(4kgSkgQ8kgvlOkg) 'Il 551 aooa FAX (0763)82-6572 FÆI.C J ...
Student Privacy in Higher Education: Federal Updates › media › filer_public › 07 › 63 ›...
Transcript of Student Privacy in Higher Education: Federal Updates › media › filer_public › 07 › 63 ›...
United States Department of Education Privacy Technical Assistance Center
Michael HawesDirector of Student Privacy Policy
U.S. Department of Education
Student Privacy in Higher Education:
Federal Updates
Legal Issues in Higher Education ConferenceNorman, OklahomaSeptember 19, 2018
2United States Department of Education, Privacy Technical Assistance Center2
The U.S. Department of Education’s Role in Protecting Student Privacy
• Administering and enforcing federal laws governing the privacy of student information
• Family Educational Rights and Privacy Act (FERPA)• Protection of Pupil Rights Amendment (PPRA)
• Raising awareness of privacy challenges• Providing technical assistance to schools, districts, and states• Promoting privacy & security best practices
2
2United States Department of Education, Privacy Technical Assistance Center3
What we’ll cover today:
• Recent FERPA guidance• Big data, predictive analytics, and apps on campus• GDPR• Student privacy and financial aid data• Data security• Resources and technical assistance• Your questions
2United States Department of Education, Privacy Technical Assistance Center4
Keeping up with Recent DevelopmentsRecommend that you sign up for PTAC updates or check these pages regularly:
https://studentprivacy.ed.gov/• Letter to Agora Cyber Charter School (contracting for online educational
services)• Letter to Wachter (video surveillance of multiple students)• FAQs on Photos and Videos under FERPA
ifap.ed.gov/eannouncements/Cyber.htmlFSA data security webpage
2United States Department of Education, Privacy Technical Assistance Center5
Since You (didn’t) Ask ….The most common phone call relating to higher edis from an irate parent because a college won’t share his/her child’s grades/information.
5
And FERPA is NOT the reason for this
2United States Department of Education, Privacy Technical Assistance Center6
Big Data in Higher ED
Campuses can be “data factories”Traditional student information (grades, attendance, etc.)Mobile device information (geolocation, e.g.)Online “clickstream” dataUniversity hospitals and clinicsResearch data Badge and swipe information
6
And yes – by their nature, students can be challenging data subjects.
2United States Department of Education, Privacy Technical Assistance Center7
What are the data being used for?Think beyond traditional school functions to include:
• Accountability• Civil rights• Personalized learning • Improving outcomes• Improving safety
7
2United States Department of Education, Privacy Technical Assistance Center8
Predictive AnalyticsIHEs and their third party vendors are increasingly relying on predictive analytics, e.g.:• Companies offering statistical predictions on who will be a
perpetrator or victim of sexual assault on campus.• Student Success Systems – steering students into pathways
more likely to lead to graduation.• While FERPA’s school official exception often will allow data
use, don’t just think about statutory compliance. Consider Fair Information Practice Principles and Ethics.
8
2United States Department of Education, Privacy Technical Assistance Center9
Apps on Campus – The School Official Exception
IHEs can use FERPA’s School Official exception to disclose education records to a third party provider if the provider:
• Performs a service/function for the IHE for which it would otherwise use its own employees
• Is under the direct control of the IHE with regard to the use/maintenance of the education records
• Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the IHE’s annual notification of rights under FERPA
• Does not re-disclose or use education data for unauthorized purposes
9
2United States Department of Education, Privacy Technical Assistance Center10
“Click-wrap” Agreements and “Free” Apps
Traditional, written, and signed 2-party contracts are ideal, but not always feasible.
When reviewing “click-wrap” agreements, schools should also: Check amendment provisions Print (or save) the Terms of Service Understand permitted data uses Specify authority within your institution to accept click-
wrap agreements
10
2United States Department of Education, Privacy Technical Assistance Center11
“Unregulated” Faculty and Apps• In the K-12 arena, districts are taking steps to manage apps
and student data; for the most part institutions of higher education ARE NOT.
• Schools cannot require students to waive their FERPA rights as a condition of acceptance or receipt of educational training or services.
11
2United States Department of Education, Privacy Technical Assistance Center12
GDPR Readiness
Effective Date: May 25, 2018
You Are Not Alone
2United States Department of Education, Privacy Technical Assistance Center13
GDPR Readiness
What is GDPR? EU General Data Protection Regulation
Does GDPR Apply To U.S. Educational Institutions? POTENTIALLY Does your institution process personal data of EU residents in the
course of offering goods or services?
2United States Department of Education, Privacy Technical Assistance Center14
GDPR Readiness• Study-Abroad Programs and Overseas Offices• Distance Learning• Admissions Office• Alumni and Development Office• Registrar/Student Records• Research Centers• Vendors
2United States Department of Education, Privacy Technical Assistance Center15
Understanding Financial Aid Data Use
2United States Department of Education, Privacy Technical Assistance Center16
What Kinds of Financial Aid Data?
