SHEEO/NCES Breakout Session:Overview of the Privacy Technical

Assistance Center

May 5, 2011

Emily Anthony, National Center for Education Statistics

Baron Rodriguez, PTAC

2

• The Privacy Technical Assistance Center (PTAC) is one component of USED’s comprehensive privacy initiative, which also includes:

- Chief Privacy Officer

- Technical Briefs

- FERPA Notice of Proposed Rulemaking (NPRM)

Privacy, Security, and Confidentiality at USED

• Run in conjunction with the NCES SLDS program as an extension of technical assistance efforts:

- Webinars, best practice briefs

- Site Visits, Technical Assistance Experts, Personnel Exchange Network

Background: SLDS

• The Statewide Longitudinal Data Systems (SLDS) Grant Program is designed to aid state education agencies in developing and implementing longitudinal data systems.

• The data systems developed with these grants are intended to help states, districts, schools, and teachers make data-driven decisions to improve student learning, as well as facilitate research to increase student achievement and close achievement gaps.

• The focus of the grant program has evolved over the four rounds of SLDS awards (2006-2010), with an early emphasis on K-12 systems expanding to more holistic P-20-WF (pre-kindergarten through workforce).

• http://nces.ed.gov/programs/slds

3

74 grants to 41 states and DC.  As of 2010, total awards of $514 million.

74 grants to 41 states and DC.  As of 2010, total awards of $514 million.

What is PTAC?

The Privacy Technical Assistance Center at USED…

• A “one-stop” shop for technical assistance related to best practices on privacy and data security

• Provides stakeholders with: A set of tools, resources, and other opportunities to receive assistance with privacy,

security, and confidentiality of longitudinal data systems.

A means for stakeholders to share their best practices, documents, and other relevant resources in the areas of privacy, security, and confidentiality.

A focal point for queries and responses to the privacy-related needs of state education agencies (SEAs), local education agencies (LEAs), and institutions of higher education (IHEs) in a confidential, safe environment.

A set of resources to promote compliance with FERPA and summarize best practices for ensuring the confidentiality and security of personally identifiable information.

4

PTAC Resources

5

The SLDS Technical Briefs

• This series of Technical Briefs focuses on privacy, confidentiality, and security considerations related to data in student record systems, especially longitudinal data systems.

• The briefs are intended to inform practitioners responsible for the development, maintenance, protection, or use of student record data.

• Author: Marilyn Seastrom, Chief Statistician and Acting Deputy Commissioner, NCES.

• NCES is seeking input and comments on these briefs. If you have any comments or suggestions, please send them to SLDStechbrief@ed.gov.

6

The SLDS Technical Briefs

SLDS Technical Brief #1: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records

Discusses basic concepts and definitions that establish a common set of terms related to the protection of personally identifiable information, especially in education records in the Statewide Longitudinal Data Systems (SLDS).

This Brief also outlines a privacy framework that is tied to Fair Information Practice Principles that have been promulgated in both the United States and international privacy work.

7

The SLDS Technical Briefs

1. Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records.

2. Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records.

3. Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting.

8

Now AVAILABLE at http://nces.ed.gov/programs/ptac/TechnicalBriefs.aspx

Frequently Asked Questions

• ED recognizes that SEAs, LEAs, and IHEs engaged in building SLDSs are asking similar questions about privacy, confidentiality, and security issues.

• What is needed? Technical assistance that includes responses to frequently asked questions (FAQs) that are:

• Accurate• Consistent• Timely• User-friendly (clear, concise, and actionable)• Trusted

9

Example FAQ – Ensuring Privacy

Q) What is personally identifiable information?

 A) Personally identifiable information, as defined in FERPA, includes, but is not limited to:

• a student's name;

• the name of the student's parent or other family members;

• the address of the student or student's family;

• a personal identifier, such as the student's Social Security number, student number, or biometric record;

• other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;

• other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and

• information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

10

Glossary of Terms

• Biometric Record

FERPA regulations define a biometric record as one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting. For more information, see the Family Educational Rights and Privacy Act Regulations, 34 CFR §99.3, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf.

