- At EDUCAUSE 2012, U.S. Department of Education speakers discussed new privacy and security initiatives, as well as offering recommendations on navigating privacy efforts and preparing for and managing security breaches.
- Many of the new amendments to FERPA exceptions were developed in order to improve accountability in data sharing.
- At the heart of breach prevention and response are solid, established processes and targeted oversight.
As higher education's static mountain of paper-based data has given way to electronic records, managing and insuring the privacy and security of student information has grown ever more challenging. To illuminate these challenges and highlight new U.S. Department of Education initiatives, EDUCAUSE invited two leaders from the department to speak at its November 2012 Annual Conference. Representing the information privacy side was Kathleen Styles, the department's first-ever chief privacy officer; on information security was Richard Gordon, chief innovation officer Federal Student Aid.
Following is a summary of their remarks; a full transcript of the session is also available.
Kathleen Styles: Information Privacy
As CPO at the Department of Education, Styles — aided by the statistician she immediately hired — focuses on information privacy issues related to publishing and anonymizing data, as well as on records management and information-collection clearance. She also oversees the Family Policy Compliance Office, which administers the Family Educational Rights and Privacy Act (FERPA).
After offering background on FERPA, Styles discussed the dramatic changes since its founding in 1974, including the pivotal move from paper-based records to online information systems. "The basic picture that I want to get across is that we have a whole lot of new risks and vulnerabilities surrounding privacy and student records," she said.
FERPA in Brief
Noting that FERPA is "a complicated statute," Styles said that, in essence, it gives parents and (in higher education) students the right to access and amend their educational records. It also protects the personally identifiable information (PII) in records from unauthorized disclosure without written consent, though there are exceptions. Styles highlighted three of these exceptions, starting with directory information.
"This is information that many — and, certainly, the authors of the FERPA statute — think is going to be noncontroversial," she said. "It includes, however, a number of things that we already recognize clearly as PII and clearly as offering the ability to locate and re-identify students — name, address, telephone number, photograph."
Styles went on to note that students can opt out of directory information, but if they don't, "you are allowed to share their directory information without their consent, but you have to put out an annual notice about the categories of directory information that you're sharing."
Another exception she discussed was for health and safety emergencies. Noting that this topic was discussed in detail after the Virginia Tech tragedy, Styles said that her office has tried to be very clear on this matter: "If you think you have an emergency on campus, and you need to be releasing information to protect your students on your campus, we are not going to be second-guessing you."
In terms of studies, the exception was originally narrow, but has gotten more complicated. As originally written, Styles explained, the exception lets institutions share information about students without consent in order to conduct studies. However, she continued, this exception was broadened somewhat under recent amendments to FERPA, many of which were intended to "facilitate and improve accountability involving data sharing. There's a lot of research about program effectiveness and accountability. We wanted the regulations to be clear about what was and was not permissible under FERPA."
FERPA Amendments — and Challenges
The amended studies exception lets institutions "share data without consent for or on behalf of schools, school districts, or postsecondary institutions," Styles said, adding that it must be for one of the following purposes: developing, validating, or administering predictive tests; administering student aid programs; or improving instruction.
An exception that is actually broader — and raising more questions — is the audit and evaluation exception. "This says that data can be used to audit or evaluate a federal or state-supported education program, or to enforce or comply with legal requirements that relate to that education program," said Styles.
She went on to discuss questions they've received about the new audit and evaluation exception, including about the definition of an education program, which is broadly drawn to include everything from preschool to adult and vocational education. "But, " she said, "it does not include programs that are not educational in nature, like child welfare programs."
The FERPA amendments went into effect in January and February of this year. However, the Electronic Privacy Information Center has filed a lawsuit in U.S. Federal court charging that the amendments violate student privacy. "We've been going through discovery and records exchange," said Styles. "We have a briefing schedule now that should get us a ruling sometime next spring. We're waiting eagerly to hear the response to that."
Beyond FERPA: Evaluating New Programs
Styles said that many information privacy issues that educators face are actually outside of FERPA; when evaluating new programs and proposals, she said, it's thus best to also think in terms of Fair Information Practice Principles. Like FERPA, these principles have been around since the '70s and, she said, "are the basis of all major federal privacy legislation, and they still have great meaning today."
It's important, for example, to ensure that information obtained for one purpose is not used for another purpose without consent. Also, given the prominence of data sharing, it's crucial that institutions establish a governing process to guide their data sharing. Rather than start from scratch with every data-sharing request, she said, "you should have a process in place that allows you to evaluate the incoming requests."
Minimization — that is, sharing only the information that you need to share to achieve your goal — is also crucial, as is using written agreements. "That's actually a requirement in our statutes and regulations," said Styles. "Pay attention to disclosure avoidance when publishing results. This is becoming increasingly important. It is very easy to publish tables that have small cell sizes in them and to identify individuals by doing that."
