Student Privacy in Higher Education: Federal Updates › media › filer_public › 07 › 63 ›...

United States Department of Education Privacy Technical Assistance Center

Michael HawesDirector of Student Privacy Policy

U.S. Department of Education

Student Privacy in Higher Education:

Federal Updates

Legal Issues in Higher Education ConferenceNorman, OklahomaSeptember 19, 2018

2United States Department of Education, Privacy Technical Assistance Center2

The U.S. Department of Education’s Role in Protecting Student Privacy

• Administering and enforcing federal laws governing the privacy of student information

• Family Educational Rights and Privacy Act (FERPA)• Protection of Pupil Rights Amendment (PPRA)

• Raising awareness of privacy challenges• Providing technical assistance to schools, districts, and states• Promoting privacy & security best practices

2


What we’ll cover today:

• Recent FERPA guidance• Big data, predictive analytics, and apps on campus• GDPR• Student privacy and financial aid data• Data security• Resources and technical assistance• Your questions


Keeping up with Recent DevelopmentsRecommend that you sign up for PTAC updates or check these pages regularly:

https://studentprivacy.ed.gov/• Letter to Agora Cyber Charter School (contracting for online educational

services)• Letter to Wachter (video surveillance of multiple students)• FAQs on Photos and Videos under FERPA

ifap.ed.gov/eannouncements/Cyber.htmlFSA data security webpage

https://studentprivacy.ed.gov/

https://ifap.ed.gov/eannouncements/Cyber.html


Since You (didn’t) Ask ….The most common phone call relating to higher edis from an irate parent because a college won’t share his/her child’s grades/information.

5

And FERPA is NOT the reason for this


Big Data in Higher ED

Campuses can be “data factories”Traditional student information (grades, attendance, etc.)Mobile device information (geolocation, e.g.)Online “clickstream” dataUniversity hospitals and clinicsResearch data Badge and swipe information

6

And yes – by their nature, students can be challenging data subjects.


What are the data being used for?Think beyond traditional school functions to include:

• Accountability• Civil rights• Personalized learning • Improving outcomes• Improving safety

7


Predictive AnalyticsIHEs and their third party vendors are increasingly relying on predictive analytics, e.g.:• Companies offering statistical predictions on who will be a

perpetrator or victim of sexual assault on campus.• Student Success Systems – steering students into pathways

more likely to lead to graduation.• While FERPA’s school official exception often will allow data

use, don’t just think about statutory compliance. Consider Fair Information Practice Principles and Ethics.

8


Apps on Campus – The School Official Exception

IHEs can use FERPA’s School Official exception to disclose education records to a third party provider if the provider:

• Performs a service/function for the IHE for which it would otherwise use its own employees

• Is under the direct control of the IHE with regard to the use/maintenance of the education records

• Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the IHE’s annual notification of rights under FERPA

• Does not re-disclose or use education data for unauthorized purposes

9


“Click-wrap” Agreements and “Free” Apps

Traditional, written, and signed 2-party contracts are ideal, but not always feasible.

When reviewing “click-wrap” agreements, schools should also: Check amendment provisions Print (or save) the Terms of Service Understand permitted data uses Specify authority within your institution to accept click-

wrap agreements

10


“Unregulated” Faculty and Apps• In the K-12 arena, districts are taking steps to manage apps

and student data; for the most part institutions of higher education ARE NOT.

• Schools cannot require students to waive their FERPA rights as a condition of acceptance or receipt of educational training or services.

11


GDPR Readiness

Effective Date: May 25, 2018

You Are Not Alone


GDPR Readiness

What is GDPR? EU General Data Protection Regulation

Does GDPR Apply To U.S. Educational Institutions? POTENTIALLY Does your institution process personal data of EU residents in the

course of offering goods or services?


GDPR Readiness• Study-Abroad Programs and Overseas Offices• Distance Learning• Admissions Office• Alumni and Development Office• Registrar/Student Records• Research Centers• Vendors


Understanding Financial Aid Data Use


What Kinds of Financial Aid Data?

