SHEEO/NCES Breakout Session: Overview of the Privacy Technical Assistance Center May 5, 2011 Emily Anthony, National Center for Education Statistics Baron Rodriguez, PTAC

2 The Privacy Technical Assistance Center (PTAC) is one component of USED’s comprehensive privacy initiative, which also includes: - Chief Privacy Officer - Technical Briefs - FERPA Notice of Proposed Rulemaking (NPRM) Privacy, Security, and Confidentiality at USED Run in conjunction with the NCES SLDS program as an extension of technical assistance efforts: - Webinars, best practice briefs - Site Visits, Technical Assistance Experts, Personnel Exchange Network

Background: SLDS The Statewide Longitudinal Data Systems (SLDS) Grant Program is designed to aid state education agencies in developing and implementing longitudinal data systems. The data systems developed with these grants are intended to help states, districts, schools, and teachers make data-driven decisions to improve student learning, as well as facilitate research to increase student achievement and close achievement gaps. The focus of the grant program has evolved over the four rounds of SLDS awards ( ), with an early emphasis on K-12 systems expanding to more holistic P-20-WF (pre-kindergarten through workforce) grants to 41 states and DC. As of 2010, total awards of $514 million. 74 grants to 41 states and DC. As of 2010, total awards of $514 million.

What is PTAC? The Privacy Technical Assistance Center at USED… A “one-stop” shop for technical assistance related to best practices on privacy and data security Provides stakeholders with: A set of tools, resources, and other opportunities to receive assistance with privacy, security, and confidentiality of longitudinal data systems. A means for stakeholders to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality. A focal point for queries and responses to the privacy-related needs of state education agencies (SEAs), local education agencies (LEAs), and institutions of higher education (IHEs) in a confidential, safe environment. A set of resources to promote compliance with FERPA and summarize best practices for ensuring the confidentiality and security of personally identifiable information. 4

PTAC Resources 5 "Privacy Toolkit” including Issue Briefs, Security Checklists, FAQs Training Materials, including Webinars Support Center Regional Meetings Technical Assistance Site Visits

The SLDS Technical Briefs This series of Technical Briefs focuses on privacy, confidentiality, and security considerations related to data in student record systems, especially longitudinal data systems. The briefs are intended to inform practitioners responsible for the development, maintenance, protection, or use of student record data. Author: Marilyn Seastrom, Chief Statistician and Acting Deputy Commissioner, NCES. NCES is seeking input and comments on these briefs. If you have any comments or suggestions, please send them to 6

The SLDS Technical Briefs SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records Discusses basic concepts and definitions that establish a common set of terms related to the protection of personally identifiable information, especially in education records in the Statewide Longitudinal Data Systems (SLDS). This Brief also outlines a privacy framework that is tied to Fair Information Practice Principles that have been promulgated in both the United States and international privacy work. 7

The SLDS Technical Briefs 1. Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records. 2. Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records. 3. Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting. 8 Now AVAILABLE at

Frequently Asked Questions ED recognizes that SEAs, LEAs, and IHEs engaged in building SLDSs are asking similar questions about privacy, confidentiality, and security issues. What is needed? Technical assistance that includes responses to frequently asked questions (FAQs) that are: Accurate Consistent Timely User-friendly (clear, concise, and actionable) Trusted 9

Example FAQ – Ensuring Privacy Q) What is personally identifiable information? A) Personally identifiable information, as defined in FERPA, includes, but is not limited to: a student's name; the name of the student's parent or other family members; the address of the student or student's family; a personal identifier, such as the student's Social Security number, student number, or biometric record; other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name; other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. 10

Glossary of Terms Biometric Record FERPA regulations define a biometric record as one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, available at Indirect Identifier Indirect identifiers include information that can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors. Other examples of indirect identifiers include place of birth, race, religion, weight, activities, employment information, medical information, education information, and financial information. See also Direct Identifier. For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records, available at

