2011 State Data Conference. Privacy, Confidentiality, and Personally Identifiable Information. Christopher Cassel, Nebraska Department of Education, www.education.ne.gov/nssrs. Scott Summers, Nebraska Department of Education, www.education.ne.gov.
Agenda • Privacy Laws • New Federal “Privacy Technical Assistance Center” (PTAC) Resources • FERPA Notice of Proposed Rule Making (NPRM) • Questions
Privacy Laws • Federal Privacy Act • FERPA • Family Educational Rights and Privacy Act • U.S. Department of Agriculture • National School Lunch Act • Child Nutrition Act • HIPAA • Health Insurance Portability and Accountability Act • Nebraska State Law
Privacy Technical Assistance Center • New U.S. Department of Education “Chief Privacy Officer” • New “Privacy Technical Assistance Center” (PTAC) • http://nces.ed.gov/programs/ptac • Established by U.S. Department of Education’s National Center for Education Statistics (NCES) • Seeks to be “one-stop” resource for education stakeholders regarding data: • Privacy • Confidentiality • Security practices
PTAC Resources • Glossary • http://nces.ed.gov/programs/ptac/glossary.aspx • Frequently Asked Questions (FAQs) • Technical Briefs • Three published, seven planned
PTAC Technical Brief 1 • “Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records” • NCES 2011-601 • http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011601 • Summary of terminology and issues
PII: FERPA Definition (1 of 3) Personally Identifiable Information (PII) • Student's name • Name of the student's parent or other family members • Address of the student or student's family • A personal identifier, such as the student's Social Security Number, student number, or biometric record
PII: FERPA Definition (2 of 3) [Personally Identifiable Information (PII) definition, continued] • Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty
PII: FERPA Definition (3 of 3) [Personally Identifiable Information (PII) definition, continued] • Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates
Disclosure • FERPA: “… to permit access to … PII contained in education records … to any party except the party identified …” • Disclosures may be: • Authorized • Unauthorized • Inadvertent
PTAC Technical Brief 2 • “Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records” • NCES 2011-602 • http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011602
Brief 2: Data Stewardship • Defines “Data Stewardship” and recommends actions to ensure confidentiality • Conduct PII inventory • Implement internal controls to protect PII • Provide public notice of education records system • Policies and Procedures
Brief 2: Direct vs. Indirect Identifiers • Direct Identifiers • Information unique to the student • Name, address, Social Security Number, NDE Student ID, photographs, etc. • Indirect Identifiers • Information not unique to the student but can be used in combination with other information about the student to identify a specific student • Race/ethnicity, date of birth, place of birth, grade level, participation in a particular program, etc.
Brief 2: Sensitivity • Not all personally identifiable data have the same level of sensitivity. • Sensitivity should be evaluated both in terms of the specific data element and other available personally identifiable data elements. • Note that an individual’s SSN, medical history, or financial account information is generally considered more sensitive than an individual’s phone number or ZIP code.
PTAC Technical Brief 3 • “Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting” • NCES 2011-603 • http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011603
Brief 3: Reporting Rules • Identifies best practices • Recommends reporting rules to avoid unauthorized or inadvertent disclosures • Masking Rules • For examples, see “NDE Data Access and Use Policies and Procedures”
NDE Data Access and Use Policy and Procedures • Available on NSSRS Resources page of Nebraska Student and Staff Record System website (www.education.ne.gov/nssrs) • Establishes NDE procedures for collecting, maintaining, disclosing, and disposing of education records containing PII • NDE masking rules defined
Future PTAC Technical Briefs • Upcoming briefs will focus on: • Different types of data sharing and data use agreements • Electronic data security • Privacy training • Release dates to be determined
FERPA Clarifications • Handout: “Safeguarding Student Privacy” • Notice of Proposed Rule Making (NPRM) • http://www.gpo.gov/fdsys/pkg/FR-2011-04-08/pdf/2011-8205.pdf • Public comment accepted by USDE: • Until May 23, 2011 • At http://www.regulations.gov
Summary of Proposed FERPA Changes • Stronger Enforcement • Ensuring the Safety of Students • Protect students from marketers or criminals • Allow student ID or badge to be worn or presented • Ensuring effectiveness of Publicly Funded Programs • Allow states to enter research agreements with organizations not under their “direct control” • Promoting research on effectiveness • Sharing data on how high school graduates perform academically in college
Reminders • Districts provide much public reporting • Policies and procedures • Communication and a team-based “Data Quality Culture”
Resources • Family Policy Compliance Office (FPCO) • www2.ed.gov/policy/gen/guid/fpco/index.html • Privacy Technical Assistance Center (PTAC) • nces.ed.gov/programs/ptac • NSSRS Information • www.education.ne.gov/nssrs • NDE Bulletins • www.education.ne.gov/ndebulletins
Partnering with Districts for Data Quality