Page 1: SLDS Technical Brief #2: Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records NCES Publication # 2011-602

SLDS Technical Brief #2: Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records

NCES Publication # 2011-602

http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011602

Marilyn Seastrom, NCES

Baron Rodriguez, AEM

Tom Szuba, QIP

American Educational Research Association (AERA)

April 9, 2011

Page 2:

Educational Data Stewardship Defined

An organizational commitment to ensure that data in education records, including PII, are:

• Accurate, complete, timely, and relevant for the intended purpose;

• Collected, maintained, used, and disseminated in a way that respects privacy and ensures confidentiality and security;

• Meeting the goal of promoting access to the data for evaluating and monitoring educational progress and educational programs;

• Meeting the goal of assuring accuracy, so that decisions relating to an individual student’s rights and opportunities are based on the BEST possible information.

Page 3:

Personally Identifiable Information Defined

“Information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information” (34 CFR subsection 99.3)

Page 4:

Inventory Task: Confirm the need

The Fair Information Practice of Data Minimization and Retention calls for “only collecting personally identifiable information that is directly relevant and necessary to accomplish the specified purpose(s) [and for] only retaining personally identifiable information for as long as is necessary to fulfill the specified purpose(s).”

Page 5:

Confirming the need to maintain PII

The National Forum on Education Statistics identifies the following K12 administrative uses of student education records:

• Instruction

• Operations

• Management

• Accountability

• Research & Evaluation

Page 6:

Creating an Inventory of PII

• Governance/Data Subcommittee creates an inventory of PII with the following elements:

• Content/definition

• Type of identifier: Direct/Indirect

• PPRA variable status

• Specific use/relevance

• Accuracy

• Timeliness

• Level of risk from disclosure (H/M/L)

Page 7:

Key Component – Data Governance Oversight

• Data Governance Committee

• Management

• Legal Counsel

• Data system administrator

• Data Providers (LEAs, IHEs, intra/inter-agency providers)

• Data Managers

• Data Users

Page 8:

Key Component – Privacy & Data Protection Plans

• Each entity that has student records with PII should have:

• Policies/rules/regulations that are comparable across levels (IHE, SEA, LEA)

• An inventory of PII within existing student records

Page 9:

Direct & Indirect Identifiers

Direct:

Provide information that is unique to the student or student’s family such as name, address, SSN, or state student ID.

Indirect:

Are not unique to the student or student’s family but can be used in combination with other information about the student to identify a specific student, such as race/ethnicity, date of birth, place of birth, mother’s maiden name, grade level, program participation, and course enrollment.

Page 10:

PII in Educational Data

Includes, but is not limited to the following:

1. Student’s name

2. Name of the student’s parent or other family members

3. The address of the student or student’s family

4. A personal identifier such as the student’s SSN, student number, or biometric record.

5. Other indirect identifiers such as the student’s date of birth, place of birth, and mother’s maiden name.

6. Other information that alone, or in combination is linked or linkable to a specific student that would allow a person in the school community to identify the student with reasonable certainty

7. Information requested by a person who the agency or institution reasonably believes knows the identity of the student to whom the education record relates.

Page 11:

Example: Combinations of PII

Extra! Extra! 13 year old Asian student brutally assaulted!
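The headline above shows how indirect identifiers (age and race/ethnicity, neither unique on its own) combine into a direct pointer at one student. The following is an added example, not code from the brief: the check a data steward can run before releasing a table. It counts how many students share each combination of indirect identifiers and suppresses combinations shared by fewer than k students. The roster, field names and the threshold k=3 are constructed assumptions.

```python
"""Small-cell / re-identification check over indirect identifiers.

Added example (not part of the NCES brief). A combination of indirect
identifiers that matches a single student lets anyone who knows a few
facts about that student (e.g. from a news story) pick the record out of
a supposedly de-identified table.
"""
from collections import Counter

# Constructed sample roster: placeholder IDs, not real students.
ROSTER = [
    {"id": "S001", "age": 13, "race_ethnicity": "Asian", "grade": 8, "program": "ELL"},
    {"id": "S002", "age": 13, "race_ethnicity": "White", "grade": 8, "program": None},
    {"id": "S003", "age": 13, "race_ethnicity": "White", "grade": 8, "program": None},
    {"id": "S004", "age": 14, "race_ethnicity": "Hispanic", "grade": 8, "program": "IEP"},
    {"id": "S005", "age": 13, "race_ethnicity": "White", "grade": 8, "program": "IEP"},
    {"id": "S006", "age": 12, "race_ethnicity": "Black", "grade": 7, "program": None},
]


def cell_sizes(records, quasi_identifiers):
    """Map each combination of the chosen indirect identifiers to the number of students sharing it."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def matches(records, **known_facts):
    """IDs of students whose record is consistent with everything an outsider already knows."""
    return [r["id"] for r in records if all(r.get(k) == v for k, v in known_facts.items())]


def small_cells(records, quasi_identifiers, k=3):
    """Combinations shared by fewer than k students: these carry disclosure risk."""
    return {combo: n for combo, n in cell_sizes(records, quasi_identifiers).items() if n < k}


def suppress(records, quasi_identifiers, k=3):
    """Drop rows in small cells before release (one simple k-anonymity-style treatment;
    generalising values, e.g. age bands, is the usual alternative to dropping rows)."""
    sizes = cell_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[tuple(r[q] for q in quasi_identifiers)] >= k]


if __name__ == "__main__":
    # The facts in the headline: 13 years old, Asian. One match means one student re-identified.
    print("headline matches:", matches(ROSTER, age=13, race_ethnicity="Asian"))
    print("small cells:", small_cells(ROSTER, ("age", "race_ethnicity")))
    print("releasable rows:", [r["id"] for r in suppress(ROSTER, ("age", "race_ethnicity"))])
```

Run against the constructed roster, the two facts in the headline match exactly one student, and three of the four age/race combinations fall below k=3; only the three students in the (13, White) cell would survive suppression. The same functions accept any column names, so the check generalises to whatever indirect identifiers the PII inventory lists for a release.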

Page 12:

PPRA – Protection of Pupil Rights Amendment

• Requires written parental consent before a minor student can be required to participate in any survey, analysis or evaluation funded by ED in the following categories:

• Political affiliations/beliefs of the student or parent

• Mental & psychological problems of the student/family

• Sex behavior or attitudes

• Illegal, antisocial, self-incriminating and demeaning behavior

• Critical appraisals of other individuals with whom respondents have close family relationships

• Legally recognized privileged or analogous relationships such as those of lawyers, physicians, and ministers

• Religious practices, affiliations, or beliefs of the student or student’s parents

• Income (other than program participation eligibility or financial aid)

Page 13:

Identifying Risk Levels with different types of PII

• Evaluate sensitivity of elements

• Set level of protection based on sensitivity level

• Evaluate risk of harm associated with each element

• Set protections/security/access levels based on sensitivity of elements.

Page 14:

Educator Personally Identifiable Information

• SLDS requirement to link teachers/students

• Educator data (ID in combination with other identifiable fields) should be treated as PII

• Can be used in combination with student information to identify students, as an indirect identifier.

• Although not protected by FERPA, should be protected similarly to identifiable student data.

Page 15:

Internal Controls to Protect PII

1. Assignment of new unique student ID within SLDS

2. Workforce security controls (limiting access)

3. Role-based management techniques

4. Conditions of use (rules for protection, destruction, archival)

5. Data breach planning

Page 16:

Internal Control #1 – New Unique Student ID

• SSN is recommended to be part of the student record for linkage purposes.

• Duplicate resolution process needs to be in place.

• SSN should be stored in a separate secure location.

• Linking code to state unique student ID also needs to be stored in a separate secure location.

• Limit the # of staff who have access to either of these tables.

• Limit the # of staff who have knowledge of the methodology used to generate linking code.
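The control above separates three things: the education record, the SSN, and the code that links them. The following added example (not code from the brief or from any state's SLDS) shows one way to build that separation: the record store holds only a randomly generated state student ID and refuses to accept an SSN, while a separate linkage store maps SSN to ID and resolves duplicates so a student re-submitted by a second LEA gets the same ID. Class and method names, the keyed-digest choice and the sample SSN are this example's own assumptions.

```python
"""Student ID linkage with the SSN held in a separate store.

Added example, not code from the NCES brief. The education record carries
only a state student ID generated at random, so the ID reveals nothing
about the SSN. The SSN -> ID link lives in a LinkageStore meant to run on
a separate, restricted system; the RecordStore never holds an SSN.
"""
import hashlib
import hmac
import secrets


class LinkageStore:
    """SSN -> state student ID table; deployed separately with its own access list."""

    def __init__(self, key: bytes):
        # Key held only by the linkage system (assumption: provisioned from its own
        # key store). An unkeyed hash of an SSN is brute-forceable, since there are
        # only about 10^9 possible SSNs, so a keyed HMAC is used and the key is the
        # secret that someone holding just this table would lack.
        self._key = key
        self._link: dict[str, str] = {}

    def _digest(self, ssn: str) -> str:
        normalized = ssn.replace("-", "")  # "123-45-6789" and "123456789" are the same SSN
        return hmac.new(self._key, normalized.encode(), hashlib.sha256).hexdigest()

    def resolve(self, ssn: str) -> str:
        """Return the ID already linked to this SSN (duplicate resolution) or mint a new random one."""
        d = self._digest(ssn)
        if d not in self._link:
            self._link[d] = "ST" + secrets.token_hex(5).upper()  # random; not derived from the SSN
        return self._link[d]

    def __len__(self) -> int:
        return len(self._link)


class RecordStore:
    """Education records keyed by state student ID; never stores the SSN."""

    def __init__(self):
        self._records: dict[str, dict] = {}

    def upsert(self, student_id: str, **fields) -> None:
        if any(k.lower() in ("ssn", "social_security_number") for k in fields):
            raise ValueError("SSN is not permitted in the education record")
        self._records.setdefault(student_id, {}).update(fields)

    def get(self, student_id: str) -> dict:
        return dict(self._records[student_id])


def enroll(linkage: LinkageStore, records: RecordStore, ssn: str, **fields) -> str:
    """Resolve the SSN to a student ID in the linkage store, then write the record without the SSN."""
    student_id = linkage.resolve(ssn)
    records.upsert(student_id, **fields)
    return student_id


if __name__ == "__main__":
    link = LinkageStore(secrets.token_bytes(32))
    recs = RecordStore()
    first = enroll(link, recs, "123-45-6789", name="Sample Student", grade_level=8)  # constructed SSN
    second = enroll(link, recs, "123456789", grade_level=9)  # same student, re-submitted by another LEA
    print(first == second, len(link), recs.get(first))
```

Because the ID is random rather than derived from the SSN, knowing the generation method alone does not let anyone walk back from an ID to an SSN; the slide's remaining controls (few staff with access to the linkage table, few who know the method) then apply to the linkage system only, not to everyone who works with student records.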

Page 17:

Internal Control #2 – Controls for staff accessing PII

• Staff should have appropriate security screenings such as criminal background checks.

• Agencies should require annual training around protection of these data.

• Cover rules/procedures & safeguards, as well as penalties for misuse of information.

• Require signed Affidavits of Nondisclosure

Page 18:

Sample Affidavit of Nondisclosure

Page 19:

Sample Affidavit of Nondisclosure


STATEMENT OF CONFIDENTIALITY AND NONDISCLOSURE I, _____________________________________, as an employee/contractor/intern/volunteer of the Iowa Department of Education (DE) or authorized representative of a state or local education authority, may have access to confidential information processed, stored, or managed by DE systems. Confidential information includes all information protected by state or federal law, especially relevant to DE data are: the federal laws of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA); section 22.7 of the Iowa Code; Chapter 281-5 of the Iowa Administrative Code; and DE confidentiality policy delineating confidential information in the classes of 1) sealed bids before opening; 2) tax records, 3) minutes from a closed government meeting, 4) attorney work product, and 5) personally identifiable, non-directory information. I acknowledge that unauthorized disclosure, retention, or negligent handling of confidential information could compromise the integrity of DE systems, cause damage to the reputation of DE, impede operations, may violate state or federal law, and may subject me to the loss of state and federal funds from other contracts, as any breach of this agreement may be shared with those federal, state, and local agencies with which the DE collaborates. Further, I am fully aware any breach I am responsible for may result in the termination of my contract/memorandum of understanding with DE and may affect future prospects for contracts between me and the DE. I understand that it is a violation of this agreement to read, copy, modify, delete, distribute or otherwise access confidential information unless required to do so to complete my assigned duties. I understand that I shall not discuss confidential information processed, stored or managed by DE with anyone outside of DE unless required as part of my job. 
I understand that I shall not discuss confidential information with anyone else at DE or elsewhere unless required to do so to complete my assigned duties and the person provided the information is authorized to view it. I acknowledge that I will implement appropriate physical, electronic and managerial safeguards to prevent unauthorized access to, or disclosure of, confidential information. I understand that I am required to promptly destroy or return all confidential information upon request of the DE management. I understand that this Confidentiality and Nondisclosure Agreement remains in full force and effect after the conclusion, termination or expiration of my work with DE. I understand that violation of this agreement by me may personally lead to: loss of access privileges to DE systems; termination; and that a court of competent jurisdiction may impose damages against me under Iowa Code section 22.10. I understand that a breach of the above obligations by me may require me to defend, indemnify, and hold harmless DE from actual damages or losses that result from its breach. This includes attorneys' fees and costs of suit. My signature below attests that I fully understand and agree with the above statements, terms and conditions.

Signature Date Signature, Jim Addy, Iowa Department of Education Date

Elements highlighted in the sample affidavit:

• Citations to applicable laws

• Consequences

• Time period

Page 20:

Example Security Training


Test Questions

1. When carrying data on a laptop, you should always be aware of what type of data is being stored on the laptop, including the contents of documents or presentations. What kind of data is safe to have on a laptop?

a. Confidential/Personal Data
b. Public Data
c. Student Data
d. All of the above

2. Although certain types of data can be carried on a laptop, what is a more secure way to carry that data?

a. On a floppy disk
b. On a flash drive
c. On a CD-ROM
d. Encrypted

3. What is the proper course of action if you are using an ODE laptop and it is stolen?

a. Notify your supervisor
b. Notify the police
c. Notify the ODE CIO or CISO
d. All of the above

4. When complying with document retention schedules, ODE has which kinds?

a. General
b. Special
c. Federal
d. All of the above

6. Attempts to find information by learning about you is called?

a. Social Engineering
b. Data Mining
c. Resource Surfing
d. Being Friendly

7. You can greatly reduce the risk of having a malicious website install something without you knowing if you:

a. Open links only from reputable sources
b. Only install programs that have familiar-sounding names (Adobe, etc.)
c. Run without administrator rights unless needed
d. No steps needed, anti-virus programs will block threats automatically

Page 21:

Internal Control #3 – Role-based access

• Use of student record components varies based on roles:

Page 22:

Internal Control # 3 – Role-based access

• Use job descriptions to identify sets of data elements needed by groups of data users.

• Define roles based on groups of employees.
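The two bullets above describe roles as sets of data elements derived from job descriptions. The following added example (not code from the brief) implements that directly: a role is a set of element names, a view of a record returns only those elements and denies everything else by default, and two small audit helpers answer the governance questions the deck raises elsewhere, namely which roles can see each high-risk element and whether any role has been granted an element missing from the PII inventory. The inventory, the roles and the sample record are constructed assumptions.

```python
"""Role-based views of student record elements.

Added example, not from the NCES brief. Roles are sets of data elements
(from job descriptions); view() returns only those elements. The element
inventory carries the identifier type and disclosure risk level so the
grants can be reviewed against it.
"""

# Element inventory (constructed): name -> (identifier type, level of risk from disclosure)
INVENTORY = {
    "student_id": ("direct", "high"),
    "name": ("direct", "high"),
    "address": ("direct", "high"),
    "date_of_birth": ("indirect", "medium"),
    "race_ethnicity": ("indirect", "medium"),
    "grade_level": ("indirect", "low"),
    "course_enrollment": ("indirect", "low"),
    "program_participation": ("indirect", "high"),
    "attendance_days": ("other", "low"),
}

# Roles (constructed) as the sets of elements each job actually needs
ROLES = {
    "classroom_teacher": {"student_id", "name", "grade_level", "course_enrollment", "attendance_days"},
    "program_coordinator": {"student_id", "name", "grade_level", "program_participation"},
    "research_analyst": {"grade_level", "course_enrollment", "attendance_days", "race_ethnicity"},
}

# Constructed sample record; placeholder values only
SAMPLE_RECORD = {
    "student_id": "ST0001", "name": "Sample Student", "address": "1 Example St",
    "date_of_birth": "2011-05-02", "race_ethnicity": "Asian", "grade_level": 8,
    "course_enrollment": ["ALG1"], "program_participation": "ELL", "attendance_days": 170,
}


def view(record: dict, role: str) -> dict:
    """Return only the elements the role is granted; an unknown role sees nothing."""
    allowed = ROLES.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def who_can_see(element: str) -> set:
    """Roles granted a given element."""
    return {role for role, elems in ROLES.items() if element in elems}


def high_risk_grants() -> dict:
    """Each high-risk element mapped to the roles that can see it, for governance review."""
    return {e: who_can_see(e) for e, (_, risk) in INVENTORY.items() if risk == "high"}


def ungoverned_grants() -> dict:
    """Elements granted to a role but absent from the inventory (e.g. added by a system update)."""
    known = set(INVENTORY)
    return {role: elems - known for role, elems in ROLES.items() if elems - known}


def sees_direct_identifiers(role: str) -> bool:
    """True if the role can see any direct identifier."""
    return any(INVENTORY.get(e, ("unknown", ""))[0] == "direct" for e in ROLES.get(role, set()))


if __name__ == "__main__":
    for role in ROLES:
        print(role, sorted(view(SAMPLE_RECORD, role)), "direct IDs:", sees_direct_identifiers(role))
    print("high-risk grants:", high_risk_grants())
    print("ungoverned grants:", ungoverned_grants())
```

In this arrangement the research analyst role sees no direct identifier at all, which is the point of defining roles from job descriptions rather than handing out whole records; ungoverned_grants() is the check to run after a system update adds elements, which the deck's audit section asks for.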

Page 23:

Data Quality – Stewardship responsibility

• Systems should be in place to ensure the highest level of quality.

• Regularly updated records

• Programmatic validation

• Cross-collection validation algorithms/routines

• Obsolete record deactivation (not deletion)
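The four bullets above name the mechanisms without showing them. The following added example (not code from the brief) implements each on a small constructed roster: field-level validation that distinguishes hard errors from outliers to be reviewed with data entry staff, a cross-collection check that every course enrollment refers to an active student in the roster, a staleness check for records not updated in a year, and deactivation that keeps the record and the reason instead of deleting it. Field names, the age-for-grade rule (grade + 5, more than two years off flagged as an outlier) and the sample data are this example's assumptions.

```python
"""Programmatic and cross-collection validation with deactivation.

Added example, not from the NCES brief. validate_record() applies
field-level rules to one record; cross_validate() checks enrollments
against the roster; deactivate() retires an obsolete record without
deleting it so the history remains auditable.
"""
from datetime import date


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def validate_record(rec: dict, today: date) -> list:
    """Return data-quality findings for one student record (empty list = clean)."""
    findings = []
    dob = rec.get("date_of_birth")
    grade = rec.get("grade_level")
    if not isinstance(dob, date):
        findings.append("date_of_birth missing")
    elif dob > today:
        findings.append("date_of_birth is in the future")
    if grade is None or not (0 <= grade <= 12):  # kindergarten recorded as 0 (assumption)
        findings.append("grade_level out of range 0..12")
    elif isinstance(dob, date) and dob <= today:
        # Typical age for a grade is grade + 5; more than two years off is an outlier
        # to review with data entry staff, not an automatic error.
        if abs(age_on(dob, today) - (grade + 5)) > 2:
            findings.append("age/grade outlier: review with data entry staff")
    if not rec.get("last_updated") or (today - rec["last_updated"]).days > 365:
        findings.append("record not updated in the last 365 days")
    return findings


def cross_validate(enrollments: list, roster: dict) -> list:
    """Enrollments that reference a student missing from, or inactive in, the roster."""
    problems = []
    for e in enrollments:
        student = roster.get(e["student_id"])
        if student is None:
            problems.append((e["student_id"], e["course"], "not in roster"))
        elif not student["active"]:
            problems.append((e["student_id"], e["course"], "student record deactivated"))
    return problems


def deactivate(roster: dict, student_id: str, reason: str, when: date) -> None:
    """Mark an obsolete record inactive, keeping it and the reason for audit."""
    rec = roster[student_id]
    rec["active"] = False
    rec["deactivated"] = {"reason": reason, "date": when}


# Constructed sample data; placeholder IDs, not real students
TODAY = date(2011, 4, 9)
ROSTER = {
    "ST1": {"date_of_birth": date(1997, 9, 14), "grade_level": 8, "last_updated": date(2011, 3, 1), "active": True},
    "ST2": {"date_of_birth": date(2005, 2, 3), "grade_level": 8, "last_updated": date(2011, 3, 1), "active": True},
    "ST3": {"date_of_birth": date(1996, 6, 30), "grade_level": 14, "last_updated": date(2009, 1, 15), "active": True},
}
ENROLLMENTS = [
    {"student_id": "ST1", "course": "ALG1"},
    {"student_id": "ST9", "course": "ENG8"},  # no such student in the roster
]


def run_checks():
    """Run both validations over the sample data; returns (per-record findings, cross-collection problems)."""
    findings = {sid: validate_record(r, TODAY) for sid, r in ROSTER.items()}
    return findings, cross_validate(ENROLLMENTS, ROSTER)


if __name__ == "__main__":
    per_record, cross = run_checks()
    print(per_record)
    print(cross)
    deactivate(ROSTER, "ST1", "completed grade 12", TODAY)
    print(cross_validate(ENROLLMENTS, ROSTER))
```

On the sample data ST1 is clean, ST2 is flagged as an age/grade outlier (a six-year-old recorded in grade 8 is far more likely a typo than a fact, which is the "anomalies can be real, or not" point on a later slide), and ST3 has both a grade outside the valid range and a stale record. After ST1 is deactivated its enrollment row is reported rather than silently dropped, because the record still exists.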

Page 24:

Internal Control #4 – Use of Education Records

• Establish WHERE student records can be accessed.

• Promulgate rules that prohibit browsing and unauthorized use of information.

• Identify behaviors that could lead to inadvertent unauthorized access & establish rules prohibiting those behaviors.

• Hard copy storage/limit printing; shredding

• Records retention rules

Page 25:

Archival Guidelines

• Governance Committee should develop a schedule and plan for migrating student records to a retrievable archive following a student’s completion at a specific level or departure date.

• Archiving historic student records in a secure environment that is separate from the active system decreases the likelihood of unauthorized/inadvertent disclosures of records of former students.

• Establish a plan for record destruction at the point in time at which it is anticipated the records will no longer be needed.

Page 26:

Internal Control #5 – Breaches of PII

• EVERY privacy & data protection plan should include a response plan.

• Often required by state law!

• Develop a clear description of what constitutes a breach.

• Describe immediate steps to take in the event of a data breach.

• Designate a POC and notification chain involving any PII breach.

Page 27:

NIST 2010 Guide (Protecting the Confidentiality of PII)

• Report should minimally include the following information:

• Name/title/contact info of person reporting the incident.

• Name/title/contact info of person who discovered the incident.

• Date/Time incident was discovered.

• Nature of the incident (electronic, paper)

• Description of information lost or compromised.

Page 28:

NIST Breach Report Guidelines (cont)

• Name of electronic system and interconnectivity.

• Storage medium (tape, disk, laptop?)

• Controls in place to prevent unauthorized use.

• # of individuals potentially affected

• Law enforcement contacted?

Page 29:

Breach Report Example

US Department of Education Computer Security Suspicious Event Report

For Actual or Suspected Personally Identifiable Information Incidents

(Final or Preliminary Report: ______________ ) Date: / /

Contact Information for Incident Handler

Title Organization

Fax E-mail

Room Number

Rack/Cube Location

Time that loss of data was realized

Time Time Zone

Narrative of Incident

Description of data that was lost

Was data on Mobile Media? Yes, No If yes what type?

Laptop DVD Magnetic Tape CD Thumb Drive Other/Specify:

Was Data Encrypted? _______Yes ________No

Were local authorities contacted? _______Yes ________No

Is there a police report? _______Yes ________No (If so please attach it below)

Number of Individuals impacted? __________________

Has notification of Individuals started? If so, explain how/what has started.

Actions Taken to reduce the problem from happening again: (1) What actions have been taken on the system (Back-ups, commands, removed from network, etc). (2) Who has been notified? Times? Other info:

Additional Information: (If this incident is related to a previously reported incident, include any previously assigned incident number for reference.):

System logs/Police Report are attached below (firewall logs, IDS logs, and any other applicable supporting artifacts)

Page 30:

If a breach occurs.. FIRST…

• Conduct an analysis of the likelihood of exposure and potential harm to affected individuals.

• This will drive your mitigation strategies!!

Page 31:

Mitigation strategies of breach

• Establish time span for reporting event.

• Identify how, when, and to whom notification should be made.

• Determine the content of your notification.

• Determine who will deliver the message (Principal, Superintendent, PIO)

• Determine WHO will receive the notification (individuals affected, public, media, etc.)

• Remediation options, if any (e.g. free copy of credit report, credit monitoring, etc.)

• Corrective actions taken and by whom.

Page 32:

Transparency

• People worry about what they can’t see…

• Annual requirements for notification:

• FERPA: Institution, school, or district must provide parents with annual notification of their rights and procedures to use to inspect and review their child’s education records… and notified of disclosures that are permissible under law without their consent…

• Directory: Can be combined with above… types of information school/district has designated directory information…and parents right to opt out of this information.

• PPRA: Parental notification of a study conducted in a school… If related to 8 sensitive topics: political affiliations/beliefs, religious practices, affiliations, or beliefs, mental/psychological problems, sex behavior/attitudes, illegal, anti-social, self-incriminating info, critical appraisals of family members, legally recognized privileged relationships, or income.

Page 33:

Disclosure

• Parents’ rights to consent to disclosures of PII included in the student’s education record must be described in the annual FERPA notice; to this end, schools must:

• Have a parent’s consent prior to the disclosure of education records; and

• Ensure that the consent is signed and dated, specifies which records may be disclosed, states the purpose of the disclosure, and identifies to whom the disclosure may be made.

• The Fair Information Practice of Purpose Specification stresses the importance of “specifically articulating the authority that permits the collection of personally identifiable information and specifically articulating the purpose or purposes for which the personally identifiable information is intended to be used.” The annual FERPA notice should provide information about permissible uses of PII in education records.

• FERPA allows educational agencies and institutions to non-consensually release education records to school officials and other designated entities with legitimate educational interests, but educational agencies or institutions that elect to disclose education records to the authorized entities must use the annual notice to specify the criteria used for identifying a school official and the definition of a legitimate educational interest.

• See FERPA regulations at 34 CFR § 99.31 for a list of cases in which parental consent is not required for disclosure of PII from education records.

Page 34:

Accountability & Auditing

• Data protection plan should provide a plan to demonstrate compliance with internal policies/guidelines around protection of PII.

• LDS PII Audit should validate:

1. Inventory of PII for students/teachers/staff is accurate/complete.

2. Inventory includes required information for each element.

3. Identify updates to system that added new data elements and that those elements were added to inventory.

Page 35:

Accountability & Auditing (cont)

• Data Quality Audit should validate:

• That periodic audits/checkpoints for data quality are occurring and that these checks are built in to the data collection, reporting, and release cycles.

• That data validation checks catch data entry errors and outliers, and provide corrections to data entry staff.

• Anomalies can be real.. Or NOT!!

Page 36:

Contact Info

Privacy TA Center

Website: http://nces.ed.gov/programs/ptac/

Email: [email protected]

Phone: 1-855-249-3072

Fax: 1-855-249-3073  

Family Compliance Policy Office

Website: http://www2.ed.gov/policy/gen/guid/fpco/index.html

Phone: 1-800-USA-LEARN

Issue Brief Comments

NCES is seeking input and comments on these briefs. If you have any comments or suggestions, please send them to

[email protected].