Example of Templates/Tools (coming soon to web site) Security Checklists Sample Memorandums of Understanding Sample Acceptable Use Policies Glossary of Terms Webinar Series (2011) o Summer: NCES Brief – Data Stewardship o Summer: Threats to your data, what you should know o Fall: NPRM – Finalized – Latest News o Winter: FERPA & Interagency data exchange 12

Regional Meetings (2011) South: AERA, New Orleans – April 9 Technical Brief 1: Concepts and Definitions Technical Brief 2: Data Stewardship Technical Brief 3: Statistical Methods for Protecting PII Technical Brief 4: Data Access for External Researchers Northeast: EIMAC, Washington, DC – April 18 FERPA/NPRM News Guest speaker: Kathleen Styles, ED Chief Privacy Officer Cyber Security Session Security Audit Panel West: SHEEO/NCES Network Conference & IPEDS Workshop – May 3 Intro to PTAC Workshop on Security Data Exchanges: Federated Models USED Privacy Update Discussion: Postsecondary perspectives on data sharing, security, and partnership Midwest: Education Information Council – August NCES Events  Summer Data Conference  Annual MIS Conference  SLDS Grantee Conferences  National Forum on Education Statistics 13

Site Visits Voluntary! No cost!! Designed to assist states with their privacy and security needs. Not an audit of security or compliance. Can provide independent, objective, third party assistance in the areas of SLDS and Cyber Security. 14

Site Visit Expert Help Audit response assistance. Independent validation of implementation recommendations as a result of security review. Security policy reviews. Governance assistance (multi-agency). Facilitation of multi-agency privacy/security discussions. If interested, send request to 15

PTAC Help Desk Contact Phone, , or use the form on the PTAC website (see contact info at the end of the presentation). Submit a question, suggest a topic for regional meeting, request a site visit or document review. Issues are logged, clarified, and reviewed by subject matter experts (SMEs) Expect to have any contact with PTAC acknowledged within one business day. If appropriate, the SMEs’ draft responses are forwarded to ED for review. If the PTAC SMEs cannot answer the question, the issue is immediately forwarded to ED for internal review. Issues are reviewed at ED by the Privacy Advisory Committee (PAC). 16

What types of questions are being received? “Is it OK to Share student information with a school to which a student will transfer?” “Has FERPA been passed? From what I have read, it protects student data. Does this law protect student privacy with regards therapy?” 17

Privacy TA Team ED/NCES Program Manager: Emily Anthony Project Director: Baron Rodriguez Subject Matter Experts: Mark Hall, Anthony Bargar, Tom Szuba, Alexandra Henning, Allison Camara Help Desk Support: Dan Boland 18

Types of Resources Available from Privacy TA Center ED Expertise Chief Privacy Officer Family Policy Compliance Office Office of General Council Office of Planning, Evaluation and Policy Development NCES Chief Statistician 19

PTAC Role PTAC and FPCO PTAC: Technical Assistance FPCO: Administers FERPA, authority over FERPA violations & regulations 20

21 Top Data Protection Issues in Education’s Cyberspace Protecting Personally Identifiable Information (PII) As we strive towards a “digital nation,” exposure to risk increases More records online & accessible Identity Theft (10% Children) Keeping pace with Network & Systems Security Protective measures are outpaced by the “bad-guy” Traditional “wack-a-mole” patching doesn’t work anymore Maintaining the foundation of Strategy, Policy, Governance & People Training, Education & Awareness is key Cloud computing complicates traditional security architecture approaches

Current Examples of Cyber Security Support from PTAC Review and comment on network security portion of RFPs. Review audit results and recommendations. Site visits to review security architecture, capabilities and plans. Best practice and security guidance documents. Future: more technically-focused documents and training. 22

Privacy Initiatives Chief Privacy Officer Privacy Technical Assistance Center Technical Briefs FERPA Notice of Proposed Rulemaking 23

Chief Privacy Officer: Organizational Structure Principal Deputy Assistant Secretary for Management Kathleen Styles Chief Privacy Officer Privacy, Information, and Records Management Services Family Policy Compliance Office FOIA ServicesPrivacy Safeguards Information Collection Clearance Records & Documents Management 24

