Privacy, Confidentiality, and Personally Identifiable
InformationChristopher Cassel
Nebraska Department of Educationwww.education.ne.gov/nssrs
Scott SummersNebraska Department of Education
www.education.ne.gov
2011 State Data Conference
1
Agenda
2
• Privacy Laws• New Federal “Privacy Technical Assistance
Center” (PTAC) Resources• FERPA Notice of Proposed Rule Making
(NPRM)• Questions
Privacy Laws
3
• Federal Privacy Act• FERPA– Family Education Rights & Privacy Act
• U.S. Department of Agriculture– National School Lunch Act– Child Nutrition Act
• HIPAA– Health Insurance Portability and Accountability Act
• Nebraska State Law
Privacy Technical Assistance Center
• New U.S. Department of Education “Chief Privacy Officer”
• New “Privacy Technical Assistance Center” (PTAC)– http://nces.ed.gov/programs/ptac – Established by U.S. Department of Education’s National
Center for Education Statistics (NCES)– Seeks to be “one-stop” resource for education
stakeholders regarding data:• Privacy• Confidentiality• Security practices
4
PTAC Resources
• Glossary – http://nces.ed.gov/programs/ptac/glossary.aspx
• Frequently Asked Questions (FAQs)• Technical Briefs– Three published, seven planned
5
PTAC Technical Brief 1
• “Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records”– NCES 2011-601– http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011601
– Summary of terminology and issues
6
Privacy, Confidentiality & PII
Privacy An individual’s control over who has access to information about him or her
Confidentiality Relates to the management (and protection) of another individual’s personally identifiable information
Personally Identifiable Information (PII)
Includes information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information
7
PII: FERPA Definition (1 of 3)
8
Personally Identifiable Information (PII)1. Student's name2. Name of the student's parent or other family
members3. Address of the student or student's family4. A personal identifier, such as the student's Social
Security Number, student number, or biometric record
PII: FERPA Definition (2 of 3)
9
[Personally Identifiable Information (PII) definition, continued]
5. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name
6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty
PII: FERPA Definition (3 of 3)
10
[Personally Identifiable Information (PII) definition, continued]
7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates
Disclosure
11
• FERPA: “… to permit access to … PII contained in education records … to any party except the party identified …”
• Disclosures may be:– Authorized– Unauthorized– Inadvertent
Directory Information
12
PTAC Technical Brief 2
• “Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records” – NCES 2011-602– http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011602
13
Brief 2: Data Stewardship
• Defines “Data Stewardship” and recommends actions to ensure confidentiality– Conduct PII inventory– Implement internal controls to protect PII– Provide public notice of education records system
• Policies and Procedures
14
Brief 2: Direct vs. Indirect Identifiers
• Direct Identifiers– Information unique the student• Name, address, Social Security Number, NDE Student
ID, photographs, etc.
• Indirect Identifiers – Information not unique to the student but can be
used in combination with other information about the student to identify a specific student• Race/ethnicity, date of birth, place of birth, grade level,
participation in a particular program, etc.15
Brief 2: Sensitivity
16
• Not all personally identifiable data have the same level of sensitivity.– Sensitivity should be evaluated both in terms of
the specific data element and other available personally identifiable data elements. • Note that an individual’s SSN, medical history, or
financial account information is generally considered more sensitive than an individual’s phone number or ZIP code.
PTAC Technical Brief 3
• “Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting” – NCES 2011-603– http://nces.ed.gov/pubsearch/pubsinfo.asp?pubid=2011603
17
Brief 3: Reporting Rules
• Identifies best practices• Recommends reporting rules to avoid
unauthorized or inadvertent disclosures– Masking Rules• For examples, see “NDE Data Access and Use Policies
and Procedures”
18
NDE Data Access and Use Policy and Procedures
• Available on NSSRS Resources page of Nebraska Student and Staff Record System website (www.education.ne.gov/nssrs)
• Establishes NDE procedures for collecting, maintaining, disclosing, and disposing of education records containing PII
• NDE masking rules defined
19
Future PTAC Technical Briefs
• Upcoming briefs will focus on:– Different types of data sharing and data use
agreements– Electronic data security– Privacy training
• Release dates to be determined
20
Monday, April 27, 2009
21
FERPA Clarifications
• Handout: “Safeguarding Student Privacy”• Notice of Proposed Rule Making (NPRM)
– http://www.gpo.gov/fdsys/pkg/FR-2011-04-08/pdf/2011-8205.pdf
• Public comment accepted by USDE:– Until May 23, 2011– At http://www.regulations.gov
22
Summary of Proposed FERPA Changes
1. Stronger Enforcement2. Ensuring the Safety of Students– Protect students from marketers or criminals– Allow student ID or badge to be worn or presented
3. Ensuring effectiveness of Publicly Funded Programs– Allow states to enter research agreements with
organizations not under their “direct control”
4. Promoting research on effectiveness– Sharing data on how high school graduates perform
academically in college
23
Reminders
• Districts provide much public reporting• Policies and procedures• Communication and a team-based “Data
Quality Culture”
24
Resources
• Family Policy Compliance Office (FPCO)– www2.ed.gov/policy/gen/guid/fpco/index.html
• Privacy Technical Assistance Center (PTAC)– nces.ed.gov/programs/ptac
• NSSRS Information– www.education.ne.gov/nssrs
• NDE Bulletins– www.education.ne.gov/ndebulletins
25
Questions?
26
Partnering with Districts for Data Quality
Data Quality
27