FERPA Rules: Maintaining the Security and Privacy of Student Data

FERPA Rules:
Maintaining the Security and
Privacy of Student Data
West Virginia Department of Education
Carla Howe, Ph.D.
August 4, 2014
Introduction
• You have access to data tools that allow you to
view individual student records for performing
your official duties.
• You are legally and ethically obliged to safeguard
the confidentiality of these student records.
• There are many tools for exploring data; those
that access student-level data must be secured.
• The purpose of this presentation is to inform you
of your responsibilities to protect student privacy.
Responsibilities
• Protect the privacy of students and the
confidentiality of student data.
• Comply with state and federal laws, and
district policy, to maintain the confidentiality
of student data.
• Use confidential student data only as
necessary for legitimate educational purposes.
• Keep your password confidential.
Consequences
• Student education data may not be released
except under specific circumstances.
Improper release of these data expose you
and your district to potential criminal and
civil liability, and loss of federal funds.
• Student-specific information gathered from
secure tools may be shared only with
authorized school personnel.
Protecting
Confidential Information
• Be careful to prevent unauthorized people
from viewing your screen while you are
accessing confidential information.
• When you are finished with the data tools,
log off and close any windows containing
data or reports.
Sharing Reports
• Printed reports can be shared publicly only after
you’ve reviewed them to ensure that no student
could be identified from the report (for example,
in conjunction with other information that is
available).
• If a reasonable person from your community could
identify a student from a report, directly or
indirectly, then you should store that report in a
secure place. Share the report only with those with
a legitimate educational interest – as determined
by your school board, or district leadership.
Foundational Concepts Critical to
Data Training and Use
March 2014
What is FERPA?
Family Educational Rights and Privacy Act of 1974,
as amended (FERPA)
• Federal regulations that govern access to and
release of personally identifiable information
about students found in education records
• Applies to all schools that receive funds under
applicable programs of the USED
• Does not apply to private schools whose
students or teachers receive services from an
LEA or SEA, unless the private school also
receives federal funds
8
FERPA: Two Purposes
Access to
Educational Records
Limit on Disclosure
Parents &
Students
Prior Written
Consent
Authorized
Representatives
Consent
Exceptions
9
Annual notice of
FERPA rights
Schools must notify parents of their rights under
FERPA on an annual basis.
• Directory information designation
– What information does the entity designate as
directory?
• Location of records
• Right to inspect records, file a complaint,
consent to disclosure, amend records
• Military Recruiters
– Schools must provide recruiters with student name,
address, phone number and access to campus
10
Student Record
Information
• May be disclosed to the student with proper authentication
– Amended FERPA requires the use of reasonable methods to
determine the identity of intended and authorized recipient of
information AND authenticate or ensure that recipient is, in fact,
who he/she purports to be
• Parent Access Procedures
– Right to “inspect and review”
– 45-day timeline to provide the records
– May charge “reasonable fee” for copies, but not to search or retrieve
• Exceptions
– Letters of recommendation for which the student has waived the
right to review
– Information about other students
11
FERPA requires
Educational Providers to:
Educational
Providers
Protect student rights
Ensure that third parties do not
redisclose personally
identifiable information
Keep records of certain requests
and disclosures of student
education records
Notify students/parents of their
rights annually
State Education
Agency
Protect student rights
Ensure that third parties do not
redisclose personally
identifiable information
Keep records of certain requests
and disclosures of student
education records
12
Basic Concepts
• Education Record
• Directory Information
• Personally Identifiable Information
13
Education Record
Education Record
• A record which is maintained by the institution from which the student
can be identified (Directory Information)
• Directly related to a student
• Maintained by an educational agency or institution (or party acting on
behalf of the agency)
• For elementary and secondary level students
• Records maintained on special education students including records on
services provided to those students
EXCEPT: Records of School Personnel which are:
• Kept in the record maker’s sole possession
• Used only as a memory aid
• Not accessible or revealed to anyone except temporary substitute for
record maker
14
Directory information
Information in an education record of a student that would
not generally be considered harmful or an invasion of privacy
if disclosed
As defined in Policy 4350, Directory Information can include:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Student's name
Address
Telephone listing
Email address
Photograph
Date and place of birth
Major field of study
Dates of attendance (for school)
Grade level
10. Participation in officially
recognized activities and sports
11. Weight and height of members of
athletic teams
12. Dates of attendance (for athletics)
13. Degrees and awards received, and
14. The most recent previous
educational agency or institution
attended by the student.
