1. What is personally identifiable information (PII)? KDE Employee Training Data Security Video Series 1 of 3 October 2014

2. Protecting personal information is everybody’s job! Don’t become a headline! City Herald Dispatch [ YOUR NAME ], KDE employee accidentally placed personal data of over 600 thousand Kentucky students at risk! Whose personal information?Protecting PII – where and how? StudentsIn the office – clean house Staff and teachersOn the systems – follow protocol Your personal informationData transfers, emails – Use MOVEit or don’t move it! Remote access - VPN Screenshots for publications, presentations – Create obviously fictitious person’s records i.e. Mickey Mouse Conversations – Keep private Reports – follow protocol, suppress, redact

3.  Family Educational Rights and Privacy Act (FERPA) gives parents protections with regard to their children’s education records and allows education agencies to disclose those records to parties under certain conditions. Family Educational Rights and Privacy Act  KRS 61.932 (HB 5) addresses the safety and security of personal information held by public agencies, and requires public agencies and nonaffiliated third parties to implement, maintain, and update security procedures and practices. This includes taking any appropriate corrective action to safeguard against security breaches. KRS 61.932  KRS 61.933 (HB 232) requires consumer notification when a data breach reveals personally identifiable information. It also requires cloud computing service providers contracting with educational institutions to maintain security of student data and allows the KBE to promulgate regulations as needed. KRS 61.933 What defines and regulates PII?

4. Protects the privacy of student education records. It applies to education agencies that receive funds under programs of the U.S. Dept. of Education. FERPA defines personally identifiable information as:  the student’s name and name of the student’s parent or other family members;  address of the student or student’s family;  a personal identifier, such as social security number or student number and,  other indirect identifiers, such as student’s date of birth, place of birth, and mother’s maiden name.  Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Family Educational Rights & Privacy Act (FERPA)

5.  Local and state education agencies may ONLY re-disclose PII if the disclosure falls under one of the permitted exceptions to the consent requirement.  The most commonly used exceptions are: 1.Directory Information (for local agencies) 2.School Official (for local agencies) 3.Studies 4.Audit/evaluation * Studies and Audit/Evaluation exceptions require written agreements. FERPA exceptions allow disclosure of PII

6. KRS 61.932 defines personal information as a person’s (not just students’) first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:.  Account number or credit/debit card number, that in combination with any required security/access code or password would permit access to an account;  social security number; taxpayer ID number that incorporates a social security no.;  driver’s license number, state ID card number or other individual ID number;  passport number or other ID number issued by the United States government; or  individually identifiable health information, except for education records covered by FERPA. Kentucky’s data security requirements - HB 5

7. KRS 61.933 defines personally identifiable information as an individual’s first name or first initial and last name in combination with any one of the following:  Social security number  Driver’s license number  Account number, credit or debit card number, in combination with any security code, access code, or password required to permit access to the financial account Kentucky’s data security requirements – HB 232

8.  Understand the confidentiality of PII  Learn to identify PII in its many forms.  Keep a “clean house.”  Read, understand and follow state and federal privacy, security and confidentiality requirements and policies.  Learn more about the best practices covered in part-two of this training series, Data Access and Data Sharing. What do I need to remember about PII?

9. We appreciate your feedback, questions and comments. We can be reached through the KDE Data Request mailbox.KDE Data Request mailbox Explore other resources on the KDE Data Governance Web page.KDE Data Governance Web page Thank you! Have a question? Want more information?