Student Privacy Boot Camp

Presenters

  • Michael Hawes, Director of Student Privacy Policy, US Department of Education
  • Amelia Vance, Education Policy Counsel, Future of Privacy Forum
  • Rachel Rudnick, Privacy Officer / Assistant Director, University of Connecticut

Resources

What is your top privacy concern?

Attendees have many reasons for being here (several on GDPR, the European Union’s privacy law – something International students will care about). I’m specifically here to learn more about the use of student data within web applications. For example, how do we let students know how we’re using their data, beyond ToS (Terms of Service) or EULA (End User License Agreement).

Types of Risk

Keep in mind the “front page of the newspaper” kinds of risks, because that’s a significant driver on the perception side of things.

  1. An actual security or privacy risk
  2. Risk of not being in compliance
  3. Perception Risk

Michael Hawes’ Segment of the Session

By the end of this session, you’ll know a lot more about PTAC – Privacy Technical Assistance Center. This provides loads of guidance and tools you can use in your work.

ED’s role in protecting student privacy

  • We administer & enforce federal laws governing the privacy of student information (FERPA)
  • Raise awareness of privacy challenges
  • Provide tech assistance to schools, districts, states, colleges and universities
  • Promoting privacy and security best practices

What is Privacy?

Privacy and security are related, but not the same thing.

Privacy: the state of being free from intrusion or disturbance in one’s private life or affairs.” Components include:

  • Info
  • Bodily
  • Territorial
  • Communications

Privacy Principles (from NIST):

  • Authority and purpose
  • Accountability
  • Data Quality and Integrity
  • Data Minimization and Retention
  • Individual Participation and Redress
  • Security
  • Transparency
  • Use Limitation

IT Security:

  • Focused on confidentiality
  • Integrity
  • Availability

Privacy and Security overlap at Confidentiality & Integrity, plus Accountability, Audit and Risk Management

FERPA 101

  • 43 years old, passed in 1974
  • Applies to all institutions receiving federal funds under any program administered by the Secretary of Education
  • Gives eligible students the right to access and seek to amend their education records
  • Protects personally identifiable information (PII) from education records from unauthorized disclosure
  • Requires written consent before sharing PII – unless an exception applies

FERPA definitions

PII: is info that alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

Education records are any records directly related to the student that are maintained by, or on behalf of, an educational agency or institution.

The Netflix Prize from a few years ago is a good case in point (algorithm to improve their movie recommendation engine). The de-identified data was able to be re-identified by data researchers, based on movie preferences! Favorite movie became highly identifiable information.

  • Directory information exception
  • Students don’t attend school anonymously
  • Allows schools to release certain information without consent. A few examples:
    • name, address, telephone, electronic mail address
    • date and place of birth
    • photographs
    • weight & height of athletes
  • Schools/Districts must designate data elements they consider to be directory information. Common uses: yearbooks, concert programs, telephone directories.
  • Students have a right to opt-out of disclosures under the directory information exception.

School Official Exception: schools or LEAs can use the school official exception to disclose education records without consent to a third party if the 3rd party:

  • performs a service / function the school would otherwise do themselves
  • under direct control of the school / district
  • uses education data in a manner consistent

Health or Safety Emergencies Exception

  • Disclosure necessary to protect health & safety of the student or others
  • Articulable threat to health or safety
  • Typically law enforcement

Parents of Dependent Students

  • A school may choose to disclose, without the students consent, a student’s ed record to that student’s parent if the student is sa dependent for IRS tax purposes.

Judicial Orders & Subpoenas Exception

  • School may disclose PII from ed records necessary to comply with a judicial order or lawfully issued subpoena
  • Reasonable effort to notify eligible student of the order before complying with it
  • Some judicial orders and subpoenas are exempt from FERPA’s notification requirement

Financial Aid Exception

  • Ed records may be disclosed in connection with financial aid

Studies Exception

  • Permits disclosure of PII that are for or on behalf of the school for developing, validation, or administering predictive tests
  • Administering student aid programs
  • Improving instruction
  • Must specify purpose, scope, duration

Attendee question: what counts as consent?

  • Must be written (electronic must be authenticated).
  • Has to specify PII that will be disclosed
  • Has to specify category of people it’s going to
  • Has to specify purpose
  • Has to be voluntary (for example, it cannot be waived in a “blanket ToS” at the beginning of the term)

Data Governance, Online Services, and Predictive Analytics

  • Increase in data silos at IHEs and the importance of Data Governance
  • Guidance on Protecting Student Privacy while Using Online Educational Services (2014) and Model Terms of Service (2015)
  • Be mindful of privacy and ethics when using predictive analytics in higher education

HIPAA

  • If an institution keeps student medical records, HIPAA (generally, but not always) applies, not FERPA
  • Student and treatment records can be very complex! Engage counsel when working with this data

As recipients of federal student aid, universities are financial institutions under the Gramm-Leach Bliley Act.

Audience question: is there a NIST standard for transmitting FERPA data? Yes! When in doubt, ask the school about their requirements for PII.

