Privacy Technical Assistance Center (PTAC)—Frequently

Asked Questions

Emily Anthony, NCES

Baron Rodriguez, AEM

Anthony Bargar, ESS

Tom Szuba, QIP

FAQ

s

2

• The Privacy Technical Assistance Center (PTAC) is part of ED’s comprehensive privacy initiative:

- Chief Privacy Officer

- Technical Briefs- NPRM

What is the Privacy Technical Assistance Center?

• Run in conjunction with SLDS program; extension of SLDS TA efforts:

- Webinars, best practice briefs

- Site visits, TA experts, PEN

What is PTAC?

• Proactive, central, “one-stop” TA• best practices resources on privacy and data security

• PTAC vs. FPCO• PTAC: Technical Assistance• FPCO: Administers FERPA, authority over

FERPA violations & regulations

• Primary audience: State and Local LDS

3

4

• The Privacy TA Center is designed to provide states with:

• A set of tools, resources, and other opportunities for states to receive assistance with privacy, security, and confidentiality of student-level longitudinal data systems.

• A means for states to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.

• A focal point for queries and responses to the privacy-related needs of state education agencies (SEAs), local education agencies (LEAs), and institutions of higher education (IHEs) in a confidential, safe environment.

• A set of resources to promote compliance with FERPA and other best practices for ensuring the confidentiality and security of personally identifiable information.

PTAC Mission

PTAC Resources

5

FAQ Background

• ED recognizes that SEAs, LEAs, and IHEs engaged in building SLDSs are asking similar questions about privacy, confidentiality, and security issues.

• What is needed? Technical assistance that includes responses to frequently asked questions (FAQs) that are:

• Accurate• Consistent• Timely• User-friendly (clear, concise, and actionable)

6

FAQs – Points of Emphasis

• To establish a single authoritative source for information pertaining to education data privacy, confidentiality, and security.

• Audience appropriate• Useful and timely

• e.g., quarterly as systems mature, guidance changes, data use evolves, and new questions arise

• Trusted sources: • existing guidance from ED (e.g., NCES Technical Briefs)

• best practices from the education data community

• other industries

7

FAQs – Current Topic Areas

• About PTAC

• FERPA (Family Educational Rights and Privacy Act)• Disclosure, Consent, and Annual Notification• Record Requests, Review, and Amendment• Health, Safety, and Disaster Disclosures

• Ensuring the Privacy, Security, and Confidentiality of Education Records• e.g., NCES Technical Briefs, other Industries

• Glossary of Terms

8

Example FAQs – About PTAC

• Q) Where can I send questions on privacy, confidentially, and security topics related to longitudinal data systems?

A) Questions on data privacy, data confidentiality, and cybersecurity can be sent to the PTAC Help Desk. A Help Desk staff member will review your question and send an email to confirm receipt of your question within 24 hours. Any question that PTAC staff cannot answer will be sent to other offices at ED such as the Family Policy Compliance Office (FPCO) and the Office of General Counsel (OGC). PTAC will work with those offices to provide an answer to your question.

• Q) How can I request technical assistance from PTAC?

A) PTAC staff will be conducting a limited number of technical assistance visits to states each year. You can request on-site technical assistance by filling out the request form. Additionally, you can send questions of privacy, confidentiality, and security matters to the PTAC Help Desk using that form or by emailing them to PrivacyTA@ed.gov.

9

Example FAQ - FERPA

• Q) What is FERPA?

A) The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules. FERPA affords parents the right to inspect and review their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. To protect a student’s privacy, the law generally requires written consent from parents before disclosing a student’s personally identifiable information to individuals or entities not approved under law. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (an “eligible student"). The FERPA statute is found at 20 U.S.C. § 1232g, and the FERPA regulations are found at 34 CFR Part 99.  

10

Glossary of Terms

• Student

FERPA regulations define student as any individual who is or has been in attendance at an educational agency or institution and regarding whom the agency or institution maintains education records. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.

