SAFEGUARDING REGULATIONS AND HOW THEY AFFECT US
MICHIGAN ASSOCIATION FOR STUDENT FINANCIAL SERVICE ADMINISTRATORS
BY: KAREN REDDICK
NATIONAL CREDIT MANAGEMENT
St. Louis, Missouri
Since 1960

SANDBOX RULES
This session is open forum
Audience participation is encouraged
Questions and comments as we move through the presentation are welcome

LAWS AND REGULATIONS THAT AFFECT US
FERPA: Family Educational Rights and Privacy Act
GLBA: Gramm-Leach-Bliley Privacy Act
State SSN Privacy Law

FERPA
FERPA: Family Educational Rights and Privacy Act
Statute: 20 U.S.C. 1232(g)
Regulations: 34 CFR Part 99
The intent of the Act is to protect the rights of students and to ensure the privacy and accuracy of education records.
Those protected by FERPA are students and former students who have been in attendance at the institution.
Rights belong to the student

FERPA
Primary Rights of Students Under FERPA
– Right to inspect and review education records.
– Right to seek to amend education records.
– Right to have some control over the disclosure of information from education records.

FERPA
Definitions
– Student
    Prior to first day of attendance FERPA does not apply
– Educational Records
    Records containing information that is directly related to student
    Records maintained by educational institution or by a party acting for the institution
– Personally Identifiable Information
    Name
    Name of parent or other family member
    A personal identifier (SS # or Student ID #)
    List of characteristics or other information that would make the student’s identity easily traceable.

FERPA
CFR 99.7 Annual Notification
– Examples of Notification
    Student Handbook
    School Newspaper or catalog
    Local Newspaper
    Inclusion in student’s registration packet
– Institutions must annually notify students in attendance of their rights under FERPA:
    Right to inspect and review education records
– Procedures to inspect and review education records
– Statement that records may be disclosed to school officials without prior consent, including criteria for determining who are school officials
– What constitutes a legitimate educational interest.

FERPA
34 CFR Part 99.31 Under what conditions is prior consent not required to disclose?
– (a) An educational institution may disclose personally identifiable information from an educational record of a student without the consent required by 34 CFR Part 99.30 if the disclosure meets one or more conditions outlined in Part 99.31
(1) The disclosure is to other school officials within the institution whom the institution has determined to have legitimate educational interests.
(2) The disclosure to officials of another school where the student seeks or intends to enroll
(3) The disclosure to authorized representatives:
– Comptroller General of the United States
– The United States Attorney General
– The Secretary
– State and local educational authorities

FERPA
(4) The disclosure is in connection w/FA for which the student has applied, the info is necessary for such purposes as to
– A) Determine eligibility of Aid
– B) Determine amount of FA
– C) Determine conditions for the Aid
– D) Enforce terms and conditions of the Aid
(5) The disclosure is to State and local officials or authorities under certain conditions
(6) The disclosure is to organizations conducting studies for or on behalf of educational agencies or institutions
(7) The disclosure is to accrediting organizations to carry out their accrediting functions
(8) The disclosure is to parents, as defined in 99.3 of a dependent student, as defined in section 152 of the Internal Revenue Code of 1986
(9) The disclosure is to comply with a judicial order or subpoena

FERPA
(10) The disclosure is in connection with a health or safety emergency under the conditions described in CFR 99.36
(11) The disclosure is information the educational agency or institution has designated as directory information under the conditions described in CFR 99.36.
(12) The disclosure is to the parent of a student who is not an eligible student or to the student
(13) The disclosure subject to requirements of CFR 99.39 is to a victim of an alleged perpetrator of a crime of violence
(14) The disclosure subject to requirement of CFR 99.39 in connection with a disciplinary proceeding at an institution

FERPA
34 CFR Part 99 Final Regulations
Dated April 21, 2004
Effective May 21, 2004
The Final Rule regulations provide general guidelines for accepting “signed and dated written consent” under FERPA in electronic format.
Section 99.30 is amended by adding a new paragraph (d) to read as follows:

FERPA
(d) “Signed and dated written consent” under this part may include a record and signature in electronic form that:
– (1) Identifies and authenticates a particular person as the source of the electronic consent; and
– (2) Indicates such person’s approval of the information contained in the electronic consent.
Safe Harbor
– Most support the use of FSA standards for electronic signatures in electronic student loan transactions (FSA Standards) as a “Safe Harbor”
– Schools are not required by FERPA to follow the FSA Standards. The Feds believe that schools may use the setup and security measures described in the FSA Standards, particularly sections 3 through 7, as guidance for security measures in a system using electronic records and signatures under FERPA
– Guidelines to Safe Harbor Rules can be found at www.ifap.ed.gov/dpcletters/gen0106.html.

