1 / 44

Student Privacy Basics

Everall A. Peele, MPH, LHRM , RHIA , CCS Privacy Training & HIM Coordinator The Privacy Office, University of Florida. Student Privacy Basics. Housekeeping. Attendance Roster – someone remind me to start it before the session ends Evaluation will be online, based on the roster

diallo
Download Presentation

Student Privacy Basics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Everall A. Peele, MPH, LHRM, RHIA, CCS Privacy Training & HIM Coordinator The Privacy Office, University of Florida Student Privacy Basics

  2. Housekeeping • Attendance Roster – someone remind me to start it before the session ends • Evaluation will be online, based on the roster • Pro3 credit will be given automatically, based on the roster • Cell phones, pagers, text messaging, off, please!

  3. The Goals of This Training • To make you aware of key privacy issues related to FERPA. • To help you understand the core concepts of state and federal education privacy laws. • To define commonly used terms related to education records and privacy. • To help you decide when you need to ask an expert for advice or help with a student record issue or question. • FERPA Basics is strongly recommended for completion annually.

  4. Classification & Ownership • UF Student records and Personal identification information are classified as Restricted Information. • must be used and secured as directed by UF privacy and information security policies and procedures. • UF education records are the property of the university, not of any individual or college. • The way University education records are handled, then, is ultimately the responsibility and under the direction of the University, not of any individual or college. • University regulations (4.007) allow the President of UF to delegate record custodian duties to the Vice Presidents: • (3) “Each Vice President may designate an individual in his or her area as the custodian of records for that area.

  5. Everyone is Responsible • If you have access to restricted informationin any format, you are responsible: • Student / education information, • Financial information, or • Personal identification information,. • Severe consequences for UF and individuals if the privacy or security of restricted information is violated by anyone. • Federal law:loss of federal funding for UF. • State law: both UF and you may be sued. • UF regulations and policies: disciplinary action, including termination

  6. Student Privacy Is Not Simple • FERPA:(20 U.S.C. s. 1232g) – The Family Educational Rights and Privacy Act • Heard about often • Complex law, but not the only one! • Florida Statutes: • 1002.225 and 1006.52 – Student and Parental Rights and Learning Support • 817.568 – Security of Personal Information • 119.071(5) - Social Security Numbers in State Agencies • UF Regulations:(UF4.007) – Confidentiality of Student Records at UF

  7. Quick Review - FERPA • FERPA was created to protect the privacy of student education records. • Under FERPA, parents of students have rights: • Inspect and review their child’s education records within a reasonable period (no more than 45 days after the request has been received). • Request to amend inaccuracies in the education records. • Limit disclosures of personally identifiable information included in education records. • File a complaint with the Family Policy Compliance Office if they feel their FERPA rights have been violated

  8. Applying the Law • The rights afforded to the student's parents are automatically transferred to the student: • When a student reaches 18 years of age or • begins attending an institution of higher education such as the University of Florida • Any student attending a college or university, regardless of age, has FERPA rights. • Applicantsare not “students,” but applicant records are protected by Florida Statutes. • After the applicant is “in attendance” at UF, their records are protected by FERPA, the federal law.

  9. Quick Review – Florida Statutes • Florida’s Statutes generally mirror FERPA • Adds privacy provisions for applicant records • Other Florida Statutes: • Personal Identification Information (PII) (F.S. 817.568) • Prohibits the use of PIIwithout authorization • Requires notification if unencrypted PII is breached • Social Security Numbers (F.S. 119.071(5)) • Prohibits the use of SSNsas an ID in state agencies unless: • required by law • Approved for specific business needs

  10. When In Doubt… • The Law is the foundation – always go back to the laws. • UF’s regulations and policies are the official interpretation of the law for UF. • College, department, and division policies may clarify, but may not contradict, UF’s policies • Specific proceduresfor UF units to comply with the law. • Written procedures – essential for consistency and integrity. • Does your unit have written procedures for handling student record materials?

  11. Who is a Student? • A Studentis any individual… • is or wasattending an educational institution, • and that institution maintains education records. • Institutions may define “attendance” individually. • UF says, “attendance shall commence upon formal enrollment for college-credit courses approved and scheduled by the University…” UF4.007(2) • includes, but not limited to, attendance in person, by traditional correspondence, or electronically.

