IAM Procedure #2 – Uniform Guideline for Information Technology Services that Must Accommodate Privacy Assertions – DRAFT/PROVISIONAL
Historically, many higher education institutions, including UW-Milwaukee, have developed solutions to provide personally identifiable data to the public. Over the years, these solutions have evolved, been integrated into other systems, and have expanded in scope to address usage cases that were not initially considered. Meanwhile, compliance and attitudes toward privacy have changed substantially.
As the institution pursues increasing usage of different information technology, a robust yet secure central repository of personally identifiable information becomes essential for efficient operation. This requires a uniform understanding of the requirements around the use of this information as well as how an individual member of the UW-Milwaukee community asserts privacy for a given service.
In the fall of 2010, a sub-committee of the Account and Access Management Operational Team was chartered to review the issues around asserting privacy during deployment of information technology services. The committee had a goal of re-establishing a baseline of the requirements for asserting privacy from “first principles” of the legal requirements of the institution. The desired outcome was a recommendation for a uniform set of information technology service guidelines that could guide future information technology service deployments as well as provide guidance for the review of current information technology services. Appendices A through D provide further discussion that supports the rationale for the guidelines.
Scope of Data
The scope of the personally identifiable information covered by this guideline is limited to the following directory elements sourced or derived from the ePantherACCOUNT People Registry:
- Legal Name
- Home Address of Record
- Home Phone Number of Record
- Student Enrollment Status, Year in School, and Major Field of Study
- UW-Milwaukee issued electronic Identifier (i.e. ePantherID, UID, eduPersonPrincipalName and equivalent representations)
- UW-Milwaukee issued email address
- Fine grained affiliations (i.e. uwmRWIClassification)
- Fine grained entitlements (i.e. isMemberOf or isMember)
Scope of Compliance
The scope of information technology services covered by these guidelines will be information technology services storing or consuming in-scope personally identifiable data elements. Other formal arrangements to govern the exchange of data are not otherwise defined/covered.
Scope of Privacy Assertion
The scope of the privacy assertion covered by this guideline is limited to the following privacy assertions maintained in the ePantherACCOUNT People Registry:
- FERPA Privacy Assertion – A “Y” or “N” indicator indicating a Family Educational Rights and Privacy Act (FERPA) directory privacy assertion.
- WPRL Privacy Assertion – A “Y” or “N” indicator indicating an employee initiated Wisconsin Public Records Law (WPRL) directory privacy assertion.
- Self-Asserted Privacy Assertion – A “Y” or “N” indicator indicating a self-asserted wish to not be presented in publicly visible directories.
The following is assumed:
- Each service storing directory information and each service receiving directory information must have a service owner accountable for the support of the service.
- The following data elements are assumed to not be personally identifiable information and may be made available for all individuals, regardless of privacy asserted:
  - System Specific Opaque Identifiers (i.e. eduPersonTargetedID)
  - Coarse Grained Affiliations (i.e. eduPersonScopedAffiliation)
  - Coarse Grained Entitlements (i.e. eduPersonEntitlement)
  - Employee work location (i.e. building number, room number, appointing department)
The following are constraints:
- Guidelines must comply with the Federal Education Rights Privacy Act (FERPA) as implemented by UW-Milwaukee
- Guidelines must comply with Wisconsin Public Records Law (WPRL) as implemented by UW-Milwaukee
- Requirements must be uniform for an individual when holding multiple affiliations at the same time (i.e. holding both an employee and a student affiliation)
The following guidelines will be implemented by the UW-Milwaukee UITS Middleware and Identity Management Group:
- UW-Milwaukee UITS Middleware and Identity Management Group will be responsible for the maintenance of privacy indicators to track the in-scope privacy assertions defined by this guideline.
- UW-Milwaukee UITS Middleware and Identity Management Group in conjunction with the UWM Information Security Office will inform the UWM Community of the presence of the UWM Directory Privacy Assertion, how to assert it, and that it may or may not be honored on a service-by-service basis.
