Exercises: Sector-Specific Governance: Finance, Health, Education

These exercises progress from concept checks to challenging applications. Estimated completion time: 3-4 hours.

Difficulty Guide:

- ⭐ Foundational (5-10 min each)
- ⭐⭐ Intermediate (10-20 min each)
- ⭐⭐⭐ Challenging (20-40 min each)
- ⭐⭐⭐⭐ Advanced/Research (40+ min each)


Part A: Conceptual Understanding ⭐

Test your grasp of core concepts from Chapter 24.

A.1. Explain the rationale for sector-specific governance as described in Section 24.1. Why are general-purpose data protection laws like the GDPR insufficient for governing data in finance, health, and education?

A.2. Describe the concept of "layered governance" (Section 24.1.2). Use a specific example — a European fintech company — to explain how general-purpose regulation (GDPR) and sector-specific regulation (PSD2, PCI-DSS) interact as layers.

A.3. List the three components of HIPAA discussed in this chapter (Privacy Rule, Security Rule, Breach Notification Rule) and explain, in one sentence each, what each component governs.

A.4. Explain the "minimum necessary" standard under HIPAA's Privacy Rule. How does it restrict the use and disclosure of protected health information, and why does the chapter describe it as more stringent than the GDPR's data minimization principle in practice?

A.5. What is FERPA, and who does it protect? Explain the key rights it grants to parents and eligible students, and describe the "school official exception" that allows disclosure without consent.

A.6. Define "open banking" as implemented under the EU's Payment Services Directive 2 (PSD2). How does PSD2 shift the balance of power between traditional banks and fintech companies?

A.7. What is the Payment Card Industry Data Security Standard (PCI-DSS)? Is it a government regulation or an industry standard? Who enforces it, and what are the consequences of non-compliance?


Part B: Applied Analysis ⭐⭐

Analyze scenarios using concepts from Chapter 24.

B.1. VitraMed is preparing for a HIPAA audit. Mira has been tasked with reviewing the company's data handling practices. Identify at least five specific HIPAA requirements that VitraMed must demonstrate compliance with, considering that it: (a) stores patient health records, (b) uses predictive analytics on patient data, (c) has employees who work remotely, (d) shares data with hospital clients, and (e) recently expanded to 50 employees.

B.2. A university deploys a learning analytics platform that tracks students' login times, page views, assignment submission times, quiz scores, and library database usage. The data is used to identify "at-risk" students and trigger automated interventions (emails from advisors, suggested tutoring). Analyze this scenario under FERPA: (a) What data qualifies as "education records"? (b) Does the automated intervention system require additional consent? (c) What rights do students have to access the analytics data about them?

B.3. A fintech startup offers a budgeting app that connects to users' bank accounts via open banking APIs (PSD2). The app reads transaction data to categorize spending and provide financial advice. Analyze the governance obligations this company faces from: (a) PSD2, (b) the GDPR, (c) PCI-DSS (if applicable), and (d) consumer protection law. Where do these obligations overlap, and where do they create distinct requirements?

B.4. A hospital uses an AI system to prioritize emergency room patients. The system ingests clinical data (vital signs, symptoms, medical history) and assigns a triage priority score. Analyze this system's governance requirements under: (a) HIPAA (data handling), (b) the EU AI Act (if deployed in Europe, risk classification), and (c) the data quality framework from Chapter 22 (what quality failures would be most dangerous?).

B.5. An ed-tech company sells a "student engagement platform" to school districts. The platform collects: student names, grades, attendance, behavioral incident reports, and — through an optional "wellbeing check" feature — self-reported mood data. A parent discovers that the company has been sharing aggregated (but potentially re-identifiable) student data with a marketing analytics firm. Analyze the governance failures in this scenario under FERPA, COPPA (if students are under 13), and the CCPA/CPRA (if the school district is in California).

B.6. Section 24.5 identifies cross-sector patterns in data governance. Using a specific organization that operates across multiple sectors (e.g., Amazon, which operates in finance via Amazon Pay, health via Amazon Pharmacy, and education via AWS Educate), identify at least three governance challenges created by operating across sector boundaries. How should such an organization structure its governance to address these challenges?


Part C: Real-World Application Challenges ⭐⭐-⭐⭐⭐

These exercises ask you to investigate real-world sector-specific governance.