15
Personally identifiable
information
Personally Identifiable Information
• Student’s name, parent or family member names, student’s
address, or other information that would allow a reasonable
person in the school or its community, who does not have
personal knowledge of the relevant circumstances, to identify
the student with reasonable certainty.
• Indirect identifiers such as date and place of birth and mother’s
maiden name.
Personally Identifiable Information – Further Defined
• Other information that, alone or in combination, is linked or
linkable to a specific student that would allow a reasonable
person in the school community, who does not have personal
knowledge of the relevant circumstances, to identify the
student with reasonable accuracy
16
Directory Information
Directory Info IS NOT
• Social Security Number
• Student ID
WOW Student Screen
• Lists Directory Information
• Student history details require an enrollment
record
17
Restricting Directory Information
• Parents can “Opt Out” of sharing directory
information
• For example, if a student in a post-secondary
institution “opts-out”, then the National Student
Clearinghouse cannot redisclose student level
information to the state for that student
• Students do not have the option to “opt-out” for
required reporting to the state
• Students cannot opt out of wearing or
presenting a student ID or badge
18
How do you
authenticate identity?
• Regulations require a school to use reasonable
methods to identify and authenticate the identity of
parents, students, school officials, and other parties
before disclosing education records.
Sample Verification Process for Parent
Requests
Check student
enrollment in
the Student
Information
System
Submit
verification form
to the district of
enrollment to
verify there are
no court orders to
prevent parent
from seeing
records
Require parent
to pick up the
data in person,
show proof of
identify, sign
verification
form
19
Reasonable Methods
• Regulations require the use of “reasonable methods” to
ensure access is only given to only those education records
in which the official has a legitimate educational interest.
• Reasonable methods include:
– Physical controls (locked filing cabinets)
– Technological controls (role-based access controls for
electronic records)
– Administrative policies (must be effective in ensuring
compliance)
• This also means no student data are transferred off-site
using portable media (thumb drives to work at home) or are
sent via email unless in a password-protected or deidentified file.
20
Consent Exceptions
• May be disclosed to school officials with “legitimate
educational interest”
• Authorized government officials
– Regulations expand the school official exception to include
contractors, consultants, volunteers, and other parties to whom a
school has outsourced services or functions under certain
circumstances:
• The party is under the direct control of the SEA or LEA (contract);
• The party is subject to the same conditions governing the use and redisclosure of education records applicable to other school officials;
• WVDE requires these parties to also sign security agreements
21
Disclosure Exception:
Organizations conducting studies
• The school must have a written agreement with the
receiving organization that specifies:
– the purposes of the study;
– the information may only be used to meet the purposes of the
study stated in the agreement;
– the restriction on re-disclosure of the information;
– the requirement for destruction of the information when no
longer needed.
– Clarifies requirements that information disclosed under this
exception is used only to meet the purposes of the study, and
that all re-disclosure and destruction requirements are met.
• WVDE uses a Institutional Review Board and Research
Review Committee process and has specific forms that data
requestors must fill out
22
Disclosure Exceptions:
To Parents of kids 18+
• Regulations clarify that disclosure of education records
without consent is permitted to parents in some
circumstances:
– When a student is a dependent student under the IRS tax
code;
– When the student has violated a law or the school’s rules
or policies governing alcohol or substance abuse, if the
student is under 21 years old;
– When the information is needed to protect the health or
safety of the student or other individuals in an emergency.
– Ensures that schools understand that FERPA does not block
information sharing with parents if any of the above
exceptions apply.
23
Keeping records of
disclosures
• At the SEA and LEA, must record name and legitimate
interest in cases such as these
– Information disclosed without student’s written consent
– To the parent of an eligible student
– In response to a lawfully issued court order or subpoena
• However there must still be an attempt to notify the parent in these
cases unless it is in response to a threat on the student’s safety
– For external research purposes where individual students have
been identified
– In response to an emergency
• Emergencies do not require parental notification
• These include endangerment to the health or well-being of a student
• Note this is why WVDE has the Research Proposal
Application (and its process) and Data Security Agreements
24
More Exceptions
Financial Aid
• To persons or organizations providing student financial aid,
or determining financial aid decisions
Enrollment
• To officials at institutions in which a student seeks to enroll
or has enrolled so long as the disclosure is in connection
with the student’s enrollment
Judicial Order /
Subpoena
• Note that a reasonable attempt at parental notification is
required!
