Data for Student Success Data Security

“It is about focusing on building a culture of quality data through professional development and web based

dynamic inquiries for school improvement.”

Data Security

• Presentation given at the Cadillac Launch, September 2009

Data Security: Resources

• Maintaining Confidentiality Activities on Data for Student Success web site outline best practices and provide resources for addressing data security. www.data4ss.org

Data Security

• Examples in the Best Practice Handout:– Don’t share passwords; change frequently– AUPs cover both Internet Access and data

use– Don’t email student records outside of secure

systems– Don’t show names or UICs in

presentations/print outs

Data SecurityQuestions Districts Should be

Asking:• What measures are in place to secure the data at the

– District level?– School level?– Classroom level?

• Who can have access based on district policy?• Are staff knowledgeable of directory information versus

an educational record and how both can be used?• What required training is in place for individuals who

access data and/or use the information?• How protected is the data?• Do we have confidentiality issues?• Are the annual requirements and notifications in place?

Why? FERPA/HIPPA

• Family Educational Records and Privacy Act (FERPA) and the Health Insurance Portability and Access Act (HIPAA)– Confidentiality and protection of student’s

data, including educational record and directory information

What is an Education Record?

• “The term “education records” is defined as all records, files, documents and other materials containing information directly related to a student; and maintained by the education agency or institution, or by a person acting for such agency or institution (34 CFR § 99.3). This includes all records regardless of medium, including, but not limited to, handwriting, videotape or audiotape, electronic or computer files, film, print, microfilm, and microfiche.”Forum Guide to the Privacy of Student Information: A Resource for Schools

What is Directory Information?

• “The term “directory information” is used for the portion of the education record that, if disclosed, would not generally be considered harmful or an invasion of privacy (34 CFR § 99.3). This may include the student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. Under FERPA, school systems have flexibility in deciding what information will be considered directory information.”Forum Guide to the Privacy of Student Information: A Resource for Schools

What about Free/Reduced Lunch?

• 2008 Memo: Reaffirmation of Policy on Limited Disclosure of Children‘s Eligibility Information to the National Assessment of Educational Progress (NAEP):– “….school food authorities may disclose children’s

names and eligibility status to persons directly connected with the administration or enforcement of State educational assessment programs to the extent that the State assessment is part of the NAEP or the assessment program is established at the State, not local level.”

– “This does not imply that these persons have routine access to participants' eligibility status. There must be a ‘need to know’”

Analyzing FERPA Data

How did we do?

Specifically questions 1-10

Using the FERPA/HIPAA Quiz Answer Key discuss the results with your ISD team

• Resource book - Section 1

FERPA Quiz Group Results

1: Data 4SS Cadillac Launch FERPA Quiz: Schools must provide a parent with an opportunity to inspect and review his or her child's education records within 60 days of receipt of a request. FALSE

2: Data 4SS Cadillac Launch FERPA Quiz: Schools must individually notify parents of their FERPA rights by mail. FALSE

3: Data 4SS Cadillac Launch FERPA Quiz: When a student turns 18 years old and the rights under FERPA transfer from the parent to the student, the school must obtain consent from the student in order to disclose grades and other education records to the parents. FALSE

4: Data 4SS Cadillac Launch FERPA Quiz: In a legal separation or divorce situation, both parents have the right to gain access to the student’s education records. TRUE

5: Data 4SS Cadillac Launch FERPA Quiz: A school may designate and disclose any information on a student as "directory information," as long as the school notifies parents and provides them with an opportunity to opt out. FALSE

6: Data 4SS Cadillac Launch FERPA Quiz: Teachers may post grades by student name or social security number. FALSE

7: Data 4SS Cadillac Launch FERPA Quiz: To be considered an "education record," information must be maintained in the student's cumulative or permanent folder. FALSE

8: Data 4SS Cadillac Launch FERPA Quiz: When a student transfers to a new school, the former school is required to send the student's education records to the new school. FALSE

9: Data 4SS Cadillac Launch FERPA Quiz: A parent of a former student has the same right to inspect and review the student's education records as a parent of a student currently attending the school. GENERALLY TRUE, but DEPENDS

10: Data 4SS Cadillac Launch FERPA Quiz: Schools are required by FERPA to maintain a student's transcript for 5 years. FALSE

FERPA Scenarios

• Resource book – Section 1– Scenarios 1, 2, and 5– Read and determine your answer as a team– Share out

Let’s consider how your LEAs will do?

Do you need to plan for addressing this? What is our responsibility?

Scenario 1 Answer

1. Information on a computer screen should be protected the same way as printed reports. Computer programs with confidential information should be closed when you are not using them and computers should be locked when you leave the room. Printed reports should be filed in a secure area and not left on your desk.

The medium that holds the information is not important. No information should be left accessible or unattended, including computer screens. Recent changes have allowed damage recovery as well as cease and desist requirements.

Scenario 2 Answer

2. It has been determined that a student’s social security number or any portion of the social security number is considered an educational record and is protected by FERPA. In addition, any type of identifying number such as a student ID or UIC number that could be considered “easily traceable” also falls into this category. So both instances would be considered a violation of FERPA.

Student social security numbers (SSNs), or partial sequences of SSNs, may not be disclosed as directory information because they can be used to obtain sensitive, non-public information about individuals.

Scenario 5 Answer

5. It is a violation of FERPA to display the results of the assessment to the entire staff. Even though it was data for that discussion leader’s class, it was not information that was readily available to the public (district or school scores). In addition, the fact that student names were displayed, although in an educational setting, is also a violation. Plus the fact that the information pages, including names and ID numbers were distributed to staff is also a violation of FERPA.

The exception would be a group of teachers working on specific student strategies (last year’s teacher, this year’s teacher, and next year’s teacher) as they are a specific population that then has a “legitimate educational interest” in the information.

Legal Consequences

• Federal Law

• Local Board of Education policy– Release of information– Board of Education determines directory

information– Need for a “go to” person at district level– Access log

• Paper trail

Go to…

www.data4ss.org

For your FERPA resources

Data for Student SuccessKey Contact Information

• General – www.data4ss.org– contact@data4ss.org

• Mary Gehrig, Assistant Superintendent, Calhoun ISD– gehrigm@calhounisd.org

• Mike Oswalt, Assistant Superintendent, Calhoun ISD– oswaltm@calhounisd.org

• Becky Rocho, Assistant Superintendent, Calhoun ISD– rochob@calhounisd.org

• Maureen Slamer – Data 4SS PD Director, Calhoun ISD– slamerm@calhounisd.org