1 SAFEGUARDING REGULATIONS AND HOW THEY EFFECT US MICHIGAN ASSOCIATION FOR STUDENT FINANACIAL SERVICE ADMINISTRATORS BY: KAREN REDDICK NATIONAL CREDIT MANAGEMENT St. Louis, Missouri
Since SANDBOX RULES This session is open forum Audience participation is encouraged Questions and comments as we move through the presentation are welcome
Since LAWS AND REGULATIONS THAT AFFECT US FERPA: Family Educational Rights and Privacy Act GLBA: Gramm-Leach-Bliley Privacy Act State SSN Privacy Law
Since FERPA FERPA: Family Educational Rights and Privacy Act Statue: 20 U.S.C. 1232(g) Regulations: 34CFR Part 99 The intent of the Act is to protect the rights of students and to insure the privacy and accuracy of education records. Those protected by FERPA are students and former students who have been in attendance at the institution. Rights belong to the student
Since FERPA Primary Rights of Students Under FERPA – Right to inspect and review education records. – Right to seek to amend education records – Right to have some control over the disclosure of information from education records.
Since FERPA Definitions – Student Prior to first day of attendance FERPA does not apply – Educational Records Records containing information that is directly related to student Records maintained by educational institution or by a party acting for the institution – Personally Identifiable Information Name Name of parent or other family member A personal identifier (SS # or Student ID #) List of characteristics or other information that would make the student’s identity easily traceable.
Since FERPA CFR 99.7 Annual Notification – Examples of Notification Student Handbook School Newspaper or catalog Local Newspaper Inclusion in students registration packet – Institutions must annually notify students in attendance of their rights under FERPA: Right to inspect and review education records –Procedures to inspect and review education records –Statement that records may be disclosed to school officials without prior consent including criteria for determining who are schools officials –What constitutes a legitimate educational interests.
Since FERPA 34 CFR Part Under what conditions is prior consent not required to disclose? – (a)An educational institution may disclose personally identifiable information from an educational record of a student without the consent required by 34 CFR Part if the disclosure meets one or more conditions outlined in Part (1) The disclosure is to other school officials within the institution whom the institution has determined to have legitimate educational interests. (2)The disclosure to officials of another school where the student seeks or intends to enroll (3) The disclosure to authorized representatives: –Comptroller General of the United States –The United States Attorney General –The Secretary –State and local educational authorities
Since FERPA (4) The disclosure is in connection w/FA for which the student has applied, the info is necessary for such purposes as to –A) Determine eligibility of Aid –B) Determine amount of FA –C) Determine conditions for the Aid –D) Enforce terms and conditions of the Aid (5) The disclosure is to State and local officials or authorities under certain conditions (6) The disclosure is to organizations conducting studies for or on behalf of educational agencies or institutions (7) The disclosure is to accrediting organizations to carry out their accrediting functions (8) The disclosure is to parents, as defined in 99.3 of a dependent student, as defined in section 152 of the Internal Revenue Code of 1986 (9) The disclosure is to comply with a judicial or subpoena
Since FERPA (10) The disclosure is in connection with a health or safety emergency under the conditions described in CFR (11) The disclosure is information the educational agency or institution has designated as directory information under the conditions described in CFR (12) The disclosure is to the parent of a student who is not an eligible student or to the student (13) The disclosure subject to requirements of CFR is to a victim of an alleged perpetrator of a crime of violence (14) The disclosure subject to requirement of CFR in connection with a disciplinary proceeding at an institution
Since FERPA 34 CFR Part 99 Final Regulations Dated April 21, 2004 Effective May 21, 2004 This Final Rule regulations provide general guidelines for accepting “signed and dated written consent”under FERPA in electronic format. Section is amended by adding a new paragraph (d) to read as follows:
Since FERPA (d) “Signed and dated written consent” under this part may include a record and signature in electronic form that- – (1) Identifies and authenticates a particular person as the source of the electronic consent: and – (2) Indicates such person’s approval of the information contained in the electronic consent. Safe Harbor – Most support the use of FSA standards for electronic signatures in electronic student loan transactions (FSA Standards) as a “Safe Harbor” – Schools are not required by FERPA to follow the FSA Standards. The Feds believe that schools may use the setup and security measures described in the FSA Standards, particularly sections 3 through 7, as guidance for security measures in a system using electronic records and signatures under FERPA – Guidelines to Safe Harbor Rules can be found at
Since FERPA VS. GLBA FERPA - the access of information GLBA – the physical handling of information
Since GLBA GLBA: Gramm-Leach Bliley Act signed into law November – Regulation: Privacy regulations issued by federal agencies. Compliance required as of 7/1/01 – FTC PART 314-Standards for Safeguarding Customer Information (Effective 5/23/-03) – Scope: Regulates the sharing of: “Nonpublic personal information” about individuals who obtain “financial products or services” From “financial institutions” primarily for personal, family or household purposes.
Since GLBA-Implementing the Safeguards Rule The Gramm Leach Bliley Act requires financial institutions to ensure the security and confidentiality of customer personal information. The Federal Trade Commission (FTC) implemented GLBA by issuing the Privacy Rule and the Safeguards Rule. Colleges and universities are considered “financial institutions”primarily due to student loan making activities.
Since GLBA-Implementing the Safeguards Rule Safeguards Rule requires all financial institutions to develop an information security program to protect customer information. The three areas where safeguards must be considered: – Administrative – Physical – Technical
Since GLBA- Implementing the Safeguards Rule We must ensure the security and confidentiality of student (customer) records and information. We must protect against any anticipated threats or hazards to the security or integrity of such records. We must protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any student
Since GLBA- How to Implement the Rule The Rule, which took effect on May 23, 2003, requires financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a written information security program that contains comprehensive administrative, technical, and physical safeguards.
Since GLBA- Implementing the Safeguards Rule As part of its program, each financial institutional must: – Designate an employee or employees to coordinate its information security program. – Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise or information, and assess the sufficiency of any safeguards in place to control the risks
Since GLBA- Implementing the Safeguards Rule – Design and implement safeguards to control reasonably foreseeable risks, and monitor the effectiveness of these safeguards. – Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require them, by contract, to implement and maintain such safeguards. Deadline for 3 rd party providers to implement security plan was May 24, – Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business arrangements or operations, or the results of testing and monitoring of safeguards.
Since GLBA- Securing Information Three areas that are particularly important to information security are the following: – Employee Training – Information Systems – Managing System Failures
Since SSN STATE PRIVACY LAWS – May not print SSN on any card required to access products or services – May not require transmission of SSN over an un- secure Internet Connection – May not require the SSN to access an Internet web site unless other unique identification or authentication is used – May not print SSN on any material mailed to the individual unless state or federal law requires the SSN to be on the document, applications and forms excluded (example: 1098T’s)
Since SSN STATE PRIVACY LAWS 7 States have adopted law Michigan is the newest state to implement law – Social Security Number Privacy Act 454 of 2004 – Effective March 1, 2005 – The Act required Universities to have privacy policy in place by January 1, 2006 – Enacted to prevent identity theft in the state of MI, it limits the use of Social Security Numbers as an identifier of students and employees, unless necessary – Best practice is convert to use of just the last 4 digits or to some other, non SSN system is recommended
Since SSN Privacy Law– Solution Create environment that will accommodate all state laws
Since CONTACT INFORMATION GLBA Laura D. Berger, Attorney Division of Financial Practices FTC (202) NACUBO FERPA Family Policy Compliance Office LeRoy Rooker, Director of Family Policy (202) Karen Reddick (800) , ext 229 Free Credit Report Legislative Council, State of MI