protecting the privacy of student information—ferpa 101 privacy technical assistance center
TRANSCRIPT
Protecting the Privacy of Student Information—FERPA 101
Privacy Technical Assistance Center
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Disclaimer• This presentation is intended to discuss the current FERPA
regulations and recent changes. • It is NOT intended to interpret or provide comment on whether sharing of data with other agencies is permissible
under other federal, state, or local laws.• State and local laws may have MORE stringent protections
around privacy and security of education data and other state agency associated data. Remember that for student education data containing PII, FERPA is the floor, not the ceiling, regarding the protection of the privacy of student
education records.
• FERPA Basics and Definitions• Transparency• Data Threats• Data Security Best Practices• Recent Documentation• PTAC’s Website• Questions
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Overview of Today’s Presentation
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
The Family Education Rights Privacy Act (FERPA)
• What is FERPA?• Introduction to FERPA
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Here’s FERPA in Writing
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to consent to the disclosure of personally identifiable information from education records, except as provided by law.
When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”).
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Key Terms
FERPA protects the privacy of students by restricting access to records that contain Personally Identifiable Information (PII).
FERPA does not permit the Disclosure of PII from education records without consent, except under certain Exceptions.
FERPA requires that Reasonable Methods be used to protect the integrity and security of the data being maintained at the school or district.
FERPA does permit the disclosure of certain types of PII that is previously designated as Directory Information by the school or district.
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Personally Identifiable Information
• What is Personally Identifiable Information (PII)?
PII is information from education records that would make the student’s identity easily recognized (by itself or in combination with other factors).
Some examples of PII:
• Full Name• Student ID Number• Grade Level AND Race/Ethnicity
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Disclosure
• Disclosure means to permit access to or the release, transfer, or other communication of PII by any means. Disclosure can be authorized, such as when a parent or an eligible student gives written consent to share educational records with an authorized party, such as a researcher. Disclosure can also be unauthorized or inadvertent (accidental).
• FERPA and other federal statues, such as PPRA, restrict the release or collection of different types of sensitive information without prior consent
• Under FERPA, parents and eligible students have the right to consent to disclosures of PII
• Rights must be described in the Annual FERPA Notice
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
What standard is used to evaluate disclosure risk?
• Can a “reasonable person” in the school community who does not have personal knowledge of the relevant circumstances identify an individual in the publicly released data with reasonable certainty? • Paraphrased from 34 CFR §99.3 and §99.31(b)(1)
• The “reasonable person” standard • Hypothetical, rational, prudent, average individual in the school
community• Does not have personal knowledge of the relevant
circumstances • School officials, including teachers, administrators, coaches,
and volunteers, are not included
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Senate Bill No. 1372Idaho Code 33-133
• Local laws apply to student privacy as well, and work in conjunction with FERPA to bolster baseline privacy protections provided by the statute.
• This bill, passed by the Idaho State Senate, calls on the Idaho Board of Education to create and oversee policies and data security plans to govern student data systems and authorized access to student data.
• The bill defines “student data” and “education record” and specifies what types of information can be considered under those headings.
• The bill prohibits any “secondary uses” of student data, including but not limited to sales, marketing or advertising, while allowing the vendor to use data to maintain the product itself
• And includes a requirement that the vendor disclose — in detail — any planned secondary uses of student data, including but not limited to sales, marketing or advertising. The board must then obtain parental consent for these uses prior to the start of the vendor contract.
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Why Transparency?
Rise in public discourse on data and student privacyRise in misinformation and confusion about the issues
State-level legislative action to restrict data collection, use, and sharing
In the absence of information, people willassume the worst
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Transparency – What is Required?
• FERPA requires certain information be provided to parents including:• Annual notification listing rights under FERPA including:
• Right to inspect and review their education records• Procedure for exercising that right• Criteria for what constitutes a “School Official” and “Legitimate Educational
Interest”
• Directory Information Policy including• Types of information designated as directory information• Opt out provisions
• PPRA requires districts notify parents of their rights annually
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Approaches to Parental Inquiries
• Keep communications open• Review inquiries, concerns, suggestions in a
thoughtful manner• Timely responses• Periodically review old inquiries/resolutions to
improve communication/transparency efforts
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
FERPA & Data Security
FERPA was written back in 1974 when:
• Average house price was $38k
• Average income was $11k
• Federal spending was “only” $269B
• You could buy a PC for the low, low price of $20k
And…
• Disco was cool (think about it)
• Education records were papers in the principal’s office
FERPA is a survivor because it is not prescriptive. It doesn’t tell you how to protect student data from disclosure, only that you must use “reasonable methods” to protect it.
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
FERPA & Data SecurityFERPA is everywhere in IT, sometimes masquerading as plain old good common sense:
• FERPA just lays out the expectations, but leaves the details the experts… that’s you
• Being compliant with FERPA can sometimes be as easy as having solid IT policy and good data management practices
• The $64,000.00 question is
Do you have solid IT policy & good data management practices?
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
FERPA & Data Security
What is a good Data Security program?
