FERPA Rules: Maintaining the Security and Privacy of Student Data West Virginia Department of Education Carla Howe, Ph.D. August 4, 2014 Introduction • You have access to data tools that allow you to view individual student records for performing your official duties. • You are legally and ethically obliged to safeguard the confidentiality of these student records. • There are many tools for exploring data; those that access student-level data must be secured. • The purpose of this presentation is to inform you of your responsibilities to protect student privacy. Responsibilities • Protect the privacy of students and the confidentiality of student data. • Comply with state and federal laws, and district policy, to maintain the confidentiality of student data. • Use confidential student data only as necessary for legitimate educational purposes. • Keep your password confidential. Consequences • Student education data may not be released except under specific circumstances. Improper release of these data expose you and your district to potential criminal and civil liability, and loss of federal funds. • Student-specific information gathered from secure tools may be shared only with authorized school personnel. Protecting Confidential Information • Be careful to prevent unauthorized people from viewing your screen while you are accessing confidential information. • When you are finished with the data tools, log off and close any windows containing data or reports. Sharing Reports • Printed reports can be shared publicly only after you’ve reviewed them to ensure that no student could be identified from the report (for example, in conjunction with other information that is available). • If a reasonable person from your community could identify a student from a report, directly or indirectly, then you should store that report in a secure place. Share the report only with those with a legitimate educational interest – as determined by your school board, or district leadership. Foundational Concepts Critical to Data Training and Use March 2014 What is FERPA? Family Educational Rights and Privacy Act of 1974, as amended (FERPA) • Federal regulations that govern access to and release of personally identifiable information about students found in education records • Applies to all schools that receive funds under applicable programs of the USED • Does not apply to private schools whose students or teachers receive services from an LEA or SEA, unless the private school also receives federal funds 8 FERPA: Two Purposes Access to Educational Records Limit on Disclosure Parents & Students Prior Written Consent Authorized Representatives Consent Exceptions 9 Annual notice of FERPA rights Schools must notify parents of their rights under FERPA on an annual basis. • Directory information designation – What information does the entity designate as directory? • Location of records • Right to inspect records, file a complaint, consent to disclosure, amend records • Military Recruiters – Schools must provide recruiters with student name, address, phone number and access to campus 10 Student Record Information • May be disclosed to the student with proper authentication – Amended FERPA requires the use of reasonable methods to determine the identity of intended and authorized recipient of information AND authenticate or ensure that recipient is, in fact, who he/she purports to be • Parent Access Procedures – Right to “inspect and review” – 45-day timeline to provide the records – May charge “reasonable fee” for copies, but not to search or retrieve • Exceptions – Letters of recommendation for which the student has waived the right to review – Information about other students 11 FERPA requires Educational Providers to: Educational Providers Protect student rights Ensure that third parties do not redisclose personally identifiable information Keep records of certain requests and disclosures of student education records Notify students/parents of their rights annually State Education Agency Protect student rights Ensure that third parties do not redisclose personally identifiable information Keep records of certain requests and disclosures of student education records 12 Basic Concepts • Education Record • Directory Information • Personally Identifiable Information 13 Education Record Education Record • A record which is maintained by the institution from which the student can be identified (Directory Information) • Directly related to a student • Maintained by an educational agency or institution (or party acting on behalf of the agency) • For elementary and secondary level students • Records maintained on special education students including records on services provided to those students EXCEPT: Records of School Personnel which are: • Kept in the record maker’s sole possession • Used only as a memory aid • Not accessible or revealed to anyone except temporary substitute for record maker 14 Directory information Information in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed As defined in Policy 4350, Directory Information can include: 1. 2. 3. 4. 5. 6. 7. 8. 9. Student's name Address Telephone listing Email address Photograph Date and place of birth Major field of study Dates of attendance (for school) Grade level 10. Participation in officially recognized activities and sports 11. Weight and height of members of athletic teams 12. Dates of attendance (for athletics) 13. Degrees and awards received, and 14. The most recent previous educational agency or institution attended by the student. 15 Personally identifiable information Personally Identifiable Information • Student’s name, parent or family member names, student’s address, or other information that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. • Indirect identifiers such as date and place of birth and mother’s maiden name. Personally Identifiable Information – Further Defined • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable accuracy 16 Directory Information Directory Info IS NOT • Social Security Number • Student ID WOW Student Screen • Lists Directory Information • Student history details require an enrollment record 17 Restricting Directory Information • Parents can “Opt Out” of sharing directory information • For example, if a student in a post-secondary institution “opts-out”, then the National Student Clearinghouse cannot redisclose student level information to the state for that student • Students do not have the option to “opt-out” for required reporting to the state • Students cannot opt out of wearing or presenting a student ID or badge 18 How do you authenticate identity? • Regulations require a school to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and other parties before disclosing education records. Sample Verification Process for Parent Requests Check student enrollment in the Student Information System Submit verification form to the district of enrollment to verify there are no court orders to prevent parent from seeing records Require parent to pick up the data in person, show proof of identify, sign verification form 19 Reasonable Methods • Regulations require the use of “reasonable methods” to ensure access is only given to only those education records in which the official has a legitimate educational interest. • Reasonable methods include: – Physical controls (locked filing cabinets) – Technological controls (role-based access controls for electronic records) – Administrative policies (must be effective in ensuring