On May 1, 2014, the President’s Council of Advisors on Science and Technology (PCAST) released a report entitled Big Data and Privacy: A Technological Perspective. (See “PCAST Releases Report on Big Data and Privacy.”) Education is specifically mentioned in the report, although briefly, and many of the observations and recommendations have direct implications for higher education administrators, especially those involved in Information technology.
There are two or three techniques that colleges and universities have relied upon for privacy protection which PCAST believes “do not now seem sufficiently robust to be a dependable basis for privacy protection where big data is concerned” (xi). These techniques include anonymization, the framework of notice and consent, and polices limiting collection and retention of data. Of these, the area with the largest impact for higher education is anonymization, because it is the main technique underlying FERPA:
Anonymization . . . is not robust against near‐term future reidentification methods [and thus no longer] . . . a useful basis for policy. Unfortunately, anonymization is already rooted in the law, sometimes giving a false expectation of privacy where data lacking certain identifiers are deemed not to be personally identifiable information and therefore not covered by such laws as the Family Educational Rights and Privacy Act (FERPA). (p.39)
Anonymization (or de-identification), PCAST points out, “is increasingly easily defeated by the very techniques that are being developed for many legitimate applications of big data” (xi).
Another widely used technique, notice-and-consent, draws criticism because it “places the burden of privacy protection on the individual. . . . . The provider offers a complex, take‐it‐or‐leave‐it set of terms, while the user, in practice, can allocate only a few seconds to evaluating the offer” (xii). Rather, PCAST argues, the responsibility for personal data protection should rest with the provider rather than the user.
Also, there are problems with attempting to limit the collection and retention of data: there is the fact that data, once collected, may persist in unintended areas; that “big data” may include information other than the information targeted; and that archived datasets are of legitimate value to data collectors..
In keeping with its charge, PCAST did not recommend specific policy changes, merely indicating areas in which policy changes are needed. It does not attempt to provide solutions. Consistent with that approach, the report is remarkably free from anything approaching legal language,
In its Final Remarks, PCAST’s reaffirms the concept of privacy as “an important human value,” one which ought to be preserved and protected. The implications for strategic planning in higher education would seem to be very large. Privacy is reaffirmed as a desirable goal, but the techniques which higher education institutions are currently using to ensure it will be rendered ineffective in the near future. One can expect considerable debate in Congress and in the DOE, with new regulations eventually working their way into new accreditation requirements.