UMKC-Law / DataSharingAgreement

MIT License

A solid baseline from a standard source: FERPA #6

Open dazzaji opened 9 years ago

dazzaji commented 9 years ago

To the extent educational records are involved, FERPA is the key legal framework governing data sharing. It is also a somewhat generalizable framework for any personal data that is considered as "belonging to" or "owned by" the individual person identified by the data. The FERPA framework has reasonable and quite commonplace guidelines covering both permission-based sharing by "informed consent" as well as typical exceptions allowing sharing absent consent for purposes such as audit, program review, research study, law enforcement access, etc. Also, the framework already applies to vast amounts of data about vast numbers of people in each city and the City is already responsible (via public schools in this case) for compliance and regular operationalized management of data flow under these rules.

dazzaji commented 9 years ago

Check out these as a basis for further input to this work:

Also of value:

dazzaji commented 9 years ago

For the hangout tomorrow, I'm working with CommonAccord to factor Data Sharing Agreements which can include informed consent (as per this thread) and which follow the modular and extensible "System Rules" approach along these lines:

  1. Three types of content: Business, Legal and Technical
  2. Three levels of rules: System Rules, Participation Agreements, Individual Authorizations.
  3. Three key roles: Individual Participant, System Provider, Third Party Provider

So - it would be good to start with three documents:

  1. A Single TopLevel Doc called "System Rules" with Business, Legal and Tech top level sections and with further key subsections under Business for: a) Scope, b) Roles and c) Services;
  2. Participation Agreements for a) Individual Participants, b) System Providers and c) Third Party Providers and
  3. Individual Authorizations for a) Login to Third Party Provider Site, b) Share Datatype Alpha With Third Party Provider and c) Authorize Electronic Signature With Third Party Provider.