Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT

[Gary Dobbins <dobbins () ND EDU>]

We deliberately defined our internal unique ID number as "not to be
considered secret, and therefore not valid as roof of identity" -- it's
merely a disambiguator, making it an ideal primary key.

[rant]
...All the things SSN was supposed to be, until the credit bureaus and
banks started accepting knowledge of it as authentic proof of identity.
I'm not sure the government caused the SSN debacle.  But they could fix
it, at the risk of angering the banks and credit agencies, who would
have to incur expense to change their business processes.  It's easier
for them to make us secure the number than to let it become public and
valueless as an authenticator.
[/rant]



Kevin Shalla wrote:
> Thanks Rodney,
>
> It seems that the legislators here are confusing identification with
> authentication.  I hope that universities learned from the social
> security number problem (a number, stored in thousands if not millions
> of IT systems around the country, properly used for identification and
> improperly used (because it's convenient) as authentication) and are
> not allowing knowledge of a student ID number to gain access to
> anything.  I'm pushing to define student ID as directory information
> so that it cannot ever be used for authentication, but some on campus
> are afraid of doing this.
>
> What do others think?
>
> Kevin
>
> At 12:58 PM 3/31/2008, Rodney Petersen wrote:
>
> > The U.S. Department of Education has issued a Notice of Proposed
> > Rulemaking ( _http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf_)
> > with proposed regulations pertaining to the Family Education Rights
> > and Privacy (FERPA).   Among other things, "the proposed regulations
> > respond to changes in information technology and address other issues
> > identified through the Department's experience administering FERPA,"
> > according to the Notice. Additionally, the regulations are needed to
> > implement amendments to FERPA contained in the USA Patriot Act and
> > the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme
> > Court decisions interpreting FERPA, and to make other necessary changes.
> >
> > Among the IT-related changes are:
> >
> >     * Clarification of what can be included as directory information,
> >       addressing Social Security Number (SSN), other student ID
> >       numbers, and email addresses
> >     * Requiring the use of reasonable methods to identify and
> >       authenticate the identity of students, parents, school
> >       officials, and any other parties to whom personally
> >       identifiable information is disclosed
> >     * Recommendations to assist institutions in safeguarding
> >       educational records (Note:  this is covered on page 15598 of
> >       Federal Register Notice or page 26 of PDF document.)
> >
> >
> > The deadline for comments is May 8, 2008.
> >
> > The EDUCAUSE Washington Office (_ http://www.educause.edu/policy_) is
> > reviewing the proposed changes and welcome your comments or questions
> > (send comments to rpetersen () educause edu). We will provide a more
> > detailed analysis of the proposed rules and any further updates at a
> > later date.
> >
> > -Rodney
> >
> > --------------------------------------------------
> > Rodney J. Petersen, J.D.
> > Government Relations Officer & Security Task Force Coordinator
> >
> > EDUCAUSE
> > 1150 18th Street, N.W., Suite 1010
> > Washington, D.C. 20036
> > (202) 331-5368 / (202) 872-4200
> > (202) 872-4318 (FAX)
> > EDUCAUSE/Internet2 Security Task Force
> > _ www.educause.edu/security <http://www.educause.edu/security>_
> > --------------------------------------------------

--

 ------------------------------------------------------------
 Gary Dobbins, CISSP -- Director, Information Security
 University of Notre Dame, Office of Information Technologies