REGION II MEETING
Attendance
Schools:
Rochester Business Institute: Stephen Dodds
Rochester Institute of Technology: Verna Hazen, Rachel Shuman
SUNY Brockport: Scott Atkinson
SUNY Geneseo: Andrea Mason
Vendors:
AFC: Kristen Carey
AMS: Shane Rauh
Bank of
Chase/Bank One: Michael Woody
Citizens Bank: Jean Fura
HSBC Bank: Sherrie Sheppard
Key Bank: Kathleen O’Connell
M&T Bank: Andy Leardini
Nellie Mae: Katrina Delgrosso
Nelnet: Anne Del Plato, Marc Vernon (via conference call)
NYHESC: Ed Gilbert
Presentation: “Protect Yourself: FERPA, Gramm-Leach-Bliley Act and Identity Theft” (Anne Del Plato and Marc Vernon, Nelnet):
• First, a big thank you to Anne and Marc for a great presentation that was very informative.
• The presentation handouts are available—e-mail Katrina Delgrosso to obtain a copy (Katrina_delgrosso@nelliemae.com).
• The following notes were taken in addition to the handouts.
• Once someone turns 18 and is no longer a minor, privacy rules change.
• In addition to FERPA and GLBA, there are the Sarbanes-Oxley Act and California Data Disclosure Act—both relating to the financial services industry. All of these privacy acts are threads that make up the veil of privacy in this country.
• As consumers, our information is at risk from hackers because we willingly give it to grocery stores, drug stores, frequent flyer programs, hotel discount programs, gym memberships, etc.
• Our privacy is threatened in our everyday lives as consumers.
• Privacy Act of 1974—www.usdoj.gov/foia/privstat.htm lists the 7 principles of privacy:
1. Collection Limitation Principle—collecting personal data. Collect data about an individual that is fair and within reason.
2. Data Quality Principle—the information you control. Why are you gathering this data? It should be applicable to the purpose. The data should be kept up to date—if it is old, then it should be destroyed.
3. Purpose Specification Principle—what purpose does the data serve? The purpose should be specified at the time the data is collected.
4. Use Limitation Principle—data that should not be disclosed. Data could be disclosed with the consent of the individual or by the authority of law. Smart Cards on campus—students could give consent for school officials to use their usage data. The school comes up with a plan and keeps a consent form on file in order to disclose information that was gathered from the Smart Card usage. On the other hand, “by authority of law” would mean that if you got a speeding ticket in NY, the State Police would have access to information from the DMV—the offices that are linked in the state of NY.
5. Security Safeguards Principle—protection of data. When you are placing a student’s file or Social Security number on a desk, or you have a data CD lying on a desk with student information, you need to use common sense. If you are meeting with a student and you leave files all over the office that have other students’ Social Security numbers listed in them, you are placing those students at risk. Put yourself in your customers’ shoes—how would you feel if your information were lying around in an open setting where others could tap into it freely?
6. Openness Principle—there should be a general policy on this at the school. Be careful with picture cell phones that students have when they come into your office. Also, cordless phones and cell phones are not secure. Also, when parents call in and want to see the student’s file, if the student is over 18, then the student may want to give consent for the parent to receive this information. Regardless of dependent status for financial aid purposes, FERPA says that once the student is 18, the student needs to provide consent before information about that student is provided to someone else. Some schools are handling this differently. The best advice to schools is to consider being in their shoes—to tell parents that you want to protect the student’s confidentiality as a legal adult. If the parent were in your shoes, would they do the same? It would be better to protect yourself at the school level than to put the student’s confidentiality at risk. The school should consider potential lawsuits. John Smith commented that since the FAFSA requires both the student’s and the parent’s signatures, isn’t this consent to release information? The school has the authority to make this call and release the information. The school has the latitude to require consent from the student to release information to the parent in addition to the FAFSA. It is a business decision on the campus as to how to handle this extra level of consent. What if the family circumstances are not as they seem and the student’s safety were at risk if information were released? The healthcare industry is leading the way with HIPAA on privacy due to malpractice lawsuits, etc. Healthcare professionals cannot provide information over the phone to anyone because they can’t authenticate that the patient is on the other end of the line.
7. Individual Participation Principle—whether or not the data pertains to the individual. Confirmation of existence of data. Can charge a fee to the customer to obtain the data. Right to be given a reason why their request to obtain data is denied. They have to have the ability to challenge this in a public forum (e.g. student government, committee of their peers, etc.). Right to challenge any data relating to them that you have on file; if the challenge is successful and it is found that the data is incorrect, then you have to correct or delete that data (e.g. credit reports with errors—credit bureaus have 30 days to correct the data).
• Family Educational Rights & Privacy Act (FERPA): Students have the right to inspect & review the records within reasonable business hours/times—they have 45 days to then review the records. There are some limitations that were discussed today during the meeting.
• Gramm-Leach-Bliley Act (GLBA): You have to protect customer information and not breach confidentiality. According to GLBA, schools are financial institutions because they administer Perkins loans, institutional loans, scholarships, etc. Whether or not schools should be considered financial institutions is up for debate. The compliance deadline for the safeguard rule was
• Colleges and universities are required to develop a written security plan. Legal counsel most likely wrote/developed this plan, along with the IT department. Regulations circulated in 5/00. Higher education institutions are subject to provisions of GLBA, but there is a contradiction in the policy. Some believe that as long as you comply with FERPA, then you do not have to comply with GLBA. The FTC regulation does not provide much guidance on this, though.
