SAFEGUARDING REGULATIONS AND HOW THEY AFFECT US

MICHIGAN ASSOCIATION FOR STUDENT FINANCIAL SERVICE ADMINISTRATORS

BY: KAREN REDDICK
NATIONAL CREDIT MANAGEMENT
St. Louis, Missouri

Post on 15-Jan-2016

Since 1960

SANDBOX RULES

This session is open forum

Audience participation is encouraged

Questions and comments as we move through the presentation are welcome

LAWS AND REGULATIONS THAT AFFECT US

FERPA: Family Educational Rights and Privacy Act

GLBA: Gramm-Leach-Bliley Privacy Act

State SSN Privacy Law

FERPA

FERPA: Family Educational Rights and Privacy Act
Statute: 20 U.S.C. 1232(g)
Regulations: 34 CFR Part 99

The intent of the Act is to protect the rights of students and to ensure the privacy and accuracy of education records.

Those protected by FERPA are students and former students who have been in attendance at the institution.

Rights belong to the student

FERPA

Primary Rights of Students Under FERPA
– Right to inspect and review education records.
– Right to seek to amend education records
– Right to have some control over the disclosure of information from education records.

FERPA

Definitions

– Student
    Prior to first day of attendance FERPA does not apply
– Educational Records
    Records containing information that is directly related to student
    Records maintained by educational institution or by a party acting for the institution
– Personally Identifiable Information
    Name
    Name of parent or other family member
    A personal identifier (SS # or Student ID #)
    List of characteristics or other information that would make the student’s identity easily traceable.

FERPA

CFR 99.7 Annual Notification

– Examples of Notification
    Student Handbook
    School Newspaper or catalog
    Local Newspaper
    Inclusion in student’s registration packet
– Institutions must annually notify students in attendance of their rights under FERPA:
    Right to inspect and review education records
    – Procedures to inspect and review education records
    – Statement that records may be disclosed to school officials without prior consent, including criteria for determining who are school officials
    – What constitutes a legitimate educational interest.

FERPA

34 CFR Part 99.31
Under what conditions is prior consent not required to disclose?

– (a) An educational institution may disclose personally identifiable information from an educational record of a student without the consent required by 34 CFR Part 99.30 if the disclosure meets one or more conditions outlined in Part 99.31

(1) The disclosure is to other school officials within the institution whom the institution has determined to have legitimate educational interests.

(2) The disclosure to officials of another school where the student seeks or intends to enroll

(3) The disclosure to authorized representatives:
– Comptroller General of the United States
– The United States Attorney General
– The Secretary
– State and local educational authorities

FERPA

(4) The disclosure is in connection with financial aid (FA) for which the student has applied, and the information is necessary for such purposes as to
– A) Determine eligibility of Aid
– B) Determine amount of FA
– C) Determine conditions for the Aid
– D) Enforce terms and conditions of the Aid

(5) The disclosure is to State and local officials or authorities under certain conditions

(6) The disclosure is to organizations conducting studies for or on behalf of educational agencies or institutions

(7) The disclosure is to accrediting organizations to carry out their accrediting functions

(8) The disclosure is to parents, as defined in 99.3 of a dependent student, as defined in section 152 of the Internal Revenue Code of 1986

(9) The disclosure is to comply with a judicial order or subpoena

FERPA

(10) The disclosure is in connection with a health or safety emergency under the conditions described in CFR 99.36

(11) The disclosure is information the educational agency or institution has designated as directory information under the conditions described in CFR 99.36.

(12) The disclosure is to the parent of a student who is not an eligible student or to the student

(13) The disclosure subject to requirements of CFR 99.39 is to a victim of an alleged perpetrator of a crime of violence

(14) The disclosure subject to requirement of CFR 99.39 in connection with a disciplinary proceeding at an institution

FERPA

34 CFR Part 99 Final Regulations
Dated April 21, 2004
Effective May 21, 2004

This Final Rule provides general guidelines for accepting “signed and dated written consent” under FERPA in electronic format.

Section 99.30 is amended by adding a new paragraph (d) to read as follows:

FERPA

(d) “Signed and dated written consent” under this part may include a record and signature in electronic form that:
– (1) Identifies and authenticates a particular person as the source of the electronic consent; and
– (2) Indicates such person’s approval of the information contained in the electronic consent.