The following guidelines must be implemented by any information technology service at UW-Milwaukee that contains or presents personally identifiable information to the public or a third party without an explicit contract addressing the release of personally identifiable information:
- Information technology services that provide personally identifiable information to other information technology services must maintain a registration of services receiving personally identifiable information. The registration must use an auditable business process supervised by UW-Milwaukee staff holding an active, non-student employment appointment with the institution. Information technology services that provide personally identifiable information to other information technology services are accountable for the accuracy of these registration records.
- Information technology services needing data elements other than those defined in the scope section must have an explicit data usage agreement in place. The data usage agreement should be approved by appropriate data custodians. Information technology services external to UW-Milwaukee must have a contract in place that enforces the data usage agreement.
- Information technology services that provide data for consumption by other information technology services must recognize both a FERPA compliance privacy assertion and a WPRL privacy assertion. Personally identifiable information is not to be released to consuming information technology services for individuals asserting a FERPA or WPRL compliance privacy assertion unless authorized by the Department of Enrollment Services or Department of Human Resources respectively.
- Information technology services that receive approval by either the Department of Enrollment Services or Department of Human Resources to release or receive personally identifiable information for individuals asserting a FERPA or WPRL compliance privacy assertion are accountable for the specifically negotiated terms and conditions of usage.
- Information technology services that provide data for consumption by other information technology services must release the electronic identifier and UW-Milwaukee email address for individuals holding student-employee dual affiliation and asserting a FERPA privacy assertion. This is authorized by designating the electronic identifier and UW-Milwaukee email address as an employment record under FERPA and thus excluding them from the educational record.
- Information technology services that consume personally identifiable information and receive authorization to receive protected information from Department of Enrollment Services or Department of Human Resources must recognize compliance privacy assertions in the following manner:
  - Individual students or holders of dual student-employee affiliation asserting a FERPA compliance privacy assertion shall not be visible in a directory lookup function.
  - Individual employees asserting a WPRL compliance privacy assertion shall not have home address or home phone of record visible in a directory lookup function.
  - Individuals holding ad hoc required affiliations that mimic either a student affiliation or an employee affiliation can assert the same compliance privacy assertions respectively.
- Information technology services that consume personally identifiable information and provide a directory lookup function may choose to recognize self-asserted privacy assertions by suppressing:
  - home address
  - home phone number
  - email address
- Information technology services that consume personally identifiable information, provide a directory lookup function and choose not to recognize self-asserted privacy assertions must publish to the public the statement “The <name of service> does not enforce the UWM Self-Asserted Privacy Assertion.”
- Information technology services that consume personally identifiable information and then provide that data to other services must comply with guidelines GS.1., GS.3., and GS.5. using a chain-of-ownership model preserving the state of the privacy assertions set by the ePantherACCOUNT People Registry. Use of GS.4. to authorize release of data based on upstream terms and conditions is prohibited unless specifically authorized in the terms and conditions.
The following are recommendations to information technology services as “good practices” but are not required to comply with this guideline:
- It is strongly recommended that information technology services that consume personally identifiable information explicitly differentiate the use of the electronic identifier from the email address.
- It is strongly recommended that information technology services that consume personally identifiable information favor the use of system specific opaque identifiers, coarse grained affiliations, and coarse grained entitlements over the use of personally identifiable information where possible.
- It is strongly recommended that information technology services with the need for personally identifiable information provide an interface that enables the community member to release personally identifiable information to the service in an “opt-in” manner.
The guidelines for responding to privacy assertions for information technology services outlined in this document will be enforced under Section III-D of The UW-Milwaukee Information Security Policy. Information technology services found to not comply with this guideline will be referred to the UW-Milwaukee Information Security Office. The UW-Milwaukee Information Security Office will treat non-compliance as a security incident and work with appropriate service owners to address non-compliance issues. The Information Security Office may designate the Middleware and Identity Management Group or other agents to assist with compliance.
The following are recommendations for implementation:
- The document to be vetted by UW-Milwaukee Office of Legal Affairs, Department of Enrollment Services, Department of Human Resources, Information Security Office, and University Information Technology Services. The following roles will be asked for a formal endorsement of the guideline:
  - Director & Senior University Legal Counsel
  - Executive Director of Enrollment Services
  - Director of Human Resources
  - Custodian of Public Records
  - Director of Internal Audit
  - UWM Information Security Officer
  - Director of UITS / CIO
- The document to be formally adopted by the IAM Steering Committee after vetting.
