The world of privacy regulation continues to be in a state of change. Certain information is covered under specific regulations yet the United States has no overarching Privacy Law. New international regulations, both enacted and soon to be enacted, impact the University and how we collect and process personal information. Absent a federal law, states have turned to developing their own privacy regulations which are all slightly different and have varying compliance requirements. In other words, the privacy regulatory landscape is difficult to navigate.
Due in large part to the diverse operations within higher education, we are required to comply with an array of privacy and information security laws. One goal of our Privacy Program is to design it in such a way that we are not developing different programs for different regulations. Rather, we have designed our Privacy Program to be flexible enough to cover as many of the compliance elements of these various regulations as we can and deal with the “outliers” as they arise. Ultimately, our goal is to protect all private and personally identifiable information as if it is legally required… because it most likely is.
Depending on where you work at UVM and what information you have access to, one or more of these regulations may apply to your work.
FERPA: The Family Educational Rights and Privacy Act of 1974
FERPA provides certain rights to students with respect to their education records. The University has the responsibility to make sure that student record data is safeguarded from inappropriate access, use and disclosure, to notify students of their rights and to honor those rights. Student rights include:
- The right to inspect and review their student records;
- Seek amendment of their student records that they believe to be inaccurate, misleading, or otherwise in violation of their rights;
- Consent to disclosures of personally identifiable information contained in their student records (with exceptions); and
- File a complaint with the Department of Education concerning alleged failures by the University to comply with the requirements of FERPA.
What organizations must comply with FERPA?
FERPA applies to an educational agency or institution to which funds have been made available under any program administered by the Department of Education if the educational institution provides educational services or instruction, or both, to students; or the education agency is authorized to direct and control public elementary or secondary, or postsecondary educational institutions.
Who at UVM needs to comply with FERPA?
Everyone who has access to protected student record data must comply with FERPA. This includes faculty, staff, and contractors/third-parties to whom access has been granted.
What information is considered part of an “education record” under FERPA?
Education records are those records that are directly related to a student and maintained by the University or by a party acting for the University (contractors, third-parties, vendors, third-party websites). Education records do not include records that are kept in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to any other person except as a temporary substitute for the maker of the record. They also do not include records of UVM Police or records that the University maintains as part of a student’s employment at UVM when those records are maintained in the normal course of business, relate exclusively to the student in their capacity as an employee and are not available for any other purpose.
Education records also include Center for Health and Wellbeing (CHWB) records created, maintained, or used in connection with health care treatment of students. CHWB records are protected under FERPA and not under HIPAA.
Are Student Health Records also protected under HIPAA?
No. CHWB is not a “covered entity” under HIPAA so, therefore, that regulation does not apply. However, the University is still required to protect the privacy and confidentiality of these records as they do fall under UVM’s FERPA responsibilities.
CHWB’s Privacy Notice can be found here (PDF).
What is Personally Identifiable Information (PII) under FERPA?
PII includes, but is not limited to:
- The student's name;
- The name of the student's parent or other family members;
- The address of the student or student's family;
- A personal identifier, such as the student's social security number, student number, or biometric record;
- Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
- Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
- Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
How can student records be used without consent?
The University may disclose PII from an education record without consent if the disclosure meets one or more of the following conditions:
- The disclosure is to school officials, including faculty and lecturers, within UVM who have a legitimate educational interest or a third party to whom the University has outsourced services or functions provided that the outside party performs a service or function for which UVM would otherwise use employees, is under the direct control of UVM with respect to the use and maintenance of the educational records, and is subject to FERPA’s requirements governing the use and redisclosure of PII from education records.
- The University has implemented reasonable methods to ensure that school officials and third parties obtain access to only those education records in which they have legitimate educational interests. Depending on system capabilities, reasonable methods may include technology controls and/or written policies and procedures.
- The disclosure is to officials of another institute of higher education where the student seeks to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student’s enrollment or transfer.
- The disclosure is to authorized federal, state and local authorities including, but not limited to, the Attorney General of the United States and the Secretary of the Department of Education or to other State and local officials when certain conditions are met.
- The disclosure is in connection with financial aid for which the student has applied or which the student has received but only if the information is necessary for authorized purposes. See the financial aid section for more details.
