In Tracy Mitrano’s October 31, 2001 blog “FERPA, GLBA and HIPAA In Vendor Contract,” there was “a bold proposal.” She posited that most important action that can be taken to protect student privacy is a contractual requirement that contractors follow the same privacy requirements—including FERPA (Federal Education Rights and Privacy Act)—as colleges and universities themselves follow. Mitrano, is a lawyer in Cornell University’s Office of VP for Information Technology. She has written about intellectual property issues in universities.
Mitrano warns this will not be easy: “Contract lawyers associated with Internet companies have heard of these laws, but are not knowledgeable about them.”
As discussed at last year’s Department of Education’s DC-STATS Conference, FERPA can only be enforced by the U.S. Department of Education. Moreover, because the only remedy is preventing any federal funding of the college or university and its students, the Department has never enforced FERPA. Students and parents have no standing in courts under FERPA until they request the U.S. Department of Education investigate and exhausts the regulatory process.
At the DC-STATS Conference in July this year the Department of Education’s Chief Privacy Officer, Kathleen Styles, said revisions to the FERPA regulations would be completed “by the end of the year.” 274 public comments were received. A number of major revisions to increase privacy of student data have been suggested.
Styles’ presentation was followed by a brief discussion of student data provided to colleges and universities by Federal Student Aid (FSA). One commented that FSA is the largest source of higher-education student data. . These data include IRS “tax return data” for both the student and the parent. An implicit release could be assumed for the student or parent requesting the data transfer from the IRS to FSA.
IRS Publication 1075 has clear requirements for the protection of such “return data” which may not be currently satisfied by the implied authorization to release. According to a SHEEO July 10, 2010 publication student financial data flow up to a state database in 31 states. These convey between one and nine data elements relating to student financial aid.
Although the Department has emphasized FERPA in the past, it stated at the FSA Software Developers’ Conference in August FSA that it will be enforcing the FISMA (Federal Information Security Management Act of 2002) regulations. This includes the requirement that any further distribution of student data include the contractual clause as suggested by Mitrano. However responding to a question about whether these contractor provisions would apply to the “Participation Agreement” that colleges and universities sign with the Department in order to receive financial aid funding , the reply was “this is not a contract” (though likely meaning “for this purpose”). The transcript of the conference presentations was to become available in the first week of September, but, to date,is still unavailable.
FISMA provisions require strict compliance with NIST (National Institute of Standards and Technology) Special Publications, a requirement higher education has successfully avoided for almost a decade.
So far the FERPA regulations only require “reasonable standards” for privacy protection. The contract clause Mitrano suggests could become explicit in forthcoming revisions as well as other security measures.
In the earlier 2009 Software Developers Conference, FSA said their student data would require NIST Level of Assurance 2- and possibly Level 3.(The transcript of the questions and answers can be found here.) Compliance with FISMA at these levels would require substantial campus IT security upgrades. This may be the reason FSA is not yet requiring compliance. Justin Draeger, President of the National Association of Financial Aid Administrators, said colleges and universities could not immediately implement these requirements; it would take two or three years, at least.
Mitrano’s recommendation should be the first and immediate step toward improved security of student data.