C.1. ⭐⭐ HIPAA Business Associate Agreement. Research the concept of a HIPAA Business Associate Agreement (BAA). Draft an outline of a BAA between VitraMed and a cloud computing provider, identifying the key provisions that must be included. Explain why a BAA is necessary and what happens if VitraMed's cloud provider experiences a data breach.

C.2. ⭐⭐⭐ Open Banking Comparison. Compare the open banking frameworks in the EU (PSD2), the UK (Open Banking Implementation Entity), and Australia (Consumer Data Right). For each, identify: (a) the legal basis, (b) who can access bank data, (c) what consumer protections exist, and (d) the current state of adoption. Write a one-page comparative analysis.

C.3. ⭐⭐ FERPA Audit Scenario. You are an auditor reviewing a university's FERPA compliance. Create a checklist of at least ten items you would assess, organized by category (student rights, institutional obligations, third-party sharing, data security).

C.4. ⭐⭐⭐ Ed-Tech Privacy Assessment. Select a real ed-tech platform used by your institution (e.g., Canvas, Blackboard, Turnitin, Proctorio). Research its privacy policy and data practices. Write a one-page assessment covering: (a) what student data it collects, (b) how it uses that data, (c) who it shares data with, (d) how it claims to comply with FERPA, and (e) any governance concerns you identify.


Part D: Synthesis & Critical Thinking ⭐⭐⭐

These questions require integration of multiple concepts.

D.1. The chapter identifies a pattern: sector-specific governance frameworks were typically created in response to specific crises or scandals (HIPAA after healthcare fraud, PCI-DSS after payment card breaches, FERPA after government record misuse). Evaluate whether crisis-driven regulation produces good governance. What are the advantages of legislating in response to a specific harm? What are the disadvantages? Is proactive regulation preferable, and if so, why is it so rare?

D.2. Mira observes that HIPAA, designed in 1996, was not built for the world of AI-driven health analytics, wearable devices, and health apps that share data with advertising networks. Evaluate this critique. In what specific ways is HIPAA inadequate for modern health data governance? Propose three specific reforms that would update HIPAA for the current health-tech landscape.

D.3. The "school official exception" under FERPA allows schools to share student data with contractors who perform services that the school would otherwise perform — without student consent. Ed-tech companies rely heavily on this exception. Evaluate whether this exception has been stretched beyond its original intent. When a school contracts with an ed-tech company that collects detailed behavioral data and uses it to train machine learning models, does the school official exception still apply?

D.4. Dr. Adeyemi raises the concept of "regulatory arbitrage" in the sector-specific context: companies structuring their operations to fall under the least restrictive sector-specific framework. A health app that provides "wellness" rather than "medical" advice may avoid HIPAA. A financial service that is technically not a "bank" may avoid banking regulation. Analyze this phenomenon. How should regulators address entities that are functionally within a sector but technically outside its governance framework?

D.5. Sofia Reyes argues that sector-specific governance often protects institutions more than individuals — that HIPAA protects hospitals from liability more than it empowers patients, and that FERPA protects schools from disclosure requirements more than it gives students control over their data. Evaluate Sofia's argument with specific examples from the chapter.


Part E: Research & Extension ⭐⭐⭐⭐

Open-ended projects for deeper engagement.

E.1. The European Health Data Space. Research the European Health Data Space (EHDS) proposal. Write a 1,000-word analysis covering: (a) its objectives, (b) its relationship to the GDPR, (c) its provisions for primary use (clinical care) and secondary use (research), (d) the governance mechanisms it establishes, and (e) the controversies it has generated.

E.2. Algorithmic Trading Regulation. Research how financial regulators (SEC, ESMA, MiFID II) govern algorithmic and high-frequency trading. Write an 800-word analysis of the governance challenges that automated trading systems present, including: market manipulation risks, flash crash prevention, algorithmic accountability, and the challenge of regulating systems that operate faster than human oversight can function.

E.3. Student Privacy in the Age of AI. Research how AI is being used in K-12 education — including adaptive learning platforms, automated grading, behavioral monitoring, and predictive analytics. Write a 1,000-word analysis of the governance gaps these technologies create under current FERPA and COPPA frameworks, and propose governance reforms.


Solutions

Selected solutions are available in appendices/answers-to-selected.md.