CMAEYC Opening Minds Conference. Confidentiality and Privacy. January 26, 2012. Paul A. Chandler, Counsel, BTS, (312) 701-8499, pchandler@mayerbrown.com. Lei Shen, Associate, BTS, (312) 701-8522, lshen@mayerbrown.com.
Disclaimer • The privacy laws are numerous and complex. We are describing some of those laws applicable to student records as an example of the issues. • The interpretation of a law depends on specific facts. This presentation and today’s discussion are not intended to provide legal advice or address specific factual situations. • The summary information in these slides is not legally binding, and you should direct specific questions either to your legal experts or to the appropriate government offices.
Agenda and Goals • Part 1: Privacy and Confidentiality Principles • Part 2: Privacy Laws, FERPA and Other Laws on Student Records • Part 3: Exceptions • Part 4: Conclusions and Additional Resources
Confidentiality and Privacy Principles • Confidentiality encompasses obligations to protect and not disclose information provided in confidence. • Obligations required by law • Contractual obligations • Privacy encompasses a person’s control over who has access to personal information about him, including the collection, use, storage, disclosure and disposal of that information. • Privacy is protected by numerous laws • An important distinction is that privacy pertains to individuals; confidentiality pertains to their information.
Privacy – What is Personal Information? • Personal information includes information concerning an identifiable individual • Personal information includes: • Name • Address • Gender • Age • Citizenship • Nationality, languages spoken, race, ethnicity • Religious or political beliefs • Etc.
Privacy – Who is protected? • Applicants • Employees (current and former) and their dependents and beneficiaries • Contractors and consultants • Employees of vendors, agencies, providers, etc. • Parents, board members, PTA members, etc. • Visitors • Activists • Students
How You Can Lose Personal Information • Lost or stolen media • Third party service provider weaknesses • Weak physical or computer controls • Web site leakage / Cloud Computing • Hackers (inside and outside) • Good intentions / social engineering • Lack of training or policies • Don’t forget loss of data quality (e.g., corrupted data)
General Consequences to Schools and Businesses of Losing Personal Information • Breach notification costs • Direct financial loss • Litigation • Regulatory action • Loss of confidence by parents, school boards and governments • Becoming an example of what could go wrong
Consequences to Individuals Whose Personal Information is Lost • Identity theft • Discrimination • Abusive, malicious or criminal acts • Especially for students, who may be the most vulnerable
Core Privacy Principles • Specify the purpose for collecting any personal data • Give notice of a privacy policy describing your purpose and policies for collection, storage and use of personal data. • Collect only personal data that you need for your purpose and only with consent • Keep personal data accurate, up-to-date and complete • Use personal data only with consent or by authority of law • Use reasonable measures to secure personal data against risk of unauthorized access, disclosure, use or change
Part 2: Privacy Laws – FERPA and Other Laws on Student Records
Privacy Laws in the U.S. • Implicit and implied right to privacy in U.S. Constitution • Third Amendment: Protection of home from quartering of troops • Fourth Amendment: Protection against unreasonable searches • Fifth Amendment: Privilege against self-incrimination • Compare to other countries • European Union • Canada
Privacy Laws in the U.S. • U.S. laws are a patchwork of function-oriented laws • Cable TV Privacy Act (subscriber data) • CAN-SPAM Act (e-mail addresses) • Children’s Online Privacy Protection Act (COPPA) (websites) • Driver’s Privacy Protection Act (driver data) • Fair Credit Reporting Act (FCRA) (consumer reports) • Health Insurance Portability and Accountability Act (HIPAA) (health information) • Although there are many differences among these laws, the underlying principles of federal and state privacy laws are remarkably similar.
Privacy Laws in the U.S. • Many sources of laws: • Statutes: federal, state and local • Regulations, promulgated by governmental agencies (e.g., Dept. of Education) • Court decisions interpreting laws • Common law, based on customs/principles in court decisions (e.g., invasion of privacy claims) • Self-regulatory regimes/best practices (usually not law): • Children’s Advertising Review Unit (CARU) • National Resource Center for Health and Safety in Child Care and Early Education
Privacy Laws in the U.S. • Who enforces these laws? • Federal government (FCC, Dept. of Education, Dept. of Commerce, HHS, etc.) • States Attorneys General • Private causes of action
Major Federal Laws Covering Student Records • Family Educational Rights and Privacy Act (FERPA) (1974) • Protection of Pupil's Rights Amendments (PPRA) (1978) • No Child Left Behind Act of 2001 (NCLB) (January 2002) • USA Patriot Act (October 26, 2001) • Privacy Act of 1974 • Campus Sex Crimes Prevention Act • Individuals with Disabilities Education Act (IDEA) • National School Lunch Act • NOTE: Student records may be protected by multiple laws administered by multiple state and federal agencies.