Safe Harbor
– Most support the use of FSA standards for electronic signatures in electronic student loan transactions (FSA Standards) as a “Safe Harbor”
– Schools are not required by FERPA to follow the FSA Standards. The Feds believe that schools may use the setup and security measures described in the FSA Standards, particularly sections 3 through 7, as guidance for security measures in a system using electronic records and signatures under FERPA
– Guidelines to Safe Harbor Rules can be found at www.ifap.ed.gov/dpcletters/gen0106.html.

FERPA VS. GLBA

FERPA - the access of information

GLBA – the physical handling of information

GLBA

GLBA: Gramm-Leach-Bliley Act signed into law November 1999.
– Regulation: Privacy regulations issued by federal agencies. Compliance required as of 7/1/01
– FTC PART 314-Standards for Safeguarding Customer Information (Effective 5/23/03)
– Scope: Regulates the sharing of:
    “Nonpublic personal information” about individuals who obtain “financial products or services”
    From “financial institutions” primarily for personal, family or household purposes.

GLBA- Implementing the Safeguards Rule

The Gramm Leach Bliley Act requires financial institutions to ensure the security and confidentiality of customer personal information.

The Federal Trade Commission (FTC) implemented GLBA by issuing the Privacy Rule and the Safeguards Rule.

Colleges and universities are considered “financial institutions” primarily due to student loan making activities.

GLBA- Implementing the Safeguards Rule

Safeguards Rule requires all financial institutions to develop an information security program to protect customer information.

The three areas where safeguards must be considered:
– Administrative
– Physical
– Technical

GLBA- Implementing the Safeguards Rule

We must ensure the security and confidentiality of student (customer) records and information.

We must protect against any anticipated threats or hazards to the security or integrity of such records.

We must protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any student

GLBA- How to Implement the Rule

The Rule, which took effect on May 23, 2003, requires financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a written information security program that contains comprehensive administrative, technical, and physical safeguards.

GLBA- Implementing the Safeguards Rule

As part of its program, each financial institution must:
– Designate an employee or employees to coordinate its information security program.
– Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control the risks

GLBA- Implementing the Safeguards Rule

– Design and implement safeguards to control reasonably foreseeable risks, and monitor the effectiveness of these safeguards.

– Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require them, by contract, to implement and maintain such safeguards. Deadline for 3rd party providers to implement security plan was May 24, 2004.

– Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business arrangements or operations, or the results of testing and monitoring of safeguards.

GLBA- Securing Information

Three areas that are particularly important to information security are the following:

– Employee Training
– Information Systems
– Managing System Failures

SSN STATE PRIVACY LAWS

– May not print SSN on any card required to access products or services
– May not require transmission of SSN over an unsecure Internet connection
– May not require the SSN to access an Internet web site unless other unique identification or authentication is used
– May not print SSN on any material mailed to the individual unless state or federal law requires the SSN to be on the document, applications and forms excluded (example: 1098T’s)

SSN STATE PRIVACY LAWS

7 States have adopted law
Michigan is the newest state to implement law
– Social Security Number Privacy Act 454 of 2004
– Effective March 1, 2005
– The Act required Universities to have privacy policy in place by January 1, 2006
– Enacted to prevent identity theft in the state of MI, it limits the use of Social Security Numbers as an identifier of students and employees, unless necessary
– Best practice is to convert to use of just the last 4 digits or to some other, non-SSN system

SSN Privacy Law – Solution

Create environment that will accommodate all state laws

CONTACT INFORMATION

GLBA
www.ftc.gov/privacy/glbact
Laura D. Berger, Attorney
Division of Financial Practices, FTC
(202) 326-3224

NACUBO
http://www.nacubo.org/x2152.xml

FERPA
Family Policy Compliance Office
LeRoy Rooker, Director of Family Policy
(202) 260-3887
www.ed.gov/policy/gen/guid/fpco/ferpa

Karen [email protected]
(800) 627-2300, ext 229

Free Credit Report
www.annualcreditreport.com

Legislative Council, State of MI
www.legislature.mi.gov