
Using Student Aid Data for Program Evaluation and Research: Legal Requirements and Best Practices

Session 55. Using Student Aid Data for Program Evaluation and Research: Legal Requirements and Best Practices. Michael Hawes and Benjamin Ferraro | Nov-Dec. 2016 Office of the Chief Privacy Officer, U.S. Department of Education 2016 FSA Training Conference for Financial Aid Professionals.


Presentation Transcript


  1. Session 55 Using Student Aid Data for Program Evaluation and Research: Legal Requirements and Best Practices Michael Hawes and Benjamin Ferraro | Nov-Dec. 2016 Office of the Chief Privacy Officer, U.S. Department of Education 2016 FSA Training Conference for Financial Aid Professionals

  2. Presentation Overview • Introduction • Covered Data • Applicable Laws • Scenarios • Takeaways • Resources • Questions

  3. Introduction This presentation is intended as a high-level overview of the issues involved in the use of students’ financial aid information for program evaluation and research purposes. For more information please consult: • Office of the Chief Privacy Officer (OCPO) letter to UNC (10/31/16) • OCPO letter to Suffolk University (9/21/16) • PTAC guidance on IHEs using financial aid data for evaluation and research (forthcoming)

  4. Why? The Department of Education has seen an increase in questions from schools about whether they can use financial aid data for audits, program evaluations, and research. We will only be covering data that is accessible to or maintained by Institutions of Higher Education (IHEs).

  5. Q: What Kinds of Financial Aid Data? • Free Application for Federal Student Aid (FAFSA): Student and parent demographic & financial information • Institutional Student Information Record (ISIR): Contains processed student information reported on FAFSA and NSLDS financial aid history information • National Student Loan Data System (NSLDS): Student enrollment, demographic, and loan information • Student Records: Any records that directly relate to the student and are collected or maintained by (or on behalf of) an educational agency or institution

  6. [Diagram of data sources: NSLDS, University, ISIR, Education Records, FAFSA]

  7. Applicable Laws, Agreements, Etc. • Family Educational Rights and Privacy Act (FERPA) • Higher Education Act (HEA) • Privacy Act • Student Aid Internet Gateway (SAIG) Agreement

  8. FERPA: What is it? • Applies to all institutions receiving Federal funds under any program administered by the Secretary of Education • Gives parents (and eligible students) the right to access and seek to amend their children’s education records • Protects personally identifiable information (PII) from education records from unauthorized disclosure • Requires written consent before sharing PII – unless an exception applies

  9. FERPA Definitions Personally Identifiable Information (PII) is information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Education Records are any records directly related to the student that are maintained by, or on behalf of, an educational agency or institution.

  10. But wait, there are exceptions…

  11. FERPA: Financial Aid Exception Education records may be disclosed in connection with financial aid for which the student has applied or which the student has received, if the information is necessary for such purposes as to: • Determine eligibility for the aid; • Determine the amount of the aid; • Determine the conditions for the aid; • Enforce the terms and conditions of the aid

  12. FERPA: School Official Exception PII can be disclosed from education records without consent to other third-party school officials if they: • Perform an institutional service or function for which the agency or institution would otherwise use employees; • Are under the direct control of the agency or institution with respect to the use and maintenance of education records; • Only use PII from education records for the purposes for which the disclosure was made; • Meet the criteria specified in the institution’s annual notification of FERPA rights

  13. FERPA: Audit / Evaluation Exception Federal, State, and local officials listed under § 99.31(a)(3), or their authorized representatives, may have access to education records – • in connection with an audit or evaluation of Federal or State supported education programs, or • for the enforcement of, or compliance with, Federal legal requirements which relate to those programs.

  14. FERPA: Studies Exception PII from education records may be disclosed in connection with certain studies conducted “for or on behalf of” schools, school districts, or postsecondary institutions • Studies must be for the purpose of - Developing, validating, or administering predictive tests; - Administering student aid programs; or - Improving instruction

  15. Higher Education Act • The HEA authorizes numerous federal aid programs that provide support to both individuals pursuing a postsecondary education and institutions of higher education • The provisions of the HEA apply differently for information collected or derived from the student application for federal student aid (FAFSA/ISIR) and the data contained in the NSLDS

  16. Higher Education Act: FAFSA FAFSA/ISIR Data may only be used for the application and administration of aid awarded under Federal student aid programs, state aid, or aid awarded by eligible institutions or such entities as the Department may designate. The Department interprets “administration of aid” to include audits and program evaluations necessary for the efficient and effective administration of those aid programs.

  17. Higher Education Act: NSLDS With regard to NSLDS data, the HEA also: • Prohibits nongovernmental researchers and policy analysts from accessing personally identifiable information • Prohibits use of NSLDS data for marketing purposes

  18. Privacy Act Prohibits Federal agencies from disclosing records from systems of records without prior written consent…unless (among other exceptions) the disclosure is: • to a recipient who has provided written assurance that the record will be used solely as a statistical research or reporting record and the record is to be transferred in a form that is not individually identifiable (5 USC §552a(b)(5)) “The Privacy Act permits the non-consensual disclosure of records to a recipient… who has provided the Department with written assurance that the records will be used solely for statistical research purposes and that the records will be transferred in a form that is not individually identifiable.” OCPO Response to Suffolk

  19. Student Aid Internet Gateway • The agreement establishes the conditions under which the Department will provide to the Agency certain data received or generated by the Department concerning FAFSA applicants • The Department has a contractual agreement with every IHE that receives financial aid through the SAIG • All proposed data uses must be consistent with this agreement

  20. SAIG Agreement Under the SAIG Agreement, access, disclosure and use of data is limited to “authorized personnel.” The Department interprets “authorized personnel” to include anyone who is permitted access to the information under all applicable statutes and regulations. OCPO Response to UNC-GA

  21. In instances where more than one law/regulation applies, the most restrictive provisions from each law will jointly apply.

  22. [Diagram: the data sources (NSLDS, University, ISIR, Education Records, FAFSA) labeled with the laws and agreements that apply to them (HEA, Privacy Act, FERPA, SAIG)]

  23. Scenario I Can a university provide an outside researcher with de-identified NSLDS data to study student loan servicing and borrower default and delinquency of the university’s students and graduates?

  24. Scenario I (continued) • HEA: If the NSLDS data are de-identified, then there is no violation • FERPA: If the NSLDS data are de-identified, then there is no violation • Privacy Act: Permissible if the researcher provides the Department with assurance that the NSLDS records contain no PII and that their use will be for statistical research purposes only

  25. Is it permissible? YES • FERPA: Yes: the NSLDS data are de-identified • HEA: Yes: the NSLDS data are de-identified • Privacy Act: Yes: the NSLDS data are de-identified and researcher has provided assurances to the Department

  26. Scenario II Is it permissible for a university to provide its development office with PII from ISIR (FAFSA) records for the purposes of school development and fundraising?

  27. Scenario II (continued) • HEA: Not permissible because the activities of a development office would generally not include the award and administration of financial aid (this is especially true of fundraising) and the records contain PII • FERPA: Could be permissible under the School Official exception, if the requirements are met • Privacy Act: Not permissible because the records contain PII, and this is not a specified routine use

  28. Is it permissible? NO • FERPA: Yes: School Official Exception • HEA: No: The use is not for the award and administration of student aid, and the data are not de-identified • Privacy Act: No: The data are not de-identified

  29. Scenario III A Board of Regents wants to collect ISIR (FAFSA) data from its constituent institutions for the purposes of assessing the impact of proposals for setting tuition and determining levels of student aid support. Can this Board of Regents’ constituent institutions provide the Board of Regents with ISIR (FAFSA) data provided to each institution by the Department?

  30. Scenario III (continued) • HEA: The proposed use is permissible because the evaluation can be considered part of the process of the administration of aid • FERPA: If the Board of Regents is a State educational authority responsible for the evaluation of financial aid programs administered by the constituent institutions, then access would be permissible under the Audit and Evaluation exception • SAIG: Board of Regents employees involved in the administration of student aid can be considered Authorized personnel

  31. Is it permissible? YES • FERPA: Yes: Audit and Evaluation Exception • HEA: Yes: Program evaluation is part of the administration of aid • SAIG: Yes: Board of Regents employees can be Authorized personnel

  32. Scenario IV Can a university use identifiable NSLDS data as part of a study evaluating different STEM curricula with student financial aid status as one of the control variables?

  33. Scenario IV (continued) • FERPA: Permissible under the Studies Exception because the disclosure is for improving instruction • HEA: Not permissible because the data contain PII and the study is not related to the administration of student aid • SAIG: Not permissible because the use is not for the application, award, or administration of student aid

  34. Is it permissible? NO • FERPA: Yes: Studies Exception • HEA: No: The proposed use of PII is not related to the application, award, or administration of student aid • SAIG: No: The proposed use of PII is not related to the application, award, or administration of student aid

  35. Challenges in De-identifying PII De-identification of individual-level education data is difficult. When reporting data at the institution or program level, basic demographic information or even seemingly innocuous characteristics can be used to single out a specific individual.

  36. Proper De-identification • Step 1: Remove all direct and indirect identifiers • Step 2: Apply one or more Statistical Disclosure Limitation Methods: • Suppression – redacting all or some records for students from small subgroups or those with uncommon characteristics • Blurring – rounding, top/bottom-coding, replacing continuous variables with categorical variables • Perturbation – introducing noise or error into the data or swapping variable values for individuals at risk for re-identification • Check out http://ptac.ed.gov for information on the application of SDL techniques for education data

  37. Take Away Points • The source of the data matters • The most restrictive provisions of all applicable laws apply • Remember FERPA when using data that were collected or maintained by the institution • Under HEA, all program evaluation/research uses must relate specifically to financial aid programs

  38. Remember Data Security [Chart: Data Breaches in Higher Education. Source: Identity Theft Resource Center]

  39. Postsecondary Data Breaches *Average cost to institutions per record across all sectors - $154.00

  40. FSA Dear Colleague Letter: Protecting Student Information (2015) DCL ID: GEN-15-18 “Protecting Student Information” (7/29/2015) • “Instances of data breaches…continue to proliferate and reinforce the need for focused action…” • FSA requires institutions to comply with the Gramm-Leach-Bliley Act • Institutions of higher education are required to ensure the security and confidentiality of customer records and information

  41. FSA Dear Colleague Letter: Protecting Student Information (2016) DCL ID: GEN-16-12 “Protecting Student Information” (7/1/2016) • Under GLBA, postsecondary institutions must: • Develop, implement, and maintain a written information security program; • Designate the employee(s) responsible for coordinating the information security program; • Identify and assess risks to customer information; • Design and implement an information safeguards program; • Select appropriate service providers that are capable of maintaining appropriate safeguards; and • Periodically evaluate and update their security program. • The Department is incorporating the GLBA security controls into the Annual Audit Guide, and will require the examination of evidence of GLBA compliance as part of institutions’ annual compliance audits.

  42. Resources Privacy Technical Assistance Center Service Offerings: • Help Desk (privacyTA@ed.gov) • Training (CBT, webinar, or onsite) • FERPA 101 • Data Sharing under FERPA • Data Security Best Practices • Data Governance, Policy, and Architecture Reviews (online or on-site) • Data Governance • Data Security Architecture • Breach Response Preparation • Data Sharing MOU Assistance http://ptac.ed.gov

  43. QUESTIONS?
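
The de-identification steps from slide 36 (removing identifiers, blurring, and small-cell suppression), as an added Python example that is not part of the original presentation. The field names, the minimum cell size of 5, the debt bands, and the sample records are constructed assumptions; perturbation is not shown.

```python
from collections import Counter, defaultdict

# Assumed field names; an institution's own data dictionary decides the real list.
IDENTIFIERS = {"name", "student_id", "ssn", "birth_date", "zip"}
MIN_CELL = 5        # assumed minimum cell size; set by institutional policy
TOP_CODE = 40_000   # assumed top-code for loan debt
BAND = 10_000       # assumed width of each debt band

def strip_identifiers(record):
    """Step 1: drop direct and indirect identifier fields."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}

def blur_debt(amount):
    """Blurring: top-code, then replace the continuous value with a band."""
    if amount >= TOP_CODE:
        return f"{TOP_CODE}+"
    low = (amount // BAND) * BAND
    return f"{low}-{low + BAND - 1}"

def release_table(records, min_cell=MIN_CELL):
    """Step 2: aggregate by (program, debt band) and suppress small cells."""
    counts = Counter()
    for rec in map(strip_identifiers, records):
        counts[(rec["program"], blur_debt(rec["debt"]))] += 1
    table = defaultdict(dict)
    for (program, band), n in counts.items():
        table[program][band] = n if n >= min_cell else "*"
    for row in table.values():
        # Withhold the total when any cell is suppressed, so the hidden count
        # cannot be recovered by subtracting published cells from the total.
        row["total"] = "*" if "*" in row.values() else sum(row.values())
    return dict(table)

def sample_records():
    """Constructed records for illustration only; no real student data."""
    spec = [("Nursing", 12_500)] * 12 + [("Physics", 45_000)] * 6 + [("Physics", 3_200)]
    return [{"name": f"Student {i}", "student_id": 1000 + i, "zip": "00000",
             "program": p, "debt": d} for i, (p, d) in enumerate(spec)]

if __name__ == "__main__":
    for program, row in release_table(sample_records()).items():
        print(program, row)
```

The single Physics student with low debt is the case slide 35 warns about: a cell of one identifies that student, so both the cell and the Physics total are withheld.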