  12. What Are Education Records? • FERPA definition: • Directly relatedto a student, and • Maintained by an educational agency or institution or by a party acting for that agency or institution • Directly related means: • The record expressly identifies the student by name, number or some other direct identifier, or • The student’s identity could be deduced from the information in the record, either alone or in combination with other publicly available information. • Maintained means: • Recorded and retained in any medium for use by University personnel for official University business or for carrying out the University’s mission.

  13. Education Records Include: • Biographical Information: • Date and place of birth, gender, nationality, race and ethnicity, identification photographs, and disabilities. • Academic Information: • Grades, test scores, evaluations, courses taken, academic specialization and activities, official communications regarding status, internship program records • Coursework Information: • Papers and exams after they are graded and recorded, class schedules, disability accommodations, written, email, or recorded communications that are part of the academic process • Disciplinary Records: • Actions or proceedings, including investigation, adjudication, or imposition of sanctions by an educational agency or institution with respect to an infraction or violation of the internal rules of conduct. • Financial records • Including financial aid forms, records, and correspondence • Any other records or logs containing identifiable student information, maintained by the University for any reason.

  14. These are NOT Education Records: • UPD Records • University of Florida law enforcement unit • Employment records • Unless the employment is dependent on status as a student (such as, evaluations of graduate assistants)  • Medical and mental health records • Used only for treatment of the student and not released to anyone • Records created or received after an individual is no longer a student • Not directly related to the individual's attendance as a student. • Grades on peer-graded papers… • …before they are collected and recorded by a teacher. • Verbal conversations about students • Where the information is not from the student’s records, and the conversation is not recorded in any medium • “Sole-possession records” • A very limited category of records - used only as memory aids for the personal use of the maker and not shared with others.

  15. “Sole Possession” • Sole Possession Records: made and retained by one person: • Used only as a personal memory aid,and: • Not received or maintained by UF, and • not shared with anyone except a temporary substitute. • Sole Possession Records may not be accessed by students. • FYI: If you don't want it reviewed – ever – don't write it down!

  16. Parents’ Rights under FERPA • Parents may access their student’s records if: • It’s Directory Information and the student does not have a privacy hold. • Notarized authorization • Student is a dependent, as defined by the IRS. • Lawfully issued subpoena. • Students may not access parents’ financial information that may be in the record.

  17. Disclosures of Recorded Information • Informationrecorded in, or derived froma student’s education records may not be disclosed. • Disclosuremeans: “to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party… that provided or created the record. (Authority: (FERPA) 20 U.S.C. 1232g(b)(1) and (b)(2)) • There are 3 exceptions: • Directory Information: Publicly available information about a student that is not considered harmful or an invasion of privacy if disclosed. • The student has given consentfor the disclosure, or • The law provides an exception for disclosure without the student’s consent.

  18. Directory Information at UF Under FERPA, directory information includes information that is generally considered to be public. Each institution has the authority to define directory information for its own use, based on FERPA. The definition must be included in an annual notice to the students. • The student’s name, • Class, college, and major • Local and permanent addresses and email address, • Listed telephone number, • Enrollment status, • Most recent previous educational institution attended, • Dates of attendance at the university of florida, • Degree earned, • Nature and place of employment at the university, • Honors and awards received, • Publication titles, • Participation in officially recognized or registered activities and sports, • Weight and height of members of athletic teams. Missing from this list: UFID’s and photos!!

  19. Directory Information Is Public… • Students are notified annuallyabout Directory Information through the University’s academic catalog and the Registrar’s website. • Students may restrict disclosure of their Directory Information. • Only current studentsmay request a “privacy hold.” • Must go personallyto the University Registrar’s office, and • Complete a Request for Nondisclosure of Directory Information.

  20. Privacy Holds • A “privacy hold” means that no information may be released from a student’s education record. • Remains in effect until the student removes it, in writing. • If the student does not remove it, the hold will remain indefinitely, even in the case of the student's withdrawal, graduation, or death. • If you receive a call about a student with a privacy hold: • You cannot provide any information about that student; in fact, you cannot even acknowledge that the individual is a UF student. • Any student who has placed a privacy hold on their record must conduct all business in person after presenting photo identification. • How can you know if a student has placed a privacy hold on their information?

  21. Who Can Release Records? • 4.007 (6) “The department custodians of student records and applicant records and their designees may release information from such records only upon written and dated authorization from the student or applicant or as otherwise provided by law.” • Must maintain a record of all requests and disclosures of information from a student's education record, except disclosures: • To the student • Pursuant to the written consent of the student (put it in the file) • To UF employees with legitimate educational interest • Of directory information • The record of disclosures may be inspected by the student, the official record custodian and other university and government officials.