- The disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to develop, validate or administer predictive tests, administer student aid programs or improve instruction and only when certain conditions are met. The use of PII from an education record for research that does not fall into one of these categories is not allowed under FERPA.
- The disclosure is to accrediting organizations to carry out their accrediting functions.
- The disclosure is to comply with a judicial order or lawfully issued subpoena.
- The disclosure is in connection with a health or safety emergency and certain conditions are met.
- The disclosure is for “directory information”, and the University has provided notice to the student and has given the student the ability to opt out of the directory.
- The disclosure, subject to certain conditions, is to a victim of an alleged perpetrator of a crime of violence or a non-forcible sex offense. The disclosure may only include the disciplinary proceeding results.
- The disclosure, subject to certain conditions, is in connection with a disciplinary proceeding. The disclosure may only contain specific information.
- The disclosure is to a parent or legal guardian in the event the student is under the age of 21 and the student violates Federal, State or local law, or any UVM rule or policy, governing the use or possession of alcohol or a controlled substance.
- The disclosure concerns sex offenders and other individuals required to register under federal or state law and the information was provided to the University under applicable federal, state regulations or guidelines.
When is consent needed to share PII from education records?
When the disclosure is for any reason not listed under the “without consent” section.
How can the information I provided in connection with my financial aid application or award be shared?
PII from student education records that was provided in connection with financial aid for which the student has applied or which the student has received may be disclosed ONLY if the disclosure is to:
- Determine eligibility for the aid;
- Determine the amount of the aid;
- Determine the conditions for the aid; or
- Enforce the terms and conditions of the aid.
Accessing, using or disclosing information obtained for this purpose outside of these allowed reasons is a violation of FERPA. Doing so puts the University’s Title IV funding at risk and also could result in a violation of the Gramm-Leach-Bliley Act (GLBA).
Can PII from student education records be used for research?
PII from a student education record may only be used for research under the following conditions:
- With consent. The student is afforded the opportunity to provide consent. The consent is only valid if it specifies the records that may be disclosed, the purpose of the disclosure and to whom the disclosure is being made. Consent must also be freely given and given on a voluntary basis.
- If the PII has been de-identified.
What does “de-identification” mean?
Under FERPA, records are considered de-identified only after ALL personally identifiable information has been removed and only when the University has made a reasonable determination that the information cannot be used by itself or in combination with other information to re-identify a student.
A code may be assigned to the data that could allow for the re-identification of the data provided that all information about how the code was generated and assigned is secured and not also shared. The code may ONLY be used for purposes of education research (described herein) and can never be used to ascertain personally identifiable information about a student. The code cannot be based on a social security number or any other personal information.
What is UVM’s Policy?
UVM’s FERPA Rights Disclosure Policy can be found here (PDF).
Where can I find more information?
The FERPA regulations can be found here.
HIPAA: The Health Insurance Portability and Accountability Act of 1996
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. This act, passed by Congress in 1996, is an expansive set of rules that includes establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Is UVM considered a covered entity under HIPAA?
The University is considered a "hybrid entity" for HIPAA compliance purposes. This means that only certain identified components of the University are subject to the HIPAA Privacy rules. The University is able to designate some components that are medical components or group health plans that are separate and distinct from non-medical components. Only those components that the University has identified as medical components or group health plans are subject to the privacy requirements of HIPAA.
What components has UVM identified as covered?
The University has identified the following components as subject to the HIPAA Privacy Rule:
As health care providers:
- Eleanor M. Luse Center for Communication: Speech, Language and Hearing
Employee Group Health Plans
University departments that have signed Business Associate Agreements with other entities are subject to the use and disclosure provisions of the Privacy Rule.
Where can I find more information?
GLBA: The Gramm-Leach-Bliley Act
What is GLBA?
GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
Why does the University have to comply with GLBA?
GLBA applies to “financial institutions”. According to GLBA, a financial institution is a company that offers financial products or services like loans, financial or investment advice, or insurance to consumers. Since the University provides loans to students, it is a “financial institution” under GLBA and for those operations related to these loans, the University is required to comply with this regulation.
How does UVM comply with GLBA?