• Eligible Student

FERPA defines an eligible student as a student who has reached 18 years of age or is attending a postsecondary institution at any age. This means that, at the secondary level, once a student turns 18, all the rights that once belonged to his or her parents transfer to the student. However, a secondary school or postsecondary institution may still provide an eligible student’s parents with access to education records, without the student’s consent, if the student is claimed as a dependent for IRS tax purposes or other exceptions apply. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, §99.3, 99.5 and 99.31, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.

11

Example FAQ - FERPA• Q) Are there exceptions to FERPA’s consent requirement that would permit a school to disclose personally

identifiable information on affected students in the case of a health or safety emergency?

A) Yes. FERPA permits school officials to disclose, without consent, education records, or personally identifiable information from education records, to appropriate parties in connection with an emergency if knowledge of that information is necessary to protect the health or safety of the student or other individuals. This exception to FERPA’s general consent requirement is limited to the period of the emergency and generally does not allow for a blanket release of personally identifiable information from the student’s education records. Typically, law enforcement officials, public health officials, trained medical personnel, and parents (including parents of an eligible student) are the types of appropriate parties to whom information may be disclosed under this FERPA exception.

If, for example, public health authorities determine that a pandemic, such as tuberculosis or H1N1 flu, is a significant threat to a particular community, a school in that community may determine that an emergency exists, (note that such an emergency does not include the threat of a possible or eventual emergency for which the likelihood of occurrence is unknown, which would be addressed in general emergency preparedness activities). Under this health or safety emergency provision, an educational agency or institution is responsible for making a determination whether to make a disclosure of personally identifiable information on a case-by-case basis, taking into account the totality of the circumstances pertaining to the threat. If the school district or school determines that there is an articulable and significant threat to the health or safety of the student or other individuals and that certain parties need personally identifiable information from education records to protect the health or safety of the student or other individuals, it may disclose that information to such appropriate parties without consent.

For more information, see the Family Educational Rights and Privacy Act (FERPA) and H1N1 (October 2009), available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferpa-h1n1.pdf.

12

Example FAQs - FERPA

• Q) If a student or parent requests to view records under FERPA, how long can a school take to provide access to those records? Does FERPA dictate the length of time to reply for such a request?

A) An educational agency or institution is required to comply with a request for access to education records within a reasonable period of time, but no more than 45 days after it has received the request. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.10, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.

• Q) May an educational agency or institution charge a fee for copies of education records?

A) Unless the imposition of a fee effectively prevents a parent or eligible student from exercising the right to inspect and review the student's education records, an educational agency or institution may charge a fee for a copy of an education record which is made for the parent or eligible student. A fee may not be charged to search for or to retrieve the education records of a student. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.11, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.

13

Example FAQs – About the NPRM

• Q) Does the U.S. Department of Education (Department) intend to release an NPRM on the Family Educational Rights and Privacy Act?

A) As announced in the December 20, 2010 Office of Management and Budget’s Unified Regulatory Agenda, the Department of Education (Department), through the Family Policy and Compliance Office, intends to propose changes to the Family Educational Rights and Privacy Act (FERPA) regulations.

• Q) What is an NPRM?

A) A Notice of Proposed Rulemaking (NPRM) is a public notice issued by law when a Federal agency wishes to add, remove, or change a rule or regulation as part of the rulemaking process. The proposed rule, or NPRM, is the official document that announces and explains the agency's plan to address a problem or accomplish a goal. All proposed rules must be published in the Federal Register to notify the public and to give them an opportunity to submit comments. The proposed rule and the public comments received on it form the basis of the final rule.

14

Example FAQ – Ensuring Privacy

• Q) What is personally identifiable information?

•  A) Personally identifiable information, as defined in FERPA, includes, but is not limited to:

• a student's name;

• the name of the student's parent or other family members;

• the address of the student or student's family;

• a personal identifier, such as the student's Social Security number, student number, or biometric record;

• other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;

• other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and

• information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

15

Glossary of Terms

• Biometric Record

FERPA regulations define a biometric record as one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.