• 3 objectives you should meet:
1. Ensure security and confidentiality of customer information.
2. Take reasonable means to protect against threats to the integrity of information (e.g. fire, flood, natural disasters, earthquakes, hackers, someone stealing information from the office, etc.).
3. Protect against unauthorized access that could result in substantial harm or inconvenience to a customer.
• The plan should be appropriate to the size of the institution.
• Each institution must have the following 5 elements:
1. Designate an employee to manage this (or a committee—Safeguard Committee).
2. Identify and assess risk to customer information in each relevant area of the company’s operation—do an inventory. Evaluate the risk for each office.
3. Design and implement a safeguard program and regularly monitor and test it to make sure it is effective.
4. Select appropriate service providers to implement safeguard measures. Service providers also need to comply with safeguard measures.
5. Evaluate and adjust the program—changes in business arrangements, operations, testing/monitoring—risk factors. E.g. enrollment management movement, merging financial aid with other offices on campus where you are co-mingling staff and resources.
• C.I.A. = Confidentiality. Integrity. Accessibility.
• We watched a video about a criminal who received financial aid funds illegally.
• 1-800-MISUSED
• www.ed.gov/misused
Action Item: Scott Atkinson suggested that their service providers (e.g. lenders, guarantors) should provide something in writing to the school ensuring the safeguarding of their students’ information.
• If you would like Scott Atkinson to send you a copy of the FTC policy he wrote for SUNY Brockport, please e-mail him at satkinso@brockport.edu
Treasurer’s Report (Scott Atkinson—on behalf of Nora Bell):
• Balance = $1,340.04
• Includes $950 revenue sharing check
• Support Staff Workshop bills not received/paid yet. Karen Blankenburg is co-chairing with Steve Dodds. Some of the funds will be requested from NYSFAAA.
Membership Report (Katrina Delgrosso):
• 05-06 membership is available on-line in the Member Services area of www.nysfaaa.org. Please remember to complete your online membership form—it’s easy!
HESC Update (Ed Gilbert):
http://www.hesc.com/bulletin.nsf/0/B3C6C4AC492D318D85256FF000530B15?OpenDocument&a=SL
• Training Grant Update: Many financial aid professionals are attending state workshops, conferences and other events, including the recent SUNYFP Conference, as a result of HESC’s pilot training grant initiative. Developed in cooperation with HESC’s college financial aid office partners, more than $636,000 in financial aid training grants were awarded to 165 HESC participating schools. HESC training grants are helping colleges pay to send financial aid and bursar office staff to professional training programs offered by HESC, the U.S. Department of Education, and other approved organizations.
• State Waives Insurance Fee: For the seventh year in a row, HESC is removing the insurance fee for students.
• HESC Supports “Regents Review Live”: For the sixth consecutive year, HESC is supporting a television program and a Web site to help high school students prepare for the rigorous statewide Regents exams in June. Students and parents can go to the HESC Web site at http://www.hesc.org/, click on “What’s New,” then click on “Regents Review Live!” for a schedule of the helpful and entertaining programs being shown on public broadcast stations around the state. The “Regents Review Live!” programs and the Web site give students instruction and guidance for taking the 13 Regents exams in subjects ranging from math to world history.
• HESC Testifies at D.C. Hearing to Simplify the Financial Aid Process: Bob Butler, HESC’s Senior Vice President and Chief Operating Officer, appeared last month at a hearing conducted by the Advisory Committee on Student Financial Assistance, where he testified that Web processing simplifies the system for students, families and employees. The committee advises Congress and the secretary of education on student financial aid. This hearing explored ways to simplify and streamline the financial aid application process. As an example, in a few months HESC’s computer technology will allow students to change information on their aid applications on the Web using a new state personal identification number (PIN). As part of this unique program, HESC will also e-mail grant award certificates to students, saving hundreds of thousands of dollars in printing, postage and labor.
• HESC Unveils New
HESC
We Help People Pay for College
Values
Our Employees
We are committed to teamwork, excellence, initiative, personal growth and responsibility.
Our Customers
We never take our customers for granted. We ask, we listen, and we respond.
Our Products and Services
We are committed to high quality, dependability, and continuous improvement to meet the changing needs of our customers.
Executive Council Update (John Smith):
• Exec Council is coming up with a blueprint to approach the next phase of reauthorization for NYSFAAA
Lender News:
• Key Bank: Jason Santora left Key Bank and they now have a new manager for the Northeast—Rob Laconto. Jenn Dwire is now the
School News:
• SUNY Brockport is hiring a Director of Financial Aid
Committee Updates
We need committee volunteers for 2005-2006 for the following committees. Please e-mail Katrina_delgrosso@nelliemae.com if you would like to volunteer. She will compile the committee lists and provide those to the Chairperson who will contact you at a later date during the academic year.
• School Counselor Workshops (committee members needed)
• Support Staff Workshop (Chairperson(s) and committee needed for 05-06 workshop)
• Elections (committee members needed)
• CAAN (Chairperson(s) and committee members needed)
• Membership (Chairperson needed; no committee necessary)
• Training (committee members needed)
Support Staff Workshop Committee:
• Friday, June 3rd at Rochester Business Institute
• ‘50s theme!
• Committee contacting Directors at campuses to encourage staff to attend.
• Registration form was sent via the listserv. Can register on-line.
• 38 are registered so far
Summer Outing/Meeting:
• Summer meeting: Picnic! Red Wings game won by 1 vote, but the game dates aren’t working out for June. So Susan Romano (SUNY Geneseo) is still researching the 2nd option with the most votes, which will be a picnic.
• Picnic will be on
• More details will be forthcoming on the Region II listserv.