FERPA Rules: Maintaining the Security and Privacy of Student Data West Virginia Department of Education Carla Howe, Ph.D. August 4, 2014

FERPA Rules: Maintaining the Security and Privacy of Student Data

West Virginia Department of Education

Carla Howe, Ph.D.

August 4, 2014

Introduction

• You have access to data tools that allow you to view individual student records for performing your official duties.

• You are legally and ethically obliged to safeguard the confidentiality of these student records.

• There are many tools for exploring data; those that access student-level data must be secured.

• The purpose of this presentation is to inform you of your responsibilities to protect student privacy.

Responsibilities

• Protect the privacy of students and the confidentiality of student data.

• Comply with state and federal laws, and district policy, to maintain the confidentiality of student data.

• Use confidential student data only as necessary for legitimate educational purposes.

• Keep your password confidential.

Consequences

• Student education data may not be released except under specific circumstances. Improper release of these data exposes you and your district to potential criminal and civil liability, and loss of federal funds.

• Student-specific information gathered from secure tools may be shared only with authorized school personnel.

Protecting Confidential Information

• Be careful to prevent unauthorized people from viewing your screen while you are accessing confidential information.

• When you are finished with the data tools, log off and close any windows containing data or reports.

Sharing Reports

• Printed reports can be shared publicly only after you’ve reviewed them to ensure that no student could be identified from the report (for example, in conjunction with other information that is available).

• If a reasonable person from your community could identify a student from a report, directly or indirectly, then you should store that report in a secure place. Share the report only with those with a legitimate educational interest – as determined by your school board, or district leadership.

Foundational Concepts Critical to Data Training and Use

March 2014

What is FERPA?

Family Educational Rights and Privacy Act of 1974, as amended (FERPA)

• Federal regulations that govern access to and release of personally identifiable information about students found in education records

• Applies to all schools that receive funds under applicable programs of the USED

• Does not apply to private schools whose students or teachers receive services from an LEA or SEA, unless the private school also receives federal funds

FERPA: Two Purposes

• Access to Educational Records
– Parents & Students
– Authorized Representatives

• Limit on Disclosure
– Prior Written Consent
– Consent Exceptions

Annual notice of FERPA rights

Schools must notify parents of their rights under FERPA on an annual basis.

• Directory information designation
– What information does the entity designate as directory?
• Location of records
• Right to inspect records, file a complaint, consent to disclosure, amend records
• Military Recruiters
– Schools must provide recruiters with student name, address, phone number and access to campus

Student Record Information

• May be disclosed to the student with proper authentication
– Amended FERPA requires the use of reasonable methods to determine the identity of intended and authorized recipient of information AND authenticate or ensure that recipient is, in fact, who he/she purports to be
• Parent Access Procedures
– Right to “inspect and review”
– 45-day timeline to provide the records
– May charge “reasonable fee” for copies, but not to search or retrieve
• Exceptions
– Letters of recommendation for which the student has waived the right to review
– Information about other students

FERPA requires Educational Providers to:

Educational Providers

• Protect student rights
• Ensure that third parties do not redisclose personally identifiable information
• Keep records of certain requests and disclosures of student education records
• Notify students/parents of their rights annually

State Education Agency

• Protect student rights
• Ensure that third parties do not redisclose personally identifiable information
• Keep records of certain requests and disclosures of student education records

Basic Concepts

• Education Record
• Directory Information
• Personally Identifiable Information

Education Record

• A record which is maintained by the institution from which the student can be identified (Directory Information)
• Directly related to a student
• Maintained by an educational agency or institution (or party acting on behalf of the agency)
• For elementary and secondary level students
• Records maintained on special education students including records on services provided to those students

EXCEPT: Records of School Personnel which are:

• Kept in the record maker’s sole possession
• Used only as a memory aid
• Not accessible or revealed to anyone except temporary substitute for record maker

Directory information

Information in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.