FERPA • Why focus on FERPA? • Broad applicability/far-reaching implications for state and local policies regarding data use and collection activities • FERPA often incorporated into laws authorizing federal education programs • Most states include (and often expand) FERPA privacy concepts in their education laws
FERPA • What is required or prohibited? • Parents have the right to review and copy “student records” • School must have procedures by which student records can be released and protected • But FERPA does not dictate what safeguards must be taken (other laws may) • Schools must give parents annual notification of their rights under FERPA • Parents have the right to consent to release of student records outside the school, subject to some exceptions
FERPA • What is required or prohibited? • Parents have the right to review, and sometimes, consent to children’s participation in surveys, analyses or evaluations administered by state or local education agencies (PPRA) • Parents have the right to request amendments (e.g., to correct errors) to student records and, if applicable, a formal hearing if request is denied. • Parents have the right to opt-out of disclosure of student directory information (e.g., name, photo, email address, date/place of birth, grade) • Parents have the right to opt-out of student record access for military recruitment (with some exceptions)
FERPA • Who is covered by FERPA? • Education agencies and institutions that receive funds from the U.S. Department of Education (generally public schools) • Since private schools may not receive these funds, they may not be subject to FERPA • Parents • Eligible students over age 18 or who have graduated high school and are attending a postsecondary education institution (at any age) • Under PPRA, parent rights transfer to student when he/she becomes 18 years old or is emancipated under state law.
FERPA • What is a student record? It is any information: • Directly related to a student, recorded in any way; and • Maintained by an education agency or institution or parties acting for them (health or social services institutions). • Very broad definition that includes: • Family information, name/address of parents or guardians, number of siblings • Personal information, SSN, picture, personal characteristics, DNA • Medical/health records • Documentation of attendance, courses taken, awards • Videotapes of students or groups of students
FERPA • What is not a student record? • Notes (handwritten or typed) kept in the sole possession of the maker (e.g., teacher, counselor) which are used only as a personal memory aid and not revealed to any other person other than replacement personnel (e.g., substitute teacher) • Records created by law enforcement units of schools or school districts, for a law enforcement purpose, that are maintained separately from education records • Information about individuals obtained after they are no longer students
Illinois School Student Records Act • Works to implement/expand FERPA: • Requires schools to designate an official records custodian who is responsible for the maintenance, care and security of all school student records, whether or not such records are in his or her personal custody or control. • It is the job of the official records custodian to take all reasonable measures to prevent unauthorized access to or dissemination of school student records.
FERPA & Illinois School Student Records Act • Schools may disclose child’s records to his/her parents. • Parents have a right to (i) inspect and review their child’s education records; and (ii) consent to disclosures of personally identifiable information contained in their child’s education records, except in certain situations where disclosure is authorized without consent (e.g., emergency situations, to be discussed). • Parents may only review specific information about their child; other students’ information must be blocked out or redacted.
FERPA & Illinois School Student Records Act • Administrative officials may disclose personally identifiable information from a student record to anyone, provided the student’s parents provide a broad signed, written consent authorizing them to do so. • Written consent must specify: • Records to be disclosed; • Purpose of disclosure; • Party or class of parties to whom disclosure may be made; and • Whether parent wishes to receive a copy of the records to be disclosed
FERPA & Illinois School Student Records Act • Schools may disclose to the following parties without consent: • School officials, teachers within the school with legitimate educational interests; • Records custodian of another school/school system where student seeks/intends to enroll/is already enrolled, for the purpose of the student’s enrollment or transfer; • Certain federal, state and local officials with prior written notice; • Organizations conducting studies for/on behalf of educational agencies/institutions provided the study does not make it possible to identify parents or students;
FERPA & Illinois School Student Records Act Continued: • Accrediting organization officials to carry out accrediting functions; • Health or safety emergency officials; • To any person provided the disclosure only concerns directory information (so long as parent does not object); • Provide notice to parent defining directory information and give reasonable opportunity to object • The recipient of a court order; • A governmental agency official in furtherance of an investigation of a student’s school attendance; • Department of Healthcare and Family Services officials provided the limited information concerns school lunch applicants
FERPA • Requires schools to keep records of each of the following: • Requests for access to personally identifiable information; • Disclosure of personally identifiable information from a student’s education records; • Names of the state/local educational authorities and federal officials/agencies that will make secondary disclosures of personally identifiable information from a student’s education records without consent; and • Parties who request or receive personally identifiable information and the legitimate interests the parties had in requesting or obtaining information.