• Indirect Identifier

Indirect identifiers include information that can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors. Other examples of indirect identifiers include place of birth, race, religion, weight, activities, employment information, medical information, education information, and financial information. See also Direct Identifier. For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records, available at http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011601.

16

Example FAQ – Ensuring Privacy• Q) What are basic internal control procedures?

A) Protecting personally identifiable information warrants appropriate administrative, technical, and physical security safeguards against loss, unauthorized access or use, destruction, modification, and unintended or inappropriate disclosure. A variety of internal controls can be employed to strengthen the management of personally identifiable data, including:

• assigning unique student identifiers to preserve the integrity of an individual’s records and personally identifiable information in longitudinal electronic data systems;

• ensuring that only authorized staff have access to personally identifiable information from student records on a “need-to know” / “legitimate educational interest” basis;

• establishing policies and operating rules for appropriate data use, such as rules clarifying permissible and prohibited use, practices for protecting personally identifiable information when it is in the possession of authorized users, and procedures for guaranteeing the destruction of records (and copies) at the end of a period of authorized use; and

• planning responses to potential data breaches by establishing procedures for reporting known or suspected breaches, analyzing the causes and impact of breaches, and notifying affected individuals.

• For more information, see the SLDS Technical Brief: Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records, available at http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011602.

17

Feedback

• Confirming Direction

• Audience• SEAs (SLDS)• LEAs• IHEs• Schools• Other (Parents?)

• Tone/Voice/Content• Legal versus conversation voice• Definitional versus actionable• Depth versus brevity• Use of examples

18

Feedback

• Suggestions for New FAQs and Topic Areas?

• SLDS• Cybersecurity• Other security (physical, access, etc.)• SEAs, LEAs, Schools• Early childhood, IHEs, Workforce• Others…

19

Feedback

20

How can PTAC help you?

What are your needs?

What products/services would be helpful?

How to suggest new FAQs or communicate other needs

• Website • http://nces.ed.gov/programs/ptac/

• Help Desk• PrivacyTA@ed.gov• Toll Free Phone: 855-249-3072• Toll Free FAX: 855-249-3073

• National Meetings (SLDS, MIS, Summer Data Conference)

• Regional Meetings

• Site Visits

21

Website: http://nces.ed.gov/programs/ptac/

• Request assistance

• Upcoming events

• Subscribe to email list

• Recent relevant ED publications

• Privacy TA Center publications

• Best practice guidelines

• Frequently Asked Questions

• Latest FERPA news

• Other on-line recommended resources

22

Important Next Steps – FERPA NPRM

• Q) How and when can the public comment on an NPRM?

A) Public comments on the proposed rule are extremely valuable to help inform the final policy. To ensure that public comments are considered, it is critical that individuals and organizations submit their comments according to the instructions and within the timeframe specified in the NPRM. The public comment period is typically between 30 and 60 days - a deadline will be included in the Federal Register when the NPRM is published. During the public comment period, Department officials may also hold public hearings or Webcasts to encourage additional feedback on the NPRM.

• http://www.gpoaccess.gov/fr/

23

EVENTS

Regional Meetings

• Northeast/West Regional Meeting – EIMAC, Washington, DC – April 18th.• Tentative Agenda

• Latest on FERPA/NPRM• Guest speakers: ED Chief Privacy Officer, and/or Melanie Muenzer• Cyber Security session • State Privacy & Security Roundtables• Best practice sessions from fellow states (ideas?)

• Midwest Regional: June/July – Chicago or Detroit

• Southern Regional: August/September – Atlanta

For more information…

• Website• http://nces.ed.gov/programs/PTAC/

• Help Desk• PrivacyTA@ed.gov• Toll Free Phone: 855-249-3072• Toll Free FAX: 855-249-3073

• NCES• Emily.Anthony@ed.gov

• Best Practices in Data Protection & Cyber Security Thur. 2:45 pm (Salon J)

25

Privacy Technical Assistance Center (PTAC)—Frequently

Asked Questions

Emily Anthony, NCES

Baron Rodriguez, AEM

Anthony Bargar, ESS

Tom Szuba, QIP

FAQ

s

Thank You for Participating