12.5 Privacy and Security
Institutions should focus on two critical areas as they consider protection of institutional data: Privacy and Security. Privacy deals with the classification and release of protected data, while Security deals with the protection of the confidentiality, integrity, and availability of data.
The protection of institutional data is governed by a growing collection of federal and state laws relating to privacy and security. All institutions are morally, and now legally, responsible for the protection and integrity of the data they create and maintain on their campus. Through a number of legal statutes and regulations, institutions now have a legal responsibility for protection of student, employee, and faculty information.
An institution is responsible for complying with all current laws and regulations concerning data privacy and security. The institution should identify an individual or group that will have responsibility for compliance with new regulations.
The following sections describe the major current laws that affect educational institutions. Due to the rapid changes in information technology and privacy requirements, however, new laws are being introduced at a rapid pace. Each institution must be vigilant and stay aware of new legal requirements in the Privacy and Security areas.
Reference: IT Security for Higher Education: A Legal Perspective. White paper produced for Educause by Kenneth D. Salomon, Peter C. Cassat, and Briana E. Thibeau; Dow, Lohnes & Albertson, PLLC; March 20, 2003.
12.5.1 Family Educational Rights and Privacy Act (FERPA)
The primary law that governs the privacy of educational information is the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g(b).
FERPA is the keystone federal privacy law for educational institutions. FERPA generally imposes a cloak of confidentiality around student educational records, prohibiting institutions from disclosing “personally identifiable education information,” such as grades or financial aid information, without the student’s written permission. FERPA also grants to students the right to request and review their educational records and to make corrections to those records. The law applies with equal force to electronic records as it does to those stored in file drawers.
Generally, institutions must have written permission from the student in order to release any information from a student’s education record. However, FERPA does allow institutions to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
- School officials with legitimate educational interest
- Other schools to which a student is transferring
- Specified officials for audit or evaluation purposes
- Appropriate parties in connection with financial aid to a student
- Organizations conducting certain studies for or on behalf of the school
- Accrediting organizations
- To comply with a judicial order or lawfully issued subpoena
- Appropriate officials in cases of health and safety emergencies
- State and local authorities, within a juvenile justice system, pursuant to specific State law
Institutions may disclose, without consent, “directory” information, such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, institutions must tell students about directory information and allow students a reasonable amount of time to request that the school not disclose directory information about them.
Institutions must notify parents and eligible students annually of their rights under FERPA. The actual means of notification, such as a special letter, student handbook, or newspaper article, is left to the discretion of each institution.
While violations of FERPA do not give rise to private rights of action, the U.S. Secretary of Education has established the Family Policy Compliance Office, which has the power to investigate and adjudicate FERPA violations and to terminate federal funding to any institution that fails to substantially comply with the law.
12.5.2 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect the rights of patients and participants in certain health plans. In 2000, the federal Department of Health and Human Services adopted copious regulations granting consumers the right to receive written notice of the information practices of entities subject to HIPAA.
Colleges and universities that are affiliated with health care providers are considered covered entities, and institutions must provide written notice of their affiliated health care provider’s electronic information practices. Most employer-sponsored health plans also are considered to be “entities” subject to HIPAA. As a result, various compliance obligations are imposed on colleges and universities that sponsor and administer such plans.
HIPAA generally requires covered entities to:
- Adopt written privacy procedures that describe, among other things, who has access to protected information, how such information will be used, and when the information may be disclosed.
- Require their business associates to protect the privacy of health information.
- Train their employees in their privacy policies and procedures.
- Take steps to protect against unauthorized disclosure of personal health records.
- Designate an individual to be responsible for ensuring the procedures are followed.
12.5.3 Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA) broadly prohibits the unauthorized use or interception by any person of the contents of any wire, oral or electronic communication. Protection of the “contents” of such communications, however, extends only to information concerning the “substance, purport, or meaning” of the communications.
In other words, the ECPA likely would not protect from disclosure to third parties information such as the existence of the communication itself or the identity of the parties involved. As a result, the monitoring by institutions of students’ network use or of network usage patterns, generally, would not be prohibited by the ECPA, as long as the substance of the communication was not made public.
The ECPA will come into play when an institution is forced to monitor or intercept student, faculty, or employee electronic communications such as e-mail. The effect of the law may depend on the type of person being monitored and the person’s association with the institution, as a student, faculty member, or employee, and whether the communication system is considered a public or private system.
The ECPA also contains specific exceptions allowing disclosures to law enforcement agencies under certain circumstances.
12.5.4 USA Patriot Act
The USA Patriot Act can affect educational institutions in many ways. Probably the most significant effect is that it potentially prohibits institutions from revealing the very existence of a law enforcement investigation. All institutions should ensure that they have worked with their legal staff to produce written procedures on how to deal with law enforcement information requests. Any institution employee faced with a request from law enforcement should follow these procedures.
12.5.5 TEACH Act
The TEACH Act relaxes certain copyright restrictions to make it easier for accredited nonprofit colleges and universities to use technology materials in educational settings. Institutions that want to take advantage of the relaxed copyright restrictions must limit “to the extent technologically feasible” the transmission of such content to students who actually are enrolled in a particular course, and they must use appropriate technological means to prohibit the unauthorized retransmission of such information.
In other words, the TEACH Act may require institutions to implement technical copy protection measures and to authenticate the identity of users of electronic course content.
12.5.6 Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, was largely directed at financial institutions and creates obligations to protect customer financial information. However, it has been determined that colleges and universities are also covered by the act.
The GLBA has two major sections: privacy and security. The Federal Trade Commission’s (FTC) regulations implementing the GLBA specifically provide that colleges and universities will be deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with FERPA. Therefore, the GLBA privacy requirements should not affect educational institutions, and they should focus mainly on the security sections of the GLBA.
The information security, or Safeguard, section has five major requirements that an institution must follow:
- Designate one or more employees to coordinate the security safeguards.
- Identify and assess the risks to customer information in each relevant area and evaluate the effectiveness of the current safeguards.
- Design and implement a safeguards program and regularly monitor and test it.
- Select appropriate service providers and contract with them to implement safeguards.
- Evaluate and adjust the program in light of relevant circumstances or the results of testing.
12.5.7 Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access to a “protected computer” with the intent to obtain information, defraud, obtain anything of value, or cause damage to the computer. A “protected computer” is defined as a computer that is used in interstate or foreign commerce or communication, or by or for a financial institution or the government of the United States. An institution may rely on this law when there has been a break-in into its computer systems.