FERPA VS. GLBA
FERPA - the access of information
GLBA – the physical handling of information

GLBA
GLBA: Gramm-Leach-Bliley Act signed into law November 1999.
– Regulation: Privacy regulations issued by federal agencies. Compliance required as of 7/1/01
– FTC PART 314 - Standards for Safeguarding Customer Information (Effective 5/23/03)
– Scope: Regulates the sharing of:
    “Nonpublic personal information” about individuals who obtain “financial products or services”
    From “financial institutions” primarily for personal, family or household purposes.

GLBA-Implementing the Safeguards Rule
The Gramm Leach Bliley Act requires financial institutions to ensure the security and confidentiality of customer personal information.
The Federal Trade Commission (FTC) implemented GLBA by issuing the Privacy Rule and the Safeguards Rule.
Colleges and universities are considered “financial institutions” primarily due to student loan making activities.

GLBA-Implementing the Safeguards Rule
Safeguards Rule requires all financial institutions to develop an information security program to protect customer information.
The three areas where safeguards must be considered:
– Administrative
– Physical
– Technical

GLBA- Implementing the Safeguards Rule
We must ensure the security and confidentiality of student (customer) records and information.
We must protect against any anticipated threats or hazards to the security or integrity of such records.
We must protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any student

GLBA- How to Implement the Rule
The Rule, which took effect on May 23, 2003, requires financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a written information security program that contains comprehensive administrative, technical, and physical safeguards.

GLBA- Implementing the Safeguards Rule
As part of its program, each financial institution must:
– Designate an employee or employees to coordinate its information security program.
– Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of information, and assess the sufficiency of any safeguards in place to control the risks

GLBA- Implementing the Safeguards Rule
– Design and implement safeguards to control reasonably foreseeable risks, and monitor the effectiveness of these safeguards.
– Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require them, by contract, to implement and maintain such safeguards. Deadline for 3rd party providers to implement security plan was May 24, 2004.
– Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business arrangements or operations, or the results of testing and monitoring of safeguards.

GLBA- Securing Information
Three areas that are particularly important to information security are the following:
– Employee Training
– Information Systems
– Managing System Failures

SSN STATE PRIVACY LAWS
– May not print SSN on any card required to access products or services
– May not require transmission of SSN over an unsecure Internet Connection
– May not require the SSN to access an Internet web site unless other unique identification or authentication is used
– May not print SSN on any material mailed to the individual unless state or federal law requires the SSN to be on the document, applications and forms excluded (example: 1098T’s)

SSN STATE PRIVACY LAWS
7 States have adopted law
Michigan is the newest state to implement law
– Social Security Number Privacy Act 454 of 2004
– Effective March 1, 2005
– The Act required Universities to have privacy policy in place by January 1, 2006
– Enacted to prevent identity theft in the state of MI, it limits the use of Social Security Numbers as an identifier of students and employees, unless necessary
– Converting to use of just the last 4 digits, or to some other non-SSN system, is recommended as best practice

SSN Privacy Law – Solution
Create environment that will accommodate all state laws

CONTACT INFORMATION
GLBA
www.ftc.gov/privacy/glbact
Laura D. Berger, Attorney Division of Financial Practices FTC
(202) 326-3224
NACUBO http://www.nacubo.org/x2152.xml
FERPA
Family Policy Compliance Office
LeRoy Rooker, Director of Family Policy
(202) 260-3887
www.ed.gov/policy/gen/guid/fpco/ferpa
Karen [email protected]
(800)627-2300, ext 229
Free Credit Report
www.annualcreditreport.com
Legislative Council, State of MI
www.legislature.mi.gov