• Free Application for Federal Student Aid (FAFSA)• Student and parent demographic & financial information
• Institutional Student Information Record (ISIR)• Contains processed student information reported on FAFSA and NSLDS financial aid history
information
• National Student Loan Data System (NSLDS)• Student enrollment, demographic, and loan information
• Student Records• Any records that directly relate to the student and are maintained by (or on behalf of) an
educational agency or institution
2United States Department of Education, Privacy Technical Assistance Center17
Applicable Laws & Agreements
• Family Educational Rights and Privacy Act (FERPA)
• Higher Education Act (HEA)
• Privacy Act
• Student Aid Internet Gateway (SAIG) Agreement
• Consolidated Appropriations Act of 2018
2United States Department of Education, Privacy Technical Assistance Center18
Higher Education Act
• The HEA authorizes numerous federal aid programs that provide support to both individuals pursuing a postsecondary education and institutions of higher education.
• The HEA applies to both NSLDS data and FAFSA/ISIR data, but places additional provisions on NSLDS data.
2United States Department of Education, Privacy Technical Assistance Center19
Higher Education Act
FAFSA data, and any data derived from FAFSA data (including data in the NSLDS) may only be used for the application, award and administration of aid awarded under Federal student aid programs, state aid, or aid awarded by eligible institutions or such entities as the Department may designate.
The guidance clarifies that “administration of aid” includes audits and program evaluations necessary for the efficient and effective administration of those aid programs.
2United States Department of Education, Privacy Technical Assistance Center20
Higher Education Act
The HEA also applies the following provisions to NSLDS data
• Prohibits nongovernmental researchers and policy analysts from accessing personally identifiable information
• Prohibits use of NSLDS data for marketing purposes
2United States Department of Education, Privacy Technical Assistance Center21
Privacy ActProhibits Federal agencies from disclosing records from systems of records unless (among other exceptions) the disclosure is for a specified routine use or:• to a recipient who has provided written assurance that the record
will be used solely as a statistical research or reporting record and the record is to be transferred in a form that is not individually identifiable (5 USC §552a(b)(5)
2United States Department of Education, Privacy Technical Assistance Center22
SAIG AgreementUnder the SAIG Agreement, access, disclosure and use of data is limited to “authorized personnel.”
The Department interprets “authorized personnel” to include individuals in your own institution, but also, when appropriate, individuals outside your institution who are permitted access to the information under applicable statutes and regulations.
2United States Department of Education, Privacy Technical Assistance Center23
Remember…
In instances where more than one law or regulation applies, the most restrictive provisions from each will jointly apply.
2United States Department of Education, Privacy Technical Assistance Center24
FAFSA
University
ISIR
NSLDS
Education Records
SAIG
2United States Department of Education, Privacy Technical Assistance Center25
Scenario 1
Can an institution use financial aid information provided by a student on the (FAFSA) to recruit a student who has not yet enrolled or tried to enroll at the institution?
a) Yes!b) No!c) It depends ….
2United States Department of Education, Privacy Technical Assistance Center26
Scenario 2
Can an institution’s housing office obtain FAFSA/ISIR data to determine if a student qualifies for a housing fee deferral pending financial aid disbursement?
a) Yes!b) No!c) It depends ….
2United States Department of Education, Privacy Technical Assistance Center27
Scenario 3
Can an institution provide student financial aid data obtained directly from the NSLDS and is de-identified to a researcher not affiliated with the institution?
a) Yes!b) No!c) It depends ….
2United States Department of Education, Privacy Technical Assistance Center28
Think Twice Before Sharing
Even when permissible under applicable federal laws, institutions should consider whether each proposed use of PII is consistent with institutional values, as well as state and local law.
2United States Department of Education, Privacy Technical Assistance Center29
Poll – Data Security
Who has had a data breach at your school in the last 12 months?(Answer for your school, or most schools if you’re not employed by a school)
a) Yup. We’ve had at least one.b) No. We’ve been lucky. No breaches.c) We may have; I just don’t know.d) I don’t trust the anonymity of the polling software and I’m not
telling you!
2United States Department of Education, Privacy Technical Assistance Center30
Who needs to worry about data security?
President & Board of Directors/Regents
Registrars, Comptrollers, and Treasurers
Financial Aid VP/Director
Financial Aid ProfessionalsParents
Staff & Faculty
Users
Students
Applicants
CIO, CISO Staff
2United States Department of Education, Privacy Technical Assistance Center31
Why do I need to worry about data security?
Educational institutions are specifically being targeted because of the current state of ad-hoc security coupled with the educational environment being a rich trove of emails, information and research.
2United States Department of Education, Privacy Technical Assistance Center32
Why do I need to worry about data security?
