“We’re From the Government and We’re Here to Help You” Privacy Initiatives at the U.S. Department of Education January 25, 2012 EDUCAUSE Webinar Kathleen M. Styles, Chief Privacy Officer Michael B. Hawes, Statistical Privacy Advisor
Presentation Overview Overview of changes to FERPA regulations Privacy initiatives at ED Priorities for 2012 Interactive polls throughout 2
POLL #1 We’re presuming most of you are in the postsecondary community. Which part of the postsecondary community do you work in specifically? A.IT B.Registrar/Administration/Admissions C.Faculty D.Other postsecondary role E.Your assumption is wrong! I’m not part of the postsecondary community 3
Background: Student Privacy FERPA enacted 1974 Move to electronic records State longitudinal databases 2009 Fordham report New risks and vulnerabilities 4
Breaches by Educational Institutions All varieties: hacking, loss of portable device, unintentional, insider breach, etc. Year Number of Breaches Number of Records ,886, ,019, , ,107, ,062, ,575, ,008 Source: Privacy Rights Clearinghouse 5
6 Received in an “You know how sometimes FERPA can tie your brain in a knot trying to think through it all?” Our Favorite FERPA Quote
Poll #2 Question: Which answer best characterizes your prior experience with FERPA? A.I’m a pro! I work with the statute and regs all the time B.I work with FERPA, but find it confusing C.I know what FERPA is, but don’t work with it often D.FERPA? What’s FERPA? 7
FERPA & Postsecondary Ed FERPA Basics Health and safety emergencies Intersection with state and local laws 8
Early 2011 – ED Privacy Initiatives Begin FERPA Notice of Proposed Rulemaking Best Practices -- NCES Technical Briefs Privacy Technical Assistance Center (PTAC) Chief Privacy Officer 9
Late 2011: Building on Progress Regulatory changes PTAC best practice documents Privacy Advisory Committee Soliciting input 10
FERPA Regulatory Changes 274 Comments received Final FERPA regulatory changes – December 2, 2011 Federal RegisterFederal Register – Effective January 3, 2012 The new regulations serve to: – Strengthen enforcement – Help ensure student privacy – Improve program effectiveness 11
New Definitions for Audits and Evaluations Authorized Representative – Any entity or individual designated by a State or local educational authority or an agency headed by an official… to conduct—with respect to Federal- or State-supported education programs—any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs (FERPA regulations, § 99.3). Education Program – Any program principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution (FERPA regulations § 99.3). 12
FERPA Regulatory Changes – Audit and Evaluation Authorized Representative Written Agreements Reasonable Methods “Guidance on Reasonable Methods and Written Agreements” 13
FERPA Regulatory Changes – Studies Exception State educational authorities acting on behalf of their constituent schools Requirement for written agreements 14
POLL – Directory Information Does your institution currently have a directory information policy? A.Yes, we have a directory information policy B.Sort-of. We have a policy, but it could use improvement C.No, we don’t have a directory information policy D.Directory information? What’s that? 15
FERPA Regulatory Changes – Directory Information ID badges Limited directory information 16
POLL – FERPA and Directory Information In light of the recent FERPA reg changes, do you think your institution will change its directory information policy? A.Yes B.Maybe C.No D.We don’t have a policy 17
FERPA Regulatory Changes - Enforcement Enforcement against entities without students 5 year ban 18
Priorities for 2012 Guidance and Best Practices Inter-Agency Collaboration Publishing Data While Protecting PII 19
Guidance! PTAC Initiatives – Move to CPO Office – Expansion to LEAs – Coordination with FPCO – Site visits and regional meetings – Helping organizations come into compliance Guidance Documents and Training Resources Case studies 20
Best Practices and Guidance Resources Guidance on Reasonable Methods and Written Agreements Guidance on Reasonable Methods and Written Agreements Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records Responding to IT Security Audits: Improving Data Security Practices Responding to IT Security Audits: Improving Data Security Practices Data Security: Top Threats to Data Protection Data Security: Top Threats to Data Protection Data Security Checklist Data Security Checklist Data Governance and Stewardship Data Governance and Stewardship Data Governance Checklist Data Governance Checklist Data Security and Management Training: Best Practice Considerations Data Security and Management Training: Best Practice Considerations 21
Inter-Agency Collaboration Agriculture: Free and reduced price lunch data Federal Trade Commission: Child ID theft Health and Human Services: Early Childhood programs Department of Justice: Patriot Act amendments to FERPA 22
Data Release Policy Utility vs. privacy in data tables Disclosure avoidance in an information-rich world A need for more uniformity and rigor Strong public interest Data Release Working Group 23
Unsettled Questions Cloud Computing Video Recordings 24
Privacy AND Transparency Culture of confidentiality Maintaining transparency 25
Have Questions? 26 Family Policy Compliance Office Telephone:(202) FAX:(202) Website: Privacy Technical Assistance Center Telephone:(855) FAX:(855) Website:
Contact Information Kathleen Styles Chief Privacy Officer U.S. Department of Education (202) Michael Hawes Statistical Privacy Advisor U.S. Department of Education (202)
Poll - Feedback Question: How helpful did you find today’s webinar? A.Very helpful! B.Somewhat helpful. C.Not at all helpful. 28