340 likes | 493 Views
Protecting the Privacy of Student Information—FERPA 101 Privacy Technical Assistance Center. Disclaimer. This presentation is intended to discuss the current FERPA regulations and recent changes.
E N D
Protecting the Privacy of Student Information—FERPA 101 Privacy Technical Assistance Center
Disclaimer This presentation is intended to discuss the current FERPA regulations and recent changes. It is NOT intended to interpret or provide comment on whether sharing of data with other agencies is permissible under other federal, state, or local laws. State and local laws may have MORE stringent protections around privacy and security of education data and other state agency associated data. Remember that for student education data containing PII, FERPA is the floor, not the ceiling, regarding the protection of the privacy of student education records. Provided by the Idaho state department of education
Overview of Today’s Presentation • FERPA Basics and Definitions • Transparency • Data Threats • Data Security Best Practices • Recent Documentation • PTAC’s Website • Questions Provided by the Idaho state department of education
The Family Education Rights Privacy Act (FERPA) What is FERPA? Introduction to FERPA Provided by the Idaho state department of education
Here’s FERPA in Writing The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to consent to the disclosure of personally identifiable information from education records, except as provided by law. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”). Provided by the Idaho state department of education
Key Terms FERPA protects the privacy of students by restricting access to records thatcontain Personally Identifiable Information (PII). FERPA does not permit the Disclosure of PII from education records without consent, except under certain Exceptions. FERPA requires that Reasonable Methods be used to protect the integrity and security of the data being maintained at the school or district. FERPA does permit the disclosure of certain types of PII that is previously designated as Directory Information by the school or district. Provided by the Idaho state department of education
Personally Identifiable Information • What is Personally Identifiable Information (PII)? • PII is information from education records that would make the student’s identity easily recognized (by itself or in combination with other factors). • Some examples of PII: • Full Name • Student ID Number • Grade Level AND Race/Ethnicity Provided by the Idaho state department of education
Disclosure Disclosure means to permit access to or the release, transfer, or other communication of PII by any means. Disclosure can be authorized, such as when a parent or an eligible student gives written consent to share educational records with an authorized party, such as a researcher. Disclosure can also be unauthorized or inadvertent (accidental). FERPA and other federal statues, such as PPRA, restrict the release or collection of different types of sensitive information without prior consent Under FERPA, parents and eligible students have the right to consent to disclosures of PII Rights must be described in the Annual FERPA Notice Provided by the Idaho state department of education
What standard is used to evaluate disclosure risk? • Can a “reasonable person” in the school community who does not have personal knowledge of the relevant circumstances identify an individual in the publicly released data with reasonable certainty? • Paraphrased from 34 CFR §99.3 and §99.31(b)(1) • The “reasonable person” standard • Hypothetical, rational, prudent, average individual in the school community • Does not have personal knowledge of the relevant circumstances • School officials, including teachers, administrators, coaches, and volunteers, are not included Provided by the Idaho state department of education
Senate Bill No. 1372 Idaho Code 33-133 • Local laws apply to student privacy as well, and work in conjunction with FERPA to bolster baseline privacy protections provided by the statute. • This bill, passed by the Idaho State Senate, calls on the Idaho Board of Education to create and oversee policies and data security plans to govern student data systems and authorized access to student data. • The bill defines “student data” and “education record” and specifies what types of information can be considered under those headings. • The bill prohibits any “secondary uses” of student data, including but not limited to sales, marketing or advertising, while allowing the vendor to use data to maintain the product itself • And includes a requirement that the vendor disclose — in detail — any planned secondary uses of student data, including but not limited to sales, marketing or advertising. The board must then obtain parental consent for these uses prior to the start of the vendor contract. Provided by the Idaho state department of education
Why Transparency? Rise in public discourse on data and student privacy Rise in misinformation and confusion about the issues State-level legislative action to restrict data collection, use, and sharing In the absence of information, people will assume the worst Provided by the Idaho state department of education
Transparency – What is Required? • FERPA requires certain information be provided to parents including: • Annual notification listing rights under FERPA including: • Right to inspect and review their education records • Procedure for exercising that right • Criteria for what constitutes a “School Official” and “Legitimate Educational Interest” • Directory Information Policy including • Types of information designated as directory information • Opt out provisions • PPRA requires districts notify parents of their rights annually Provided by the Idaho state department of education
Approaches to Parental Inquiries Keep communications open Review inquiries, concerns, suggestions in a thoughtful manner Timely responses Periodically review old inquiries/resolutions to improve communication/transparency efforts Provided by the Idaho state department of education
FERPA & Data Security FERPA was written back in 1974 when: • Average house price was $38k • Average income was $11k • Federal spending was “only” $269B • You could buy a PC for the low, low price of $20k And… • Disco was cool (think about it) • Education records were papers in the principal’s office FERPA is a survivor because it is not prescriptive. It doesn’t tell you how to protect student data from disclosure, only that you must use “reasonable methods” to protect it. Provided by the Idaho state department of education
FERPA & Data Security FERPA is everywhere in IT, sometimes masquerading as plain old good common sense: • FERPA just lays out the expectations, but leaves the details the experts… that’s you • Being compliant with FERPA can sometimes be as easy as having solid IT policy and good data management practices • The $64,000.00 question is Do you have solid IT policy & good data management practices? Provided by the Idaho state department of education