Finally, Styles emphasized the need for transparency. "If you're sharing data and you have results, publish them."
Hot Topics in Information Privacy
Styles started her "hot topics" discussion by noting that it's necessarily incomplete: "You all are innovating a whole lot faster than we're responding at this point, so if you have other proposals, I'd love to talk about them."
For her presentation, she focused on analytics, big data, smart disclosure, researcher access, and data publishing. On analytics and big data, she said that you should always consider whether your program complies with both FERPA and fair information practices. "There's so much that can be done with analytics with this sort of information — whether it's identifying students who haven't accessed your online learning system recently and who may need a little nudge to get back on track, or identifying which parts of your course curriculum are causing students more difficulty."
It's also critical to think about who the data belongs to — and how you're going to anonymize it. People often assume their data is anonymized, Styles said, simply because they remove the names. "Re-identification risk is a very real risk. You can't just take off somebody's name and say that the record is anonymized. With the amount of information that's available online, it's increasingly easy to re-identify individuals," Styles explained. "Again, my final point there is, don't just think about FERPA compliance. FERPA is the floor. The ceiling is something very different. Achieving compliance with FERPA is not the end of the story."
Another hot topic Styles discussed was smart disclosure related to use of "my data" buttons that let individuals download their own data. "The privacy issue with that is sometimes it's not only just your data. Sometimes you're entering information about other people as well," she said.
Styles also discussed researcher access — including the department's efforts to include program data in the National Center for Education Statistics' confidential data sets. "The civil rights data collection and the school-level accountability data, if they're not already available, should be available very soon."
In terms of data publishing, Styles reiterated that one of her first acts as CPO was to hire someone with a statistics background. At present, the department is in the process of trying to publish school-level accountability and assessment data. "The states have been doing this for a while," she said. "As we're doing it ourselves, I have to tell you it is a humbling experience. It's very complicated to do the kind of suppression and blurring that you need to do in order to protect student identities in small cell sizes."
Styles completed her formal talk by offering the audience additional resources, including the URL for the Department of Education's Privacy Technical Assistance Center. The PTAC site has numerous resources, including the FERPA 101 videos for both K–12 and postsecondary educators.
Richard Gordon: Data Security
Richard Gordon is the chief innovation officer and "operations guy" at the U.S. Department of Education's Federal Student Aid Office, which moves and protects massive amounts of sensitive data. Gordon noted that the Free Application for Federal Student Aid (FAFSA) alone has 113 million unique users — including students from 225 countries — and 1.2 billion page views per year.
"We have a need to protect data. We have a need to make sure that the facilities are there, they're doing the things that they need to do, and they're compliant with the laws and regulations."
Defining a breach as "the unauthorized extraction of data or the manipulation of data," Gordon noted that most breaches are external in original. Whatever the source, however, he said the point is to make sure they don't happen, and prevention starts with basic, commonsense practices.
"This is not something where we have to figure out the world," said Gordon. "We just have to do the basics. We have to make sure that we have processes in place that are protecting the assets that we have. We have to make sure that we sequester data that is highly sensitive. We have to make sure that every single person that's associated with the systems has the right skills and is doing the right thing each and every day."
Ideally, your institution will have a knowledgeable chief information security officer to help you formalize and maintain these processes. If you do, Gordon said, "you're going to have the policies. You're going to have the procedures. You're going to have the audit."
In contrast, he said, if overseeing and implementing these processes is something that's simply tacked on to someone's job description, it's probably not going to get done.
"Patching is boring. Securing those routers is boring. Monitoring is boring," he said. "But if you don't have someone doing it, then your potential risk is going up exponentially. When the lawyers show up, they're going to say, 'How did we get here?'"
Managing a Breach
In the event of a breach, Gordon explained that process is again the key. Organizations should deal with a breach by conducting an investigation, auditing, contacting external stakeholders, and bringing in legal services — as well as doing identity protection and "anything you can do to try to seal this up." In addition, in the wake of a breach, organizations should increase training, as well as implement additional manual processes, identity and access management control, and endpoint security.
"Document everything. Start creating that root-cause analysis document at the moment you know there's a problem. Have a single voice to outside parties. Get to the root cause and execute the fix," advised Gordon. "This is something that you need to put in place long before you start to leak records, and it's something that you need to practice."
Other FSA Efforts
Gordon explained that beyond the "scary stuff" of breaches and leaks, his office is also involved in several other projects, including the F6 project, which is a federal government effort to create a federal identity exchange. FSA is also working on a case-management system to ease the process of auditing financial aid offices, as well as "bread and butter technologies" including Arena, K2, and SharePoint. "We're trying to catch up," Gordon said. "I think it's going to make a huge difference. Hopefully, it will allow us to offer more flexible access to our systems."
Following their presentations, Styles and Gordon took questions from the audience on topics ranging from managing data sharing with external contractors to the F6 program and the future of identity management. Their responses conclude the complete transcript of their talks.