GLBA requires that the University develop a written information security plan that describes its program to protect customer information. As part of our plan, the University must:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the University, and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program, and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure contracts require them to maintain safeguards, and oversee their handling of student financial data; and
- Evaluate and adjust the program in light of relevant circumstances or the results of security testing and monitoring.
Who does this affect?
The day-to-day compliance requirements of GLBA, for the most part, fall to employees within Enrollment Management and, specifically, the Department of Student Financial Services (SFS). However, anyone who has access to student financial data needs to be aware of GLBA and is required to comply with both the regulation and with the University’s policies and procedures related to the privacy and security of personal data.
Is student financial data available for research?
No. Student financial information is protected under both FERPA and GLBA. Information collected by the University in its role as a lender cannot be used for research purposes unless an exception applies. Contact the Office of Student Financial Services for more information.
Who is responsible for the GLBA information security program?
The Information Security Officer (ISO), the Chief Privacy Officer (CPO), the Registrar, and the Director for Student Financial Services (SFS) are designated as the individuals responsible for coordinating the University’s GLBA information security program. The Associate Director for Student Financial Services has been designated as the individual with day-to-day oversight of the program.
Where can I find more information?
GDPR: The European Union General Data Protection Regulations
What is GDPR?
GDPR was enacted by the European Union to provide greater protections and rights to EU data subjects.
It’s an EU regulation. Why do we care?
GDPR covers personal data on “data subjects” regardless of where we are physically located. There are many reasons why GDPR pertains to UVM. Data subjects may include, but are not limited to:
- Students from the EU studying at UVM
- Research affiliates in the EU
- Research participants in the EU
- Employees, guest lecturers, visiting scholars from the EU
- Students traveling to the EU for study abroad
- Vendors from the EU
We also care about it because the fines and penalties are some of the highest we’ve seen for these types of regulations.
What are the penalties for non-compliance?
GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses. While GDPR provides discretion to the enforcement agencies in determining the amount of the fine(s), the regulation specifies two tiers of fines. The first is for less severe infringements and could result in fines up to €10 million (depending on current conversion rates, that could be around $11.2 million US dollars) or 2% of worldwide yearly revenue, whichever is higher. The higher tier allows for fines up to €20 million (around $22 million US dollars) or 4% of worldwide yearly revenue, whichever is higher.
Where can I find more information?
The European Union’s GDPR page can be found here.
VERMONT DATA BREACH: 9 V.S.A. § 2435
What is the “Vermont Data Breach Law”?
9 V.S.A. § 2435, more commonly known as the Vermont Data Breach Notification Law, requires businesses and state agencies to notify the Attorney General and consumers in the event they suffer a “security breach”. The law requires that businesses notify the Attorney General within 14 days (unless they have obtained a waiver of this requirement) and that they notify individuals as soon as possible and without unreasonable delay, and no later than 45 days after discovery or notice of the breach.
What is a security breach under Vermont state law?
A security breach under Vermont law is defined as the “unauthorized acquisition or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security, confidentiality, or integrity of personal information maintained by” the University of Vermont.
What is personal information under this regulation?
Personal information is defined as an individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or protected by another method that renders them unreadable or unusable by unauthorized persons:
- Social Security Number;
- Motor vehicle operator’s license number or non-driver identification card number;
- Financial account number or credit or debit card number, if circumstances exist in which the number could be used without other identifying information, access codes or passwords; or
- Account passwords or personal identification numbers or other access codes for a financial account.
Where can I find more information?
VERMONT LIBRARY PATRON RECORDS: 22 V.S.A. § 171-173
What is the “Vermont Library Patron Records Act”?
22 V.S.A. § 171-173 requires that libraries keep user registration and transaction records confidential. Under this law, a library cannot disclose records about someone's use of library resources and services to anyone outside the library unless an exception applies.
What is an exception under this Act?
The only exceptions to the disclosure prohibition are when the request is made under an authorized judicial order or warrant directing disclosure or when the library user has given written permission for the disclosure.
Vermont is a public records state. How does this impact library patron records?
According to 1 V.S.A. § 317(C)(19), library patrons' registration records and transaction records are exempt from public inspection and copying.
Where can I find more information?
The UVM Libraries Confidentiality Policy Statement and Procedures can be found here.