What is personally identifiable information (PII)? KDE Employee Training Data Security Video Series 1 of 3 October 2014
Don’t become a headline! City Herald Dispatch [ YOUR NAME ], KDE employee accidentally placed personal data of over 600 thousand Kentucky students at risk! Protecting personal information is everybody’s job!
What defines and regulates PII? Family Educational Rights and Privacy Act (FERPA) gives parents protections with regard to their children’s education records and allows education agencies to disclose those records to parties under certain conditions. KRS 61.932 (HB 5) addresses the safety and security of personal information held by public agencies, and requires public agencies and nonaffiliated third parties to implement, maintain, and update security procedures and practices. This includes taking any appropriate corrective action to safeguard against security breaches. KRS 61.933 (HB 232) requires consumer notification when a data breach reveals personally identifiable information. It also requires cloud computing service providers contracting with educational institutions to maintain security of student data and allows the KBE to promulgate regulations as needed.
Family Educational Rights & Privacy Act (FERPA) Protects the privacy of student education records. It applies to education agencies that receive funds under programs of the U.S. Dept. of Education. FERPA defines personally identifiable information as: the student’s name and name of the student’s parent or other family members; address of the student or student’s family; a personal identifier, such as social security number or student number; and other indirect identifiers, such as student’s date of birth, place of birth, and mother’s maiden name. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.
FERPA exceptions allow disclosure of PII
• Local and state education agencies may ONLY re-disclose PII if the disclosure falls under one of the permitted exceptions to the consent requirement.
• The most commonly used exceptions are:
  • Directory Information (for local agencies)
  • School Official (for local agencies)
  • Studies
  • Audit/evaluation
* Studies and Audit/Evaluation exceptions require written agreements.
Kentucky’s data security requirements – HB 5 KRS 61.932 defines personal information as a person’s (not just students’) first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
• account number or credit/debit card number, that in combination with any required security/access code or password would permit access to an account;
• social security number; taxpayer ID number that incorporates a social security number;
• driver’s license number, state ID card number or other individual ID number;
• passport number or other ID number issued by the United States government; or
• individually identifiable health information, except for education records covered by FERPA.
Kentucky’s data security requirements – HB 232 KRS 61.933 defines personally identifiable information as an individual’s first name or first initial and last name in combination with any one of the following:
• Social security number
• Driver’s license number
• Account number, credit or debit card number, in combination with any security code, access code, or password required to permit access to the financial account
What do I need to remember about PII? Understand the confidentiality of PII. Learn to identify PII in its many forms. Keep a “clean house.” Read, understand and follow state and federal privacy, security and confidentiality requirements and policies. Learn more about the best practices covered in part two of this training series, Data Access and Data Sharing.
Have a question? Want more information? We appreciate your feedback, questions and comments. We can be reached through the KDE Data Request mailbox. Explore other resources on the KDE Data Governance Web page. Thank you!