FERPA & Data Security What is a good Data Security program? • Strong security policy & governance structure that establishes a framework for managing risk to information systems and data • Sets standards & procedures which implement generally accepted data security best practices and controls • Manages system and data lifecycle, procurement, maintenance and decommissioning • Measures program effectiveness against baseline standards Provided by the Idaho state department of education
FERPA & Data Security Provided by the Idaho state department of education
Protecting Student Privacy while Using Online Educational Services • Schools and districts are increasingly contracting out school functions such as Student Information Systems • Many online services do not utilize the traditional 2-party written contractual business model • Increasing concern about the commercialization of personal information and behavioral marketing • As educators we need to use that data effectively and appropriately, while still protecting students’ privacy Provided by the Idaho state department of education
Is student information used in online educational services protected by FERPA? • It depends! • Some data used in online educational services is protected by FERPA. • Other data may not be. • Schools and Districts will typically need to evaluate the use of online educational services on a case by case basis to determine if FERPA-protected information is implicated. Provided by the Idaho state department of education
What does FERPA require if PII is disclosed to a provider? • Parental consent for the disclosure; OR • Disclosure is permitted under one of FERPA’s exceptions to the consent requirement. Typically, either: • Directory Information exception • Remember parents’ right to “opt-out” • School Official exception • Annual FERPA notice • Direct control • Use for authorized purposes only • Limitation on re-disclosure • Remember parents’ right to access their student’s education records Provided by the Idaho state department of education
Threats to Education Data • Criminal hackers and scammers • 100+ billion dollars a year • Most damaging attacks involve web based applications and insiders • Responsible for most external data breaches • Botnets, malware, data breaches • They will not advertise their success • Most breaches are discovered long after the damage is done Organized Criminal Enterprises Provided by the Idaho state department of education
Threats to Education Data • Motivated by ideology or political agenda • Largely decentralized, ad hoc organizational structure • Favor DDoS, Phishing and Application attacks • Historically focus on industrial, financial and political targets • Increasingly targeting schools and school districts • Hacktivists want to tell everybody about their exploits Hacktivism * Hacktivism (a portmanteau of hack and activism) is the use of computers and computer networks as a means of protest to promote political ends. * http://en.wikipedia.org/wiki/Hacktivism Provided by the Idaho state department of education
Threats to Education Data • Cyber-espionage, cyber-warfare by foreign governments • Spying, stealing intellectual property • View schools and districts as proxies for their real targets • Highly advanced, very sophisticated • Virtually unlimited budget • Stealth and longevity are priorities Nation-State Threats Provided by the Idaho state department of education
Threats to Education Data • Internet provider for thousands of hackers… ahem… students • Lose laptops, USB drives • Do business / learn via email • Use unapproved third party apps • BYOD – “Bring Your Own Device” • Wi-Fi Everything!!!!!!! • We have no idea where all of our “stuff” is The REAL risk is with US! Provided by the Idaho state department of education
Threats to Education Data What do “they” want with my data? • Identity information like SSNs, banking info, names and other PII • Prove a point, make a statement • Bypass student content filters (surf freely) • Alter grades, access test info, cause disruption in service Provided by the Idaho state department of education
Threats to Education Data • Open source and free tools • Hacker training online • Cyber-theft commoditized • Black market trading in identity data • “Do-It-Yourself” malware kits • Underground economy where tools are built and sold to order • Still developing flawed software • SQLi, XSS, CSRF, etc • Poor authentication / session mgmt. Sophistication of Attacks Attacker Skill Required Provided by the Idaho state department of education
Countering the Threat • Starts with leadership buy-in • Create a strong information security policy & governance architecture that is reflective of reality • Dedicate resources to security, put someone in charge • Implement tools, technology and automation • Develop meaningful metrics to measure the effectiveness of your program Provided by the Idaho state department of education
Countering the Threat Additional Steps • Use a layered approach (“defense-in-depth) to security which forces attackers to traverse multiple layers of security controls like firewalls, Web Application Firewalls (WAFs), Intrusion Detection / Prevention Systems (IDPS), antivirus, access controls, etc. • Keep systems patched, practice vulnerability management. • Account and Password Management: complex passwords, balanced security requirements. (Don’t overburden your staff! They’ll just find ways around the requirements.) Provided by the Idaho state department of education
Countering the Threat Data Security Best Practices Make what you already have work better People are the key, training and awareness is a powerful weapon Monitor & Manage your data Collect logs that make sense Retain information to help reconstruct events which may have occurred in the past Lots of free security tools exist to help you protect your data Be ready to respond Have a response plan Identify response team in advance and set aside the resources needed Periodically test response capability with simulated events Provided by the Idaho state department of education
Be the Data Security You Wish to See in the World • Parents, students and the public care about privacy • Be transparent with how you secure their data, tell them what they can expect • Explain where the data goes and how it is used • Get feedback GET THE WORD OUT! Provided by the Idaho state department of education
Visit ptac.ed.gov Today! • PTAC’s website, http://ptac.ed.gov is a wealth of resources and documentation on all things data-sharing. • Interactive training modules are available for staff. Modules range from beginning to advanced on a range of different topics. • Submit questions to PTAC easily through our online submission form. Provided by the Idaho state department of education
New Resources Transparency Best Practices for Schools and Districts FERPA/IDEA Crosswalk Heartbleed FAQ Protecting Student Privacy while Using Online Educational Services Data Destruction Best Practices FERPA Exceptions Cheat Sheet Provided by the Idaho state department of education
Questions? *Remember, you can always submit questions to PTAC later! Provided by the Idaho state department of education
Contact Information Family Policy Compliance Office Telephone: (202) 260-3887 Email: FERPA@ed.gov FAX: (202) 260-9001 Website: www.ed.gov/fpco • Privacy Technical Assistance Center • Telephone: (855) 249-3072 • Email: privacyTA@ed.gov • FAX: (855) 249-3073 • Website: http://ptac.ed.gov Provided by the Idaho state department of education