CSG Winter 2018 – Much Ado About GDPR

We’re in sunny, warm LA for the Winter CSG meeting, hosted by USC.  Last night, Asbed coordinated a group to go out for tacos at http://chichenitzarestaurant.com/ , which was excellent!

This morning we’re starting off with a workshop on GDPR, featuring: Sharif Nijim (Notre Dame), Jim Behm (Michigan), Paul Erickson (Nebraska), Alan Crosswell (Columbia), and Kitty Bridges (NYU)

GDPR = General Data Protection Regulation – 127 days until enforcement on May 25

Membership survey:
87% think GDPR is an institutional risk
58% identified as beginners in GDPR
70% either don’t know or don’t think their institution will be compliant
41% have engaged outside counsel
50% have a General Counsel and IT partnership leading the compliance initiative.

What is GDPR? Alan Crosswell.

EU regulation on personal data protection, applicable to people, products, or services. Replaces old regulations dating back to 1995. Covers: personal data (relating to people). Examples: IP address, genetic data, health data, research data, video surveillance. Who is covered? EU individuals or any company that offers products/services to EU individuals or collects/processes their personal data (includes non-EU citizens located in EU).

Requirements: Identify personal data; data protection by design; individual rights on data usage (transparency, right to data erasure, right to data portability, etc.); obtain proper consent (opt-in); withdrawal of consent and the right to be forgotten (opt-out); breach notification; designate a data protection / privacy officer (DPO).

What does it mean for a student to have the right to be forgotten?

Penalty: Failing to report breaches within 72 hours; fines up to a maximum of 20 million euros or 4% of organizational annual revenue – whichever is greater.

Preparing for GDPR – key steps: Promote awareness; discover PII you hold; implement data protection by design; identify the legal basis for processing personal data; review procedures for communicating personal data, individual data rights, data consent, guardian consent for minors’ data, and data breach detection, response, and notification; designate a data protection / privacy officer.

EU Individual – physically located in an EU member state, both EU citizens and non-EU citizens.
Personal Data – relating to an identified natural person: name, ID number, location data, online identifier, address, email, passport, cookies, driver’s license, etc.
Consent: freely given, unambiguous indication of the data subject’s wishes.

Question: does this include firewall logs? General agreement that it does.

Comment: This is subject to legal jurisdiction, and the thought that this is generally applicable to everything we do might not be correct.

GDPR Scenarios

Recruiting: NYU recruiter holding open house in Paris for EU people to find out about NYU. Recruiter gathers name, interests, and hands over wifi credentials. Need to give an explicit consent form, saying which elements are collected, what they’ll be used for, and how long they’ll be retained. Has to be provided in the native language. (Is your admissions prospecting software aware of and planning on how to handle GDPR? That’s institutional data – it’s an indemnification issue. What kind of contract language do you have?).

Admissions: Need name, national ID, country of origin, addresses, high school transcripts, etc. to make an effective admissions decision. Also use that information for research (see Unizen). How is consent for data tracked through the various systems? (Common App Organization GDPR adjustment ETA? – “early spring”).

Question – has anyone reached out to European universities on what they’re doing to prepare for GDPR?

Matriculation – example of alleged assault from student abroad. What happens if student exercises GDPR rights to not share data back to the US? Could contracts with partners abroad be affected if we don’t behave according to GDPR? Example of LMS vendor that is spinning up version of LMS in the EU specifically for GDPR – do we keep our data there for EU citizens?

Research – What about information about researchers kept on servers? Do legal federations with agreements help us? GEANT did a study on GDPR impact on Edugain. Emerging attribute release agreements help with GDPR compliance. GEANT is submitting a new code of conduct for GDPR – a way of publishing attributes in an open and transparent way. Coming out later this year. Transparency, documentation, and incident response are critical pieces.

Alumni and Benefactors – What data are collected and where is it? What if they want to be removed? Compliance might be viewed as a revenue issue. There is a notion in GDPR of “legitimate interest” but that isn’t a blanket clause.