- The document to be approved by the UW-Milwaukee Information Security Office as a security procedure under Section III-D of The UW-Milwaukee Information Security Policy.
- The guideline to be communicated to the campus community in a manner to be determined by the IAM Steering Committee.
- The guideline to be published on the Middleware and Identity Management Group/UW-Milwaukee Information Security Office public web site.
- Subsequent changes to this guideline must be approved by the IAM Steering Committee after a period of campus consultation and then published on the Middleware and Identity Management Group public web site.
- The ePantherACCOUNT People Registry service shall implement the 3 indicated privacy assertions within 9 months of approval of this document. Services existing at the time of approval of this document shall have an 18-month grace period to reach compliance or negotiate a different schedule to reach compliance with the UW-Milwaukee Information Security Office. A formal audit of compliance will not be conducted; however, service owners are accountable for compliance after the 18-month grace period. The UW-Milwaukee Information Security Office may extend the grace period as needed to meet the operational constraints of the institution.
The following are further recommendations upon approval of this document:
- The UW-Milwaukee FERPA Manual to be amended to explicitly define the FERPA rights of student employees.
[Affiliation] – A recognized association with UW-Milwaukee tracked by the ePantherACCOUNT.
[Privacy Assertion] – Information provided by a member of the UW-Milwaukee community to the institution and stored by the ePantherACCOUNT People Registry indicating a privacy preference.
[Coarse Grained Affiliations] – An affiliation broad enough to not convey personally identifiable information unless attached to a specific record. Examples would include but not be limited to “student”, “employee” or “faculty” affiliations.
[Coarse Grained Entitlements] – An entitlement broad enough to not convey personally identifiable information unless attached to a specific record. Examples would include but not be limited to “UWM WiFi Access”, “Library Access” or “Email Access” entitlements.
[Directory Information] – Personally identifiable information sourced from the ePantherACCOUNT People Registry service. This service provides a consolidated identity record for all students, employees and sponsored individuals of the UWM community. In the context of this guideline, directory information is constrained to data defined in the scope section.
[Directory Lookup Function] – Functionality of a service that allows an individual utilizing the service to access in scope data elements for other individuals.
[Electronic Identifier] – A string of characters or structured data that may be used to reference an electronic identity. The ePantherID and its derivatives are the electronic identifier for the UW-Milwaukee community.
[Entitlement] – A right or authorization to use a service granted to a member of the UW-Milwaukee community and tracked by the ePantherACCOUNT.
[ePantherACCOUNT People Registry] – Service responsible for establishing a unique identity record for each member of the UW-Milwaukee community. The service receives data from student administration and human resource systems. This information is consolidated using automated processes and augmented with sponsorship information for additional individuals that need access to information technology services.
[Personally Identifiable Information] – Information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
[System Specific Opaque Identifiers] – A string of characters or structured data that can be provided to a service as a method to uniquely identify a member of the UW-Milwaukee community but does not use personally identifiable information. When used in conjunction with coarse grained affiliations or entitlements, system specific opaque identifiers facilitate secure and personalized access to services while still preserving privacy.
- UW-Milwaukee FERPA Manual, http://www4.uwm.edu/current_students/records_grades/upload/ferpa_manual.pdf
- Wisconsin Public Records Law, http://www.uwsa.edu/gc-off/deskbook/wprl.htm
- Personal communication with Eric Goodman (firstname.lastname@example.org) of UC Santa Cruz, 3/22/2011
- The UW-Milwaukee Information Security Policy, http://www4.uwm.edu/secu/acad+admin_policies/S-59.pdf
Appendix A – The UW-Milwaukee Community
For the purposes of this discussion, the following segments of the UW-Milwaukee community must be considered:
- Employee Affiliation – Individuals either currently or historically holding any type of employment appointment with the institution. This includes faculty, staff and student employment appointments.
- Student Affiliation – Individuals who either currently attend or previously attended any educational program at UW-Milwaukee, whether credit, non-credit, degree, or non-degree.
