Appendix X. Privacy, Ethics, and Data Stewardship (FCC ULS–Informed Research)
Purpose of this appendix
This appendix documents the privacy, ethics, and data stewardship approach for any research activities that make use of FCC Universal Licensing System (ULS) records as an input to sampling, outreach, or aggregate analysis. It is designed to address common concerns about privacy intrusion when public licensing records are used in research, and to ensure that this work is executed with clear purpose limitation, strong controls, and conservative reporting practices.
X.1 Core principles (privacy-by-design)
This project will follow privacy-by-design practices anchored in five principles:
- Purpose limitation: FCC ULS data will be used only for research operations that directly support this project’s decision questions (e.g., sampling and outreach) and for high-level, aggregate analysis. It will not be used for individual profiling, monitoring, or any activity unrelated to the research objectives.
- Data minimization: We will use only the minimum data elements required to conduct outreach and to perform analysis at an appropriate level of aggregation.
- Separation of functions: Direct identifiers used for outreach (e.g., name/address where applicable) will be separated from analysis data. Researchers will work from de-identified datasets whenever feasible.
- No new directory / no re-publication: This project will not create, publish, or distribute any enhanced directory of licensees, nor will it release row-level extracts of FCC ULS data or any “augmented” contact list.
- Conservative disclosure controls: All reporting will be aggregated and will follow minimum cell-size suppression and other safeguards to prevent inadvertent re-identification.
X.2 Intended use of FCC ULS data in this project
Where FCC ULS records are used, their use will be bounded to the following purposes:
- Sampling frame construction (e.g., defining the population of interest and stratification variables such as broad geography or license class).
- Outreach operations (e.g., mailing invitations or providing an invitation channel for participation).
- Aggregate benchmarking (e.g., ensuring results are interpreted against the distribution of the broader population).
FCC ULS data will not be used to:
- identify or target individuals for non-research communications,
- create or distribute a new list of licensees,
- publish person-level findings or case studies derived from ULS.
X.3 Operational design: separation of outreach from analysis
To reduce privacy risk and avoid unnecessary handling of personally identifying information (PII) by the research team, this project will implement a functional separation between outreach operations and analysis.
X.3.1 Outreach operations (controlled handling of identifiers)
If a mail-to-web or similar outreach approach is used:
- Outreach may be executed by a bonded mail house or survey operations vendor, or via a tightly controlled internal function, using only the fields necessary to deliver invitations.
- Access to direct identifiers will be restricted to a small number of authorized personnel with a defined role.
- The outreach function will generate a random response identifier (RID) for each invitee. The RID will be used to track response status without exposing identity to analysts.
X.3.2 Analysis dataset (de-identified)
The analysis dataset provided to researchers will exclude direct identifiers and will contain only:
- the RID,
- response data,
- minimal stratification tags required for weighting and interpretation (e.g., license class, broad geography bucket, years-since-grant bucket), and
- project-specific variables collected through the research instrument.
Direct identifiers will not be used in analysis except in rare cases where required for operations (e.g., deduplication), and then only within the controlled outreach function.
X.4 Data elements: allowed vs. disallowed
This project will adopt clear rules about what data may be retained in each environment.
X.4.1 Allowed in the outreach environment (minimum necessary)
Only data required to contact invitees and manage fieldwork, such as:
- name (if needed for mailing),
- postal address (if mailing),
- and minimal sampling attributes required to manage stratification.
X.4.2 Disallowed in the analysis environment
The analysis environment will not contain:
- name,
- street address,
- email address,
- phone number,
- or any other direct identifier.
X.4.3 Restrictions on augmentation
This project will not augment ULS records with third-party data that increases identifiability (e.g., consumer data enrichment). Any optional linkage for benchmarking will be performed only at an aggregate level.
X.5 Security controls (baseline requirements)
All datasets used in this project will be managed under standard security practices appropriate for sensitive research operations, including:
- Access control: least-privilege access; role-based permissions; limited number of authorized users.
- Encryption: encryption at rest and in transit for any stored or transmitted data.
- Logging: access logging for systems that store outreach data and analysis data.
- Secure transfer: secure file transfer methods (no email attachments for datasets).
- Vendor controls (if applicable): contractual requirements for confidentiality, secure handling, and deletion.
X.6 Reporting safeguards to prevent re-identification
All reporting will be designed to prevent inadvertent re-identification through small cells or unique combinations of traits (“mosaic effect”).
X.6.1 Minimum cell-size rules
- Results will not be reported for subgroups below a minimum sample size threshold (e.g., n < 25 or a higher threshold as appropriate).
- When necessary, categories will be combined (e.g., broader geography buckets) to meet suppression thresholds.
X.6.2 Geographic and attribute coarsening
- Reporting will avoid overly precise geography (e.g., city or street-level detail).
- Time-based metrics may be bucketed (e.g., years-since-grant ranges) rather than exact dates.
X.6.3 No person-level outputs
- No person-level tables, extracts, or case narratives derived from ULS data will be produced as deliverables.
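As an added illustration of the outreach/analysis separation in X.3 and the suppression rules in X.6 (example code written for this appendix, not part of the original document or any project tooling), the following Python splits constructed, fictional records into an outreach table and a de-identified analysis table linked only by a random RID, checks that no direct identifier reached the analysis side, and tabulates a stratification tag under the n < 25 rule. Field names, bucket boundaries, and the combine-then-suppress behaviour for small cells are assumptions.

```python
import secrets
from collections import Counter

MIN_CELL = 25  # suppression threshold from X.6.1: cells with n < 25 are not reported
DIRECT_IDENTIFIERS = {"name", "address", "email", "phone"}  # must never reach analysts


def build_constructed_records():
    """Constructed, fictional ULS-like rows (not real licensees) for demonstration."""
    rows = []
    for region, count in (("WA", 40), ("OR", 30), ("ID", 5), ("MT", 3)):
        for i in range(count):
            rows.append({"name": f"Fictional Licensee {region}{i}",
                         "address": f"{i} Example St, {region}",
                         "license_class": "General" if i % 2 else "Technician",
                         "region": region, "years_since_grant": i % 20})
    return rows


def years_bucket(years):
    """Coarsen exact tenure into ranges (X.6.2); boundaries are assumed."""
    return "0-4" if years < 5 else "5-14" if years < 15 else "15+"


def split_outreach_and_analysis(records):
    """Separate identifiers from analysis data, linked only by a random RID (X.3)."""
    outreach, analysis = [], []
    for rec in records:
        rid = secrets.token_hex(8)  # random; not derived from name, address or call sign
        outreach.append({"rid": rid, "name": rec["name"], "address": rec["address"]})
        analysis.append({"rid": rid, "license_class": rec["license_class"],
                         "region": rec["region"],
                         "years_bucket": years_bucket(rec["years_since_grant"])})
    return outreach, analysis


def analysis_is_clean(analysis):
    """True if no direct-identifier field is present in any analysis row (X.4.2)."""
    return all(DIRECT_IDENTIFIERS.isdisjoint(rec) for rec in analysis)


def report_counts(analysis, key, min_cell=MIN_CELL):
    """Tabulate `key`; small cells are combined into 'Other' and suppressed if still small."""
    counts = Counter(rec[key] for rec in analysis)
    report = {k: n for k, n in counts.items() if n >= min_cell}
    small = sum(n for n in counts.values() if n < min_cell)
    if small >= min_cell:
        report["Other (combined)"] = small
    elif small:
        report["Other (combined)"] = None  # still below threshold after combining: suppressed
    return report
```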
X.7 Consent, transparency, and opt-out
Even when a public record is used for outreach, this project will treat participation as voluntary and will emphasize transparency.
X.7.1 Invitation transparency
Invitations will include:
- a plain-language statement of the project purpose,
- why the recipient is being contacted (e.g., selected from publicly available licensing records),
- who is conducting the research,
- how the results will be used, and
- contact information for questions.
X.7.2 Opt-out / suppression
Invitations will provide an opt-out mechanism (e.g., a URL/code or email) so recipients can request not to be contacted again. The project will maintain a suppression list used solely for preventing further outreach in this study (and not for any other purpose).
X.8 Retention and deletion schedule
This project will define and follow a retention schedule consistent with minimizing privacy exposure:
- Outreach identifiers: deleted once fieldwork is complete and reconciliation is finished (typically within 30–90 days after close).
- De-identified analysis dataset: retained only as long as needed for analysis, reporting, and auditability; retained datasets will remain de-identified.
- Suppression list: retained only as long as necessary to honor opt-out requests for this study.
If a vendor is used, deletion will be contractually required and confirmed.
X.9 Governance and review
To ensure accountable decision-making and to address privacy concerns proactively:
- The project will conduct a Data Protection Impact Assessment (DPIA)-style review prior to launch, documenting data flows, risks, and mitigations.
- A designated reviewer (e.g., ARDC project lead or an independent ethics/privacy reviewer) will approve the data handling plan before outreach begins.
- Any material changes to data use or scope will trigger a review and update to this appendix.
X.10 Plain-language commitment
This project acknowledges that public licensing records can feel sensitive in practice even when legally public. Accordingly:
We will not create or distribute any enhanced directory of licensees. We will use FCC ULS data only to support sampling and outreach and to interpret results at an aggregated level. Direct identifiers will be kept out of the analysis dataset, access will be tightly controlled, and reporting will use conservative suppression rules to prevent re-identification.