  22. Student Authorizations • Students may authorize disclosures information from their records to third parties. • Written consent by the student must be notarizedand must include, at a minimum: • The person or entity authorized to make the disclosure, • The precise records to be disclosed, including dates, • The purpose of the disclosure, • To whom the disclosure may be made. • The expiration date of the authorization. • At this time, there is no standard authorization form for this purpose.

  23. Exceptions By Law

  24. Academic Issues – School Officials Legitimate educational interest= access is required toperform official duties • School Official: • Agent of UF or the State University System in an administrative, supervisory, academic, research or support staff position; • Member of a university committee, board and/or councils • Person under contract to the university to perform a special task, such as an attorney or auditor. • Official Duties: • Task specified in a position description or contract;  • Task related to a student’s education or discipline;  • Authorized service or benefit to a student or student’s family; or  • Maintaining safety and security on campus.

  25. Limiting Access • Electronic Record Systems: • Access electronically limited by role • To provide only information needed to complete authorized tasks. • Paper Record Systems: • Depend on the custodians to maintain security • Personal Ethical Boundaries: • Sometimes a school official is the only one who will know what the “minimum necessary” is under the circumstances

  26. Student Employees • Same obligations to maintain confidentiality • All UF offices who hire student assistants should have written procedures for: • Handling restricted information • Ensuring that all staff are educated • Should be required to sign a Confidentiality of Student Records statement.

  27. Faculty Responsibilities • School officials are required by law to maintain the confidentiality of student records. • Any school official who maintains identifiable records is considered a record custodian. • Office of the University Registrar (O.U.R.) is the official custodian for academic records. • The release of any nondirectory informationabout a student to any person outside the university community or to any university personnel without a legitimate educational interest violates federal and state law, as well as university regulations.

  28. Graded Papers and Exams • Share graded papers and exams only with: • the student, • others upon receiving the student's consent, • university officials only in the performance of official duties. • Students should not have access to other students' grades: do not leave student papers or exams outside an office door where students must look through all the papers to find their own.

  29. Notifying Students of Grades • Posting Grades • Use a unique confidential identifier (e.g., a 4-digit number). • Not part of student's name, UFID or SSN. • Post grade lists in random, not alphabetical order. • Use Web-based course management systems such as Sakai • Sending Grades: • Do not send grades by email! No guarantee of confidentiality. • By fax, text, or phone only if certain the student is the one receiving the information. • By mail, have students provide self-addressed, stamped envelopes. No postcards! • Safest practice: return papers personally

  30. Letters of Recommendation • Authorization Required: To include non-directory, personally identifiable information (grades, GPA, etc.) obtained from the student’s academic record • Authorization Strongly Recommended: To include information derived from personal observation or knowledge of the student only, sent to other educational / professional institutions to which the student is applying

  31. Health & Safety Concerns • Question:May information from a student’s education records be disclosed to protect health or safety? • Answer:Yes. • Disclosure of information is permitted: “to appropriate partiesin connection with an emergency, if…necessary to protect the health or safety of the student or other individuals.” • Limitations:the disclosure should generally only be made to professionals trained to evaluate and manage the concern. • Does not authorize “knee-jerk” or “broadcast” disclosures, • but a limited disclosure to a limited number of people, • made on the basis of a good-faith determination, • in light of the facts available at the time. • Document the reasons for the disclosure at or near the time the disclosure is made.

  32. Safety & Personal Observations • Question:May a school official disclose personal knowledge about a student, based on personal interactions, to protect health or safety? • Answer: Yes. • Disclosure restrictions only apply to information derived from student education records, not to personal knowledge derived from direct, personal experience with a student. • For example, a faculty or staff member who personally observes a student engaging in erratic and threatening behavior is not prohibited from disclosing that observation. • Again, the disclosure should generally only be made to professionals trained to evaluate and manage the concern.

  33. Security of Education Records • Security and Privacy go hand-in-hand – you can’t have one without the other. • To avoid becoming a data-loss statistic, include these points in your written procedures: • Store electronic restricted information on secure servers, never on your workstation. • Passwordprotect your computer and set your screensaver to come on automatically. • Avoid providing restricted data over the telephone or by email. • Cross-shred all restricted data documents before throwing them away. • Keep conversations quiet – make sure they cannot be overheard when exchanging restricted data.