• Free Application for Federal Student Aid (FAFSA)• Student and parent demographic & financial information

• Institutional Student Information Record (ISIR)• Contains processed student information reported on FAFSA and NSLDS financial aid history

information

• National Student Loan Data System (NSLDS)• Student enrollment, demographic, and loan information

• Student Records• Any records that directly relate to the student and are maintained by (or on behalf of) an

educational agency or institution


Applicable Laws & Agreements

• Family Educational Rights and Privacy Act (FERPA)

• Higher Education Act (HEA)

• Privacy Act

• Student Aid Internet Gateway (SAIG) Agreement

• Consolidated Appropriations Act of 2018


Higher Education Act

• The HEA authorizes numerous federal aid programs that provide support to both individuals pursuing a postsecondary education and institutions of higher education.

• The HEA applies to both NSLDS data and FAFSA/ISIR data, but places additional provisions on NSLDS data.



FAFSA data, and any data derived from FAFSA data (including data in the NSLDS) may only be used for the application, award and administration of aid awarded under Federal student aid programs, state aid, or aid awarded by eligible institutions or such entities as the Department may designate.

The guidance clarifies that “administration of aid” includes audits and program evaluations necessary for the efficient and effective administration of those aid programs.



The HEA also applies the following provisions to NSLDS data

• Prohibits nongovernmental researchers and policy analysts from accessing personally identifiable information

• Prohibits use of NSLDS data for marketing purposes


Privacy ActProhibits Federal agencies from disclosing records from systems of records unless (among other exceptions) the disclosure is for a specified routine use or:• to a recipient who has provided written assurance that the record

will be used solely as a statistical research or reporting record and the record is to be transferred in a form that is not individually identifiable (5 USC §552a(b)(5)


SAIG AgreementUnder the SAIG Agreement, access, disclosure and use of data is limited to “authorized personnel.”

The Department interprets “authorized personnel” to include individuals in your own institution, but also, when appropriate, individuals outside your institution who are permitted access to the information under applicable statutes and regulations.


Remember…

In instances where more than one law or regulation applies, the most restrictive provisions from each will jointly apply.


FAFSA

University

ISIR

NSLDS

Education Records

SAIG


Scenario 1

Can an institution use financial aid information provided by a student on the (FAFSA) to recruit a student who has not yet enrolled or tried to enroll at the institution?

a) Yes!b) No!c) It depends ….


Scenario 2

Can an institution’s housing office obtain FAFSA/ISIR data to determine if a student qualifies for a housing fee deferral pending financial aid disbursement?



Scenario 3

Can an institution provide student financial aid data obtained directly from the NSLDS and is de-identified to a researcher not affiliated with the institution?



Think Twice Before Sharing

Even when permissible under applicable federal laws, institutions should consider whether each proposed use of PII is consistent with institutional values, as well as state and local law.


Poll – Data Security

Who has had a data breach at your school in the last 12 months?(Answer for your school, or most schools if you’re not employed by a school)

a) Yup. We’ve had at least one.b) No. We’ve been lucky. No breaches.c) We may have; I just don’t know.d) I don’t trust the anonymity of the polling software and I’m not

telling you!


Who needs to worry about data security?

President & Board of Directors/Regents

Registrars, Comptrollers, and Treasurers

Financial Aid VP/Director

Financial Aid ProfessionalsParents

Staff & Faculty

Users

Students

Applicants

CIO, CISO Staff


Why do I need to worry about data security?

Educational institutions are specifically being targeted because of the current state of ad-hoc security coupled with the educational environment being a rich trove of emails, information and research.


Why do I need to worry about data security?

Starting in FY18, GLBA information security safeguards will be audited to ensure administrative capability. Draft audit language:

Audit Objectives – Determine whether the IHE designated an individual to coordinate the information security program; performed a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) and documented safeguards for identified risks.Suggested Audit Procedures

a. Verify that the IHE has designated an individual to coordinate the information security program.b. Obtain the IHE risk assessment and verify that it addresses the three required areas noted in 16 CFR 314.4 (b).c. Obtain the documentation created by the IHE that aligns each safeguard with each risk identified from step b above, verifying that the IHE has identified a safeguard for each risk.


What are the data security requirements?