• Indirect Identifier

Indirect identifiers include information that can be combined with other information to identify specific individuals, including, for example, a combination of gender, birth date, geographic indicator and other descriptors. Other examples of indirect identifiers include place of birth, race, religion, weight, activities, employment information, medical information, education information, and financial information. See also Direct Identifier. For more information, see the SLDS Technical Brief: Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records, available at http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011601.

11

Example of Templates/Tools (coming soon to web site)

• Security Checklists

• Sample Memorandums of Understanding

• Sample Acceptable Use Policies

• Glossary of Terms

• Webinar Series (2011)

o Summer: NCES Brief – Data Stewardshipo Summer: Threats to your data, what you should knowo Fall: NPRM – Finalized – Latest Newso Winter: FERPA & Interagency data exchange

12

Regional Meetings (2011)

• South: AERA, New Orleans – April 9• Technical Brief 1: Concepts and Definitions• Technical Brief 2: Data Stewardship• Technical Brief 3: Statistical Methods for Protecting PII• Technical Brief 4: Data Access for External Researchers

• Northeast: EIMAC, Washington, DC – April 18• FERPA/NPRM News• Guest speaker: Kathleen Styles, ED Chief Privacy Officer• Cyber Security Session • Security Audit Panel

• West: SHEEO/NCES Network Conference & IPEDS Workshop – May 3 • Intro to PTAC• Workshop on Security Data Exchanges: Federated Models• USED Privacy Update• Discussion: Postsecondary perspectives on data sharing, security, and partnership

• Midwest: Education Information Council – August

NCES Events Summer Data

Conference

Annual MIS Conference

SLDS Grantee Conferences

National Forum on Education Statistics

13

Site Visits

• Voluntary!

• No cost!!

• Designed to assist states with their privacy and security needs.

• Not an audit of security or compliance.

• Can provide independent, objective, third party assistance in the areas of SLDS and Cyber Security.

14

Site Visit Expert Help

• Audit response assistance.

• Independent validation of implementation recommendations as a result of security review.

• Security policy reviews.

• Governance assistance (multi-agency).

• Facilitation of multi-agency privacy/security discussions.

• If interested, send request to PrivacyTA@ed.gov

15

PTAC Help Desk

Contact• Phone, email, or use the form on the PTAC website (see contact info at the end

of the presentation).

• Submit a question, suggest a topic for regional meeting, request a site visit or document review.

Issues are logged, clarified, and reviewed by subject matter experts (SMEs)• Expect to have any contact with PTAC acknowledged within one business day.

If appropriate, the SMEs’ draft responses are forwarded to ED for review.• If the PTAC SMEs cannot answer the question, the issue is immediately

forwarded to ED for internal review.

Issues are reviewed at ED by the Privacy Advisory Committee (PAC).

16

What types of questions are being received?

• “Is it OK to Share student information with a school to which a student will transfer?”

• “Has FERPA been passed? From what I have read, it protects student data. Does this law protect student privacy with regards therapy?”

17

Privacy TA Team

ED/NCES Program Manager: Emily Anthony

Project Director: Baron Rodriguez

Subject Matter Experts:

Mark Hall, Anthony Bargar, Tom Szuba,

Alexandra Henning, Allison Camara

Help Desk Support: Dan Boland

18

Types of Resources Available from Privacy TA Center

• ED Expertise

• Chief Privacy Officer• Family Policy Compliance Office• Office of General Council• Office of Planning, Evaluation and Policy

Development• NCES Chief Statistician

19

PTAC Role

• PTAC and FPCO

PTAC: Technical Assistance

FPCO: Administers FERPA, authority over FERPA violations & regulations

20

21

Top Data Protection Issues in Education’s Cyberspace 

•Protecting Personally Identifiable Information (PII)• As we strive towards a “digital nation,” exposure to risk increases• More records online & accessible• Identity Theft (10% Children)

•Keeping pace with Network & Systems Security• Protective measures are outpaced by the “bad-guy”• Traditional “wack-a-mole” patching doesn’t work anymore

•Maintaining the foundation of Strategy, Policy, Governance & People

• Training, Education & Awareness is key• Cloud computing complicates traditional security architecture

approaches

Current Examples of Cyber Security Support from PTAC

• Review and comment on network security portion of RFPs.

