FERPA Rules: Maintaining the Security and Privacy of Student Data. West Virginia Department of Education. Carla Howe, Ph.D. August 4, 2014.
Introduction • You have access to data tools that allow you to view individual student records for performing your official duties. • You are legally and ethically obliged to safeguard the confidentiality of these student records. • There are many tools for exploring data; those that access student-level data must be secured. • The purpose of this presentation is to inform you of your responsibilities to protect student privacy.
Responsibilities • Protect the privacy of students and the confidentiality of student data. • Comply with state and federal laws, and district policy, to maintain the confidentiality of student data. • Use confidential student data only as necessary for legitimate educational purposes. • Keep your password confidential.
Consequences • Student education data may not be released except under specific circumstances. Improper release of these data exposes you and your district to potential criminal and civil liability, and loss of federal funds. • Student-specific information gathered from secure tools may be shared only with authorized school personnel.
Protecting Confidential Information • Be careful to prevent unauthorized people from viewing your screen while you are accessing confidential information. • When you are finished with the data tools, log off and close any windows containing data or reports.
Sharing Reports • Printed reports can be shared publicly only after you’ve reviewed them to ensure that no student could be identified from the report (for example, in conjunction with other information that is available). • If a reasonable person from your community could identify a student from a report, directly or indirectly, then you should store that report in a secure place. Share the report only with those with a legitimate educational interest – as determined by your school board, or district leadership.
Foundational Concepts Critical to Data Training and Use March 2014
What is FERPA? Family Educational Rights and Privacy Act of 1974, as amended (FERPA) • Federal regulations that govern access to and release of personally identifiable information about students found in education records • Applies to all schools that receive funds under applicable programs of the USED • Does not apply to private schools whose students or teachers receive services from an LEA or SEA, unless the private school also receives federal funds
Annual notice of FERPA rights Schools must notify parents of their rights under FERPA on an annual basis. • Directory information designation • What information does the entity designate as directory? • Location of records • Right to inspect records, file a complaint, consent to disclosure, amend records • Military Recruiters • Schools must provide recruiters with student name, address, phone number and access to campus
Student Record Information • May be disclosed to the student with proper authentication • Amended FERPA requires the use of reasonable methods to determine the identity of intended and authorized recipient of information AND authenticate or ensure that recipient is, in fact, who he/she purports to be • Parent Access Procedures • Right to “inspect and review” • 45-day timeline to provide the records • May charge “reasonable fee” for copies, but not to search or retrieve • Exceptions • Letters of recommendation for which the student has waived the right to review • Information about other students
Basic Concepts • Education Record • Directory Information • Personally Identifiable Information
Directory information • Information in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed • As defined in Policy 4350, Directory Information can include: • Student's name • Address • Telephone listing • Email address • Photograph • Date and place of birth • Major field of study • Dates of attendance (for school) • Grade level • Participation in officially recognized activities and sports • Weight and height of members of athletic teams • Dates of attendance (for athletics) • Degrees and awards received, and • The most recent previous educational agency or institution attended by the student.
Restricting Directory Information • Parents can “Opt Out” of sharing directory information • For example, if a student in a post-secondary institution “opts-out”, then the National Student Clearinghouse cannot redisclose student level information to the state for that student • Students do not have the option to “opt-out” for required reporting to the state • Students cannot opt out of wearing or presenting a student ID or badge
How do you authenticate identity? • Regulations require a school to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and other parties before disclosing education records. Sample Verification Process for Parent Requests
Reasonable Methods • Regulations require the use of “reasonable methods” to ensure access is given to only those education records in which the official has a legitimate educational interest. • Reasonable methods include: • Physical controls (locked filing cabinets) • Technological controls (role-based access controls for electronic records) • Administrative policies (must be effective in ensuring compliance) • This also means no student data are transferred off-site using portable media (thumb drives to work at home) or are sent via email unless in a password-protected or de-identified file.
