CMAEYC Opening Minds Conference
Confidentiality and Privacy
Paul A. Chandler, Counsel, BTS, (312) 701-8499
Lei Shen, Associate, BTS, (312) 701-8522
January 26, 2012
Mayer Brown is a global legal services organization comprising legal practices that are separate entities ("Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States;
Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; and JSM, a Hong Kong partnership, and its associated entities in Asia. The Mayer Brown Practices are known as Mayer Brown JSM in Asia.
Disclaimer
• The privacy laws are numerous and complex. We are
describing some of those laws applicable to student
records as an example of the issues.
• The interpretation of a law depends on specific facts. This
presentation and today’s discussion are not intended to
provide legal advice or address specific factual situations.
• The summary information in these slides is not legally
binding, and you should direct specific questions either to
your legal experts or to the appropriate government
offices.
Agenda and Goals
• Part 1: Privacy and Confidentiality Principles
• Part 2: Privacy Laws, FERPA and Other Laws on Student
Records
• Part 3: Exceptions
• Part 4: Conclusions and Additional Resources
• Part 1: Privacy and Confidentiality Principles
Confidentiality and Privacy Principles
• Confidentiality encompasses obligations to protect and
not disclose information provided in confidence.
– Obligations required by law
– Contractual obligations
• Privacy encompasses a person’s control over who has
access to personal information about him, including the
collection, use, storage, disclosure and disposal of that
information.
– Privacy is protected by numerous laws
• An important distinction is that privacy pertains to
individuals; confidentiality pertains to their information.
Privacy – What is Personal Information?
• Personal information includes information concerning an identifiable
individual
• Personal information includes:
• Name
• Address
• Gender
• Age
• Citizenship
• Nationality, languages spoken, race, ethnicity
• Religious or political beliefs
• Etc.
Privacy – Who is protected?
• Applicants
• Employees (current and former) and their dependents
and beneficiaries
• Contractors and consultants
• Employees of vendors, agencies, providers, etc.
• Parents, board members, PTA members, etc.
• Visitors
• Activists
• Students
How You Can Lose Personal Information
• Lost or stolen media
• Third party service provider weaknesses
• Weak physical or computer controls
• Web site leakage / Cloud Computing
• Hackers (inside and outside)
• Good intentions / social engineering
• Lack of training or policies
• Don’t forget loss of data quality (e.g., corrupted data)
Example of Lost Personal Information
General Consequences to Schools and Businesses of
Losing Personal Information
• Breach notification costs
• Direct financial loss
• Litigation
• Regulatory action
• Loss of confidence by parents, school boards and
governments
• Becoming an example of what could go wrong
Consequences to Individuals Whose Personal
Information is Lost
• Identity theft
• Discrimination
• Abusive, malicious or criminal acts
• Especially for students, who may be the most vulnerable
Core Privacy Principles
• Specify the purpose for collecting any personal data
• Give notice of a privacy policy describing your purpose and
policies for collection, storage and use of personal data.
• Collect only personal data that you need for your purpose
and only with consent
• Keep personal data accurate, up-to-date and complete
• Use personal data only with consent or by authority of law
• Use reasonable measures to secure personal data against risk
of unauthorized access, disclosure, use or change
• Part 2: Privacy Laws – FERPA and Other Laws
on Student Records
Privacy Laws in the U.S.
• Implicit and implied right to privacy in U.S. Constitution
– Third Amendment: Protection of home from quartering of troops
– Fourth Amendment: Protection against unreasonable searches
– Fifth Amendment: Privilege against self-incrimination
• Compare to other countries
– European Union
– Canada
Privacy Laws in the U.S.
• U.S. laws are a patchwork of function-oriented laws
– Cable TV Privacy Act (subscriber data)
– CAN-SPAM Act (e-mail addresses)
– Children’s Online Privacy Protection Act (COPPA) (websites)
– Driver’s Privacy Protection Act (driver data)
– Fair Credit Reporting Act (FCRA) (consumer reports)
– Health Insurance Portability and Accountability Act (HIPAA) (health information)
• Although there are many differences among these laws,
the underlying principles of federal and state privacy laws
are remarkably similar.
Privacy Laws in the U.S.
• Many sources of laws:
– Statutes, federal, state and local
– Regulations, promulgated by governmental agencies (e.g., Dept.
of Education)
– Court decisions interpreting laws
– Common law, based on customs/principles in court decisions
(e.g., invasion of privacy claims)
– Self-regulatory regimes/best practices (usually not law):
• Children’s Advertising Review Unit (CARU)
• National Resource Center for Health and
Safety in Child Care and Early Education
Privacy Laws in the U.S.
