PTAC and FPCO: Moving Forward Under the New FERPA Regulations

PTAC and FPCO: Moving Forward Under the New FERPA

Regulations

MIS 2012February 15, 2012

Michael Hawes, Statistical Privacy Advisor Baron Rodriguez, Director, PTACAllison Camara, PTAC

2

Pop Quiz

From 2009 to 2011, what is the percentage change of organizations conducting an annual privacy review?

- 26 % + 26 % - 13 % + 13 %

3

Pop Quiz

From 2009 to 2011, what is the percentage change of organizations conducting an annual privacy review?

- 26 % + 26 % - 13 % + 13 %

In 2009, 52% of companies invested in annual privacy policy reviews. In 2011, only 39% conducted an annual privacy review.

Presentation Overview

Overview of ED privacy initiatives

PTAC/FPCO coordination

FERPA overview

Understanding the new FERPA regulations

Moving forward -- priorities for 2012

Popular PTAC/FPCO resources

5

Early 2011 — ED Privacy Initiatives Begin

FERPA Notice of Proposed Rulemaking Guidance — NCES Technical Briefs Privacy Technical Assistance Center (PTAC) Chief Privacy Officer

6

Chief Privacy Officer: Organizational Structure

7

Late 2011 — Building on Progress

Regulation changes finalized– 274 Comments received– Final FERPA regulatory changes

• December 2, 2011 Federal Register• Effective January 3, 2012

PTAC guidance documents Privacy Advisory Committee Soliciting input

8

FPCO Mission and Resources

Administers – FERPA– Protection of Pupil Rights Amendment (PPRA)– Military recruiter provisions in the Elementary and

Secondary Education Act (ESEA) Investigates alleged violations of these laws Issues guidance documents Coordinates with PTAC

9

PTAC Mission and Resources

“One-stop” resource center Regional Meetings and Lessons Learned Forums Technical Assistance Site Visits Help Desk Web resources

– Technical Briefs, Issue Briefs, and White Papers– Case studies– Checklists– Frequently Asked Questions – Monthly Webinars, Presentations, and Training Materials

10

PTAC Experts

Baron Rodriguez – State Support Team

Mike Tassey – Security Expertise

WestStat – Statistical Expertise

Margie Bates – Support/Legal

11

How is a request to PTAC handled?

PTAC Request Received

Routed to PTAC security specialist

or to FERPA Working Group

Resources assigned to

review/research request

Answer proposed:Training?

Brief?

FERPA Working Group

reviews/approves answer/resource

12

13

What is FERPA?

Family Educational Rights and Privacy Act (FERPA) enacted 1974– Protects the privacy of students’ education records– Affords parents and eligible students rights to

• inspect and review education records, • seek to amend these records, and • consent to the disclosure of personally identifiable

information (PII) from education records.

14

Disclosure of Education Records under FERPA

Requirement for written consent to disclose PII Parents and eligible students Exceptions to consent

– Studies– Audit or evaluation– Other (e.g., court order, health or safety emergency)

15

FERPA and Student Privacy — Recent Developments

Move to electronic records Student longitudinal databases New risks and vulnerabilities ED privacy initiatives

– Most recent FERPA amendment—January 3, 2012

16

Key FERPA Regulatory Changes

“You know how sometimes FERPA can tie your brain in a knot trying to think through it all?”  [quote from an email to PTAC]

17

FERPA Regulatory Changes — Definitions

Authorized Representative– Any entity or individual designated by a State or local educational

authority or an agency headed by an official… to conduct—with respect to Federal- or State-supported education programs—any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs (FERPA regulations, §99.3).

Education Program– Any program principally engaged in the provision of education,

including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution (FERPA regulations §99.3).

18

FERPA Regulatory Changes — Audit or Evaluation Exception

Authorized Representative Written Agreements Reasonable Methods “

Guidance on Reasonable Methods and Written Agreements”

19

FERPA Regulatory Changes — Studies Exception

Not clear that a

redisclosure by

FERPA-permitted

entity (e.g., SEA)

would be “on behalf

of” an educational

agency

State educational

authorities acting

“on behalf of” their

constituent schools

OLD

INTERPRETATION

NEW

INTERPRETATION

20

FERPA Regulatory Changes — Directory Information

Definition of directory information Conditions for disclosure

– Student ID cards and badges – Limited directory information

21

A Couple of Case Studies

Technical Assistance Enforcement

22

ED Priorities for 2012

Guidance for SEAs and LEAs– Assistance with privacy, confidentiality, and security

concerns – Case Studies

FPCO resources and initiatives– Focus on legal interpretation of FERPA– Modernizing FPCO

PTAC resources and initiatives– Focus on best practices– Coordinating with FPCO

23

POP Quiz # 2

In 2011, what percentage of organizations dedicate resources to business continuity and/or disaster recovery?

– 21%– 52%– 5%– 14%

24

POP Quiz # 2

In 2011, what percentage of organizations dedicate resources to business continuity and/or disaster recovery?

– 21%– 52%– 5%– 14%

That’s down more than 10% from 2009!

25

2012 — PTAC Initiatives

Expansion to LEAs Coordination with FPCO Helping organizations come into compliance

– Statistical and data security experts– Site visits and regional meetings– Best practices guidance documents and training

materials– Compliance vs. transparency

26

Upcoming Events

25th Annual MIS Conference Presentation– February 16, 2012, Session VI, 10-11am (Nautilus 5):

Protection of Personally Identifiable Information Through Disclosure Avoidance Techniques

PTAC Webinar– March 15th, 2012, 2:00 p.m. EST: Special Education:

The Intersection of FERPA and IDEA Confidentiality Provisions

27

Available Resources

Guidance on Reasonable Methods and Written Agreements Data Stewardship: Managing Personally Identifiable Information in Electr

onic Student Education Records Basic Concepts and Definitions for Privacy and Confidentiality in Student

Education Records Responding to IT Security Audits: Improving Data Security Practices Data Security: Top Threats to Data Protection Data Security Checklist Data Governance and Stewardship Data Governance Checklist Data Security and Management Training: Best Practice Considerations

28

Contact Information

Family Policy Compliance Office

Privacy Technical Assistance Center

Michael Hawes,Statistical Privacy

AdvisorTEL: (202) 260-3887

TEL: (855) 249-3072

TEL: (202) 453-7017

FAX: (202) 260-9001

FAX: (855) 249-3073

FAX: (202) 401-0920

Email: FERPA@ed.gov

Email: PrivacyTA@ed.gov

Email: Michael.Hawes@ed.govWebsite:

www.ed.gov/fpco/Website:www.ed.gov/ptac/