Strong security policy & governance structure that establishes a framework for managing risk to information systems and data
Sets standards & procedures which implement generally accepted data security best practices and controls
Manages system and data lifecycle, procurement, maintenance and decommissioning
Measures program effectiveness against baseline standards
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
FERPA & Data Security
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Protecting Student Privacy while Using Online Educational Services
• Schools and districts are increasingly contracting out school functions such as Student Information Systems
• Many online services do not utilize the traditional 2-party written contractual business model
• Increasing concern about the commercialization of personal information and behavioral marketing
• As educators we need to use that data effectively and appropriately, while still protecting students’ privacy
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Is student information used in online educational services protected by FERPA?
• It depends!
• Some data used in online educational services is protected by FERPA.
• Other data may not be.
• Schools and Districts will typically need to evaluate the use of online educational services on a case by case basis to determine if FERPA-protected information is implicated.
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
What does FERPA require if PII is disclosed to a provider?
• Parental consent for the disclosure; OR
• Disclosure is permitted under one of FERPA’s exceptions to the consent requirement. Typically, either:• Directory Information exception
• Remember parents’ right to “opt-out”• School Official exception
• Annual FERPA notice• Direct control• Use for authorized purposes only• Limitation on re-disclosure• Remember parents’ right to access their student’s education
records
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Threats to Education Data
Organized Criminal Enterprises
• Criminal hackers and scammers
• 100+ billion dollars a year
• Most damaging attacks involve web based applications and insiders
• Responsible for most external data breaches
• Botnets, malware, data breaches
• They will not advertise their success
• Most breaches are discovered long after the damage is done
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Threats to Education Data
Hacktivism* Hacktivism (a portmanteau of hack and activism) is the use of computers and computer networks as a means of protest to promote political ends.
* http://en.wikipedia.org/wiki/Hacktivism
• Motivated by ideology or political agenda
• Largely decentralized, ad hoc organizational structure
• Favor DDoS, Phishing and Application attacks
• Historically focus on industrial, financial and political targets
• Increasingly targeting schools and school districts
• Hacktivists want to tell everybody about their exploits
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Threats to Education Data
Nation-State Threats
• Cyber-espionage, cyber-warfare by foreign governments
• Spying, stealing intellectual property
• View schools and districts as proxies for their real targets
• Highly advanced, very sophisticated
• Virtually unlimited budget
• Stealth and longevity are priorities
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Threats to Education Data
The REAL risk is with US!
• Internet provider for thousands of hackers… ahem… students
• Lose laptops, USB drives
• Do business / learn via email
• Use unapproved third party apps
• BYOD – “Bring Your Own Device”
• Wi-Fi Everything!!!!!!!
• We have no idea where all of our “stuff” is
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Threats to Education Data
What do “they” want with my data?
• Identity information like SSNs, banking info, names and other PII
• Prove a point, make a statement
• Bypass student content filters (surf freely)
• Alter grades, access test info, cause disruption in service
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Threats to Education Data
Sophistication of
Attacks
AttackerSkill
Required
• Open source and free tools
• Hacker training online
• Cyber-theft commoditized
• Black market trading in identity data
• “Do-It-Yourself” malware kits
• Underground economy where tools are built and sold to order
• Still developing flawed software
• SQLi, XSS, CSRF, etc
• Poor authentication / session mgmt.
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Countering the Threat• Starts with leadership buy-in
• Create a strong information security policy & governance architecture that is reflective of reality
• Dedicate resources to security, put someone in charge
• Implement tools, technology and automation
• Develop meaningful metrics to measure the effectiveness of your program
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Countering the Threat
Additional Steps• Use a layered approach (“defense-in-depth) to security which
forces attackers to traverse multiple layers of security controls like firewalls, Web Application Firewalls (WAFs), Intrusion Detection / Prevention Systems (IDPS), antivirus, access controls, etc.
• Keep systems patched, practice vulnerability management.
• Account and Password Management: complex passwords, balanced security requirements. (Don’t overburden your staff! They’ll just find ways around the requirements.)
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Countering the ThreatData Security Best Practices
Make what you already have work better
People are the key, training and awareness is a powerful weapon
Monitor & Manage your data
Collect logs that make sense
Retain information to help reconstruct events which may have occurred in the past
Lots of free security tools exist to help you protect your data
Be ready to respond
Have a response plan
Identify response team in advance and set aside the resources needed
Periodically test response capability with simulated events
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Be the Data Security You Wish to See in the World
• Parents, students and the public care about privacy
• Be transparent with how you secure their data, tell them what they can expect
• Explain where the data goes and how it is used
• Get feedback
GET THE WORD OUT!
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Visit ptac.ed.gov Today!
• PTAC’s website, http://ptac.ed.gov is a wealth of resources and documentation on all things data-sharing.
• Interactive training modules are available for staff. Modules range from beginning to advanced on a range of different topics.
• Submit questions to PTAC easily through our online submission form.
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
New Resources
Transparency Best Practices for Schools and Districts FERPA/IDEA CrosswalkHeartbleed FAQProtecting Student Privacy while Using Online Educational ServicesData Destruction Best PracticesFERPA Exceptions Cheat Sheet
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
• Questions?
*Remember, you can always submit questions to PTAC later!
PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION
Contact Information
Family Policy Compliance Office
Telephone: (202) 260-3887
Email: [email protected]
FAX: (202) 260-9001
Website: www.ed.gov/fpco
Privacy Technical Assistance Center
Telephone: (855) 249-3072
Email:
FAX: (855) 249-3073
Website: http://ptac.ed.gov