As defined in Policy 4350, Directory Information can include:

1. Student's name
2. Address
3. Telephone listing
4. Email address
5. Photograph
6. Date and place of birth
7. Major field of study
8. Dates of attendance (for school)
9. Grade level
10. Participation in officially recognized activities and sports
11. Weight and height of members of athletic teams
12. Dates of attendance (for athletics)
13. Degrees and awards received, and
14. The most recent previous educational agency or institution attended by the student.

Personally identifiable information

• Student’s name, parent or family member names, student’s address, or other information that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

• Indirect identifiers such as date and place of birth and mother’s maiden name.

Personally Identifiable Information

• Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable accuracy

Personally Identifiable Information – Further Defined

Directory Information

Directory Info IS NOT

• Social Security Number
• Student ID

WOW Student Screen

• Lists Directory Information
• Student history details require an enrollment record

Restricting Directory Information

• Parents can “Opt Out” of sharing directory information

• For example, if a student in a post-secondary institution “opts-out”, then the National Student Clearinghouse cannot redisclose student level information to the state for that student

• Students do not have the option to “opt-out” for required reporting to the state

• Students cannot opt out of wearing or presenting a student ID or badge

How do you authenticate identity?

• Regulations require a school to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and other parties before disclosing education records.

Sample Verification Process for Parent Requests

• Require parent to pick up the data in person, show proof of identity, sign verification form
• Submit verification form to the district of enrollment to verify there are no court orders to prevent parent from seeing records
• Check student enrollment in the Student Information System

Reasonable Methods

• Regulations require the use of “reasonable methods” to ensure access is given only to those education records in which the official has a legitimate educational interest.
• Reasonable methods include:
– Physical controls (locked filing cabinets)
– Technological controls (role-based access controls for electronic records)
– Administrative policies (must be effective in ensuring compliance)
• This also means no student data are transferred off-site using portable media (thumb drives to work at home) or are sent via email unless in a password-protected or de-identified file.

Consent Exceptions

• May be disclosed to school officials with “legitimate educational interest”
• Authorized government officials
– Regulations expand the school official exception to include contractors, consultants, volunteers, and other parties to whom a school has outsourced services or functions under certain circumstances:
  • The party is under the direct control of the SEA or LEA (contract);
  • The party is subject to the same conditions governing the use and re-disclosure of education records applicable to other school officials;
  • WVDE requires these parties to also sign security agreements

Disclosure Exception: Organizations conducting studies

• The school must have a written agreement with the receiving organization that specifies:
– the purposes of the study;
– the information may only be used to meet the purposes of the study stated in the agreement;
– the restriction on re-disclosure of the information;
– the requirement for destruction of the information when no longer needed.
– Clarifies requirements that information disclosed under this exception is used only to meet the purposes of the study, and that all re-disclosure and destruction requirements are met.
• WVDE uses an Institutional Review Board and Research Review Committee process and has specific forms that data requestors must fill out

Disclosure Exceptions: To Parents of kids 18+

• Regulations clarify that disclosure of education records without consent is permitted to parents in some circumstances:
– When a student is a dependent student under the IRS tax code;
– When the student has violated a law or the school’s rules or policies governing alcohol or substance abuse, if the student is under 21 years old;
– When the information is needed to protect the health or safety of the student or other individuals in an emergency.
– Ensures that schools understand that FERPA does not block information sharing with parents if any of the above exceptions apply.