Starting in FY18, GLBA information security safeguards will be audited to ensure administrative capability. Draft audit language:
Audit Objectives – Determine whether the IHE designated an individual to coordinate the information security program; performed a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) and documented safeguards for identified risks.Suggested Audit Procedures
a. Verify that the IHE has designated an individual to coordinate the information security program.b. Obtain the IHE risk assessment and verify that it addresses the three required areas noted in 16 CFR 314.4 (b).c. Obtain the documentation created by the IHE that aligns each safeguard with each risk identified from step b above, verifying that the IHE has identified a safeguard for each risk.
2United States Department of Education, Privacy Technical Assistance Center33
What are the data security requirements?
• Title IV schools are financial institutions per Gramm-Leach-Bliley Act (GLBA, 2002) • Per FSA PPA & SAIG agreements, these schools must have GLBA safeguards in place.
Schools without GLBA safeguards may be found administratively incapable (unable to properly administer Title IV funds).
• GLBA Safeguards are: • Develop, implement, & maintain documented data security (info-sec) program• Designate an employee(s) to coordinate the program
2United States Department of Education, Privacy Technical Assistance Center34
What are the data security requirements? cont’d
34
• Identify reasonably foreseeable internal and external risks to data security via formal, documented risk assessments of: 1) Employee training and management2) Information systems, including network and software design,
as well as information processing, storage, transmission, and disposal
3) Detecting, preventing and responding to attacks, intrusions, or other systems failures
• Control the risks identified, by designing and implementing information safeguards and regularly test /monitor their effectiveness.
2United States Department of Education, Privacy Technical Assistance Center35
What are the data security requirements? cont’d
35
• Oversee service providers, by:1) Taking reasonable steps to select and retain service providers that are
capable of maintaining appropriate safeguards for the FSA, student, & school (customer) information at issue
2) Requiring your service providers by contract to implement and maintain such safeguards.
• Evaluate & adjust school’s info-sec program in light of:• the results of the required testing /monitoring• any material changes to your operations or business arrangements;• any other circumstances that you know may have a material impact on
your information security program.
2United States Department of Education, Privacy Technical Assistance Center36
What are the data security requirements? cont’d
36
• Title IV schools are subject to the requirements of the FTC Identity Theft Red Flags Rule (72 Fed. Reg. 63718) issued on November 9, 2007
• The “Red Flags Rule” requires an institution to develop and implement a written Identify Theft Prevention Program to: • Detect• Prevent• Respond to patterns, practices, or specific activities that may indicate identity
theft
2United States Department of Education, Privacy Technical Assistance Center37
What is a breach?
37
• Per GLBA, a breach is any unauthorized disclosure, misuse, alteration, destruction or other compromise of information.
• Administrative, technical, and physical safeguards:1) ensure the security & confidentiality of customer
information2) protect against any anticipated threats or hazards to the
security or integrity of such records3) protect against unauthorized access to or use of such
records or information which could result in substantial harm or inconvenience to any customer.
Important items to note:• No minimum size or # of
records• Employee access is not
exempt if wrong • Not strictly digital or
technology-based – paper counts!
• Covers data in storage, in transit or being processed
2United States Department of Education, Privacy Technical Assistance Center38
When do I report a breach?• The Student Aid Internet Gateway (SAIG) Agreement requires that as a condition of
continued participation in the federal student aid programs, Title IV schools are to report suspected/actual data breaches.
• Title IV schools must report on the day of detection when a data breach is even suspected.
• The Department has the authority to fine institutions that do not comply with the requirement to self-report data breaches; up to $54,789 per violation per 34 C.F.R. § 36.2.
• The Department has reminded all institutions of this requirement through Dear Colleague Letters (GEN 15-18, GEN 16-12), electronic announcements, and the annual FSA Handbook.
2United States Department of Education, Privacy Technical Assistance Center39
How do I report a data breach? (Yes, you!)1. Email [email protected] & copy your data breach team,
executives, per your policy.Data to include in the e-mail:
• Date of breach (suspected or known)• Impact of breach (# of records, etc.)• Method of breach (hack, accidental disclosure, etc.)• Information Security Program Point of Contact
o Email and phone details will be necessary• Remediation Status (complete, in process – with detail)• Next steps (as needed)
2. Call Education Security Operations Center (ED SOC) at 202-245-6550 with above data. ED-SOC operates 7x24.
United States Department of Education Privacy Technical Assistance Center
PTAC Resources
https://studentprivacy.ed.gov/Help Desk ([email protected])
Guidance and Best Practice Documentso Data Sharing under FERPAo Data Securityo Data Governance…and much, much more.
Videoso FERPA for Parents and Studentso Designing a Privacy Program…and many others.
FSA data security webpage:
ifap.ed.gov/eannouncements/Cyber.html