compliance) • This also means no student data are transferred off-site using portable media (thumb drives to work at home) or are sent via email unless in a password-protected or deidentified file. 20 Consent Exceptions • May be disclosed to school officials with “legitimate educational interest” • Authorized government officials – Regulations expand the school official exception to include contractors, consultants, volunteers, and other parties to whom a school has outsourced services or functions under certain circumstances: • The party is under the direct control of the SEA or LEA (contract); • The party is subject to the same conditions governing the use and redisclosure of education records applicable to other school officials; • WVDE requires these parties to also sign security agreements 21 Disclosure Exception: Organizations conducting studies • The school must have a written agreement with the receiving organization that specifies: – the purposes of the study; – the information may only be used to meet the purposes of the study stated in the agreement; – the restriction on re-disclosure of the information; – the requirement for destruction of the information when no longer needed. – Clarifies requirements that information disclosed under this exception is used only to meet the purposes of the study, and that all re-disclosure and destruction requirements are met. • WVDE uses a Institutional Review Board and Research Review Committee process and has specific forms that data requestors must fill out 22 Disclosure Exceptions: To Parents of kids 18+ • Regulations clarify that disclosure of education records without consent is permitted to parents in some circumstances: – When a student is a dependent student under the IRS tax code; – When the student has violated a law or the school’s rules or policies governing alcohol or substance abuse, if the student is under 21 years old; – When the information is needed to protect the health or safety of the student or other individuals in an emergency. – Ensures that schools understand that FERPA does not block information sharing with parents if any of the above exceptions apply. 23 Keeping records of disclosures • At the SEA and LEA, must record name and legitimate interest in cases such as these – Information disclosed without student’s written consent – To the parent of an eligible student – In response to a lawfully issued court order or subpoena • However there must still be an attempt to notify the parent in these cases unless it is in response to a threat on the student’s safety – For external research purposes where individual students have been identified – In response to an emergency • Emergencies do not require parental notification • These include endangerment to the health or well-being of a student • Note this is why WVDE has the Research Proposal Application (and its process) and Data Security Agreements 24 More Exceptions Financial Aid • To persons or organizations providing student financial aid, or determining financial aid decisions Enrollment • To officials at institutions in which a student seeks to enroll or has enrolled so long as the disclosure is in connection with the student’s enrollment Judicial Order / Subpoena • Note that a reasonable attempt at parental notification is required! Accreditation • To accrediting organizations and other entities conducting educational studies Health & Safety Emergency • When necessary to protect the health or safety of the student or other persons 25 More Exceptions USA Patriot Act Campus Sex Crimes Prevention Act Clery Act School Officials with a legitimate educational interest Specified officials for audit or evaluation purposes • information relevant to an investigation or prosecution of an act of terrorism • Schools are permitted to disclose information about registered sex offenders • Requires a school to inform the accuser and the accused of the outcome of a school’s disciplinary proceeding of an alleged sex offense (name, violation, and sanction imposed). • A school may not require the accuser to execute a non-disclosure agreement. http://www.ed.gov/policy/gen/guid/fpco/ferp a/index.html 26 FERPA & HIPAA • At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district. 27 What Can – and Can’t – Be Released • Individual student data can never be publicly published or released. • Summary (aggregated) data can be released, but only if the group size is large enough (>10) to protect the privacy of individual members of the group. • When the identity of an individual student could be inferred due to small group size in a report, treat that report as confidential. The summary reports to which you have access may contain small group sizes, and should therefore be treated as confidential. Unauthorized disclosures of PII • Unauthorized disclosures of PII may result in being prohibited from accessing PII for at least five years • The entity from which the data originated is responsible for the prohibition of access • Most recent FERPA provisions require documentation and mandatory provisions for written agreements 29 State Level Security • Policy 4350 & HB 4316 • WVBE Data Security and Privacy Resolution • WVDE Data Access & Management Guidance (available online on the WVDE website under the Data tab) • Limited access at WVDE to WOW through jobrelated duties justification, supervisor sign-off, and assurance to adhere to FERPA regulations. 30 Remember Email is now encrypted in transit nor at rest whether on a work device or a personal device – BUT be cautious – Attachments & messages opened on personal devices will not be secure – Sensitive data stored on a personal device is a security breach – Emails on personal devices that are work-related are subject to FOIA – Errors are easy with auto-complete names 31 Remember • Remind your colleagues that disclosing PII is a violation of state and federal law and policy. School districts are local units of government subject to the same laws and acceptable use policies. • Do not allow family members or others to use your work devices. Coming Soon • Guidance for the “Alert” screen in WOW – Primarily for student safety • Life-threatening allergy information • Custody/family information if student safety is at stake • Local rules can still be applied, but some general guidance will come from WVDE Family Policy Compliance Office • U.S. Department of Education – Phone: (202) 260-3887 Fax: (202) 260-9001 – Email: FERPA@ed.gov • www.ed.gov/fpco – FERPA Final Regulations – Revised Regulation Overviews for LEAs, Parents, Students – FAQs • Privacy Technical Assistance Center – www.ptac.ed.gov – Webinars, Publications, Case Studies – FERPA 101 Webinar Recording and Transcript 34 Check your Quiz! 1. True 2. True 3. True 4. False – annually 5. True 6. False – if he/she HAS legal rights 7. False – do have authority 8. True 9. Grade Level 10. False – social security, cannot be direction information Check Your Quiz! 11. False – by student ID or other identifier 12. True 13. True 14. True 15a. Yes 15b. Yes 15c. No 15d. No 15e. No 15f. Yes New Information • Data Access & Management Guidance document – Available online on the WVDE homepage under the Data tab • HB 4316 - Student Data Accessibility, Transparency and Accountability Act • ZoomWV – West Virginia’s source for accurate, K-12 education information – Coming Soon 37 Contact Information • For questions about data privacy and security, please contact Carla Howe, Ph.D. Data Governance Manager. chowe@k12.wv.us 304-558-7881