U's breach suggests too much data is being collected

As a Minnesotan, you have rights and you can exercise them.

By Donald Gemberling

September 25, 2023 at 10:45PM

Opinion editor's note: Star Tribune Opinion publishes a mix of national and local commentaries online and in print each day.

•••

A Friday letter writer raises some great questions ("Why is our data even needed?" Sept. 22). Some of the answers revolve around our state Data Practices Act (DPA), which began as a "data privacy" law in 1974. At that time, thoughtful people anticipated what is happening at the University of Minnesota and elsewhere and tried to form public policy to deal with the new reality of an information society, including establishing significant rights for individuals.

The writer asks why the populace is willing to provide so much data. The DPA tries to help the public decide how much data they should provide by requiring governments, including the U, to provide notice to individuals as to how data will be used, whether providing it is mandatory or voluntary and who else will have access to the data.

This provision attempts to put the protection of personal privacy in the hands of the individual. However, this protection only works if the individual receives the full and accurate notice the statute requires and then acts to provide or not provide the data requested. The answer to the writer's question may very well be found in whether or not the U, whenever it asked individuals to provide data, actually provided proper notices.

The DPA also tries to limit the collection of personal information by requiring government entities to collect only those data that are necessary to manage programs specifically authorized by the Legislature or local governing body — in the case of the U, the Board of Regents. It will be interesting to see, particularly in the pending lawsuits, if the U is able to justify the collection of much of the data that was breached.

The writer urges government officials to make personal information private. In this particular instance, all of the data collected about students is made private by the DPA, Minnesota Statutes Section 13.32, and by the federal Family Educational Rights and Privacy Act (FERPA). FERPA also puts limits on the dissemination of educational data. Some data collected about employees is also made private by the DPA's section 13.43.

A key element of the data that seems to have been captured by the U and then by the hackers is the Social Security numbers (SSN) of students, employees and others. The SSN has always been treated with special sensitivity in data privacy law because it is a key to invading privacy, creating false identities, etc. The regulation of the collection and use of the SSN by any government has two important facets.

First, any SSN found anywhere in government is required by law to be treated as private data. Second, in enacting the Federal Privacy Act of 1974, Congress was so aware of potential problems that it placed strong limits on the collection and use of the SSN. Under that act, government can only require an individual to provide their SSN for certain specified government programs, for example tax collection. The Privacy Act also imposes a special notice requirement when any government asks individuals to provide their SSNs. The government must tell the individual whether providing the number is voluntary or mandatory, under what authority the number is being requested and what uses will be made of the number. This part of the federal Privacy Act concludes by saying that an individual cannot be denied any right, benefit or privilege if the individual refuses to provide the SSN unless providing it is mandatory.

According to news reports the U had millions of SSNs in its files. Any of those SSNs collected from students should not have been required because the federal Privacy Act does not allow educational institutions to require students to provide the SSN. However, I know from my previous work in government, including discussions with students and U personnel, that the U required students to provide the SSN and actually used it as the student's ID number. Whether those numbers were collected after the students received the notices required by state and federal law should be a fact question determined in the pending lawsuits. The state university system also collected the SSN and used it as a student ID for a number of years until that practice was challenged.

A popular commercial for a Twin Cities firm reminds us all to "know your rights." The rights described above have been state and federal law for almost 50 years. Unfortunately, too many Minnesotans do not know they have those rights, let alone exercise them.

Remember that the next time a government agency asks you for your SSN or other private personal data.

Donald Gemberling, of St. Paul, is a semiretired data privacy expert.
