Private-Independent Schools and Personal Financial Information
Private-independent schools typically do not think of themselves as financial institutions. But their engagement in certain financial activities may subject them to obligations under the federal Financial Services Modernization Act of 1999, commonly known as the Gramm-Leach-Bliley Act (GLBA). Additionally, every school that hires any third-party vendor with access to the “nonpublic personal information” (NPI) of employees or students should be concerned about the terms and conditions of the contract relating to data protection and response to data breaches. To the extent that those vendors perform financial activities and are covered by the GLBA, contract provisions relating to GLBA compliance are important, and the school should ensure that they are adequate.
An independent school that is subject to the GLBA must comply with its obligations or face possible enforcement action by the Federal Trade Commission (FTC). This article explains how those obligations may arise and what independent schools should do in response.
The Gramm-Leach-Bliley Act
The GLBA regulates the privacy and security of NPI of consumers, which includes personal data provided by a consumer to a financial institution to get a financial product or service. “Financial institutions” subject to the GLBA include banks and similar entities, but also any organization that is “significantly engaged” in “financial activities.” This includes most higher education institutions, and may include private-independent primary and secondary schools.
If a school qualifies as a financial institution under the GLBA, compliance is a must.
“Financial activities” under the GLBA include making loans and providing financial advisory services. For example, making direct loans to students or staff, offering tuition installment payment plans that charge interest, counseling prospective donors, and offering financial aid advisory services could all be considered financial activities under the GLBA.
Whether a school “significantly engages” in these activities involves a fact-specific analysis. However, if a school engages in one or more of these activities routinely, then it may be considered a financial institution for purposes of compliance with the privacy and security requirements of the GLBA. These obligations are found in regulations issued by the FTC, and are known as the “Privacy Rule” and the “Safeguards Rule.”
The Privacy Rule
The Privacy Rule requires a financial institution that obtains NPI to provide a written “privacy notice” describing its privacy practices to its “customers” and, occasionally, to “consumers.” Under the GLBA, a consumer is any individual who obtains a financial product or service mainly for personal, family, or household purposes. A customer is a consumer with whom the financial institution has a continuing relationship. In the independent school context, customers could include students, parents, staff, and donors.
Every customer must receive a privacy notice. This document must tell the customer what NPI is collected, how it is safeguarded, and with whom it is shared. If your school shares NPI with unaffiliated third parties (i.e., third parties that are not legally affiliated with the financial institution disclosing NPI), customers must have the choice to “opt out” of information sharing. A financial institution must provide a privacy notice at the start of the relationship and an annual privacy notice after that. The notice must be in writing, and delivered by mail or in person. It should be clear, conspicuous, and readily understandable. The notice should explain the process for opting out of information sharing—for example, by completing and returning a form attached to the notice, or by calling a telephone number provided in the notice.
There are exceptions to the customer’s right to opt out of NPI sharing. For example, a financial institution may share NPI with an unaffiliated third-party service provider, such as a data processor. However, the service provider is also obligated under the GLBA to uphold the privacy and security of the NPI that it receives. Further, the GLBA does not prohibit a financial institution from sharing customer NPI with affiliated entities. For example, in the private-independent school context, a provider of financial aid counseling could share students’ or parents’ NPI with a bank that is a legal affiliate of the provider.
The GLBA does not require provision of a privacy notice to consumers unless NPI is shared with unaffiliated third parties—subject, again, to exceptions for service providers. If a school engages in limited financial activities with an individual, that person may not need a privacy notice.
The Safeguards Rule
The Safeguards Rule requires that a financial institution take certain steps to protect NPI from loss, unauthorized access, and misuse. These steps include:
- adopting a written information security program—policies and procedures to ensure that collected NPI is protected;
- designating an employee to oversee the information security program;
- reviewing, on a regular, periodic basis, the NPI collected and how it is protected; and
- implementing any security measures deemed necessary to ensure NPI protection.
A school’s security program should be institutionally appropriate. This varies in scope depending on the amount and nature of NPI that it collects and stores.
Use of Service Providers
Most financial institutions subject to the GLBA use service providers to perform various functions relating to the processing of customer NPI. In the private-independent school context, these service providers could include providers of “software as a service.” This may include, for example, school IT systems on which stored NPI may reside on a “cloud” provided by a third-party vendor. Service providers that collect and store NPI are subject to the GLBA and other applicable federal (and often, state) privacy laws. However, to protect themselves, schools should ensure that service providers’ obligations under the GLBA are adequately covered in their service contracts.
At a minimum, a contract should include representations and warranties by the service provider that the services will comply with all applicable laws, including the GLBA; and that the service provider has adopted adequate administrative, technical, and physical safeguards to prevent unauthorized access to or use of customer NPI. Other important contract provisions may include the service provider’s obligations to respond to breaches of customer NPI.
Private-independent schools engaged in financial activities that might be covered by the GLBA should review those activities and determine whether they might qualify as financial institutions subject to the GLBA. For those that are considered financial institutions, the appropriate response varies in each case according to the scope of the school’s financial activities, how it collects and uses NPI, and other factors. Schools are advised to consult with their legal counsel to determine whether the GLBA applies and to take the steps necessary to comply with its requirements.
Richard D. Leigh, Special Counsel at Saul Ewing LLP, resident in the firm’s Harrisburg, Pennsylvania office, contributed to this article. It has been prepared for information purposes only.
The provision and receipt of the information in this article (a) should not be considered legal advice, (b) does not create a lawyer-client relationship, and (c) should not be acted on without seeking professional counsel that has been informed of the specific facts. Under the rules of certain jurisdictions, this communication may constitute “Attorney Advertising.”