Privacy, Confidentiality, and Personally Identifiable Information

Christopher Cassel, Nebraska Department of Education, www.education.ne.gov/nssrs
Scott Summers, Nebraska Department of Education, www.education.ne.gov
2011 State Data Conference


Post on 11-Jan-2016



TRANSCRIPT

Page 1: Privacy, Confidentiality, and Personally Identifiable Information

Privacy, Confidentiality, and Personally Identifiable Information

Christopher Cassel
Nebraska Department of Education
www.education.ne.gov/nssrs

Scott Summers
Nebraska Department of Education
www.education.ne.gov

2011 State Data Conference

Page 2: Privacy, Confidentiality, and Personally Identifiable Information

Agenda

• Privacy Laws
• New Federal “Privacy Technical Assistance Center” (PTAC) Resources
• FERPA Notice of Proposed Rule Making (NPRM)
• Questions

Page 3: Privacy, Confidentiality, and Personally Identifiable Information

Privacy Laws

• Federal Privacy Act
• FERPA
  – Family Education Rights & Privacy Act
• U.S. Department of Agriculture
  – National School Lunch Act
  – Child Nutrition Act
• HIPAA
  – Health Insurance Portability and Accountability Act
• Nebraska State Law

Page 4: Privacy, Confidentiality, and Personally Identifiable Information

Privacy Technical Assistance Center

• New U.S. Department of Education “Chief Privacy Officer”
• New “Privacy Technical Assistance Center” (PTAC)
  – http://nces.ed.gov/programs/ptac
  – Established by U.S. Department of Education’s National Center for Education Statistics (NCES)
  – Seeks to be “one-stop” resource for education stakeholders regarding data:
    • Privacy
    • Confidentiality
    • Security practices

Page 5: Privacy, Confidentiality, and Personally Identifiable Information

PTAC Resources

• Glossary
  – http://nces.ed.gov/programs/ptac/glossary.aspx
• Frequently Asked Questions (FAQs)
• Technical Briefs
  – Three published, seven planned

Page 6: Privacy, Confidentiality, and Personally Identifiable Information

PTAC Technical Brief 1

• “Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records”
  – NCES 2011-601
  – http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011601
  – Summary of terminology and issues

Page 7: Privacy, Confidentiality, and Personally Identifiable Information

Privacy, Confidentiality & PII

Privacy: An individual’s control over who has access to information about him or her

Confidentiality: Relates to the management (and protection) of another individual’s personally identifiable information

Personally Identifiable Information (PII): Includes information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information

Page 8: Privacy, Confidentiality, and Personally Identifiable Information

PII: FERPA Definition (1 of 3)

Personally Identifiable Information (PII)

1. Student's name
2. Name of the student's parent or other family members
3. Address of the student or student's family
4. A personal identifier, such as the student's Social Security Number, student number, or biometric record

Page 9: Privacy, Confidentiality, and Personally Identifiable Information

PII: FERPA Definition (2 of 3)


[Personally Identifiable Information (PII) definition, continued]

5. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name

6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty

Page 10: Privacy, Confidentiality, and Personally Identifiable Information

PII: FERPA Definition (3 of 3)


[Personally Identifiable Information (PII) definition, continued]

7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates

Page 11: Privacy, Confidentiality, and Personally Identifiable Information

Disclosure

• FERPA: “… to permit access to … PII contained in education records … to any party except the party identified …”
• Disclosures may be:
  – Authorized
  – Unauthorized
  – Inadvertent

Page 12: Privacy, Confidentiality, and Personally Identifiable Information

Directory Information


Page 13: Privacy, Confidentiality, and Personally Identifiable Information

PTAC Technical Brief 2

• “Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records”
  – NCES 2011-602
  – http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011602

Page 14: Privacy, Confidentiality, and Personally Identifiable Information

Brief 2: Data Stewardship

• Defines “Data Stewardship” and recommends actions to ensure confidentiality
  – Conduct PII inventory
  – Implement internal controls to protect PII
  – Provide public notice of education records system
• Policies and Procedures

Page 15: Privacy, Confidentiality, and Personally Identifiable Information

Brief 2: Direct vs. Indirect Identifiers

• Direct Identifiers
  – Information unique to the student
    • Name, address, Social Security Number, NDE Student ID, photographs, etc.
• Indirect Identifiers
  – Information not unique to the student but can be used in combination with other information about the student to identify a specific student
    • Race/ethnicity, date of birth, place of birth, grade level, participation in a particular program, etc.
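
How indirect identifiers single out a student only in combination can be checked on a roster before release. The sketch below is an added example, not part of the presentation or of NDE's procedures; the column names, the constructed roster, and the minimum group size `k` are assumptions.

```python
from collections import Counter
from itertools import combinations

# Indirect identifiers of the kind the slide lists; column names are hypothetical.
INDIRECT = ("race_ethnicity", "birth_year", "grade", "program")

# Constructed sample roster, direct identifiers (name, SSN, student ID) already removed.
_ROWS = [
    ("White", 2000, 5, "none"), ("White", 2000, 5, "none"),
    ("White", 2001, 5, "program_a"), ("Hispanic", 2001, 5, "none"),
    ("Hispanic", 2000, 6, "program_a"), ("White", 2001, 6, "none"),
    ("Hispanic", 2000, 6, "program_a"), ("Hispanic", 2001, 6, "none"),
]
ROSTER = [dict(zip(INDIRECT, row)) for row in _ROWS]


def exposed_rows(rows, fields, k=2):
    """Indexes of rows whose values on `fields` are shared by fewer than k rows."""
    def key(row):
        return tuple(row[f] for f in fields)
    sizes = Counter(key(r) for r in rows)
    return [i for i, r in enumerate(rows) if sizes[key(r)] < k]


def exposure_report(rows, fields=INDIRECT, k=2):
    """Map every non-empty combination of fields to its count of exposed rows."""
    report = {}
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            report[combo] = len(exposed_rows(rows, combo, k))
    return report


if __name__ == "__main__":
    # No single column isolates anyone here; several combinations do.
    for combo, count in exposure_report(ROSTER).items():
        if count:
            print(f"{count} of {len(ROSTER)} rows isolated by {' + '.join(combo)}")
```

On this roster every single column leaves each student in a group of at least three, yet race/ethnicity plus grade level already isolates two students and all four columns together isolate four.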

Page 16: Privacy, Confidentiality, and Personally Identifiable Information

Brief 2: Sensitivity

• Not all personally identifiable data have the same level of sensitivity.
  – Sensitivity should be evaluated both in terms of the specific data element and other available personally identifiable data elements.
    • Note that an individual’s SSN, medical history, or financial account information is generally considered more sensitive than an individual’s phone number or ZIP code.

Page 17: Privacy, Confidentiality, and Personally Identifiable Information

PTAC Technical Brief 3

• “Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting”
  – NCES 2011-603
  – http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011603

Page 18: Privacy, Confidentiality, and Personally Identifiable Information

Brief 3: Reporting Rules

• Identifies best practices
• Recommends reporting rules to avoid unauthorized or inadvertent disclosures
  – Masking Rules
    • For examples, see “NDE Data Access and Use Policies and Procedures”

Page 19: Privacy, Confidentiality, and Personally Identifiable Information

NDE Data Access and Use Policy and Procedures

• Available on NSSRS Resources page of Nebraska Student and Staff Record System website (www.education.ne.gov/nssrs)

• Establishes NDE procedures for collecting, maintaining, disclosing, and disposing of education records containing PII

• NDE masking rules defined


Page 20: Privacy, Confidentiality, and Personally Identifiable Information

Future PTAC Technical Briefs

• Upcoming briefs will focus on:
  – Different types of data sharing and data use agreements
  – Electronic data security
  – Privacy training
• Release dates to be determined

Page 21: Privacy, Confidentiality, and Personally Identifiable Information

Monday, April 27, 2009


Page 22: Privacy, Confidentiality, and Personally Identifiable Information

FERPA Clarifications

• Handout: “Safeguarding Student Privacy”
• Notice of Proposed Rule Making (NPRM)
  – http://www.gpo.gov/fdsys/pkg/FR-2011-04-08/pdf/2011-8205.pdf
• Public comment accepted by USDE:
  – Until May 23, 2011
  – At http://www.regulations.gov

Page 23: Privacy, Confidentiality, and Personally Identifiable Information

Summary of Proposed FERPA Changes

1. Stronger Enforcement
2. Ensuring the Safety of Students
  – Protect students from marketers or criminals
  – Allow student ID or badge to be worn or presented
3. Ensuring effectiveness of Publicly Funded Programs
  – Allow states to enter research agreements with organizations not under their “direct control”
4. Promoting research on effectiveness
  – Sharing data on how high school graduates perform academically in college

Page 24: Privacy, Confidentiality, and Personally Identifiable Information

Reminders

• Districts provide much public reporting
• Policies and procedures
• Communication and a team-based “Data Quality Culture”

Page 25: Privacy, Confidentiality, and Personally Identifiable Information

Resources

• Family Policy Compliance Office (FPCO)
  – www2.ed.gov/policy/gen/guid/fpco/index.html
• Privacy Technical Assistance Center (PTAC)
  – nces.ed.gov/programs/ptac
• NSSRS Information
  – www.education.ne.gov/nssrs
• NDE Bulletins
  – www.education.ne.gov/ndebulletins

Page 26: Privacy, Confidentiality, and Personally Identifiable Information

Questions?


Page 27: Privacy, Confidentiality, and Personally Identifiable Information

Partnering with Districts for Data Quality

Data Quality