• Who enforces these laws?
– Federal government (FCC, Dept. of Education, Dept. of
Commerce, HHS, etc.)
– States Attorneys General
– Private causes of action
Major Federal Laws Covering Student Records
• Family Educational Rights and Privacy Act (FERPA) (1974)
• Protection of Pupil's Rights Amendments (PPRA) (1978)
• No Child Left Behind Act of 2001 (NCLB) (January 2002)
• USA Patriot Act (October 26, 2001)
• Privacy Act of 1974
• Campus Sex Crimes Prevention Act
• Individuals with Disabilities Education Act (IDEA)
• National School Lunch Act
• NOTE: Student records may be protected by multiple laws
administered by multiple state and federal agencies.
FERPA
• Why focus on FERPA?
– Broad applicability/far-reaching implications for
state and local policies regarding data use and
collection activities
– FERPA often incorporated into laws authorizing
federal education programs
– Most states include (and often expand) FERPA
privacy concepts in their education laws
FERPA
• What is required or prohibited?
– Parents have the right to review and copy “student
records”
– School must have procedures by which student records
can be released and protected
• But FERPA does not dictate what safeguards must be taken (other
laws may)
– Schools must give parents annual notification of their
rights under FERPA
– Parents have the right to consent to release of student
records outside the school, subject to some exceptions
FERPA
• What is required or prohibited?
– Parents have the right to review, and sometimes, consent to children’s
participation in surveys, analyses or evaluations administered by state
or local education agencies (PPRA)
– Parents have the right to request amendments (e.g., to correct errors)
to student records and, if applicable, a formal hearing if request is
denied.
– Parents have the right to opt-out of disclosure of student directory
information (e.g., name, photo, email address, date/place of birth,
grade)
– Parents have the right to opt-out of student record access for military
recruitment (with some exceptions)
FERPA
• Who is covered by FERPA?
– Education agencies and institutions that receive funds from the
U.S. Department of Education (generally public schools)
• Since private schools may not receive these funds, they may not be
subject to FERPA
– Parents
– Eligible students over age 18 or who have graduated high
school and are attending a postsecondary education institution
(at any age)
• Under PPRA, parent rights transfer to student when he/she becomes 18
years old or is emancipated under state law.
FERPA
• What is a student record? It is any information:
– Directly related to a student, recorded in any way; and
– Maintained by an education agency or institution or parties
acting for them (health or social services institutions).
– Very broad definition that includes:
• Family information, name/address of parents or guardians, number of
siblings
• Personal information, SSN, picture, personal characteristics, DNA
• Medical/health records
• Documentation of attendance, courses taken, awards
• Videotapes of students or groups of students
FERPA
• What is not a student record?
– Notes (handwritten or typed) kept in the sole possession of the
maker (e.g., teacher, counselor) which are used only as a
personal memory aid and not revealed to any other person
other than replacement personnel (e.g., substitute teacher)
– Records created by law enforcement units of schools or school
districts, for a law enforcement purpose, that are maintained
separately from education records
– Information about individuals obtained after they are no longer
students
Illinois School Student Records Act
• Works to implement/expand FERPA:
– Requires schools to designate an official records custodian who
is responsible for the maintenance, care and security of all
school student records, whether or not such records are in his
or her personal custody or control.
– It is the job of the official records custodian to take all
reasonable measures to prevent unauthorized access to or
dissemination of school student records.
FERPA & Illinois School Student Records Act
• Schools may disclose child’s records to his/her parents.
– Parents have a right to (i) inspect and review their child’s
education records; and (ii) consent to disclosures of personally
identifiable information contained in their child’s education
records, except in certain situations where disclosure is
authorized without consent (i.e., emergency situations, to be
discussed).
– Parents may only review specific information about their child;
other students' information must be blocked out or redacted.
FERPA & Illinois School Student Records Act
• Administrative officials may disclose personally
identifiable information from a student record to anyone,
provided the student’s parents provide a broad signed,
written consent authorizing them to do so.
