtaining authorization first and that any medical information about an individual is preserved in confidentiality by anyone who comes in contact with it. An individual whose confidentiality is not respected may obtain $1,000 and the amount of actual damages and for the person or entity that discloses confidential information is liable for an administrative fine.

Students With Disabilities
Tension on campus arises because as of the event of 9/11 some people on campus are fearful or overreact in demanding to know which students have conduct records or a disability accommodation. There is a tension of whether the information will be used to discriminate or treat students unfairly. Nevertheless, the distribution of this information is not limited by FERPA among school officials as long as the disclosure is done due to "legitimate educational interests."

Foreign Students
The event of 9/11 impacted the release of information of students with visas and leads to the questioning of the responsibility and obligation of universities to report foreign student's information. Foreign individuals granted the opportunity to study in the U.S. for a period of time are given one of three visas: F-1 for academic studying, J-1 for exchange visitors, and M-1 for vocational training.

However, the government claims that there are no accurate records of the then 547,000 individuals holding student status (as of 2003). Meanwhile, universities are supposed to report information the information of F-1 and M-1 students to the Immigration and Naturalization Service (INS) such as their name, date and place of birth, current address, student status, degree program, field of study, etc. For those with J-1 visas, the sponsoring organization is to report information such as the individuals activities and compliance. Yet, if they do not necessarily report the information they are at least required to keep track of their foreign student's information.

Importantly, regulations are not addressed in regards to how FERPA applies. The school may release information if the student is no longer enrolled, if it needs to comply with judicial order, if it lawfully issues a subpoena, or if there are "specific and articulable facts” that show that a student’s education record may contain information relevant to investigation or prosecution . Information can also be disclosed if it includes the protection of health or safety of students, especially if it is to “protect the health and safety of Americans.” Further, students who were issued I-20A or I-20M forms (F-1 and M-1 students) or DS-2019 forms (J-1 students) automatically grant consent to any information needed to determine immigrant’s status or release information that's related to the individual’s compliance with the Exchange Visitor Program. Yet, this information is stated to be only given to certain organizations such as the INS or the Department of State.

Privacy Assessment
Librarians themselves take part in protecting the right of library users privacy. Typically, the library itself aims to protect user's information primarily regarding what they do when they use technology, such as using computers to surf the web. According to Michael Zimmer in 2014, 95 percent of librarians agree or strongly agree individuals should control their personal information and many agree that there are threats to the privacy of their users. A survey conducted by the Office for Intellectual Freedom which obtained over 1,000 responses of librarians and library professionals found is that the Library Bill of Rights is honored which believe that everyone is entitled to "freedom of access, freedom to read texts and view images, and freedom of thought and expression" The Librarian's Code of Ethics and the adoption of the Privacy Act of 1974 also illuminate not just on a librarian level but also on a federal level that privacy is to be protected.

Other non-governmental acts that protect the right to privacy and thus limit the information that can be collected are:

Gramm-Leach-Bliley Act

Health Insurance Portability and Accountability Act of 1996

Credit Reporting Act

Further, the Library 2.0 tools and services enhance what the user can do but at the same time track, collect and retain data that then may affect individuals especially since the recent dominance of social media. Yet, because of librarian's belief of protecting the rights of users, they take their own initiative in protecting user's information by destroying access logs daily, posting warning signs, and teaching users about privacy issues. This is especially done in order for information to not be obtained outside of legal restrictions.

Specifically, the Livingston Lord Library (LLL) of Minnesota State University's mission is to support both cultural and academic experiences and to encourage lifelong learning. Thus, their particular library provides resources that allows individuals to enhance their knowledge and skills. At the same time, they work to maintain their image of believing in confidentiality such that people can exercise their First Amendment right. Yet, there is not specific documentation as of 2007 that displays what privacy is to them. Nevertheless, there are examples of librarians exerting effort to ensure confidentiality and privacy by protecting their user's information.

Role of Campus Privacy Officers
Campus Privacy Officers (CPO's) are individuals within the institution who have the the institutional responsibility for anything that regards privacy. Yet they are relatively new in the United States but nevertheless have been growing since 2002. Their role or function in higher education is:

“sustaining an environment where faculty and student are free to inquire, experiment, discover, speak, and participate in discourse is without intimidation, protecting against and responding to modern-day cybersecurity threats, protecting the interests of individuals and assuring they have appropriate influence over data about themselves, pursuing opportunities for use of data in medical treatment, research, and student success, and enabling shared governance”

Their activities include maintaining: data privacy policies, notices, personal data inventory, governance structure and to respond to both complaints and requests from individuals, among other tasks.

A few of the major issues that CPO's focus on are :

Education records and FERPA

HIPAA

"Big data, algorithms, analytics, and usage"

"Contractual agreements"

"Information security monitoring and the privacy impact of surveillance"

Princeton University
In 2002 Princeton University’s admission staff accessed a Yale University website used to inform applicants that they have been admitted. The act of Yale University accessing private information was brought to light. As a result, Yale University responded that it would improve their website with additional security to prevent another breach. Meanwhile Princeton University responded by announcing the resignation of the top Princeton admissions official. Some say that acts like these raise the issues of student record privacy in the digital world.

University of Oregon
In 2015 a woman who said she was raped by three basketball players sued the University of Oregon for disclosing her mental health records to an attorney. This case gave rise to employees from the counseling center to write an open letter to the university community as a form to show that they were disturbed by the university's actions. Yet, officials argue that because the women claimed to have emotional distress then the university had the right to her medical records under FERPA. An attorney named Steve McDonald argued that HIPAA did not apply in this case. Meanwhile Lynn Daggett, a FERPA specialist, stated that the university has the right to get access to student medical records, especially if entails the need for legal defense. This led to Denise Horn, a U.S. Department of Education representative of the time, to write a statement addressing that higher education institutions should comply with FERPA but also respect the expectation of confidentiality between patient and counselor/therapist.