““We’re From the Government and We’re Here to Help We’re From the Government and We’re Here to Help You”You”

Privacy Initiatives at the Privacy Initiatives at the U.S. Department of EducationU.S. Department of Education

January 25, 2012EDUCAUSE Webinar

Kathleen M. Styles, Chief Privacy OfficerMichael B. Hawes, Statistical Privacy Advisor

Presentation OverviewPresentation Overview

Overview of changes to FERPA regulations Privacy initiatives at ED Priorities for 2012 Interactive polls throughout

2

POLL #1POLL #1

We’re presuming most of you are in the postsecondary community. Which part of the postsecondary community do you work in specifically?

A. ITB. Registrar/Administration/AdmissionsC. FacultyD. Other postsecondary roleE. Your assumption is wrong! I’m not part of the

postsecondary community

3

Background: Student PrivacyBackground: Student Privacy

FERPA enacted 1974 Move to electronic records State longitudinal databases 2009 Fordham report New risks and vulnerabilities

4

Breaches by Educational Breaches by Educational InstitutionsInstitutions

All varieties: hacking, loss of portable device, unintentional, insider breach, etc.

YearNumber of Breaches

Number of Records

2005 64 1,886,8412006 103 2,019,1192007 107 791,9382008 103 1,107,0012009 71 1,062,2752010 73 1,575,698

2011 57 394,008

Source: Privacy Rights Clearinghouse5

6

Received in an email:

“You know how sometimes FERPA can tie your brain in a knot trying to

think through it all?” 

Our Favorite FERPA QuoteOur Favorite FERPA Quote

Poll #2Poll #2

Question: Which answer best characterizes your prior experience with FERPA?

A. I’m a pro! I work with the statute and regs all the timeB. I work with FERPA, but find it confusingC. I know what FERPA is, but don’t work with it oftenD. FERPA? What’s FERPA?

7

FERPA & Postsecondary EdFERPA & Postsecondary Ed

FERPA Basics Health and safety emergencies Intersection with state and local laws

8

Early 2011 – ED Privacy Early 2011 – ED Privacy Initiatives BeginInitiatives Begin

• FERPA Notice of Proposed Rulemaking• Best Practices -- NCES Technical Briefs• Privacy Technical Assistance Center (PTAC)• Chief Privacy Officer

9

Late 2011: Building on ProgressLate 2011: Building on Progress

• Regulatory changes• PTAC best practice documents• Privacy Advisory Committee• Soliciting input

10

FERPA Regulatory Changes FERPA Regulatory Changes

274 Comments received Final FERPA regulatory changes

– December 2, 2011 Federal Register– Effective January 3, 2012

The new regulations serve to:– Strengthen enforcement– Help ensure student privacy– Improve program effectiveness

11

New Definitions for Audits and New Definitions for Audits and EvaluationsEvaluations

Authorized Representative– Any entity or individual designated by a State or local educational authority

or an agency headed by an official… to conduct—with respect to Federal- or State-supported education programs—any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs (FERPA regulations, § 99.3).

Education Program– Any program principally engaged in the provision of education, including, but

not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution (FERPA regulations § 99.3).

12

FERPA Regulatory Changes – FERPA Regulatory Changes – Audit and EvaluationAudit and Evaluation

Authorized Representative Written Agreements Reasonable Methods “Guidance on Reasonable Methods and Written

Agreements”

13

FERPA Regulatory Changes – FERPA Regulatory Changes – Studies ExceptionStudies Exception

State educational authorities acting on behalf of their constituent schools

Requirement for written agreements

14

POLL – Directory InformationPOLL – Directory Information

Does your institution currently have a directory information policy?A. Yes, we have a directory information policyB. Sort-of. We have a policy, but it could use improvementC. No, we don’t have a directory information policyD. Directory information? What’s that?

15

FERPA Regulatory Changes – FERPA Regulatory Changes – Directory InformationDirectory Information

ID badges Limited directory information

16

POLL – FERPA and Directory POLL – FERPA and Directory InformationInformation

In light of the recent FERPA reg changes, do you think your institution will change its directory information policy?A. YesB. MaybeC. NoD. We don’t have a policy

17

FERPA Regulatory Changes - FERPA Regulatory Changes - EnforcementEnforcement

Enforcement against entities without students 5 year ban

18

Priorities for 2012Priorities for 2012

Guidance and Best Practices Inter-Agency Collaboration Publishing Data While Protecting PII

19

Guidance!Guidance!

PTAC Initiatives– Move to CPO Office– Expansion to LEAs– Coordination with FPCO– Site visits and regional meetings– Helping organizations come into compliance

Guidance Documents and Training ResourcesCase studies

20

Best Practices and Guidance Best Practices and Guidance ResourcesResources

Guidance on Reasonable Methods and Written Agreements Data Stewardship: Managing Personally Identifiable Information in Electr

onic Student Education Records Basic Concepts and Definitions for Privacy and Confidentiality in Student

Education Records Responding to IT Security Audits: Improving Data Security Practices Data Security: Top Threats to Data Protection Data Security Checklist Data Governance and Stewardship Data Governance Checklist Data Security and Management Training: Best Practice Considerations

21

Inter-Agency CollaborationInter-Agency Collaboration

Agriculture: Free and reduced price lunch data Federal Trade Commission: Child ID theft Health and Human Services: Early Childhood

programs Department of Justice: Patriot Act amendments to

FERPA

22

Data Release PolicyData Release Policy

Utility vs. privacy in data tables Disclosure avoidance in an information-rich world A need for more uniformity and rigor Strong public interest Data Release Working Group

23

Unsettled QuestionsUnsettled Questions

Cloud Computing Video Recordings Email

24

Privacy AND TransparencyPrivacy AND Transparency

Culture of confidentiality Maintaining transparency

25

Have Questions?Have Questions?

26

Family Policy Compliance Office

Telephone: (202) 260-3887

Email: FERPA@ed.gov

FAX: (202) 260-9001

Website: www.ed.gov/fpco

Privacy Technical Assistance Center

Telephone: (855) 249-3072

Email: privacyTA@ed.gov

FAX: (855) 249-3073

Website: www.ed.gov/ptac

Contact InformationContact Information

27

Poll - FeedbackPoll - Feedback

Question: How helpful did you find today’s webinar?

A. Very helpful! B. Somewhat helpful. C. Not at all helpful.

28