• Review audit results and recommendations.

• Site visits to review security architecture, capabilities and plans.

• Best practice and security guidance documents.

• Future: more technically-focused documents and training.

22

Privacy Initiatives

• Chief Privacy Officer

• Privacy Technical Assistance Center

• Technical Briefs

• FERPA Notice of Proposed

Rulemaking

23

Chief Privacy Officer: Organizational Structure

Principal DeputyAssistant Secretary for

Management

Kathleen StylesChief Privacy Officer

Privacy, Information, and Records Management

Services

Family Policy Compliance Office

FOIA Services Privacy Safeguards Information Collection Clearance

Records & Documents

Management

24

Kathleen Styles’ Background

• Attorney

• Certified in government privacy

• Worked on the 2010 Census and American

Community Survey

• Prior position: Director, Office of Analysis and

Executive Support, U.S. Census Bureau

25

CPO Responsibilities

• Compliance

• Advice

• Training

• Outreach

• Advocacy

26

Initial Areas of Emphasis

• Considering comments to FERPA NPRM

• Process improvements

• Working with PTAC and the Technical Briefs

• Open Government/transparency

• Data management

27

28

Proposed Changes to FERPA

• Stronger enforcement

• Ensuring student safety

• Promote wise investment of taxpayer funds in educational programs

• Promote effectiveness research

FERPA: Stronger EnforcementEnforcement Authority

CURRENT

INTERPRETATION

PROPOSED

INTERPRETATION

29

FERPA: Ensuring Student Safety Limited Directory Information

CURRENT

INTERPRETATION

PROPOSED

INTERPRETATION

30

FERPA: Ensuring Student SafetyStudent ID Badges

CURRENT

INTERPRETATION

PROPOSED

INTERPRETATION

31

FERPA: Ensuring Program EffectivenessTerm Definitions

CURRENT

INTERPRETATION

PROPOSED

INTERPRETATION

32

FERPA: Ensuring Program EffectivenessLegal Authority to Conduct Audit/Evaluations

CURRENT

INTERPRETATION

PROPOSED

INTERPRETATION

33

FERPA: Ensuring Program EffectivenessWritten Agreements

CURRENT

INTERPRETATION

PROPOSED

INTERPRETATION

34

FERPA: Ensuring Program EffectivenessReasonable Methods

CURRENT

INTERPRETATION

PROPOSED

INTERPRETATION

35

FERPA: Promoting Research on Effectiveness Authority to Conduct Study

CURRENT

INTERPRETATION

PROPOSED

INTERPRETATION

36

37

Please Comment on the NPRM

Submit formal comments: In writing

By May 23, 2011

According to instructions in the Federal Register

Specific and clear

Postsecondary Leadership Examples

• States using University Systems’ research capacity for SLDS work.

• States utilizing Postsecondary infrastructure for scalable SLDS implementations

• Electronic transcripts – speeding the registration process for students and IHE staff.

• Student readiness assessments – determining students ability to thrive in postsecondary.

38

Postsecondary Concerns/Challenges

• What challenges are postsecondary institutions dealing with around security, privacy, and confidentiality?

• How can PTAC provide assistance/guidance to the postsecondary community?

• What are the areas that ED should be aware of regarding data exchanges between postsecondary and workforce?

Future Topics?

• PTAC would like to know what topics, publications, and webinars would be most helpful to you:

• State Attorney General Training on FERPA?• NCES Technical Brief trainings?• Security best practices?• Others?

40

For more information…• Website

• http://nces.ed.gov/programs/PTAC/

• Help Desk• PrivacyTA@ed.gov• Toll Free Phone: 855-249-3072• Toll Free FAX: 855-249-3073

• NCES• Emily.Anthony@ed.gov

• Request assistance• Upcoming events• Subscribe to email list• Recently released relevant ED publications • Privacy TA Center publications• Best practice guidelines• Frequently Asked Questions• Latest FERPA news• Other on-line recommended resources

41