Accreditation
• To accrediting organizations and other entities conducting
educational studies
Health & Safety
Emergency
• When necessary to protect the health or safety of the
student or other persons
25
More Exceptions
USA Patriot Act
Campus Sex Crimes Prevention
Act
Clery Act
School Officials with a
legitimate educational interest
Specified officials for audit or
evaluation purposes
• information relevant to an investigation or prosecution
of an act of terrorism
• Schools are permitted to disclose information about
registered sex offenders
• Requires a school to inform the accuser and the accused of the outcome of
a school’s disciplinary proceeding of an alleged sex offense (name, violation,
and sanction imposed).
• A school may not require the accuser to execute a non-disclosure
agreement.
http://www.ed.gov/policy/gen/guid/fpco/ferp
a/index.html
26
FERPA & HIPAA
• At the elementary or secondary school level,
students’ immunization and other health records
that are maintained by a school district or individual
school, including a school-operated health clinic, that
receives funds under any program administered by
the U.S. Department of Education are “education
records” subject to FERPA, including health and
medical records maintained by a school nurse who is
employed by or under contract with a school or
school district.
27
What Can –
and Can’t – Be Released
• Individual student data can never be publicly published or
released.
• Summary (aggregated) data can be released, but only if
the group size is large enough (>10) to protect the privacy
of individual members of the group.
• When the identity of an individual student could be
inferred due to small group size in a report, treat that
report as confidential.
The summary reports to which you have access may contain
small group sizes, and should therefore be treated as
confidential.
Unauthorized
disclosures of PII
• Unauthorized disclosures of PII may result in
being prohibited from accessing PII for at least
five years
• The entity from which the data originated is
responsible for the prohibition of access
• Most recent FERPA provisions require
documentation and mandatory provisions for
written agreements
29
State Level Security
• Policy 4350 & HB 4316
• WVBE Data Security and Privacy Resolution
• WVDE Data Access & Management Guidance
(available online on the WVDE website under
the Data tab)
• Limited access at WVDE to WOW through jobrelated duties justification, supervisor sign-off,
and assurance to adhere to FERPA regulations.
30
Remember
 Email is now encrypted in transit nor at rest whether on a work
device or a personal device – BUT be cautious
– Attachments & messages opened on personal devices will
not be secure
– Sensitive data stored on a personal device is a security
breach
– Emails on personal devices that are work-related are subject
to FOIA
– Errors are easy with auto-complete names
31
Remember
• Remind your colleagues that disclosing PII is a
violation of state and federal law and policy.
School districts are local units of government
subject to the same laws and acceptable use
policies.
• Do not allow family members or others to use
your work devices.
Coming Soon
• Guidance for the “Alert” screen in WOW
– Primarily for student safety
• Life-threatening allergy information
• Custody/family information if student safety is at stake
• Local rules can still be applied, but some
general guidance will come from WVDE
Family Policy
Compliance Office
• U.S. Department of Education
– Phone: (202) 260-3887 Fax: (202) 260-9001
– Email: FERPA@ed.gov
• www.ed.gov/fpco
– FERPA Final Regulations
– Revised Regulation Overviews for LEAs, Parents, Students
– FAQs
• Privacy Technical Assistance Center
– www.ptac.ed.gov
– Webinars, Publications, Case Studies
– FERPA 101 Webinar Recording and Transcript
34
Check your Quiz!
1. True
2. True
3. True
4. False – annually
5. True
6. False – if he/she HAS legal rights
7. False – do have authority
8. True
9. Grade Level
10. False – social security, cannot be direction
information
Check Your Quiz!
11. False – by student ID or other identifier
12. True
13. True
14. True
15a. Yes
15b. Yes
15c. No
15d. No
15e. No
15f. Yes
New Information
• Data Access & Management Guidance
document
– Available online on the WVDE homepage under
the Data tab
• HB 4316 - Student Data Accessibility,
Transparency and Accountability Act
• ZoomWV – West Virginia’s source for
accurate, K-12 education information –
Coming Soon
37
Contact Information
• For questions about data privacy and security,
please contact
Carla Howe, Ph.D.
Data Governance Manager.
chowe@k12.wv.us
304-558-7881