FERPA & Illinois School Student Records Act • What if a school does not comply? • Failure to follow the procedures set forth in FERPA and the Illinois School Student Records Act may result in the following: • Loss of federal funds • Individuals bringing an action for injunctive relief or damages • School is liable to a successful plaintiff for damages, cost of action and reasonable attorneys’ fees. • Absent malice, no official or employee acting at the direction of the school can be liable. • Willful failure to comply is a petty offense. • State Board or State’s Attorney may bring an action for injunctive relief to secure compliance with the procedures
Additional Laws: Children’s Day Care IL Administrative Code Title 89, Chapter III, Subchapter e, Section 407.80 • Facility personnel must respect the confidential nature of the child’s records. • Information pertaining to the admission, progress, health, or discharge of an individual child shall be confidential and limited to facility staff designated by the child care director or Department of Children and Family Services (“DCFS”) representatives unless the parent(s) of the child has granted written permission for disclosure or dissemination.
Additional Laws: Children’s Day Care IL Administrative Code Title 89, Chapter III, Subchapter e, Section 407.80 • Must have confidentiality release forms signed by the parent(s) which specify to whom information may be released and the length of time the release form is valid. Such release forms shall be on file at the facility prior to the release of confidential information. • If information is requested by outside persons or agencies, a specific written request signed by the person requesting the information shall be obtained and placed on file at the facility prior to the release of the information.
Additional Laws: Children’s Day Care IL Administrative Code Title 89, Chapter III, Subchapter e, Section 407.80 • Authorized DCFS licensing representatives, DCFS child protection investigators, or other DCFS representatives who have the DCFS Director’s written authorization shall have access to the day care center’s records and reports. All persons with access to records and reports shall respect their confidential nature.
Additional Laws: Children’s Day Care IL Administrative Code Title 89, Chapter III, Subchapter d, Part 383A • Failure to follow these procedures will result in an investigation by DCFS and may result in any of the following depending on the severity of the violation: • Warning; • Corrective plan followed by an informal review; • Conditional license; or • Refusal to renew or revocation of license.
Children’s Day Care Caring for Our Children: National Health and Safety Performance Standards • Best Practice: Maintain a file for each child in one central location in the facility to be kept confidential but available to child’s caregivers (who must have parental consent to access the records), parents, legal guardian and licensing authority upon request. • File should include: • Pre-admission enrollment information; • Health report immunization records; • Admission agreement signed by parent at enrollment; and • Health history and medication record.
Children’s Day Care Caring for Our Children: National Health and Safety Performance Standards • Records should be kept in safe, locked places. • Get prior, informed, written consent for the release of records and information to other service providers (i.e. health service providers), including permission for secondary release of records. • Get consent forms in native language of parent; • When disclosing information about one child, take care that no other child’s information is disclosed in the process;
Children’s Day Care Caring for Our Children: National Health and Safety Performance Standards • Have a written policy that covers the exchange of information among parties; and • Do not disclose or discuss personal information regarding children and their relatives with any unauthorized person. Discuss it only with staff members who need the information to provide services, i.e., it’s a need-to-know basis.
Some Other Applicable Laws • Individuals with Disabilities Education Act (IDEA) • Provides additional protections for students who are receiving special education and related services • Public agencies must inform parents of children with disabilities when information is no longer needed, and except for certain permanent record information, that information must be destroyed at the request of the parents • National School Lunch Act (NSLA) • Stricter than FERPA • Strictly limits how school districts may use, and who may have access to, information obtained as part of the free and reduced-price meals eligibility process
Exceptions • Privacy laws are subject to numerous exceptions where other public policies prevail over privacy concerns. • Examples include: • Communicable Diseases • Child Abuse • Health and Safety Emergencies • Social Workers
Exception: Communicable Disease Children’s Day Care Control of Communicable Diseases Code, Communicable Disease Report Act, Department of Public Health Act • School personnel having knowledge of a known or suspected case or carrier of a reportable communicable disease or communicable disease death shall report to the local health authorities the case, suspected case, carrier or death in humans within the respective time frame required by the Code. • The identity of the individual infected shall remain confidential; and • School personnel may release information that is necessary to protect the health or safety of the student or other persons, provided parents are notified as soon as possible.
