Privacy Beyond Security: FERPA, Privacy, and the Importance of Data Governance

Secure IT Conference, Pomona, CA, March 28, 2013

Michael Hawes, Statistical Privacy Advisor, U.S. Department of Education
Presentation Overview
• What is Privacy? The intersection of privacy and security
• Growing demand for quality data: online services, analytics, research
• Considerations for data access, use, and sharing: legal, technical, procedural
• Keeping people informed… without scaring them, and without violating privacy
IT Security, Privacy, Confidentiality

Privacy: “the state of being free from intrusion or disturbance in one's private life or affairs” (Random House)
Many components of privacy:
• Information privacy
• Bodily privacy
• Territorial privacy
• Communications privacy

Privacy Principles (NIST Special Publication 800-53, Appendix J, www.nist.gov):
• Authority and Purpose
• Accountability
• Data Quality and Integrity
• Data Minimization and Retention
• Individual Participation and Redress
• Security
• Transparency
• Use Limitation

IT Security: “Measures and controls that protect an [information system] against denial of and unauthorized (accidental or intentional) disclosure, modification, or destruction of [information systems] and data.” (Vacca, ed. 2009, Computer and Information Security Handbook)
Focused on protecting the Confidentiality, Integrity, and Availability of information systems.

Privacy and IT Security principles:
• Use Limitation
• Data Minimization & Retention
• Transparency
• Individual Participation & Redress
• Authority & Purpose
• Data Quality
• Confidentiality
• Integrity
• Accountability, Audit, & Risk Management
• Availability
Online Services: New Ways of Accessing Data
• Student portals
• Financial aid
• Communications
• Remote learning
• MOOCs
Benefits: lower costs; extended/improved services; convenience

Learning Analytics: New Ways of Using Data
“Big Data” meets Education! Customization of the learning process (content, delivery, method) through “large-n” analysis of the “digital breadcrumbs” that students create as they learn.

Research and Evaluation: Opening Up Data for Academic & Policy Analysis
Growing use of quantitative analysis in the social sciences.

Individual Level: enhancing the learning process, and identifying students in need of additional assistance
• Drop-out prevention
• Career readiness
• Targeted intervention

Group Level: tracking cohorts and demographic groups
• Equal access and opportunity
• School accountability and improvement

Institutional Level: examining trends, predicting future requirements
• Enrollment
• Budgets
• Accountability
• College Scorecards

Program Level: program evaluation, resource allocation
• Curriculum design
• Faculty staffing plans
• Budgets
• Facilities

Finding the Negatives: data can help us make difficult decisions
• Personnel evaluations
• Budget cuts
Considerations
• Legal
• Data security
• Authentication
• Appropriate level of access
• Releasing data to the public
• Best practices
Family Educational Rights and Privacy Act (FERPA): Key Definitions and Requirements

FERPA – Access & Consent
• Gives eligible students the right to access and seek to amend their education records
• Protects personally identifiable information (PII) from education records from unauthorized disclosure
• Requires written consent before sharing PII
Training Video: FERPA 101 for Colleges and Universities, ptac.ed.gov

Personally Identifiable Information (PII)
• Name
• Name of parents or other family members
• Address
• Personal identifier (e.g., SSN, Student ID#)
• Other indirect identifiers (e.g., date or place of birth)
• “Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” (34 CFR § 99.3)

Education Records
FERPA regulations define education records as those records that are:
• Directly related to a student; and
• Maintained by an educational agency or institution or by a party acting for the agency or institution.

Education Records – Excludes:
• Sole-possession materials;
• Law enforcement records;
• Employee records;
• Post-secondary students’ medical treatment records;
• Records created or received by an educational agency or institution after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student;
• Grades on peer-graded papers before they are collected and recorded by a teacher.
(Paraphrased; see 34 CFR § 99.3 for the precise definition)
FERPA Pop Quiz
Is a student’s name, phone number, or email address protected under FERPA?

FERPA Pop Quiz
Can a university give a parent a copy of their child’s transcript?
Exceptions from the consent requirement for:
• “Directory Information”
• “Studies”
• “Audits and Evaluations”
• Health and safety emergencies
• Other purposes as specified in § 99.31

Directory Information
• Students don’t attend school anonymously!
• Allows schools to release certain information, without consent, such as:
  • name, address, telephone listing, electronic mail address;
  • date and place of birth;
  • photographs;
  • participation in officially recognized activities and sports;
  • field of study;
  • weight and height of athletes;
  • enrollment status (full-, part-time, undergraduate, graduate);
  • degrees & awards received;
  • dates of attendance;
  • most recent previous school attended; and
  • grade level.

Directory Information – Common uses:
• Yearbooks
• Concert programs
• Telephone directories
• National Student Clearinghouse
Students have a right to opt out!

Studies Exception
• “For or on behalf of” schools, school districts, or postsecondary institutions
• Studies must be for the purpose of:
  • Developing, validating, or administering predictive tests; or
  • Administering student aid programs; or
  • Improving instruction
• Written agreements

Audit/Evaluation Exception (34 CFR § 99.31(a)(3))
Allows PII from education records to be shared without consent with “authorized representatives” of “FERPA-permitted entities”:
• Comptroller General of the U.S.
• U.S. Attorney General
• U.S. Secretary of Education
• State or local educational authorities

Audit/Evaluation
• Data can only be shared in order to:
  • Audit or evaluate a Federal- or State-supported education program, or
  • Enforce or comply with Federal legal requirements that relate to those education programs
• Education program – broad, but not limitless
Training Video (coming soon): FERPA 201: Data Sharing Under FERPA, ptac.ed.gov
Other Legal Requirements
• FERPA is only one applicable statute covering post-secondary data; other laws may apply too!
  • HIPAA
  • Gramm-Leach-Bliley
  • Other federal/state/local laws

Data Security
• Risks, threats, and vulnerabilities:
  • Hacking, phishing
  • Removable media
  • Cloud computing
  • The “oops” moment
• Responding to a breach
• Importance of training
“Data Breach Response Checklist”, “Data Security and Management Training: Best Practice Considerations”, and other data security resources are available at www.ed.gov/ptac
Pop Quiz
If a college has a data breach, does it need to notify the U.S. Department of Education?
Authentication
• Reasonable assurance of identity
• Methods:
  • Knowledge factors
  • Ownership factors
  • Inherence factors
• Particularly challenging for electronic transactions
WARNING: YOU MAY NOT USE STUDENT ID NUMBER AS AN EXCLUSIVE AUTHENTICATION FACTOR IF THAT ID NUMBER IS DESIGNATED AS DIRECTORY INFORMATION
“Identity Authentication Best Practices” available at ptac.ed.gov

Level of Access
• Just because someone can legally access the data doesn’t mean they should be accessing it!
• Masking, redaction, and de-identification
Resources on Data De-Identification available at ptac.ed.gov

Public Release
• Aggregation or anonymization isn’t enough
• Importance of disclosure avoidance
• It’s more than a method… it’s a process
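As an added illustration of the de-identification and public-release points above (example code, not part of the presentation or any Department of Education tool), the Python below shows why an aggregate count table alone is not enough: primary suppression hides cells below a minimum size, and complementary suppression hides a second cell in any row or column whose published total would otherwise let a reader recover the hidden value. The threshold of 5, the program-by-outcome sample records, and the choice of the smallest published cell as the complement are assumptions for the example.

```python
from collections import Counter

THRESHOLD = 5     # assumed minimum publishable cell size; the real value comes from policy
SUPPRESSED = "*"

# Constructed sample, not real student data: one (program, outcome) pair per student.
SAMPLE = (
    [("Nursing", "completed")] * 12 + [("Nursing", "withdrew")] * 2 + [("Nursing", "enrolled")] * 8
    + [("History", "completed")] * 9 + [("History", "withdrew")] * 6 + [("History", "enrolled")] * 10
    + [("Physics", "completed")] * 7 + [("Physics", "withdrew")] * 1 + [("Physics", "enrolled")] * 3
)


def count_table(records):
    """Cross-tabulate (row, column) records into {row: {column: count}}, zeros included."""
    counts = Counter(records)
    rows = sorted({r for r, _ in records})
    cols = sorted({c for _, c in records})
    return {r: {c: counts[(r, c)] for c in cols} for r in rows}


def lone_suppressed_lines(table):
    """Rows or columns with exactly one hidden cell: a reader recovers it as the
    published row/column total minus the published cells (margins are assumed public)."""
    rows, cols = list(table), list(next(iter(table.values())))
    lines = [[(r, c) for c in cols] for r in rows] + [[(r, c) for r in rows] for c in cols]
    return [line for line in lines if sum(table[r][c] == SUPPRESSED for r, c in line) == 1]


def suppress(table, threshold=THRESHOLD):
    """Primary suppression of small cells, then complementary suppression until no row
    or column leaks a hidden cell through its total. Zero cells are hidden too: a
    published zero says nobody in that row has the attribute, which discloses something
    about every student in the row. Assumes a table of at least two rows and columns."""
    out = {r: {c: (SUPPRESSED if n < threshold else n) for c, n in row.items()}
           for r, row in table.items()}
    while True:
        leaks = lone_suppressed_lines(out)
        if not leaks:
            return out
        # Complement: hide the smallest still-published cell in the first leaking line.
        shown = [(r, c) for r, c in leaks[0] if out[r][c] != SUPPRESSED]
        r, c = min(shown, key=lambda cell: out[cell[0]][cell[1]])
        out[r][c] = SUPPRESSED


if __name__ == "__main__":
    for program, row in suppress(count_table(SAMPLE)).items():
        print(f"{program:8s}", *(f"{row[c]:>10}" for c in sorted(row)))
```

Even after suppression the hidden values are only constrained to a range, not unknowable, which is why disclosure avoidance is treated as a reviewed process rather than a single method.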
Keeping People Informed
• Accountability: allows the public to have confidence in program performance and decision-making
• Transparency: allows individuals to know how their personal information is being used and protected

Data Governance
Protecting privacy requires IT Security, BUT a robust IT Security program will only take you partway. You need strong and effective data governance to ensure that:
• You only collect the information you need
• You only use it for allowable/appropriate uses
• You only share what you need to, and only with the right people
• You inform people about what information you are collecting, and what you are doing with it.
“Data Governance and Stewardship” Issue Brief and Data Governance Checklist, ptac.ed.gov

Michael Hawes, Statistical Privacy Advisor, U.S. Department of Education
Michael.Hawes@ed.gov
(202) 453-7017