Keeping records of disclosures

• At the SEA and LEA, must record name and legitimate interest in cases such as these
– Information disclosed without student’s written consent
– To the parent of an eligible student
– In response to a lawfully issued court order or subpoena
  • However there must still be an attempt to notify the parent in these cases unless it is in response to a threat on the student’s safety
– For external research purposes where individual students have been identified
– In response to an emergency
  • Emergencies do not require parental notification
  • These include endangerment to the health or well-being of a student
• Note this is why WVDE has the Research Proposal Application (and its process) and Data Security Agreements

More Exceptions

• Financial Aid
– To persons or organizations providing student financial aid, or determining financial aid decisions
• Enrollment
– To officials at institutions in which a student seeks to enroll or has enrolled so long as the disclosure is in connection with the student’s enrollment
• Judicial Order / Subpoena
– Note that a reasonable attempt at parental notification is required!
• Accreditation
– To accrediting organizations and other entities conducting educational studies
• Health & Safety Emergency
– When necessary to protect the health or safety of the student or other persons

More Exceptions

• USA Patriot Act
– Information relevant to an investigation or prosecution of an act of terrorism
• Campus Sex Crimes Prevention Act
– Schools are permitted to disclose information about registered sex offenders
• Clery Act
– Requires a school to inform the accuser and the accused of the outcome of a school’s disciplinary proceeding of an alleged sex offense (name, violation, and sanction imposed).
– A school may not require the accuser to execute a non-disclosure agreement.
• School Officials with a legitimate educational interest
• Specified officials for audit or evaluation purposes

http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

FERPA & HIPAA

• At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district.

What Can – and Can’t – Be Released

• Individual student data can never be publicly published or released.

• Summary (aggregated) data can be released, but only if the group size is large enough (>10) to protect the privacy of individual members of the group.

• When the identity of an individual student could be inferred due to small group size in a report, treat that report as confidential.

The summary reports to which you have access may contain small group sizes, and should therefore be treated as confidential.

Unauthorized disclosures of PII

• Unauthorized disclosures of PII may result in being prohibited from accessing PII for at least five years

• The entity from which the data originated is responsible for the prohibition of access

• Most recent FERPA provisions require documentation and mandatory provisions for written agreements

State Level Security

• Policy 4350 & HB 4316
• WVBE Data Security and Privacy Resolution
• WVDE Data Access & Management Guidance (available online on the WVDE website under the Data tab)
• Limited access at WVDE to WOW through job-related duties justification, supervisor sign-off, and assurance to adhere to FERPA regulations.

Remember

Email is now encrypted in transit nor at rest whether on a work device or a personal device – BUT be cautious
– Attachments & messages opened on personal devices will not be secure
– Sensitive data stored on a personal device is a security breach
– Emails on personal devices that are work-related are subject to FOIA
– Errors are easy with auto-complete names

Remember

• Remind your colleagues that disclosing PII is a violation of state and federal law and policy. School districts are local units of government subject to the same laws and acceptable use policies.

• Do not allow family members or others to use your work devices.

Coming Soon

• Guidance for the “Alert” screen in WOW
– Primarily for student safety
  • Life-threatening allergy information
  • Custody/family information if student safety is at stake
• Local rules can still be applied, but some general guidance will come from WVDE

Family Policy Compliance Office

• U.S. Department of Education
– Phone: (202) 260-3887 Fax: (202) 260-9001
– Email: [email protected]
• www.ed.gov/fpco
– FERPA Final Regulations
– Revised Regulation Overviews for LEAs, Parents, Students
– FAQs
• Privacy Technical Assistance Center
– www.ptac.ed.gov
– Webinars, Publications, Case Studies
– FERPA 101 Webinar Recording and Transcript

Check your Quiz!

1. True
2. True
3. True
4. False – annually
5. True
6. False – if he/she HAS legal rights
7. False – do have authority
8. True
9. Grade Level
10. False – social security, cannot be directory information

Check Your Quiz!

11. False – by student ID or other identifier
12. True
13. True
14. True
15a. Yes
15b. Yes
15c. No
15d. No
15e. No
15f. Yes

New Information

• Data Access & Management Guidance document
– Available online on the WVDE homepage under the Data tab
• HB 4316 - Student Data Accessibility, Transparency and Accountability Act
• ZoomWV – West Virginia’s source for accurate, K-12 education information – Coming Soon

Contact Information

• For questions about data privacy and security, please contact:

Carla Howe, Ph.D.
Data Governance [email protected]