– Written consent must specify:
• Records to be disclosed;
• Purpose of disclosure;
• Party or class of parties to whom disclosure may be made; and
• Whether parent wishes to receive a copy of the records to be disclosed
FERPA & Illinois School Student Records Act
• Schools may disclose to the following parties without
consent:
– School officials, teachers within the school with legitimate
educational interests;
– Records custodian of another school/school system where
student seeks/intends to enroll/is already enrolled, for the
purpose of the student’s enrollment or transfer;
– Certain federal, state and local officials with prior written
notice;
– Organizations conducting studies for/on behalf of educational
agencies/institutions provided the study does not make it
possible to identify parents or students;
FERPA & Illinois School Student Records Act
Continued:
– Accrediting organization officials to carry out accrediting
functions;
– Health or safety emergency officials;
– To any person provided the disclosure only concerns directory
information (so long as parent does not object);
• Provide notice to parent defining directory information and give
reasonable opportunity to object
– The recipient of a court order;
– A governmental agency official in furtherance of an
investigation of a student’s school attendance;
– Department of Healthcare and Family Services officials provided
the limited information concerns school lunch applicants
FERPA
• Requires schools to keep records of each of the following:
– Requests for access to personally identifiable information;
– Disclosure of personally identifiable information from a
student’s education records;
– Names of the state/local educational authorities and federal
officials/agencies that will make secondary disclosures of
personally identifiable information from a student’s education
records without consent; and
– Parties who request or receive personally identifiable
information and the legitimate interests the parties had in
requesting or obtaining information.
FERPA & Illinois School Student Records Act
• What if a school does not comply?
– Failure to follow the procedures set forth in FERPA and the
Illinois School Student Records Act may result in the following:
• Loss of federal funds
• Individuals bringing an action for injunctive relief or damages
– School is liable to a successful plaintiff for damages, cost of action
and reasonable attorneys' fees.
– Absent malice, no official or employee acting at the direction of the
school can be liable.
– Willful failure to comply is a petty offense.
• State Board or State’s Attorney may bring an action for injunctive relief to
secure compliance with the procedures
Additional Laws: Children’s Day Care
IL Administrative Code Title 89, Chapter III, Subchapter e, Section 407.80
• Facility personnel must respect the confidential nature of
the child’s records.
• Information pertaining to the admission, progress, health,
or discharge of an individual child shall be confidential
and limited to facility staff designated by the child care
director or Department of Children and Family Services
(“DCFS”) representatives unless the parent(s) of the child
has granted written permission for disclosure or
dissemination.
Additional Laws: Children’s Day Care
IL Administrative Code Title 89, Chapter III, Subchapter e, Section 407.80
– Must have confidentiality release forms signed by the parent(s)
which specify to whom information may be released and the
length of time the release form is valid. Such release forms
shall be on file at the facility prior to the release of confidential
information.
– If information is requested by outside persons or agencies, a
specific written request signed by the person requesting the
information shall be obtained and placed on file at the facility
prior to the release of the information.
Additional Laws: Children’s Day Care
IL Administrative Code Title 89, Chapter III, Subchapter e, Section 407.80
• Authorized DCFS licensing representatives, DCFS child
protection investigators, or other DCFS representatives
who have the DCFS Director’s written authorization shall
have access to the day care center’s records and reports.
All persons with access to records and reports shall
respect their confidential nature.
Additional Laws: Children’s Day Care
IL Administrative Code Title 89, Chapter III, Subchapter d, Part 383A
• Failure to follow these procedures will result in an
investigation by DCFS and may result in any of the
following depending on the severity of the violation:
– Warning;
– Corrective plan followed by an informal review;
– Conditional license; or
– Refusal to renew or revocation of license.
Children’s Day Care
Caring for Our Children: National Health and Safety Performance Standards
• Best Practice: Maintain a file for each child in one central
location in the facility to be kept confidential but available
to child’s caregivers (who must have parental consent to
access the records), parents, legal guardian and licensing
authority upon request.
• File should include:
– Pre-admission enrollment information;
– Health report immunization records;
– Admission agreement signed by parent at enrollment; and
– Health history and medication record.
Children’s Day Care
Caring for our Children: National Health and Safety Performance Standards
• Records should be kept in safe, locked places.
• Get prior, informed, written consent for the release of
records and information to other service providers (i.e.
health service providers), including permission for
secondary release of records.
– Get consent forms in native language of parent;
– When disclosing information about one child, take care that no
other child’s information is disclosed in the process;
Children’s Day Care
Caring for our Children: National Health and Safety Performance Standards
– Have a written policy that covers the exchange of information
among parties; and
– Do not disclose or discuss personal information regarding
children and their relatives with any unauthorized person.
Discuss it only with staff members who need the information to
provide services, i.e., it’s a need-to-know basis.
