It's Elementary Privacy, Watson!

In today's (mostly) digital world, maintaining data privacy and data security should be an ongoing discussion in all businesses, especially those developing applications, both internal business shops and software shops selling solutions.

That said, compliance and privacy issues are not restricted to just digitally-stored data and may, in fact, be a larger issue for older, analog records that aren't as front-and-center as I realized this past weekend.

Discovery

My wife and I made a weekend trip to visit friends in Des Moines, Iowa. We stopped by an architectural salvage shop discovered on a previous trip that has more than just architectural salvage: a console stereo system from the 1960s, furniture of different sizes, usage, and vintage; luggage; wall-hung school maps; even an old phone switchboard if you want to play operator. Well-curated, easy-to-navigate, and fun places to visit; they even host weddings.

An oldish-looking bound book caught my attention: approximately 10"x6" containing the late 1940s/early 1950s academic records for students in a mid-sized Iowa school district.  Each pre-printed page represents a single student with her or his information hand-written: name, birth date, parent's name(s) and occupation(s), their previous school district (if any), and year-by-year academic records from kindergarten through junior high.

For whatever inexplicable reason, I flipped through the pages, fascinated: by subjects upon which students graded (including conduct and effort); female vs. male grades (generally lower grades for males, especially in reading); attendance. The demographics gathered give insight into the town at the time: birth date and place, parent's job (mostly father's, occasionally mother's), current residence, phone number, original school district, and date starting in this school district.  The handwriting changes by the student and by year, depending on who enters the information.

And then I realized: this contains personal information!

Questions

As I considered this potential data breach, I realized that questions needed to be answered:

• Are academic records protected? The Family Educational Rights and Privacy ACT of 1974 (FERBA) applies to any institution that receives funding from the United States Department of Education. I don't know specifics, but the state government likely receives federal funds that are then distributed to local school districts. I assume that FERBA included existing academic records then possessed by the school district; otherwise, it would take decades before its intent was fulfilled.
• Is personally identifiable information protected? Definitely, starting with the Federal Privacy Act of 1974 — which only applies to government agencies — and extended or amended in any number of ways.  As what is considered personally may differ by circumstance and country, I can't point to anything specific; however, I'm fairly confident there is something.
• Does media matter? No, compliance regulations appear to apply equally to digital vs. analog media, though sure there are nuances to consider.; The first compliance or privacy regulations pre-date the ubiquitous digital world we live in today.  Your decades-old medical records remain undigitized and stored in boxes in a warehouse; however, you assume their confidentiality is maintained in the same way as online medical records.
• Does timeframe matter? Is the school district still responsible if it was no longer in possession of the records when the privacy acts passed?  Definitely requires a real legal understanding, but — since speculation is fun —I guess whoever possessed the records at the time of an act's coming into effect is responsible for the records' confidentiality going forward.
• Does it matter more than seventy years later? Probably not, as those students are now senior citizens — if still alive — more focused on retirement and living on fixed incomes than their second-grade grades. Their descendants might not be as nonplussed when their great-grandfather's second-grade reading grades pop up on Ancestry.com!

Conclusion

This timeline shows how privacy was incorporated into the Bill of Rights in the United States Constitution but only since the advent of big data to correlate large quantities of data has privacy become a common discussion, even among non-techies.  Of course, the news constantly reports on the mishandling or loss of one's personal data, which could lead to future identity theft.  

I'm neither a lawyer, Chief Information Security Officer, nor Chief Privacy Officer, but I have learned/heard enough to know it's really important: the last thing any organization wants is to be called out in public forums. So while most of us are not in a position to decide compliance or privacy issues within our shop, we should at least ask questions when concerned and continually learn what is or is not acceptable.