Kathleen Styles’ Background Attorney Certified in government privacy Worked on the 2010 Census and American Community Survey Prior position: Director, Office of Analysis and Executive Support, U.S. Census Bureau 25

CPO Responsibilities Compliance Advice Training Outreach Advocacy 26

Initial Areas of Emphasis Considering comments to FERPA NPRM Process improvements Working with PTAC and the Technical Briefs Open Government/transparency Data management 27

28 Proposed Changes to FERPA Stronger enforcement Ensuring student safety Promote wise investment of taxpayer funds in educational programs Promote effectiveness research

FERPA: Stronger Enforcement Enforcement Authority No clear authority to bring enforcement actions against entities that have no students Department could enforce against entities that receive Department funds, even if no students in attendance CURRENT INTERPRETATION PROPOSED INTERPRETATION 29

FERPA: Ensuring Student Safety Limited Directory Information None Clarify that Educational agencies may specify that Directory Information will be disclosed only for specified purposes. CURRENT INTERPRETATION PROPOSED INTERPRETATION 30

FERPA: Ensuring Student Safety Student ID Badges Unclear whether students can be required to wear ID badges if they opt out of directory information. Clarify that a school may require a student to wear an ID badge that exhibits information that has been designated as directory information. CURRENT INTERPRETATION PROPOSED INTERPRETATION 31

FERPA: Ensuring Program Effectiveness Term Definitions None Education Program Any program principally engaged in education Authorized Representative Any entity designated by educational agency to conduct audit, evaluation or compliance or enforcement activity CURRENT INTERPRETATION PROPOSED INTERPRETATION 32

FERPA: Ensuring Program Effectiveness Legal Authority to Conduct Audit/Evaluations Using PII to conduct an audit or evaluation – requires legal authority Clarifies that authority may be express or implied CURRENT INTERPRETATION PROPOSED INTERPRETATION 33

FERPA: Ensuring Program Effectiveness Written Agreements Written agreements are not required under the audit/evaluation exception Written agreements would be required under the audit/evaluation exception CURRENT INTERPRETATION PROPOSED INTERPRETATION 34

FERPA: Ensuring Program Effectiveness Reasonable Methods NONE Specify that disclosing entities must use reasonable methods to ensure receiving entities are FERPA compliant CURRENT INTERPRETATION PROPOSED INTERPRETATION 35

FERPA: Promoting Research on Effectiveness Authority to Conduct Study Preamble to 2008 Regulations indicates that an SEA may not give PII to a researcher unless the SEA has separate legal authority to act on behalf of LEA Clarify that state educational agencies may enter into agreements with researchers on behalf of LEAs CURRENT INTERPRETATION PROPOSED INTERPRETATION 36

37 Please Comment on the NPRM Submit formal comments:  In writing  By May 23, 2011  According to instructions in the Federal Register  Specific and clear

Postsecondary Leadership Examples States using University Systems’ research capacity for SLDS work. States utilizing Postsecondary infrastructure for scalable SLDS implementations Electronic transcripts – speeding the registration process for students and IHE staff. Student readiness assessments – determining students ability to thrive in postsecondary. 38

Postsecondary Concerns/Challenges What challenges are postsecondary institutions dealing with around security, privacy, and confidentiality? How can PTAC provide assistance/guidance to the postsecondary community? What are the areas that ED should be aware of regarding data exchanges between postsecondary and workforce?

Future Topics? PTAC would like to know what topics, publications, and webinars would be most helpful to you: State Attorney General Training on FERPA? NCES Technical Brief trainings? Security best practices? Others? 40

For more information… Website Help Desk Toll Free Phone: Toll Free FAX: NCES Request assistance Upcoming events Subscribe to list Recently released relevant ED publications Privacy TA Center publications Best practice guidelines Frequently Asked Questions Latest FERPA news Other on-line recommended resources 41