CASE STUDY 1: DATA BREACH

Knowing how to respond when you’ve had a data breach can be really helpful. Thank about each of the roles needed in your org. The full extent or impact of a data breach is rarely known up front. Don’t get ahead of yourself.

We broke up into groups and discussed the following:

  • Public & Internal communications/Messaging
  • Response Plan

Things to consider:

  • How can you prevent this in the future?
  • Policies & Procedures
  • Central # to call should they have questions
  • FERPA training implemented in any way? Whoever would respond to such breaches should definitely be trained.
  • Have reporting obligations changed?

Federal Laws and Actions

  • FERPA rewrite
    • Potential rollback of 2008/2011 updates
  • Several student data privacy bills introduced in Congress in 2015 and a FERPA re-write may pass in 2018. One bill has been re-introduced in 2017 so far.
  • 40 states have passed 126 laws since 2013
  • Over last 5 years, states have enacted over 100 laws governing how schools and their service providers collect, use, and protect student data

Unintended Consequences

  • Words matter: definitions and vague language; governance needed
  • Fear-based policies
  • Privacy problems with privacy legislation
  • Need for input
  • Penalties

Big case of unintended consequences: LifeTouch (a billion-dollar photo vendor) is impacted and engaged politically because photos can be classified as PII. What do they sell? Yearbooks.

Interesting Trends

  • Governance
  • Transparency
  • Contracts
  • Opt-in or Out Requirements
  • Device and social media privacy
  • Audits
  • Training
  • Penalties (financial & criminal)

State Laws

  • Of 106 state laws passed on student privacy since 2013, only 26 are applicable to higher education.
  • Most laws discussing higher ed either do not differentiate between private or public institutions or higher ed, or only apply the law to state schools.
  • Reflects a perceived inability by state legislators to govern private institutions of higher education.

Lack of laws

  • 75% of data breaches occur in higher ed, so it’s surprising that there aren’t MORE laws governing data breaches in higher ed.
  • In total, 19 states since 2014 have passed laws that included at least one provision targeted at researches. Most of these are governance-focused, but some are far more restricted.

What is Driving These Laws?

Typical comments that encapsulate what’s driving these laws:

  • “What is ed research, and why do I care about it?”
  • “Researchers are able to get access to student data and use it for whatever they want”
  • “Parents should always be allowed to opt their child out of research that will not directly improve their child’s ed or help their child in some direct way”
  • Beyond IRBs

Rachel Rudnick, University of Connecticut Privacy Officer

I think of my role as mostly a compliance function. How many campuses have a privacy office and officer? It differs from campus to campus; there’s no one way to manage it.

Do you have a designated Privacy Officer?

  • What is a privacy officer?
  • Privacy vs. Information Security
  • Privacy Office
  • Centralized function vs. embedded?
  • Just part of someone’s job?

Where Should Privacy Report?

  • Compliance (good place to start, should have buy-in of C-suite)
  • Legal
  • IT
  • Audit
  • Provost
  • Registrar
  • President/Board
  • Nowhere? Everywhere?

Models to Consider

  • Compliance/regulatory function vs. Program
  • Centralized vs. distributed (embedded)
  • Big picture comprehensive program vs. regulation-by-regulation
  • Reactive vs. Proactive approach

What is Privacy?

This is a gross oversimplification, but this helps folk understand privacy a little better, especially when they need to call someone for help:

  • Privacy is the WHAT
  • Security is the HOW

What does a Privacy Officer Do?

  • Does not mean I have a “Do Not Disturb” sign on my door!
  • Knowledge of ever-evolving rules
  • Oversee program
  • Serve as privacy resource/Subject Matter Expert
  • Write and possibly enforce policies
  • Review/draft contract language
  • Assist/provide guidance to faculty, staff, students, constituents
  • Investigate concerns/complaints
  • Educate/conduct training
  • Breach mgmt
  • Internal/external communication
  • Create and maintain relationships/partnerships
  • Work hand-in-hand with the ISO
  • Be a team player > committees, committees, committees…

To manage privacy properly on a campus, you need great partnerships!

Partnerships & Collaboration with Stakeholders

  • ISO
  • Legal
  • Audit
  • Risk Mgmt
  • Senior Mgmt (buy-in, elevator speeches)
  • Functional Offices (registrar, bursar/financial aid, research compliance/sponsored programs, HR/Payroll, Health-related units, etc.)
  • Compliance Cowboys: liaisons to support your efforts; train the trainer

Tools

  • Data inventories
  • Records retention & Info Mgmt strategies
  • Privacy Impact Assessments (PIA)
  • Maturity Modeling
  • Nymity’s comprehensive approach
  • Beg, borrow and steal from colleagues

External resources

  • HE-CPO group (supported by EDUCAUSE)
  • IAPP
  • Law firms
  • Vendors (webinars, free tools)
  • NACUA/AACRAO
  • FERPA|Sherpa
  • PTAC

Want to Be a Privacy Officer?

EDUCAUSE has resources, search for Higher Ed CPO Primer, Parts 1 & 2 on their web site