HigherEd Records Must be Compliant

Policy makers in the European Union took on an on-going concern from citizens about the use and privacy of personal data by companies, governments and other entities.  Back in 2015, they agreed to a brand new set of policies and put it into legislation for the first time in more than 20 years.  They gave a legal foundation to ensuring that residents of the EU had a right to a private life when it comes to their personal information.  By 2016, the policies were approved and named General Data Protection Regulations (GDPR) and the law goes into effect on May 25th of 2018.

There are a number of provisions in the GDPR that will impact higher education across the world.  While the law is in effect for the EU, it does mean that any institution, anywhere in the world, that recruits students from the EU, or sends students to the EU, will have to comply with GDPR.   While many institutions have in place policies that address all or most of the new provisions due to country-specific regulations (FERPA, HIPPA, etc), all institutions across the globe must establish complete systems and protocols for student data compliance consistent with GDPR provisions.

One provision that seemingly rubs against new blockchain applications in highered is the expectation that universities abide to the “right to be forgotten” article.

As we know, blockchains are secure due to the indelible time-stamp that is shared among “nodes” across multiple computers, if not thousands, in such a way that in order to change anything that is stored on the blockchain, one would have to change each block in every node.  This is of course the most beloved aspect of security, as hacking thousands of computers to make a change would be nearly impossible.  However if a student wants his or her data deleted (“the right to be forgotten”), how does this happen?

One one hand, blockchain may not meet GDPR Standards

One Oxford University attorney claims that the GDPR regs present a significant weakness to blockchain technology.  Michele Finck expressed that while data can be encrypted on a blockchain, that data may still qualify as personal data under EU law as it is only pseudonymized, and not irreversibly anonymized.   However, this is not an absolute, and along with a number of other practical cases, is in desperate need of clarification – which may only happen through litigation and court debates, or legislative memos of guidance appended as the cases are brought to light.

On the other hand, blockchain absolutely will meet GDPR Standads.

In November of 2017, Lexing Alain Bensoussan, a specialist in data law and new technologies fashioned a legal opinion concerning blockchain compliance solution in relation to GDPR noting that the cryptographic nature of blockchain will most likely reconcile personal data and storage on a public blockchain, so long as the proposed algorithm sufficiently shows security to those that oversee and interpret GDPR regulations.

Regulators should accept the destruction of a key as an erasure for the purposes of the GDPR, so long as the destruction is done in accordance with best practices and in an auditable ways.

Greg McMullen

Encryption and Key Destruction Lead to Compliance

As Greg McMullen, lawyer specializing in blockchain and privacy noted, “Assuming personal information is encrypted before it is written to a blockchain, destroying the key renders the data unreadable. But is this enough to comply with the right to be forgotten, if the data is technically still there? Regulators should accept the destruction of a key as an erasure for the purposes of the GDPR, so long as the destruction is done in accordance with best practices and in an auditable way.” Ben Corpus University of Texas Ben Corpus NCAA Ben Corpus Baruch College NCAA

Leave a Reply