- Ad Hoc Required (Sponsored Member) Affiliation – Individuals who do not meet the qualifications of an employee or student affiliation but have been issued a UW-Milwaukee ePantherACCOUNT for the purposes of utilizing the same services as an employee or a student. Ad Hoc Required Affiliations are meant to address usage cases where there are formal organizational arrangements that mimic an employee or a student affiliation.
UW-Milwaukee does provide electronic identities for other individuals that enable access to various campus services. The usage cases under which these are provisioned vary considerably. Generally speaking, the amount of personally identifiable information available beyond the electronic identifier and email address that is in scope is a legal name.
Appendix B – Overlap of Employee and Student Affiliation
The Federal Education Rights Privacy Act and Wisconsin Public Records Law provide frameworks to govern the release of personally identifiable information for students and employees of the organization respectively. Unfortunately, neither directly enumerates how to handle the overlapping condition that exists in a consolidated identity repository when an individual holds both a student and an employee affiliation.
FERPA does give some guidance on the handling of employment records, but that is exclusive to the employment role and does not speak to the dual role case. It is left to the discretion of the custodian of the personnel records to weigh the public interest in disclosure against the public’s interest in nondisclosure of personnel records. This is interpreted to mean the custodian of the personnel records has some discretion in establishing the requirements for release of personally identifiable information in the dual role case, but this appears to have not been formalized for UW-Milwaukee.
The unfortunate result of this gap in policy is that the case of dual affiliation is not handled in a uniform way, nor is the expectation well-articulated to the UW-Milwaukee community. An exchange with UC Santa Cruz confirms this issue is not unique to UW-Milwaukee. In the case of UC Santa Cruz, they defined several student-employee cases and established precedence for each. While certainly an option, it does complicate the individual community member experience.
Similar discussions with other institutions result in a recurring theme of precedence setting, expectation setting, and/or risk management options to address the case in a manner that is compatible with the institution’s community culture. To address this, UW-Milwaukee will have to decide on a method to address this case. Unless done by the institution, confusion will continue to persist. The proposed requirements presented in this document seek to address this issue for the narrow scope of this document.
Appendix C – Electronic Identifier versus Email Address
Historically, the electronic identifier at UW-Milwaukee matched the email address. However, there is a difference in usage that is relevant to privacy assertion. The email address is specific to a service and relevant in terms of communicating with the individual. The electronic identifier is used by the individual to access services and is broadly needed by services offered by UW-Milwaukee to enable this access.
While the reasons that the electronic identifier aligns with the email address are outside the scope of this document, it is relevant that this is an institutional decision and not a technical requirement. As such, it may be desirable from a privacy assertion perspective to have different release procedures for the electronic identity and email address, regardless of the current state of matching values that exists at this time.
Appendix D – The Role of Customer Service
Beyond the compliance aspects of needing to accept certain privacy assertions, it can be argued that there is a customer service aspect as well. Giving an individual an interface that allows them to control the release of their personally identifiable information can provide a positive customer experience. The challenge is both making the user experience transparent enough to be meaningful and also to set expectations such that they are sustainable for the organization.
It can be helpful to view the sharing of personally identifiable information as an economic transaction. Individuals should have a good understanding of what they are getting in exchange for sharing their personally identifiable information. Likewise, unless the total organizational costs of maintaining the privacy assertion are factored in, there can be a tendency to give individuals too much choice, allowing them to over-assert privacy in a way that hinders the delivery of services for the broader community.
It can be argued that in the interest of trying to address all possible privacy concerns for the UW-Milwaukee community, the process of asserting a directory privacy hold has become too complex. As a result, the process is difficult to communicate to the user community accurately and is also difficult to administer organizationally. The requirements presented streamline the privacy assertion options in an attempt to move to a state that addresses critical usage cases while also being sustainable and transparent to the customer community.
- Original – RANKM – 20110816
- REV 1 Edits based on feedback from CSPADA and SAB2 – RANKM – 20110906
- Global edits – RANKM – 20110909
- REV 2 Edits based on feedback from sub-committee – RANKM – 20111019
- REV 3 Edits based on feedback from sub-committee – RANKM – 20111121
- Released REV3 for public comment – RANKM – 20111121
- REV 4 Edits based on feedback from public comment period – RANKM – 20120210
- Provisional Final Draft for vetting – RANKM – 20120706
- move to wordpress 20140515