Comment: We should follow advice of counsel on how to approach GDPR. It may not be worth a lot of worry at this point about how much this impacts us. Just because it’s over the Internet doesn’t make it different than any other issue between countries and how citizens are treated. We all need to decide what our risk posture will be.

How many campuses operate summer camps with people under 16 from EU countries?

If institutions are backing away from collecting citizenship data (from concern about undocumented people), does that impede our effort to comply?

Educause and GDPR: Trying to curate best resources – see page at: https://library.educause.edu/topics/policy-and-law/eu-general-data-protection-regulation-gdpr

Good to start with JISC resources. https://www.jisc.ac.uk/gdpr

Territoriality – we higher ed institutions generally have enough business links that we should surmise that GDPR might apply in some way.

Educause is working with other US higher ed groups (NACUA, etc) on GDPR guidance. It’s slow going, and all organizations are struggling with what advice to give members.

Notre Dame – Initial meeting with General Counsel (8/2017); Elevated to information governance committee (9/2017); Assigned to IT by institutional risk committee (10/2017); Compliance questionnaire circulated (11/2017); Questionnaire data aggregated and analyzed (1/2018) – Hard to collect data across the institution – will need help from general counsel in complying with collection. The vision is that data stewards will be accountable for the data in their areas. Impossible to collect every last piece of data, but important to show due diligence and have a process for dealing with issues.

NYU – Have hired external counsel – issuing questionnaires. In data collection mode, focused on central administrative entities. Don’t yet know what the institutional posture will be. General Counsel will advise. Will likely think of this as responsibility of business offices, who have been involved in discussions. IT is a key partner, knowing how things are connected together. First thing to focus on: Documenting identity data; movements of data between systems; prioritizing what to worry about first (biggest risk). Especially tricky areas are warehousing, analytics, and logs. Logs: operational logs (IP addresses, MAC addresses, authentication logs, DB logs, application logs) used for troubleshooting and trending. Can they even be made anonymous? Audit logs – understanding who has access, understanding really how long things need to be kept in identifiable form.

Nebraska: Bringing together multiple conversations around GDPR – General Counsel coordinating. Work in progress – expect to at least have a posture before the deadline. NACUA webinar was very helpful. Distance ed group started early on. Good test of relationships across campus – IT as implementer. Research group is interested in GDPR to help guide data governance. Indemnification – example of a SaaS contract where the vendor struck out “global standards.”

UMich – Started this past summer – taking a “cautious approach”. Concern about the extent to which the regulations will apply to US institutions. Group led by General Counsel with representation across campus. Counsel has hired a consultant to help guide campus through the process. There are enough gray areas that it’s unlikely campuses will be held accountable in May. For state institutions, it may be the state that is accountable, not the institution. Might not be the case at Michigan.

Rice – Chief Compliance Officer leads a working group with the CISO. Creating an institutional web site for information.

UVa and Va Tech – very early in process. Conversations with General Counsel. State AG’s office has hired counsel who should be issuing guidance for state higher ed.

Ron – IT is the only organization that touches every other organization in multiple domains – so it falls to us to be of service.

Minnesota – Counsel leading effort, still assessing impact and how much needs to be done.

Iowa – In due diligence approach, with Counsel taking lead. Will be naming a privacy officer. Creating a plan for operations that take place in the EU, which is a relatively small set.

CMU – very early on. Taking gap analysis approach.

Sharif – taking the approach that much institutional data is “legitimate interest” vs. asking specific consent. But that still requires transparency. How far does legitimate interest go?

Maybe this worry is overblown (like we did with CALEA)? It’s primarily targeting Googles and Facebooks, not higher ed.

Should we be reviewing cloud contracts for how GDPR is or isn’t covered? Could Educause help come up with a checklist for review? To what extent does it affect Net+ contracts? (e.g. LMS). We could have an area on the CSG site for sharing information.

We may be likely to see something analogous in the US, so this won’t be wasted effort. Much of what we need to do for GDPR are just good enterprise data practices.

It’s not an IT project, it’s about institutional risk. Should be part of that regular assessment process.