• Title IV schools are financial institutions per Gramm-Leach-Bliley Act (GLBA, 2002) • Per FSA PPA & SAIG agreements, these schools must have GLBA safeguards in place.

Schools without GLBA safeguards may be found administratively incapable (unable to properly administer Title IV funds).

• GLBA Safeguards are: • Develop, implement, & maintain documented data security (info-sec) program• Designate an employee(s) to coordinate the program

https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying


What are the data security requirements? cont’d

34

• Identify reasonably foreseeable internal and external risks to data security via formal, documented risk assessments of: 1) Employee training and management2) Information systems, including network and software design,

as well as information processing, storage, transmission, and disposal

3) Detecting, preventing and responding to attacks, intrusions, or other systems failures

• Control the risks identified, by designing and implementing information safeguards and regularly test /monitor their effectiveness.



35

• Oversee service providers, by:1) Taking reasonable steps to select and retain service providers that are

capable of maintaining appropriate safeguards for the FSA, student, & school (customer) information at issue

2) Requiring your service providers by contract to implement and maintain such safeguards.

• Evaluate & adjust school’s info-sec program in light of:• the results of the required testing /monitoring• any material changes to your operations or business arrangements;• any other circumstances that you know may have a material impact on

your information security program.



36

• Title IV schools are subject to the requirements of the FTC Identity Theft Red Flags Rule (72 Fed. Reg. 63718) issued on November 9, 2007

• The “Red Flags Rule” requires an institution to develop and implement a written Identify Theft Prevention Program to: • Detect• Prevent• Respond to patterns, practices, or specific activities that may indicate identity

theft


What is a breach?

37

• Per GLBA, a breach is any unauthorized disclosure, misuse, alteration, destruction or other compromise of information.

• Administrative, technical, and physical safeguards:1) ensure the security & confidentiality of customer

information2) protect against any anticipated threats or hazards to the

security or integrity of such records3) protect against unauthorized access to or use of such

records or information which could result in substantial harm or inconvenience to any customer.

Important items to note:• No minimum size or # of

records• Employee access is not

exempt if wrong • Not strictly digital or

technology-based – paper counts!

• Covers data in storage, in transit or being processed


When do I report a breach?• The Student Aid Internet Gateway (SAIG) Agreement requires that as a condition of

continued participation in the federal student aid programs, Title IV schools are to report suspected/actual data breaches.

• Title IV schools must report on the day of detection when a data breach is even suspected.

• The Department has the authority to fine institutions that do not comply with the requirement to self-report data breaches; up to $54,789 per violation per 34 C.F.R. § 36.2.

• The Department has reminded all institutions of this requirement through Dear Colleague Letters (GEN 15-18, GEN 16-12), electronic announcements, and the annual FSA Handbook.

https://ifap.ed.gov/dpcletters/GEN1518.html

https://ifap.ed.gov/dpcletters/GEN1612.html


How do I report a data breach? (Yes, you!)1. Email [email protected] & copy your data breach team,

executives, per your policy.Data to include in the e-mail:

• Date of breach (suspected or known)• Impact of breach (# of records, etc.)• Method of breach (hack, accidental disclosure, etc.)• Information Security Program Point of Contact

o Email and phone details will be necessary• Remediation Status (complete, in process – with detail)• Next steps (as needed)

2. Call Education Security Operations Center (ED SOC) at 202-245-6550 with above data. ED-SOC operates 7x24.

mailto:[email protected]

United States Department of Education Privacy Technical Assistance Center

PTAC Resources

https://studentprivacy.ed.gov/Help Desk ([email protected])

Guidance and Best Practice Documentso Data Sharing under FERPAo Data Securityo Data Governance…and much, much more.

Videoso FERPA for Parents and Studentso Designing a Privacy Program…and many others.

FSA data security webpage:

ifap.ed.gov/eannouncements/Cyber.html

http://studentprivacy.ed.gov/

mailto:[email protected]

https://ifap.ed.gov/eannouncements/Cyber.html

Student Privacy in Higher Education: Federal Updates › media › filer_public › 07 › 63 ›...

Documents

Transcript of Student Privacy in Higher Education: Federal Updates › media › filer_public › 07 › 63 ›...