Some Other Applicable Laws
• Individuals with Disabilities Education Act (IDEA)
– Provides additional protections for students who are receiving
special education and related services
– Public agencies must inform parents of children with disabilities
when information is no longer needed, and except for certain
permanent record information, that information must be
destroyed at the request of the parents
• National School Lunch Act (NSLA)
– Stricter than FERPA
– Strictly limits how school districts may use, and who may have
access to, information obtained as part of the free and reduced-price
meals eligibility process
• Part 3: Exceptions
Exceptions
• Privacy laws are subject to numerous exceptions where
other public policies prevail over privacy concerns.
• Examples include:
– Communicable Diseases
– Child Abuse
– Health and Safety Emergencies
– Social Workers
Exception: Communicable Disease
Children’s Day Care
Control of Communicable Diseases Code, Communicable Disease Report Act,
Department of Public Health Act
• School personnel having knowledge of a known or
suspected case or carrier of a reportable communicable
disease or communicable disease death shall report to
the local health authorities the case, suspected case,
carrier or death in humans within the respective time
frame required by the Code.
– The identity of the individual infected shall remain confidential;
and
– School personnel may release information that is necessary to
protect the health or safety of the student or other persons,
provided parents are notified as soon as possible.
Exception: Communicable Disease
Children’s Day Care
Licensing Standards for Day Care Centers
• Report any known or suspected case or carrier of
communicable disease to local health authorities and
comply with the Illinois Department of Public Health’s
Control of Communicable Diseases Code (lists diseases
and amount of time required to report).
– Maintain a file of reported illnesses that may indicate possible
infectious disease.
Exception: Communicable Disease
Children’s Day Care
Caring for Our Children: National Health and Safety Performance Standards
• Notify parents of exposed children with the following
information:
– Diagnosed disease
– Number of cases of disease
– Nature of exposure
– Signs/symptoms of disease and a timeline of what to watch for
– Mode of transmission
– Period of communicability
– Disease prevention recommended measures
• Do NOT identify the child who has the communicable
disease!
Exception: Communicable Disease
Children’s Day Care
Caring for Our Children: National Health and Safety Performance Standards
• Suggestions/Best practices:
– Have a written policy regarding the IL reporting requirements
for ill children.
– Report all communicable diseases to the health department.
– Maintain confidential records of immunizations, periodic health
assessments and any special medical considerations.
– Family should identify the child’s healthcare providers and
provide written consent to enable caregivers to establish direct
communication with providers.
• Always inform family prior to communicating with providers unless it is an
emergency/abusive situation.
Exception: Child Abuse
Children’s Day Care, Schools and Social Workers
Abused and Neglected Child Reporting Act
• Mandated reporters have a duty to report to the DCFS if
they have reasonable cause to believe a child known to
them in their professional or official capacity may be an
abused or neglected child.
– Mandated reporters include school personnel, social workers,
social service administrators, child day care director or staff, etc.
– If required to report, you should have signed a statement prior
to employment that stated you have knowledge and
understanding of the reporting requirements of this Act.
– Any mandated reporter who knowingly and willfully fails to
report this information is guilty of a Class A misdemeanor for
the first violation and a Class 3 felony for any subsequent failure
to report.
Exception: Child Abuse
Children’s Day Care, Schools and Social Workers
Abused and Neglected Child Reporting Act
• Duty to report if reasonable cause to suspect a child has
died as a result of abuse or neglect. Immediately report
suspicion to medical examiner or coroner.
• Best Practices: Caregivers should know the methods for
reducing the risks of child abuse and neglect, common
symptoms and signs.
• Child Abuse/Neglect Hotline:
– 1-800-25-ABUSE (252-2873)
• Consider calling the police, especially in emergencies or
when the child has been injured.
Exception: Child Abuse
Children’s Day Care, Schools and Social Workers
Abused and Neglected Child Reporting Act
• Report the following to the DCFS, if possible:
– Family composition and other children in the environment;
– Name, age, sex, ethnicity of child’s parents, caregiver,
relationship of caregiver to child and alleged perpetrator and
his/her relationship to the child subjects;
– Physical harm to the involved child and estimate of child’s
present physical, medical and environmental condition. Include
information about previous incidents of suspected child abuse
or neglect; and
– Reporter’s name, occupation and relationship to the child,
actions taken by reporter, where to reach reporter and other
information the reporter believes could be helpful.
Exception: Health & Safety Emergencies
FERPA & Illinois School Student Records Act
• Disclosure of information is permitted if there is an
articulable and significant threat to the safety of a student
or to other individuals.
