
CAMP: Delivering, Sourcing, and Securing Services Throughout the Student Identity Life Cycle

CAMP: Delivering, Sourcing, and Securing Services Throughout the Student Identity Life Cycle. FERPA, Privacy, and Identity Management Beth Cate Associate General Counsel Indiana University February 6, 2009. Change We Can Believe In. New FERPA regs 12/9/08


Presentation Transcript


  1. CAMP: Delivering, Sourcing, and Securing Services Throughout the Student Identity Life Cycle
     FERPA, Privacy, and Identity Management
     Beth Cate, Associate General Counsel, Indiana University
     February 6, 2009

  2. Change We Can Believe In
     • New FERPA regs 12/9/08
     • Higher Education Opportunity Act 2008
     • Increased Dept. of Education involvement in student record data breaches
     • “Red Flag” rules
     • International law issues
     • Federation

  3. Don’t Panic

  4. FERPA
     • Authentication of records requesters
     • Limiting access to school officials’ legitimate educational interest
     • Control over outsourcing partners
     • Limits on directory information disclosure opt-out
     • Biometrics added as PII
     • Data security guidelines
     • Change in OFCP leadership

  5. Authentication
     “Authentication of identity is more complex for disclosure of electronic records as new methods and technologies are developed. Under the final regulations, districts and institutions may use PINs, passwords, personal security questions; “smart cards” and tokens; biometric indicators; or other factors known or possessed only by the user, as appropriate.”
     -- DOE Section-by-Section Analysis of Final Rule (12/08)

  6. Authentication
     • Single-factor authentication:
       • OK for grades, transcripts
       • Not OK for SSNs, credit cards, and other data used for ID theft and financial fraud
       • Portals?
     • Using widely available information to authenticate is not reasonable
       • Name, DOB, SSN, Student ID
     • Assumes schools will deliver PINs and passwords through US mail or in person
     • FSA OIG report: recommends in-person authentication before first disbursement

  7. Access Limits
     • Schools can choose mix of A,P,T
     • Specific mention of role-based access
       • “Many institutions use software with role-based security features that limit an individual’s access to electronic records based on their professional responsibilities and, therefore, already comply with the final regulations. Those that do not will now have specific guidance for updating or upgrading the security of their recordkeeping systems as appropriate.” – DOE Section-by-Section Analysis
     • Suggests tracking access
     • Magnitude of harm from disclosure + scope of threat = protection level.
     • Usual and customary good business practices of similar institutions, as they evolve over time

  8. Outsourcing
     • Only available for services institution would otherwise provide/use EE’s for
     “A contractor (or other outside service provider) that is given access to education records under this provision must be under the direct control of the disclosing institution and subject to the same conditions on use and redisclosure of education records that govern other school officials.”
     -- DOE Section-by-Section Analysis of Final Rule (12/08)

  9. Outsourcing
     • Schools liable for contractors’ violations
     • Need robust written contract terms
       • Instructions on permitted uses and redisclosures
       • Limits on contractor employee access
       • Return/destruction of records when contract ends
       • Prompt notice of violations
       • Indemnification
       • Flow down requirements to subs
     • Vetting before selection
     • Echoes GLBA Safeguards Rule

  10. Opt outs
     • Cannot remain anonymous in/to class
     • Name, email address, electronic identifier disclosable
     • Opt-outs forego use of school services that require directory information for operation
     • Same outcome as considering service providers as school officials with LEI
     • Cautions schools to limit directory information designations

  11. Recommendations for Safeguarding Education Records
     • Cites NIST and OMB standards, acknowledges many others
     • Recognizes nothing is failsafe
     • Schools choose data protection measures based on
       • Size, complexity, resources of institution
       • Type and context of information
       • Methods used by similar institutions
     • “Sliding scale”
     • Recommends incident response steps for data breaches, including notification

  12. HEOA Section 495 (effective 7/1/10)
     Accrediting agencies must “require[] an institution that offers distance education or correspondence education to have processes through which the institution establishes that the student who registers in a distance education or correspondence education course or program is the same student who participates in and completes the program and receives the academic credit.”

  13. Conference Committee report
     “The Conferees expect institutions that offer distance education to have security mechanisms in place, such as identification numbers or other pass code information required to be used each time the student participates in class time or coursework on-line. As new identification technologies are developed and become more sophisticated, less expensive and more mainstream, the Conferees anticipate that accrediting agencies or associations and institutions will consider their use in the future. The Conferees do not intend that institutions use or rely on any technology that interferes with the privacy of the student and expect that students’ privacy will be protected with whichever method the institutions choose to utilize.”

  14. DOE Negotiated Rulemaking
     • 6 initial hearings in fall 2008
     • Several testified to need for flexibility, minimal burden re: distance ed authentication
     • DOE appeared to agree on flexibility
     • Announced they were appointing 5 negotiated rulemaking committees; one on accreditation
     • ACUTA asked to be on/advise the panel

  15. DOE & Data Breaches
     • DOE FSA office monitoring and tracking data breaches, writing to schools requesting explanation
     • Hook is Title IV/Program Participation Agmt “administrative capability” req’t
     • PPA and FSA handbook language encourage breach notification to FSA

  16. “Red Flag” Rules (May 1, 2009)
     • “Creditors” holding “covered accounts” must develop written program to:
       • Identify patterns, practices, activities that indicate possible ID theft (“red flags”)
       • Detect red flags
       • Respond to red flags to prevent/mitigate ID theft
       • Update program as risks evolve
     • Program must have high-level approval, development, implementation, oversight
     • Flowdown and oversight for service providers
     • Requires close and ongoing look at account creation and access mechanisms

  17. FCRA—address discrepancies
     • Schools that use consumer credit reports must have reasonable procedures to:
       • Determine that a report is in fact about X, if notified by the consumer reporting agency that the address for X provided by the school differs from the one on file at the agency
       • Report to the agency addresses the school has reasonably confirmed to be accurate
     • Effective 11/1/08

  18. Whose law?
     • Distance education
     • Clinical training
     • Field research
     • Study abroad

  19. Whose law?
     • “Long Arm” jurisdiction
       • Generally = Due Process
       • Scope of contacts, purposeful availment of forum
     • Choice of law = multifactor test
     • European Data Protection Directive
       • Privacy = human right
       • Much less balancing against other interests
       • Data collection, use, and transfer highly restricted
     • International laws enforceable?
       • Against US public policy?
       • Assets abroad?
       • Traveling anytime soon? (think Google)

  20. Federation
     • Sharing student data attributes to enable federated identity management may implicate FERPA and other privacy laws – it all depends on who’s giving what to whom
     • If you’re only passing directory information, fine except
       • Opt outs
       • Caution against widespread directory information disclosures

  21. Federation
     • Confirming directory information with SSN etc. supplied by requester, is a disclosure of education records
     • If non-directory information, need:
       • Consent
       • School official with LEI (contract) – but limited by nature of service at issue
       • Exemption for sharing records with school in which student is enrolled/plans to enroll, for purposes related to enrollment – limited
     • If data shared is not personally identifiable, OK
       • E.g., “X is an enrolled student at IU”
       • To not be PII, data alone or in combination with other data out there reasonably would not allow one in the school community w/o special knowledge of circumstances, to identify student
       • PII if reasonably believe that requester knows who student is

  22. Q&A
