The Student Privacy Policy Office (SPPO) leads Department efforts to protect privacy. It provides leadership, oversight, and coordination to ensure Department and field compliance with several federal privacy laws and regulations, including the Family Educational Rights and Privacy Act (FERPA), Protection of Pupil Rights Amendment (PPRA), the Privacy Act of 1974, as amended, Section 208 of the E-Government Act of 2002, the Social Security Number Fraud Prevention Act of 2017, the privacy portion of the annual Federal Information Security Modernization Act of 2014 (FISMA) Privacy Report, and other applicable OMB requirements. The SPPO manages and maintains the Department's privacy program to include the enforcement of student privacy laws, the development and evaluation of privacy policy, the management of privacy risks, and the provision of administrative and technical support to the DIB.
The Office is led by the Department's Chief Privacy Officer (CPO), who also serves as the Department's Senior Agency Official for Privacy (SAOP). The CPO serves as an expert on privacy across the Department and the field, collaborates with other federal agencies and educational technology entities with roles in protecting privacy, and advises the Secretary and the Assistant Secretary on issues relating to privacy. The SPPO coordinates with other POCs on the privacy and confidentiality provisions of their laws and ensures the Department's compliance with privacy requirements for information systems under the Federal Information Security Modernization Act (FISMA). As the SAOP, the CPO chairs the Department's Data Integrity Board; reviews and approves System of Records Notices; coordinates with both the DIB and the Department's CDO on the development of computer matching agreements, memoranda of understanding, and other data sharing agreements; and chairs the Department's Privacy Incident Response Team (PIRT) and coordinates with the Department's Chief Information Security Officer on issues related to program reviews and breaches. The CPO also manages and chairs the Department's DRB.
SPPO provides technical assistance, guidance, and training to educational agencies and institutions, including schools, LEAs, IHEs, SEAs, and other relevant organizations on issues related to compliance with FERPA, PPRA, and the Armed Forces Recruiter Access to Students and Student Recruiting Information provisions of the ESEA. Activities include the following:
- Develops policy for issues related to student privacy, including legislative and regulatory matters;
- Coordinates technical assistance and guidance for relevant organizations, including educational institutions, LEAs, SEAs, and the broader community regarding FERPA, PPRA, and the Armed Forces Recruiter Access to Students and Student Recruiting Information provisions of the ESEA, including both best practices and compliance;
- Responds to inquiries about privacy best practices related to FERPA, PPRA, and the Armed Forces Recruiter Access to Students and Student Recruiting Information provisions of the ESEA;
- Creates and maintains the Department's external web resources on privacy best practices related to FERPA, PPRA, and the Armed Forces Recruiter Access to Students and Student Recruiting Information provisions of the ESEA; and
- In accordance with the PPRA, 20 U.S.C. Section 1232h(c)(5)(C), prepares annual notification for State and local educational agencies of their obligations under FERPA and PPRA and coordinates training on these topics generally.
In addition, as part of its enforcement of federal laws related to student privacy and parental rights, including FERPA, PPRA, and the Armed Forces Recruiter Access to Students and Student Recruiting Information provisions, SPPO activities include the following:
- Investigates, processes, and reviews complaints alleging violations of FERPA and PPRA, negotiates appropriate solutions to address such alleged violations, and, when warranted, initiates enforcement actions;
- Enforces the requirements under Section 8528 of the ESEA, which in part requires LEAs to disclose directory-type information (secondary school students' names, addresses, and telephone listings) to military recruiters and institutions of higher education, upon request and provided that the parents of the students have not opted out of such a disclosure;
- Sets enforcement priorities, relying on data and information, as well as anticipating trends in the education community;
- Conducts self-initiated investigations, where warranted, based on incoming information or in accord with enforcement priorities;
- Responds to phone calls about existing complaints, and assists those seeking to file complaints;
- Signs outgoing letters relating to complaints, such as dismissal letters and letters of finding;
- Communicates with complainants and educational agencies and institutions subject to the above statutes to keep them informed about enforcement matters; and
- Uses and maintains a case tracking system for complaints and any resulting investigative or enforcement actions.
Finally, SPPO also is responsible for raising employees' awareness of privacy issues, demonstrating how employees can safeguard the personally identifiable information (PII) that the Department utilizes, and fostering a culture of accountability for protecting PII within the Department, including the following:
- Ensures Department-wide compliance with all applicable statutes, regulations, and policies regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems;
- Establishes and maintains a comprehensive privacy program and a privacy program plan that ensures compliance with applicable privacy and breach notification requirements, such as developing and evaluating Department-wide privacy policies on safeguarding privacy;
- Oversees the implementation and management of Department-wide systems and databases that support the successful and efficient handling of privacy safeguards administration;
- Provides guidance and instruction to Department staff on processes and procedures for the protection of PII, including Privacy Act Systems of Records Notices (SORNs) and Privacy Impact Assessments (PIAs);
- Coordinates interagency development, review, and approval of Computer Matching Agreements (CMAs) in support of the DIB and other matching activities that are not matching programs which the DIB wishes to review and report on;
- Coordinates with the CIO and information system stakeholders on the implementation of technical controls for privacy protection within the Department's information systems and with respect to the Department's information technology;
- Plays a central policy-making role in the Department's development and evaluation of legislative, regulatory, and other policy proposals that have privacy implications;
- Manages privacy risks associated with any Department activity that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems;
- Serves as a champion for privacy awareness and education across the agency to raise employees' awareness of privacy issues, developing and providing training to Department employees and contractors regarding the safeguarding of privacy; and
- Serves as the Department's primary liaison with the OMB and other agencies on interagency privacy safeguards, compliance, and breach notification initiatives.