  34. Security: Paper Records • Dispose of paper containing PHI by shredding or destroying. • Place in a secure location for professional recycling by an approved contracted document destruction company. (Call the Privacy Office for assistance) • Store active paper records containing Restricted Data in areas that can be locked or are monitored at all times • Inactive paper records containing restricted data may be stored on-campus or in approved off-site storage facilities that are environmentally controlled and meet UF’s security policies. • Approved facilities do not include commercial mini-storage units, your mother-in-law’s attic, or a mobile home in Alachua…

  35. Security: Record Retention • Do not retain records longer than you need to. • The retention requirement for student records other than transcript data is three years. • See the General Records Schedule for all retention requirements http://www.aa.ufl.edu/aa/records/ • This includes all types and formats of records!

  36. Security: Record Disposal • Reminder: Follow UF policies and procedures to obtain permission before destroying records • All UF records are state property and must only be destroyed in accordance with state laws. • Obtain permission to destroy records (any format) from the Records Management office: Dennis Kozak. • Disposal of documents, films, cassette and video tapes, CD’s or disks containing restricted data: • Preferred Method: Shred, deface, demagnetize, or destroy immediately • Next Best: Use an approved document/media destruction company for shredding and recycling (UF currently has a negotiated agreement with Cintas for this purpose.)

  37. Technical Safeguards: Electronic Devices • Security Applications – not optional! • Use encryption software on servers and laptops to prevent unauthorized reading or changing of electronic data • Install software to detect, contain or remove viruses, trojans, and other malicious software. • Use auto-shutdowns and screen-savers • Set your computer to automatically turn on a screen-saver after a short period of inactivity • Require a password to re-enter • Loss Prevention • Label all portable devices – engraving is best • Lock up devices when they are not in use • Do not leave devices exposed in your vehicle!

  38. Security: Computer Disposal • All electronic equipment must be professionally purged before being discarded, if the device: • Contains an internal memory device, and • Was used for purposes that included UF restricted data. • Reformatting or erasing information is not sufficient. • Equipment includes, but is not limited to: • Desktops, Laptops, some Copiers • Phones, Blackberries, Dictation Devices, PDA’s • Any other portable or non-portable data storage devices • Contact your Unit Information Security Manager or Administrator for instructions.

  39. Security: Internet • Internet:Do NOT post student or personal identification information on unsecured websites • Faculty may not require students to supply non-directory information for class websites or communications • Be sure you have permission before posting anyone’s picture or other “harmless” information on a web page or the internet • Social Media Policy: Facebook, Twitter, etc. have privacy issues

  40. Security: E-Mail • E-mail: Restricted information about students may be included in email, but onlywithin the ufl.edusystem and onlyfor official business purposes • Never include a student’s name and UFID together in the subject line. • For emails about more than one or two students, put the restricted data in a separate file, password-protect or encrypt it, and send as an attachment. • Never, ever, ever, include Social Security Numbers in emails. • Not even partial or truncated numbers (Ex.: xxx-xx-1234)! • Send this type of data as an attached, encryptedfile

  41. Security: Faxing • Faxing restricted information is OK, if you use standard confidentiality procedures, including: • A Cover Sheet with Confidentiality Disclaimer • Use a cover sheet with every fax to protect yourself and UF • Verification procedures when needed: • Send the cover sheet first -- call and verify that it was received • Then send the rest of the documents • Pre-programmed Numbers in your fax machine (to avoid misdials) • Check the numbers at least annually to be sure they are still correct!!

  42. Academic Privacy • When you’re not sure, ask! • There are many points to remember and many fine distinctions in these laws. • There are plenty of experts at UF who will gladly provide advice or clarification – before you do something. • Never assume! • Always ask if you’re not sure! • It’s OK to ask even if you think you know the answer!

  43. Who Are the Experts? • The following people and websites are available to you: • The Office of the University Registrar • http://www.registrar.ufl.edu/ferpa.html • 352-392-1374 • The Dean of Students Office • http://dso.ufl.edu/ • 352 - 392-1261 • The Office of General Counsel • http://www.generalcounsel.ufl.edu/about/ • 352-392-1358 • The Privacy Office • http://privacy.ufl.edu • 352-273-1212 • (Toll-free Hotline) 866-876-4472

  44. Thanks for Attending!Share the wealth – tell others about what you have learned!

More Related