Introduction[1]
Yale has launched procedures for reviewing requests for the collection and secondary use of personally identifiable information (PII) held by the University. In particular, this document describes the factors to be considered in assessing whether a detriment to privacy is warranted in light of the anticipated benefit of the proposed use.
The University must balance its respect for individual privacy with its legal, policy, and administrative obligations and its academic interests. As used here, privacy includes (i) an individual’s ability to conduct activities unobserved and without fear of surveillance and (ii) the appropriate protection, use, and disclosure of information about individuals. Unconstrained use of University data risks uses that violate University policy, regulatory requirements, and the expectations of data subjects.
This document proposes a Privacy Balancing Process that will examine proposals for collecting and using data to ensure they align with University privacy principles and sound practices of higher education, including the Fair Information Practice Principles (FIPPs). Yale’s collection and use of data is largely guided by sound moral and ethical principles. This process is being established so that Yale has a documented, repeatable way to evaluate proposals for the secondary use of data.
Privacy Balancing Process
The table below defines the factors to be considered in determining whether the benefits of a proposed data collection or use outweigh the potential detriment to privacy.
Factor | Definition | Privacy Objective
--- | --- | ---
Utility | The purposes and benefits of the data collection or use. | The proposed activity should be sufficiently likely to achieve its stated benefits.
Alternatives | Other means to achieve the purposes and benefits of the activity. | The proposed activity should be the alternative that imposes the least burden on privacy interests.
Data Minimization | Data to be collected or used is limited to that which is directly relevant and necessary to accomplish the activity. | The data collected or used should be constrained to the minimum necessary to achieve the documented goal.
Access and Disclosure | The means by which the data will be examined (e.g., automated or manual) and the number of people who will have access to the data, including practices undertaken to minimize further disclosure or unrelated uses. | The data should be available to the fewest number of people necessary to achieve the purpose of the activity.
Retention Period | The length of time the data will be retained. | Data should be retained for the minimum time necessary to achieve the purpose of the activity.
Security | Protection of the data from improper use, access, disclosure, or alteration. | Data should be physically and electronically secured, both while in use and in storage.
Transparency & Accountability | Publication of data collection and use practices, preservation of records of data collection and use, and monitoring of compliance with published practices. | Subjects of data collection and use should be informed of data collection and use practices, and supervisors should have the records and tools necessary to monitor compliance.
Compliance | Use of data in accordance with applicable legal, regulatory, policy, contractual, and ethical requirements. | Data should be used in accordance with applicable requirements.
Practices not subject to privacy balancing
Most existing data uses will not require review through the Privacy Balancing Process because they involve widely accepted activities and are considered to be standard practices necessary to meet the operational needs of an academic institution. To be considered an accepted practice, meaningful notice of the practice must either be provided to the data subjects or the activity must be commonly expected, such as security cameras in public locations. University officials authorized to grant access to University information (see Yale Policy 1601 Information Access and Security) are considered to be the Data Stewards of their respective institutional data. They should develop written documentation of what constitutes accepted practices for the data under their purview and submit that documentation to the Privacy Office. Where appropriate, the data uses should be included in the University privacy statement or a unit-specific notice. Only data uses not included in the accepted practices document need further review as described here.
The following are some examples of monitoring practices and data uses that do not require further review through the Privacy Balancing Process. This is not intended to be an all-encompassing list; it serves to illustrate standard practices that would not require further review.
· Monitoring of web sites and traffic to determine website engagement and anonymous web browsing metrics. (For more info see Yale Privacy Notice section g2)
· Tracking signed-out library resources for purposes of managing library resources.
· Email traffic patterns, such as flow to and from servers and packet size leaving the University network, used to identify malicious activity.
· Security cameras in public locations for promoting campus safety.
· Caching of student financial information for the purpose of providing financial aid, creating billing statements, direct deposit, etc.
· Review of systems and system logs as necessary to enforce university policies and applicable legal requirements when authorized by the Office of the General Counsel.
· Review of de-identified data where there is no reasonable means to identify an individual or group, and the monitoring unit and anyone with whom the data may be shared attest that the data will not be re-identified and will not be joined with identified data.
· Use of data consistent with the data subject’s explicit, freely-given consent for the data collection or use.
· Data collection or use approved by an Institutional Review Board authorized by the Yale Human Research Protections Program in accordance with Yale human research protection policies.
Governance & Approvals
Data Stewards and their data managers are responsible for reviewing proposed data requests to determine whether the request is within the scope of documented accepted uses or widely accepted data practices relevant to the data under their purview. Proposed data uses outside the bounds of documented accepted uses should be reviewed against the Privacy Balancing Factors by the Data Steward and, where appropriate, escalated to the Privacy Officer or the Privacy Advisory Council. Review may take the form of expedited approval by the University Privacy Officer, or the request may be escalated for full review by the Data Governance Executive Council or the Privacy Advisory Council (PAC), either of which may approve or deny the request.
Expedited Review:
The expedited review process is appropriate for data collection and use involving low-risk activities, including:
· Internal use of aggregate data where the identities are adequately obscured;
· Security monitoring of high-risk data (see https://cybersecurity.yale.edu/data-classification), including monitoring data traffic to or from high-risk systems with the goal of ensuring the enhanced protections needed for high-risk data held on University systems or networks;
· Time-sensitive requests, such as public health and campus safety emergencies or cybersecurity incidents that would be exacerbated by delay. These requests may be provisionally approved pending a full review by the Privacy Advisory Council or Data Governance Executive Council.
Full Review:
Data requests not eligible for expedited review are those outside the normal expectations of the data subjects; they merit review by a broadly constituted institutional authority such as the Privacy Advisory Council or Data Governance Executive Council. Where appropriate, such review will include consultation with individuals or organizations representative of the anticipated data subjects, such as students, faculty, or staff. In cases with broad impact, the reviewing Council may require that the proposed data use be circulated to the Yale community for comment. Outcomes of review will be provided to the data requestor, including any limitations on the proposal or the rationale for denial, as appropriate.
Appeal Process:
Requestors may resubmit a request provided that the resubmission is responsive to the vetting committee’s initial concerns. In the event of a vehement disagreement on the vetting decision, the issue may be escalated to the Audit, Risk, and Compliance Committee for adjudication.
[1] This process is built off the pioneering work of The University of California Privacy and Information Security Initiative Steering Committee described in their 2013 report at https://www.ucop.edu/privacy-initiative/uc-privacy-and-information-security-steering-committee-final-report.pdf