PTAC and FPCO: Moving Forward Under the New FERPA Regulations
MIS 2012
February 15, 2012
Michael Hawes, Statistical Privacy Advisor
Baron Rodriguez, Director, PTAC
Allison Camara, PTAC
Pop Quiz
From 2009 to 2011, what is the percentage change of organizations conducting an annual privacy review?
– -26%
– +26%
– -13%
– +13%
In 2009, 52% of companies invested in annual privacy policy reviews. In 2011, only 39% conducted an annual privacy review.
Presentation Overview
Overview of ED privacy initiatives
PTAC/FPCO coordination
FERPA overview
Understanding the new FERPA regulations
Moving forward -- priorities for 2012
Popular PTAC/FPCO resources
Early 2011 — ED Privacy Initiatives Begin
FERPA Notice of Proposed Rulemaking
Guidance — NCES Technical Briefs
Privacy Technical Assistance Center (PTAC)
Chief Privacy Officer
Chief Privacy Officer: Organizational Structure
Late 2011 — Building on Progress
Regulation changes finalized
– 274 Comments received
– Final FERPA regulatory changes
• December 2, 2011 Federal Register
• Effective January 3, 2012
PTAC guidance documents
Privacy Advisory Committee
Soliciting input
FPCO Mission and Resources
Administers
– FERPA
– Protection of Pupil Rights Amendment (PPRA)
– Military recruiter provisions in the Elementary and Secondary Education Act (ESEA)
Investigates alleged violations of these laws
Issues guidance documents
Coordinates with PTAC
PTAC Mission and Resources
“One-stop” resource center
Regional Meetings and Lessons Learned Forums
Technical Assistance Site Visits
Help Desk
Web resources
– Technical Briefs, Issue Briefs, and White Papers
– Case studies
– Checklists
– Frequently Asked Questions
– Monthly Webinars, Presentations, and Training Materials
PTAC Experts
Baron Rodriguez – State Support Team
Mike Tassey – Security Expertise
WestStat – Statistical Expertise
Margie Bates – Support/Legal
How is a request to PTAC handled?
PTAC Request Received
Routed to PTAC security specialist or to FERPA Working Group
Resources assigned to review/research request
Answer proposed: Training? Brief?
FERPA Working Group reviews/approves answer/resource
What is FERPA?
Family Educational Rights and Privacy Act (FERPA) enacted 1974
– Protects the privacy of students’ education records
– Affords parents and eligible students rights to
• inspect and review education records,
• seek to amend these records, and
• consent to the disclosure of personally identifiable information (PII) from education records.
Disclosure of Education Records under FERPA
Requirement for written consent to disclose PII
Parents and eligible students
Exceptions to consent
– Studies
– Audit or evaluation
– Other (e.g., court order, health or safety emergency)
FERPA and Student Privacy — Recent Developments
Move to electronic records
Student longitudinal databases
New risks and vulnerabilities
ED privacy initiatives
– Most recent FERPA amendment—January 3, 2012
Key FERPA Regulatory Changes
“You know how sometimes FERPA can tie your brain in a knot trying to think through it all?” [quote from an email to PTAC]
FERPA Regulatory Changes — Definitions
Authorized Representative
– Any entity or individual designated by a State or local educational authority or an agency headed by an official… to conduct—with respect to Federal- or State-supported education programs—any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs (FERPA regulations, §99.3).
Education Program
– Any program principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution (FERPA regulations §99.3).
FERPA Regulatory Changes — Audit or Evaluation Exception
Authorized Representative
Written Agreements
Reasonable Methods
“Guidance on Reasonable Methods and Written Agreements”
FERPA Regulatory Changes — Studies Exception
OLD INTERPRETATION: Not clear that a redisclosure by FERPA-permitted entity (e.g., SEA) would be “on behalf of” an educational agency
NEW INTERPRETATION: State educational authorities acting “on behalf of” their constituent schools
FERPA Regulatory Changes — Directory Information
Definition of directory information
Conditions for disclosure
– Student ID cards and badges
– Limited directory information
A Couple of Case Studies
Technical Assistance
Enforcement
ED Priorities for 2012
Guidance for SEAs and LEAs
– Assistance with privacy, confidentiality, and security concerns
– Case Studies
FPCO resources and initiatives
– Focus on legal interpretation of FERPA
– Modernizing FPCO
PTAC resources and initiatives
– Focus on best practices
– Coordinating with FPCO
Pop Quiz #2
In 2011, what percentage of organizations dedicate resources to business continuity and/or disaster recovery?
– 21%
– 52%
– 5%
– 14%
That’s down more than 10% from 2009!
2012 — PTAC Initiatives
Expansion to LEAs
Coordination with FPCO
Helping organizations come into compliance
– Statistical and data security experts
– Site visits and regional meetings
– Best practices guidance documents and training materials
– Compliance vs. transparency
Upcoming Events
25th Annual MIS Conference Presentation
– February 16, 2012, Session VI, 10-11am (Nautilus 5): Protection of Personally Identifiable Information Through Disclosure Avoidance Techniques
PTAC Webinar
– March 15th, 2012, 2:00 p.m. EST: Special Education: The Intersection of FERPA and IDEA Confidentiality Provisions
Available Resources
Guidance on Reasonable Methods and Written Agreements
Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records
Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records
Responding to IT Security Audits: Improving Data Security Practices
Data Security: Top Threats to Data Protection
Data Security Checklist
Data Governance and Stewardship
Data Governance Checklist
Data Security and Management Training: Best Practice Considerations
Contact Information
Family Policy Compliance Office
– TEL: (202) 260-3887
– FAX: (202) 260-9001
– Email: [email protected]
– Website: www.ed.gov/fpco/
Privacy Technical Assistance Center
– TEL: (855) 249-3072
– FAX: (855) 249-3073
– Email: [email protected]
– Website: www.ed.gov/ptac/
Michael Hawes, Statistical Privacy Advisor
– TEL: (202) 453-7017
– FAX: (202) 401-0920
– Email: [email protected]