
SAFEGUARDING REGULATIONS AND HOW
THEY AFFECT US
MICHIGAN ASSOCIATION FOR
STUDENT FINANCIAL SERVICE
ADMINISTRATORS
BY: KAREN REDDICK
NATIONAL CREDIT MANAGEMENT
St. Louis, Missouri
SANDBOX RULES
• This session is an open forum
• Audience participation is encouraged
• Questions and comments as we move
through the presentation are welcome
Since 1960
LAWS AND REGULATIONS
THAT AFFECT US
• FERPA: Family Educational
Rights and Privacy Act
• GLBA: Gramm-Leach-Bliley
Act
• State SSN Privacy Law
FERPA
FERPA: Family Educational Rights and
Privacy Act
Statute: 20 U.S.C. § 1232g
Regulations: 34 CFR Part 99
• The intent of the Act is to protect the
rights of students and to ensure the
privacy and accuracy of education
records.
• Those protected by FERPA are students
and former students who have been in
attendance at the institution.
• Rights belong to the student
FERPA
• Primary Rights of Students Under
FERPA
– Right to inspect and review education
records.
– Right to seek to amend education
records.
– Right to have some control over the
disclosure of information from
education records.

FERPA
Definitions
– Student
• Prior to the first day of attendance FERPA does not
apply
– Education Records
• Records containing information that is directly
related to a student
• Records maintained by the educational institution or
by a party acting for the institution
– Personally Identifiable Information
• Name
• Name of parent or other family member
• A personal identifier (SSN or Student ID #)
• List of characteristics or other information that
would make the student’s identity easily
traceable.

FERPA
34 CFR 99.7 Annual Notification
– Institutions must annually notify students in attendance of
their rights under FERPA:
• Right to inspect and review education records
• Procedures to inspect and review education
records
• Statement that records may be disclosed to
school officials without prior consent, including
the criteria for determining who are school officials
• What constitutes a legitimate educational
interest
– Examples of Notification
• Student Handbook
• School Newspaper or catalog
• Local Newspaper
• Inclusion in the student registration packet
FERPA

34 CFR 99.31: Under what conditions is prior consent not
required to disclose?
– (a) An educational institution may disclose personally
identifiable information from an education record of a
student without the consent required by 34 CFR
99.30 if the disclosure meets one or more of the conditions
outlined in 99.31:
(1) The disclosure is to other school officials within the
institution whom the institution has determined to
have legitimate educational interests.
(2) The disclosure is to officials of another school where the
student seeks or intends to enroll.
(3) The disclosure is to authorized representatives of:
– The Comptroller General of the United States
– The United States Attorney General
– The Secretary (of Education)
– State and local educational authorities
FERPA
(4) The disclosure is in connection with financial aid (FA) for which the
student has applied, and the information is necessary for such
purposes as to:
– A) Determine eligibility for the aid
– B) Determine the amount of the aid
– C) Determine the conditions for the aid
– D) Enforce the terms and conditions of the aid
(5) The disclosure is to State and local officials or
authorities under certain conditions
(6) The disclosure is to organizations conducting studies
for or on behalf of educational agencies or institutions
(7) The disclosure is to accrediting organizations to carry
out their accrediting functions
(8) The disclosure is to parents, as defined in 99.3, of a
dependent student, as defined in section 152 of the
Internal Revenue Code of 1986
(9) The disclosure is to comply with a judicial order or
lawfully issued subpoena
FERPA
(10) The disclosure is in connection with a health or
safety emergency under the conditions described in
34 CFR 99.36
(11) The disclosure is of information the educational
agency or institution has designated as directory
information under the conditions described in 34 CFR
99.37
(12) The disclosure is to the parent of a student who is
not an eligible student, or to the student
(13) The disclosure, subject to the requirements of 34 CFR
99.39, is to a victim of an alleged perpetrator of a
crime of violence
(14) The disclosure, subject to the requirements of 34 CFR 99.39,
is in connection with a disciplinary proceeding at an
institution
FERPA
34 CFR Part 99 Final Regulations
Dated April 21, 2004
Effective May 21, 2004
• These final regulations provide
general guidelines for accepting “signed
and dated written consent” under FERPA
in electronic format.
• Section 99.30 is amended by adding a
new paragraph (d) to read as follows:
FERPA
(d) “Signed and dated written consent” under this part may
include a record and signature in electronic form that
– (1) Identifies and authenticates a particular person as the
source of the electronic consent; and
– (2) Indicates such person’s approval of the information
contained in the electronic consent.
• Safe Harbor
– Most support the use of the FSA standards for electronic
signatures in electronic student loan transactions (FSA
Standards) as a “Safe Harbor”
– Schools are not required by FERPA to follow the FSA
Standards. The Department of Education believes that schools may use the
setup and security measures described in the FSA
Standards, particularly sections 3 through 7, as guidance
for security measures in a system using electronic records
and signatures under FERPA
– Guidelines to the Safe Harbor rules can be found at
www.ifap.ed.gov/dpcletters/gen0106.html.
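What a “signed and dated written consent” in electronic form can look like in practice, as an added example that is not from the presentation, the FSA Standards, or any institution's system: the record names the student as its source, is issued only after the student's credentials have been verified, carries an explicit approval flag and a UTC timestamp, and is bound to its contents by an HMAC so a later disclosure can check that what it relies on is exactly what was approved. The credential store, salt, student ID, and the server-held signing key are constructed assumptions for the demo; a per-student key or PKI-based signature would bind the record to the student more strongly than a server-held secret does.

```python
"""Added example (not from the presentation, the FSA Standards, or any
institution's system): a tamper-evident electronic consent record shaped by
34 CFR 99.30(d). Credential store, salt, student ID and signing key are
constructed for the demo."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed credential store: PBKDF2-SHA256 password hashes keyed by student ID.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)


CREDENTIALS = {"S1002": _hash_password("correct horse battery")}  # constructed

# Key held by the institution's consent service (assumed); in production it
# would live in a KMS/HSM rather than process memory.
SIGNING_KEY = secrets.token_bytes(32)


def authenticate(student_id: str, password: str) -> bool:
    """Verify the student's credentials with a constant-time comparison."""
    expected = CREDENTIALS.get(student_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _hash_password(password))


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the MAC covers exactly what was approved.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def create_consent(student_id, password, records, recipient, purpose, now=None):
    """Issue a signed, dated consent, or return None if authentication fails."""
    if not authenticate(student_id, password):
        return None
    record = {
        "source": student_id,            # 99.30(d)(1): identifies the person
        "records": sorted(records),      # which education records may go out
        "recipient": recipient,
        "purpose": purpose,
        "approved": True,                # 99.30(d)(2): explicit approval
        "signed_at": (now or datetime.now(timezone.utc)).isoformat(),
    }
    tag = hmac.new(SIGNING_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "signature": tag}


def verify_consent(consent: dict) -> bool:
    """True only if the record is unmodified and records an approval."""
    expected = hmac.new(SIGNING_KEY, _canonical(consent["record"]),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, consent["signature"])
            and consent["record"].get("approved") is True)


def disclosure_permitted(consent: dict, record_type: str, recipient: str) -> bool:
    """Gate a release: the consent must verify and must name both the record
    type and the recipient that are being asked for."""
    if not verify_consent(consent):
        return False
    rec = consent["record"]
    return record_type in rec["records"] and rec["recipient"] == recipient


if __name__ == "__main__":
    c = create_consent("S1002", "correct horse battery",
                       ["financial aid file"], "Example Lender", "loan certification")
    print(json.dumps(c, indent=2))
    print(disclosure_permitted(c, "financial aid file", "Example Lender"))
```

The gate in `disclosure_permitted` is the part worth copying: a consent that verifies is still only good for the record types and the recipient the student actually named, and any edit to the record after signing (a different recipient, a broader list of records, a flipped approval flag) changes the MAC and fails verification.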
FERPA VS. GLBA
• FERPA – governs access to and disclosure of education records
• GLBA – governs the handling and safeguarding of customer financial information
GLBA
• GLBA: Gramm-Leach-Bliley Act, signed into
law November 1999.
– Regulation: Privacy regulations issued by federal
agencies. Compliance required as of 7/1/01
– FTC 16 CFR Part 314 – Standards for Safeguarding
Customer Information (effective 5/23/03)
– Scope: Regulates the sharing of:
• “Nonpublic personal information” about individuals who
obtain “financial products or services”
• From “financial institutions” primarily for personal, family
or household purposes.
GLBA-Implementing
the Safeguards Rule
The Gramm-Leach-Bliley Act requires
financial institutions to ensure the security
and confidentiality of customer personal
information.
• The Federal Trade Commission (FTC)
implemented GLBA by issuing the Privacy
Rule and the Safeguards Rule.
• Colleges and universities are considered
“financial institutions” primarily due to their student
loan making activities.
GLBA-Implementing
the Safeguards Rule
The Safeguards Rule requires all financial
institutions to develop an information security
program to protect customer information.
• The three areas where safeguards must be
considered:
– Administrative
– Physical
– Technical
GLBA- Implementing
the Safeguards Rule
• We must ensure the security and confidentiality
of student (customer) records and information.
• We must protect against any anticipated threats
or hazards to the security or integrity of such
records.
• We must protect against unauthorized access to
or use of such records or information which
could result in substantial harm or
inconvenience to any student.
GLBA- How to
Implement the Rule
• The Rule, which took effect on May 23,
2003, requires financial institutions over
which the FTC has jurisdiction to
develop, implement, and maintain a
written information security program
that contains comprehensive
administrative, technical, and physical
safeguards.
GLBA- Implementing
the Safeguards Rule
• As part of its program, each financial
institution must:
– Designate an employee or employees to
coordinate its information security program.
– Identify reasonably foreseeable internal and
external risks to the security, confidentiality, and
integrity of customer information that could result
in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of information,
and assess the sufficiency of any safeguards in
place to control the risks.
GLBA- Implementing the
Safeguards Rule
– Design and implement safeguards to control reasonably
foreseeable risks, and monitor the effectiveness of these
safeguards.
– Take reasonable steps to select and retain service
providers that are capable of maintaining appropriate
safeguards for customer information and require them,
by contract, to implement and maintain such safeguards.
Deadline for 3rd party providers to implement security
plan was May 24, 2004.
– Evaluate and adjust the program in light of relevant
circumstances, including changes in the firm’s business
arrangements or operations, or the results of testing and
monitoring of safeguards.
GLBA- Securing
Information
• Three areas that are particularly
important to information security are
the following:
– Employee Training
– Information Systems
– Managing System Failures
SSN STATE PRIVACY LAWS
– May not print the SSN on any card required to access
products or services
– May not require transmission of the SSN over an unsecured Internet connection
– May not require the SSN to access an Internet
web site unless another unique identifier or
authentication method is also used
– May not print the SSN on any material mailed to the
individual unless state or federal law requires the
SSN to be on the document; applications and
forms are excluded (example: 1098-T forms)
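One way to enforce the mailing restriction above in software, as an added example that is not from the presentation or any state's statute: scan outbound text for full Social Security numbers, rewrite each to a last-4 form before the material is printed or mailed, and let only the forms that law requires to carry the full SSN (the 1098-T case) pass through unchanged while still counting them for the audit log. The structural rules used to reject look-alike numbers are the SSA's published ones (area is never 000, 666 or 900-999; group is never 00; serial is never 0000); the allow-list of forms and the sample letter are constructed for the demo.

```python
"""Added example (not from the presentation or any state statute): mask full
SSNs in outbound documents, with an allow-list for forms that law requires
to carry the full number. Allow-list and sample letter are constructed."""
import re

# Three groups with optional "-" or " " separators; the look-arounds stop the
# pattern from matching inside a longer digit string such as an account number.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")

# Constructed allow-list: forms that federal law requires to carry the full SSN.
FULL_SSN_REQUIRED_FORMS = {"1098-T", "W-2"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues so fewer non-SSN values get masked."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask_ssns(text: str) -> tuple[str, int]:
    """Replace every plausible SSN with XXX-XX-last4; return (text, count)."""
    hits = 0

    def _replace(match: re.Match) -> str:
        nonlocal hits
        area, group, serial = match.groups()
        if not is_plausible_ssn(area, group, serial):
            return match.group(0)  # leave look-alikes (IDs, phone parts) alone
        hits += 1
        return f"XXX-XX-{serial}"

    return SSN_RE.sub(_replace, text), hits


def prepare_for_mailing(document: str, form_type: str) -> tuple[str, int, bool]:
    """Outbound gate. Returns (text to mail, SSNs found, full SSN retained).
    Full SSNs are kept only for allow-listed forms; the count is returned in
    every case so the mailing can be logged as carrying an SSN."""
    masked, hits = mask_ssns(document)
    if form_type in FULL_SSN_REQUIRED_FORMS:
        return document, hits, True
    return masked, hits, False


# Constructed sample: a billing letter that should never leave with a full SSN.
# The 9-digit student ID and the account number are deliberate look-alikes.
SAMPLE_LETTER = """Dear Jane Doe,
Student ID 987654321   SSN 123-45-6789
Your balance for account 000-12-3456 is due. Questions? Call 800-627-2300.
"""

if __name__ == "__main__":
    text, hits, kept = prepare_for_mailing(SAMPLE_LETTER, "billing statement")
    print(f"{hits} SSN(s) masked, full SSN retained: {kept}")
    print(text)
```

Masking is done on the way out, not by hunting SSNs in the database: anything that reaches the print or mail step is rewritten unless the form type is explicitly allow-listed, which errs on the side of over-masking an unseparated 9-digit number rather than leaking an SSN. Converting the identifier stored in the system of record to a non-SSN ID, as the next slide recommends, is what removes the risk rather than just filtering it.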
SSN STATE PRIVACY LAWS
• Seven states have adopted such a law
• Michigan is the newest state to implement one
– Social Security Number Privacy Act, Public Act 454 of 2004
– Effective March 1, 2005
– The Act required universities to have a privacy
policy in place by January 1, 2006
– Enacted to prevent identity theft in the state of
MI, it limits the use of Social Security Numbers as
an identifier of students and employees, unless
necessary
– Best practice: convert to the use of only the last 4
digits, or to some other non-SSN identifier
SSN Privacy Law–
Solution
• Create an environment that will
accommodate all state laws
CONTACT INFORMATION
GLBA
www.ftc.gov/privacy/glbact
Laura D. Berger, Attorney, Division of Financial Practices, FTC
(202) 326-3224
NACUBO
http://www.nacubo.org/x2152.xml
FERPA
Family Policy Compliance Office
LeRoy Rooker, Director of Family Policy
(202) 260-3887
www.ed.gov/policy/gen/guid/fpco/ferpa
Karen Reddick
[email protected]
(800)627-2300, ext 229
Free Credit Report
www.annualcreditreport.com
Legislative Council, State of MI
www.legislature.mi.gov