Consent Exceptions • May be disclosed to school officials with “legitimate educational interest” • Authorized government officials • Regulations expand the school official exception to include contractors, consultants, volunteers, and other parties to whom a school has outsourced services or functions under certain circumstances: • The party is under the direct control of the SEA or LEA (contract); • The party is subject to the same conditions governing the use and re-disclosure of education records applicable to other school officials; • WVDE requires these parties to also sign security agreements
Disclosure Exception: Organizations conducting studies • The school must have a written agreement with the receiving organization that specifies: • the purposes of the study; • the information may only be used to meet the purposes of the study stated in the agreement; • the restriction on re-disclosure of the information; • the requirement for destruction of the information when no longer needed. • Clarifies requirements that information disclosed under this exception is used only to meet the purposes of the study, and that all re-disclosure and destruction requirements are met. • WVDE uses an Institutional Review Board and Research Review Committee process and has specific forms that data requestors must fill out
Disclosure Exceptions: To Parents of kids 18+ • Regulations clarify that disclosure of education records without consent is permitted to parents in some circumstances: • When a student is a dependent student under the IRS tax code; • When the student has violated a law or the school’s rules or policies governing alcohol or substance abuse, if the student is under 21 years old; • When the information is needed to protect the health or safety of the student or other individuals in an emergency. • Ensures that schools understand that FERPA does not block information sharing with parents if any of the above exceptions apply.
Keeping records of disclosures • At the SEA and LEA, must record name and legitimate interest in cases such as these • Information disclosed without student’s written consent • To the parent of an eligible student • In response to a lawfully issued court order or subpoena • However there must still be an attempt to notify the parent in these cases unless it is in response to a threat on the student’s safety • For external research purposes where individual students have been identified • In response to an emergency • Emergencies do not require parental notification • These include endangerment to the health or well-being of a student • Note this is why WVDE has the Research Proposal Application (and its process) and Data Security Agreements
More Exceptions http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
FERPA & HIPAA • At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district.
What Can – and Can’t – Be Released • Individual student data can never be publicly published or released. • Summary (aggregated) data can be released, but only if the group size is large enough (>10) to protect the privacy of individual members of the group. • When the identity of an individual student could be inferred due to small group size in a report, treat that report as confidential. The summary reports to which you have access may contain small group sizes, and should therefore be treated as confidential.
Unauthorized disclosures of PII • Unauthorized disclosures of PII may result in being prohibited from accessing PII for at least five years • The entity from which the data originated is responsible for the prohibition of access • Most recent FERPA provisions require documentation and mandatory provisions for written agreements
State Level Security • Policy 4350 & HB 4316 • WVBE Data Security and Privacy Resolution • WVDE Data Access & Management Guidance (available online on the WVDE website under the Data tab) • Limited access at WVDE to WOW through job-related duties justification, supervisor sign-off, and assurance to adhere to FERPA regulations.
Remember • Email is now encrypted in transit nor at rest whether on a work device or a personal device – BUT be cautious • Attachments & messages opened on personal devices will not be secure • Sensitive data stored on a personal device is a security breach • Emails on personal devices that are work-related are subject to FOIA • Errors are easy with auto-complete names
Remember • Remind your colleagues that disclosing PII is a violation of state and federal law and policy. School districts are local units of government subject to the same laws and acceptable use policies. • Do not allow family members or others to use your work devices.
Coming Soon • Guidance for the “Alert” screen in WOW • Primarily for student safety • Life-threatening allergy information • Custody/family information if student safety is at stake • Local rules can still be applied, but some general guidance will come from WVDE
Family Policy Compliance Office • U.S. Department of Education • Phone: (202) 260-3887 Fax: (202) 260-9001 • Email: FERPA@ed.gov • www.ed.gov/fpco • FERPA Final Regulations • Revised Regulation Overviews for LEAs, Parents, Students • FAQs • Privacy Technical Assistance Center • www.ptac.ed.gov • Webinars, Publications, Case Studies • FERPA 101 Webinar Recording and Transcript
Check Your Quiz! 1. True 2. True 3. True 4. False – annually 5. True 6. False – if he/she HAS legal rights 7. False – do have authority 8. True 9. Grade Level 10. False – social security, cannot be directory information
Check Your Quiz! 11. False – by student ID or other identifier 12. True 13. True 14. True 15a. Yes 15b. Yes 15c. No 15d. No 15e. No 15f. Yes
New Information • Data Access & Management Guidance document • Available online on the WVDE homepage under the Data tab • HB 4316 - Student Data Accessibility, Transparency and Accountability Act • ZoomWV – West Virginia’s source for accurate, K-12 education information – Coming Soon
Contact Information • For questions about data privacy and security, please contact Carla Howe, Ph.D. Data Governance Manager. chowe@k12.wv.us 304-558-7881