FERPA Compliance and Data Privacy in Education


Learn about the importance of FERPA compliance and data privacy in educational settings, implications of non-compliance, rights of parents and students, and how to establish policies to ensure data protection. Stay informed and prepared for upcoming regulations.

  • FERPA compliance
  • Data privacy
  • Education records
  • Student privacy
  • Policy establishment


Presentation Transcript


  1. Data Privacy and FERPA UAPCS Regional Trainings January 2017

  2. Background: USBE added a Chief Privacy Officer in 2016 to oversee privacy and compliance within the Data and Statistics division of the department. Whitney Phillips, PhD, was hired to fill the position. Right now, we have a lot more questions than we do answers about what compliance is going to look like, but we know that FERPA and data privacy compliance is coming, so we need to be prepared. At the privacy training recently held by USBE, Dr. Phillips said sample policies will be drafted and made available to schools for modeling. I suggest gearing up and having necessary policies in place before the next school year. UAPCS will continue to monitor the situation and provide updates.

  3. The Bottom Line Most schools are out of compliance with Federal FERPA and data privacy laws, as well as HB358. We need to create policy and procedure, train teachers and staff on proper implementation, and internally monitor compliance. If the above steps are followed and there is still a breach, both Dr. Phillips and the Privacy Technical Assistance Center staff said the penalties against the school should be minimal to non-existent. Whether that holds in a court of law is undetermined. There is a lot more to consider than many schools (and districts) have considered in the past.

  4. FERPA 101: A lot has changed since FERPA was passed in 1974, when records were kept on paper and maintained at the school. The possibility for information to be shared was minimal. It has not been updated since then, but the implications and ramifications of it have grown exponentially. FERPA applies to elementary, secondary, and postsecondary schools and establishes the following: Protects the privacy of students by restricting access to records that contain personally identifiable information (PII); Does not permit the disclosure of PII from education records without consent, except under certain exceptions; Requires that reasonable methods be used to protect the integrity and security of the data being maintained; Permits the disclosure of certain types of PII that have previously been designated as directory information by the school.

  5. FERPA Rights of Parents and Eligible Students Right to inspect and review educational records; Right to request amendment of education records; Right to consent to disclosures; Right to file a complaint with U.S. Department of Education

  6. Definitions: Educational Records. Educational records are defined as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. Exceptions include: Sole possession records used as a personal memory aid; Law enforcement unit records; Peer-graded papers before they are collected and recorded by the teacher. Health records on students, including immunization records, maintained by an educational agency or institution subject to FERPA are considered education records and are not subject to HIPAA. Other HIPAA rules may apply (no specific examples were given in the training).

  7. Definitions: Under FERPA, parent means a parent of a student and includes a natural parent, a guardian, or an individual acting as a parent in the absence of a parent or guardian (often a grandparent). Includes custodial and noncustodial parents UNLESS a school is provided with evidence that there is a court order or state law that specifically provides to the contrary. Have all staff who would be interacting with these requests regularly review policy, procedure, and especially the list of students who would be impacted by release of information to a parent who does not have that right. Example Jane

  8. Definitions: Anonymizing means stripping the direct identifiers from data (e.g. name). De-identification means making the identification of the student impossible. Anonymizing is rarely enough to de-identify the data, which is required by FERPA. Transfer of Rights: When a student turns 18 or enrolls in a postsecondary institution at any age, the rights under FERPA transfer to the student. Concurrent Enrollment example: How are records maintained and transferred? Report cards for 18-year-old students or emancipated minors.

  9. Definitions: Personally Identifiable Information. Anything that can be used to identify a student, which may include: Name; Address; Date of Birth; Social Security Number; Ethnicity; Gender; Parent's name(s); A one-handed pirate, with an irrational fear of crocodiles and ticking clocks. Essentially anything that can be used to identify a student from within a group and therefore does not have a limit on categories. Some information may or may not be considered as PII in varying situations.

  10. Definition: Prior Written Consent Except for certain exceptions, a parent or eligible student shall provide a signed and dated written consent before a school may disclose education records. Consent must include: Records that may be disclosed; Purpose of disclosure; Identify party or class of parties to whom disclosure may be made.

  11. Definition: Exceptions to General Consent. To school officials with legitimate educational interests (defined in annual notification); To schools in which a student seeks or intends to enroll; To state and local officials pursuant to a state statute in connection with serving the student under the juvenile justice system; To comply with a judicial order or subpoena (must make reasonable effort to notify parent or student at last known address); To accrediting organizations; To parents of a dependent student;

  12. Definition: Exceptions to General Consent, Continued. To authorized representatives of Federal, State, and local educational authorities conducting an audit, evaluation, or enforcement of programs; To organizations conducting studies for specific purposes on behalf of schools; In a health or safety emergency; To child welfare agency or tribal organization for those children in foster care; Directory Information; Military recruiters (name, address, phone number): school must provide notice of the practice and allow an opt-out; School officials must have a reason to know: break room gossip is a violation of FERPA; Outsourcing services: contractors, consultants, volunteers, or other third parties.

  13. Volunteers You need a policy stating what kind of information is available to volunteers and how it is used; Volunteer training in FERPA; Non-disclosure agreement signed by volunteers

  14. Law Enforcement Units: Law enforcement unit means any individual, office, department, division, or other component of a school that is officially authorized or designated by the school to: Enforce any local, state, or federal law, or refer to appropriate authorities a matter for enforcement of any law against any individual or organization other than the school itself; or Maintain the physical security and safety of the school. Examples include: Unit of commissioned police officers; Unit of non-commissioned security guards; Fully equipped police units; Smaller security office; Vice-principal or other school officer; Local off-duty police officer; School resource officer.

  15. Definition: Directory Information Generally would not be considered harmful or an invasion of privacy if disclosed; May include: Name, address, phone number, and email address; Photograph; Date and place of birth; Most recent school attended; grade level and major field of study; Dates of attendance; Participation in officially recognized sports and activities; Height and weight of athletes; Degrees, honors, and awards received.

  16. Directory Information, Continued: Can never include Social Security Number. Cannot disclose non-directory information with directory information. Annual notice must be given to parents defining what directory information is. School may adopt a limited directory information policy that allows for the disclosure of directory information to specific parties, for specific purposes, or for both (e.g. school pictures). Parents must have the option to opt out of the disclosure of directory information. Yearbook policy exception for those who opt out.

  17. Inspection and Review of Educational Records FERPA Requirements: Comply within 45 days; School may not destroy records if a request for access is pending; Generally only requires the school to give copies if failure to do so would effectively deny access, or make other arrangements to inspect and review; i.e. parent or student who does not live within a commuting distance

  18. Procedures for Amending Education Records Parent or student identifies portion of record believed to contain inaccurate or misleading information; School must decide within a reasonable period of time whether to amend as requested (no definition is given of reasonable period of time so your policy needs to make this definition); If school decides not to amend, must inform parent or eligible student of right to a hearing; After a hearing, if decision is still not to amend, parent or eligible student has a right to insert a statement in the record; Typical amendments include final grades, attendance, and possibly discipline.

  19. Pop Quiz A police officer shows up at the main office of a school and asks if a certain student is in attendance. The officer does not have a search warrant or a subpoena and wants to speak with the student regarding some gang violence that occurred three weeks ago. Can the school tell the officer whether or not the student is in attendance?

  20. Pop Quiz A math teacher wants to post the statistics from his latest test and runs a report that has the names, scores, gender, and race/ethnicity of the students. He wants to preserve the privacy of the students so he deletes the column with student names. Is what he did okay?

  21. Data Disclosure: Protecting Student Privacy in Public Reports. PII under FERPA for purposes of data disclosure includes: Name; Name of parents or other family members; Address; Personal identifier (SSN, student ID #); Other indirect identifiers (e.g. date or place of birth); Other information that, alone or in combination, is linked or linkable to a specific student and would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

  22. Data Disclosure Definitions Disclosure means to permit access to or the release, transfer, or other communication of PII by any means. It can be authorized through written consent. Unauthorized or inadvertent disclosures are the most common and most difficult to deal with. Reasonable person is a hypothetical, rational, prudent, average individual in the school community who does not have personal knowledge of the relevant circumstances; school officials, including teachers, administrators, coaches, and volunteers, are not included. Be careful with how you define volunteer.

  23. Ways to Avoid Data Disclosure, a.k.a. Disclosure Avoidance: Suppression: Removing data to prevent the identification of individuals in small cells or with unique characteristics (remove the pirate sub-category); Blurring: Reducing the precision of data that is presented to reduce the certainty of identification; Perturbation: Making small changes to the data to prevent identification of individuals from unique or rare characteristics.

  24. Disclosure Avoidance: Define and implement a policy (waiting on state sample and additional guidance); Conduct a risk analysis; Make sure that if various agencies are releasing data that information cannot be combined to identify students; Train teachers; DropBox example.

  25. What Data Needs to Be Protected? Student Information Systems; Productivity Applications; Educational Applications; Fundamental School Services.

  26. Data Security: FERPA is a floor, not a ceiling, and does not provide guidance because it was written in 1974 and today's issues could not be imagined or anticipated. Online Educational Services that require electronic data security include: Computer software, including mobile apps and web-based tools; Provided by a third-party to a district or school; Accessed via the internet by students and/or parents; AND Used as part of a school activity.

  27. Data Security Challenges and Issues: Click-wrap agreements; Policy creation, training, and effective implementation; Terms of Service updates and protocols; 15-50 bugs per 1,000 lines of code, so nothing is completely secure. Self-Inflicted Wounds: What are your policies and procedures? Lost hardware; Security misconfiguration; Phishing; Insecure wi-fi; Careless browsing. Hacks and Data Breaches in Utah School: Phishing is the biggest problem in Utah right now; Improper redaction is a cause of data disclosure problems in many cases.

  28. Utah HB 358: Districts and schools must have provisions in contracts with third party vendors that have: Requirements and restrictions related to the collection, use, storage or sharing of student data; Description of people who have access and who they will share the data with; Provisions for deletion of data by the third party; Prohibitions on secondary use of the data; Audit clauses. EVERY SCHOOL IN THE STATE IS LIKELY IN VIOLATION OF HB 358 because teachers are using click-wrap apps without contracts!

  29. Freemium Educational Services: To be in compliance with FERPA, you either need a signed parental consent OR meet all of the following criteria for an exception: Direct Control; Consistent with annual FERPA notice provisions; Authorized use; Includes limits on re-disclosure. These services may introduce security vulnerabilities to your system, so use with prudence. Put proper policies in place, train regularly, and monitor compliance.

  30. Best Practices for Protecting Student Privacy Maintain awareness of all relevant laws. Be aware of which online educational services are currently being used in your school and make sure they are in compliance with school policy. Have policies and procedures to evaluate and approve proposed educational services. When possible, use a written contract or legal agreement. Be transparent with parents and students. Consider that parental consent may be appropriate.

  31. Resources http://www.schools.utah.gov/data/Security-Privacy.aspx This site includes a number of links to helpful sites, contact information for Dr. Phillips, as well as the PDF copies of the original state training.
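
Slide 8 notes that anonymizing is rarely enough to de-identify data, and slide 23 names suppression and blurring as remedies. The Python below is an added example, not part of the original presentation: it finds the small cells left in a report after names are removed, then builds an aggregate report with those cells suppressed and scores blurred into bands. The sample rows, the column names and the minimum cell size of 3 are constructed assumptions; the presentation states no threshold.

```python
from collections import Counter

# Constructed sample: a test-score report after the name column was deleted.
ROWS = [
    {"gender": "F", "ethnicity": "Hispanic", "score": 91},
    {"gender": "F", "ethnicity": "Hispanic", "score": 84},
    {"gender": "F", "ethnicity": "Hispanic", "score": 77},
    {"gender": "M", "ethnicity": "White", "score": 68},
    {"gender": "M", "ethnicity": "White", "score": 72},
    {"gender": "M", "ethnicity": "White", "score": 81},
    {"gender": "F", "ethnicity": "White", "score": 88},
    {"gender": "F", "ethnicity": "White", "score": 90},
    {"gender": "M", "ethnicity": "Pacific Islander", "score": 55},
]
QUASI_IDENTIFIERS = ("gender", "ethnicity")  # indirect identifiers left in the report
MIN_CELL = 3  # assumed minimum cell size; the presentation does not give one

def cell_of(row):
    return tuple(row[k] for k in QUASI_IDENTIFIERS)

def risky_cells(rows, min_cell=MIN_CELL):
    """Cells so small that a row can be tied to a student without any name."""
    sizes = Counter(cell_of(r) for r in rows)
    return {cell: n for cell, n in sizes.items() if n < min_cell}

def blur(score, width=10):
    """Blurring: report a band instead of the exact value."""
    low = (score // width) * width
    return f"{low}-{low + width - 1}"

def publishable_report(rows, min_cell=MIN_CELL):
    """Aggregate per cell, suppress small cells, blur the mean of the rest."""
    scores = {}
    for r in rows:
        scores.setdefault(cell_of(r), []).append(r["score"])
    report = {}
    for cell, vals in scores.items():
        if len(vals) < min_cell:
            report[cell] = {"n": f"<{min_cell}", "score_band": "suppressed"}
        else:
            report[cell] = {"n": len(vals), "score_band": blur(sum(vals) // len(vals))}
    return report

if __name__ == "__main__":
    print("small cells:", risky_cells(ROWS))
    for cell, row in publishable_report(ROWS).items():
        print(cell, row)
```

Publishing a total alongside this table lets a single suppressed cell be recovered by subtraction, so totals need the same treatment.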
