FERPA Update

Embed Size (px)

DESCRIPTION

FERPA Update. February 13-14, 2012 National Forum on Education Statistics San Diego, California. Kathleen M. Styles Chief Privacy Officer U.S. Department of Education. Presentation Overview. A long and winding road: What we’ve been up to Overview of changes to FERPA regulations - PowerPoint PPT Presentation

Text of FERPA Update

Were From the Government and Were Here to Help You Privacy Initiatives at the U.S. Department of Education

FERPA UpdateFebruary 13-14, 2012National Forum on Education StatisticsSan Diego, California

Kathleen M. StylesChief Privacy OfficerU.S. Department of Education1Presentation OverviewA long and winding road: What weve been up toOverview of changes to FERPA regulationsCase studies: Real world hypotheticalsPriorities for 2012Your feedback

2When Last We Talked .The situation at the July, 2011 STATS Conference:

Me: Almost brand newFERPA regulation changes: GestatingED Data Release Working Group: Learning to walkPTAC: Hitting their stride

3Breaches by Educational InstitutionsAll varieties: hacking, loss of portable device, unintentional, insider breach, etc.YearNumber of BreachesNumber of Records2005641,886,84120061032,019,1192007107791,93820081031,107,0012009711,062,2752010731,575,698201157394,008Source: Privacy Rights Clearinghouse44What Weve Been Up ToIm proud that we Published amended FERPA regulations on 12/1/2012 Issued a lot of guidance and best practices documentsResumed FERPA trainingIncreased the coordination between PTAC and FPCOStarted a 2-way line of communication

I am challenged with Persistent, tough data release issuesThe mountain of work yet to do

5

Best Practices and Guidance ResourcesGuidance on Reasonable Methods and Written AgreementsData Stewardship: Managing Personally Identifiable Information in Electronic Student Education RecordsBasic Concepts and Definitions for Privacy and Confidentiality in Student Education RecordsResponding to IT Security Audits: Improving Data Security PracticesData Security: Top Threats to Data ProtectionData Security ChecklistData Governance and StewardshipData Governance ChecklistData Security and Management Training: Best Practice Considerations

and more on the way667You know how sometimes FERPA can tie your brain in a knot trying to think through it all?

Our Favorite FERPA Quote

Received in an email to PTAC7FERPA Regulatory Changes 274 Comments receivedFinal FERPA regulatory changes December 2, 2011 Federal RegisterEffective January 3, 2012 The new regulations serve to:Strengthen enforcementHelp ensure student privacyImprove program effectiveness88FERPA Regulatory Changes Studies ExceptionState educational authorities acting on behalf of their constituent schoolsRequirement for written agreements

But remember! Studies ResearchThere is no Research Exception under FERPA910FERPA Regulatory Changes Studies ExceptionOLD INTERPRETATIONNEW INTERPRETATION10New Definitions for Audits and EvaluationsAuthorized RepresentativeAny entity or individual designated by a State or local educational authority or an agency headed by an official to conductwith respect to Federal- or State-supported education programsany audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs (FERPA regulations, 99.3). Education ProgramAny program principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution (FERPA regulations 99.3).

11FERPA Regulatory Changes Audit and EvaluationRequirement to use reasonable methodsWritten agreements mandatoryGuidance on Reasonable Methods and Written Agreements12FERPA Regulatory Changes Directory InformationID badges Limited directory information 13FERPA Regulatory Changes - EnforcementEnforcement now allowed against entities without studentsFive year ban extended to audit and evaluation exception1415FERPA Regulatory Changes EnforcementOLD INTERPRETATIONNEW INTERPRETATION15Case Study 1: High School Feedback ReportSFSF requirement: publish data on student success in collegeAssume functional K-12 SLDSAssume Higher Education Governing Board with public postsecondary informationAccomplish using audit/evaluation exception and written agreementUse reasonable methods and select best practices

16Case Study 2: Head Start ProgramLocal community action organization operates an HHS-funded Head Start programThe Head Start program wants to evaluate how well it is preparing children for school in K-3Assume functional K-12 SLDS As a federally funded education program the Head Start program uses the audit/evaluation exceptionWritten agreement/Reasonable methods/Best practicesAnd dont forget the recordation requirement

17Case Study 4: Technical AssistanceHigh school health clinics run by city health department Research organization wants to conduct both a health and an educational assessmentLEA is concerned about FERPA and contacts PTACPTAC conducts site visit, consults with FPCO, and makes best practices recommendationsNew agreements executed, following guidanceFPCO concludes that the LEA is in compliance

1818Priorities for 2012Expansion of PTAC to LEAsMore guidance and best practices:Formal ED guidancePTAC best practices guidanceCase studiesFAQs, etc. Inter-agency collaborationPublishing data while protecting PIIPrivacy and transparency

1919Prioritizing GuidanceWe cant do it all! Priorities for 2012 include:Template or checklist for written agreementsEmail and electronic transmission of PIIVideo which ones are education records?Joint guidance with USDA on FRPL dataBreach response checklistBest practices for transparencyDistinctions between de-identified and aggregate data

2020Longer Term Projects:Student government records are they education records?Guidance on responding to subpoenas and court ordersUpdating 1997 publication on FERPA in the juvenile justice systemExternal researcher accessId like your input too

21222012 PTAC InitiativesExpansion to LEAsCoordination with FPCOHelping organizations come into complianceStatistical and data security expertsSite visits and regional meetingsBest practices guidance documents and training materialsCompliance vs. transparency22Inter-Agency CollaborationAgriculture: Free and reduced price lunch data Federal Trade Commission: Child ID theftHealth and Human Services: Early childhood programs and foster childrenDepartment of Justice: Patriot Act amendments to FERPAUpdating 1997 juvenile justice guidanceResponding to subpoenas and court orders 23Publishing Data While Protecting PIIUtility vs. privacy in data tablesDisclosure avoidance in an information-rich worldTechnical Brief 3 and strong public interestA need for more uniformity and rigor Data Release Working Group

24Beware!Expect a 2012 update of:Childrens Educational Records and Privacy: A Study of Elementary and Secondary School State Reporting Systems, Fordham Center on Law and Information Policy, 2009.Transparency is keyDont forget about your contractsPTAC will be reaching out to help you2525Key Messages to Take HomeParents should be able to find basic information on your website about what you are doing with their childrens data and how you are protecting it.

Be proud! If youre learning important things from student data, publish those results.

26If youre staying for the MIS Conference .Wednesday, 10:15 a.m. (Nautilus 1):PTAC and FPCO: Moving Forward Under the New FERPA RegulationsThursday, 10:00 a.m. (Nautilus 5): Protection of Personally Identifiable Information Through Disclosure Avoidance Techniques

2727Contact Information28Kathleen M. StylesChief Privacy OfficerU.S. Department of EducationKathleen.styles@ed.gov(202) 453-5587Questions and CommentsYour feedback helps us prioritize our work better. What questions, comments, or concerns do you want to discuss?29