• Institution may only disclose to those persons who need
to know the information to protect the health and safety
of the student or other individuals.
• Make a record of (i) the articulable and significant threat
that formed the basis for such disclosure, and (ii) the
parties to whom information was disclosed.
Exception: Health & Safety Emergencies
FERPA & Illinois School Student Records Act
• Notify parents as soon as possible of the information
released, the date of the release, the person, agency, or
organization receiving the information and the purpose of
the release.
• Factors to be considered in determining whether records
should be released pursuant to this paragraph include:
– Seriousness of the threat to the health or safety of the student
or other persons;
– Need for such records to meet the emergency; and
– Extent to which time is of the essence in dealing with the
emergency.
Exception: Health & Safety Emergencies
• Children’s Day Care
– In emergency situations, children under 12 years of age do not
need to be informed of such disclosure of information.
• Social Workers
– Duty to take steps to protect or warn third parties who may be
endangered by the child under their care.
– Duty to report the misconduct or impairment of another
professional.
Exception: Social Workers
Mental Health and Developmental Disabilities Confidentiality Act
• Social workers shall keep all records and communications
confidential except:
– to a parent or guardian of a recipient who is under 12 years of
age;
– to a reviewer for purposes of licensure, statistical compilation,
research, evaluation, or other similar purpose provided that
personally identifiable data is removed from the record before
use;
– to a reviewer for purposes of funding, accreditation,
reimbursement or audit by a State or federal agency or
accrediting body;
– to the Mental Health and Developmental Disabilities Medical
Review Board (upon its official request);
Exception: Social Workers
Mental Health and Developmental Disabilities Confidentiality Act
• Social workers shall keep all records and communications
confidential except (continued):
– to the Department of Human Services, the Department of
Healthcare and Family Services, Department of Public Health,
State Board of Education, Department of Children and Family
Services and other agencies or departments of the state,
provided the disclosure is limited to the name, social security
number, and information concerning services rendered
regarding a recipient of services;
– to the Guardianship and Advocacy commission official (upon
their request) in the course of an investigation or in the course
of monitoring issues concerning the rights of recipients or the
services provided to recipients; and
Exception: Social Workers
Mental Health and Developmental Disabilities Confidentiality Act
• Social workers shall keep all records and communications
confidential except (continued):
– if you have a written consent specifying:
• person or agency to whom disclosure is to be made (must also consent to
redisclosure);
• purpose for which disclosure is to be made;
• nature of the information to be disclosed (blanket consents not
permitted);
• right to inspect and copy the information to be disclosed;
• consequences of a refusal to consent, if any;
• calendar date on which consent expires (if none specified, may be
released only on the day the form is received by the therapist); and
• right to revoke the consent at any time.
Exception: Social Workers
Mental Health and Developmental Disabilities Confidentiality Act
• Failure to follow the procedures set forth in the Mental
Health and Developmental Disabilities Confidentiality Act
may result in the following:
– Individuals bringing an action for damages, injunction, or other
appropriate relief.
• Reasonable attorney’s fees and costs may be awarded to a successful
plaintiff.
– Knowing and willful violations are a Class A misdemeanor.
Note on HIPAA
• “Covered entities” under HIPAA include health plans,
healthcare clearinghouses, and health care providers that
transmit health information in electronic form.
• Technically, schools that provide health care services to
students may qualify as a health care provider.
• However, HIPAA expressly excludes information
considered to be “education records”.
• Rare situations in which a school would engage in a
“HIPAA transaction.”
Note on Confidentiality Agreements
• Key Issues:
– Limitations on right to use the information
– Obligations to keep the information confidential
– Obligations not to disclose the information
– Obligations to return or destroy
• Key Steps:
– Entering into confidential relationships carefully
– Following procedures to comply with confidentiality obligations
– Imposing confidentiality obligations on employees and others
• Part 4: Conclusions and Additional Resources
Conclusion
• Child/Student records – err on the side of confidentiality
• Provide notice, get consent, record requests
• In emergency situations, disclose only what is necessary
and only to those who need the information
• Education/student privacy laws are complex and evolving.
Check with a designated authority when in doubt.
Additional Resources
• U.S. Department of Education’s Privacy Technical
Assistance Center (PTAC)
– Has a privacy toolkit, papers, and other resources
• U.S. Department of Education’s Family Policy Compliance
Office
• Council of School Attorneys (part of National School
Boards Association)
• Other Resources on the Internet
Questions?