Exception: Communicable Disease Children’s Day Care Licensing Standards for Day Care Centers • Report any known or suspected case or carrier of communicable disease to local health authorities and comply with the Illinois Department of Public Health’s Control of Communicable Diseases Code (lists diseases and amount of time required to report). • Maintain a file of reported illnesses that may indicate possible infectious disease.
Exception: Communicable Disease Children’s Day Care Caring for Our Children: National Health and Safety Performance Standards • Notify parents of exposed children with the following information: • Diagnosed disease • Number of cases of disease • Nature of exposure • Signs/symptoms of disease and a timeline of what to watch for • Mode of transmission • Period of communicability • Disease prevention recommended measures • Do NOT identify the child who has the communicable disease!
Exception: Communicable Disease Children’s Day Care Caring for Our Children: National Health and Safety Performance Standards • Suggestions/Best practices: • Have a written policy regarding the IL reporting requirements for ill children. • Report all communicable diseases to the health department. • Maintain confidential records of immunizations, periodic health assessments and any special medical considerations. • Family should identify the child’s healthcare providers and provide written consent to enable caregivers to establish direct communication with providers. • Always inform family prior to communicating with providers unless it is an emergency/abusive situation.
Exception: Child Abuse Children’s Day Care, Schools and Social Workers Abused and Neglected Child Reporting Act • Mandated reporters have a duty to report to the DCFS if they have reasonable cause to believe a child known to them in their professional or official capacity may be an abused or neglected child. • Mandated reporters include school personnel, social workers, social service administrators, child day care director or staff, etc. • If required to report, you should have signed a statement prior to employment that stated you have knowledge and understanding of the reporting requirements of this Act. • Any mandated reporter who knowingly and willfully fails to report this information is guilty of a Class A misdemeanor for the first violation and a Class 3 felony for any subsequent failure to report.
Exception: Child Abuse Children’s Day Care, Schools and Social Workers Abused and Neglected Child Reporting Act • Duty to report if reasonable cause to suspect a child has died as a result of abuse or neglect. Immediately report suspicion to medical examiner or coroner. • Best Practices: Caregivers should know the methods for reducing the risks of child abuse and neglect, common symptoms and signs. • Child Abuse/Neglect Hotline: • 1-800-25-ABUSE (252-2873) • Consider calling the police, especially in emergencies or when the child has been injured.
Exception: Child Abuse Children’s Day Care, Schools and Social Workers Abused and Neglected Child Reporting Act • Report the following to the DCFS, if possible: • Family composition and other children in the environment; • Name, age, sex, ethnicity of child’s parents, caregiver, relationship of caregiver to child and alleged perpetrator and his/her relationship to the child subjects; • Physical harm to the involved child and estimate of child’s present physical, medical and environmental condition. Include information about previous incidents of suspected child abuse or neglect; and • Reporter’s name, occupation and relationship to the child, actions taken by reporter, where to reach reporter and other information the reporter believes could be helpful.
Exception: Health & Safety Emergencies FERPA & Illinois School Student Records Act • Disclosure of information is permitted if there is an articulable and significant threat to the safety of a student or to other individuals. • Institution may only disclose to those persons who need to know the information to protect the health and safety of the student or other individuals. • Make a record of (i) the articulable and significant threat that formed the basis for such disclosure, and (ii) the parties to whom information was disclosed.
Exception: Health & Safety Emergencies FERPA & Illinois School Student Records Act • Notify parents as soon as possible of the information released, the date of the release, the person, agency, or organization receiving the information and the purpose of the release. • Factors to be considered in determining whether records should be released pursuant to this paragraph include: • Seriousness of the threat to the health or safety of the student or other persons; • Need for such records to meet the emergency; and • Extent to which time is of the essence in dealing with the emergency.