Demystifying Student Data Privacy

© 2015 Hobsons

Linnette Attai, President of PlayWell, LLC and Privacy Advisor to Hobsons

Upload: naviance

Post on 15-Jul-2015


About Us

• Linnette Attai
- President, PlayWell, LLC
  - Compliance consulting
  - Privacy, safety, advertising, marketing, content
  - Education and entertainment sectors
- Data Privacy Advisor to Hobsons

• Hobsons:
- Creating solutions to maximize student success and institutional effectiveness to create the world-changers of tomorrow
- Supporting over 7.3 million students across over 8,400 schools worldwide
- Measure our achievements by those of our clients


Agenda

• Why is student data privacy so complicated?

• Creating your school compliance program

• Assessing new technologies

• Q&A – use the “chat window” to submit your questions

Why is student data privacy so complicated?


Benefits of Technology

• Enhancing student learning and success
- Identifying strengths and learning styles
- Delivering personalized learning
- Supporting at-risk students
- Providing opportunities for accomplishment and creativity
- College and career planning and preparation

• Management and efficiency
- Record-keeping for students and staff
- Data analysis
- Vendor and contract management
- Operations management


Technology in the Classroom

New Technology

New Uses for Data

New Privacy Frameworks

Privacy vs. Security

• Data privacy and security as separate but related terms:
- Privacy: collection, use, handling and sharing or transfer of data
- Security: protective measures applied to prevent unauthorized access, and to preserve the integrity of the data

Regulatory Climate

• Existing federal regulation:
- FERPA, PPRA, CIPA, COPPA

• Existing state regulation

• Emerging federal and state regulation

Family Educational Rights and Privacy Act (FERPA)

• Applies to all schools that receive federal funds

• Protects privacy of student education records

• Provides parents and eligible students (ages 18+) with access to education records
- Rights to review and request amendment or correction

FERPA

• Education records: directly related to a student and maintained by an educational agency
- Must obtain consent from parent or eligible student prior to release of student education records

FERPA

• Exceptions for obtaining prior consent for release of education records
- School officials with legitimate educational interest;
- Other schools to which a student is transferring;
- Specified officials for audits or evaluations;
- Appropriate parties in connection with financial aid;
- Organizations conducting certain studies on behalf of a school;
- Accrediting organizations;
- To comply with a judicial order or subpoena;
- Certain officials in cases of health and safety emergencies;
- State and local authorities, within a juvenile justice system, in accordance with certain state law.

FERPA

• School official:
- Contractor to whom a school or institution has outsourced institutional services or functions
- Must be performing an institutional service or function for which the agency would otherwise use employees
- Must be under the direct control of the agency or institution with respect to the use and maintenance of education records

FERPA

• Sets requirements around notice prior to disclosure of directory information

• Requires annual notice to parents of FERPA rights

Protection of Pupil Rights Amendment (PPRA)

• Provides rights to parents of minor students around collection of sensitive information through surveys, analysis or evaluations

• Requires consent prior to collection of “protected” information

• Opt out rights for certain surveys, physical exams and information disclosure for marketing purposes

PPRA

• Requires schools to establish policies for collection, disclosure or use of personal information about students for commercial purposes

Children’s Internet Protection Act (CIPA)

• Applies to schools or libraries that receive discounts for Internet access or internal connections via E-rate

• Requires:
- Blocking or filtering of certain images
- Internet safety policy that includes monitoring online activities of minors
- Education for minors about appropriate online behavior

Children’s Online Privacy Protection Act (COPPA)

• Applies to operators:
- of commercial websites and online services directed to children under 13
- with actual knowledge that they are collecting personal information from children under 13

• Requires clear, comprehensive privacy policy

• Maintain reasonable data security and deletion measures

COPPA

• Provide parents with notice, choice and consent prior to collecting personal information

• Allows schools to consent to collection of personal information in certain circumstances:
- Collection is only for use and benefit of the school
- No other commercial purposes

• Operator may rely on the contract to indicate consent

State Regulation

• 2014: 110 student data privacy bills introduced across 36 states; 28 new laws

• 2015 to date: 128 state bills introduced, along with new federal regulation

Student Online Personal Information Privacy Act (SOPIPA)

• California legislation

• Applies to operators of websites, online services designed, marketed and used primarily for K-12 school purposes

• Restricts use of data from minors for certain marketing or advertising practices

SOPIPA

• Prohibits targeted advertising and sale of student information

• Limits disclosure of “covered” information

• Requires reasonable security, appropriate to the nature of the covered information

• If requested by a school or district, must delete a student’s covered information under the school or district’s control

Navigating the Terrain

• Different nomenclature and definitions of protected data:
- Education records
- Directory information
- Protected information
- Personal information
- Covered information

• Prior consent vs. opt out

• Marketing restrictions

Common Threads

• Control of the data

• Transparency

• Notice and choice

• Acceptable educational use cases

• Reasonable security measures

Voice of Schools

• Responsible for navigating regulatory matrix

• Stewards of district and community norms

• Community relations and communication plans

• Incident response management

Creating your school compliance program


Program Goals

• Identify compliance risks and gaps

• Address existing issues

• Create policies and practices to minimize risks

• Establish communications and incident response plans

• Educate employees, parents and students on privacy rights and responsibilities

Where to Begin?

• Technology audit and assessment
- What technology is currently used to support school operations?
  - Data management platforms
  - Support services
- What technology is used in the classroom?
  - Devices
  - Websites
  - Apps

Next Steps

• Assemble stakeholders

• Assess current technology use

• Assess resources and infrastructure

• Identify existing capabilities and talent

Planning Process

• Identify gaps and needs:
- Policies, technology, infrastructure, security, bandwidth, communications, training

• Consider impacts:
- Financial, personnel, logistics, time, pedagogy

• Create your goals

Policy Development

• Device use

• Data privacy and security

• App and website compliance assessment

• Social media use

• Data disclosure circumstances

• Incident response plans

Communications Plans

• Notices to parents and students
- Acceptable use policy
- Rules and responsibilities
- Incident report procedures

• Policy and technology updates

• Post-incident information

Transparency and Engagement

• Educate teams and implement policies and processes

• Inform parents and establish plans for ongoing community outreach

Assessing new technologies


Establish a Review Process

• Create assessment and compliance processes for adding new technology at the district, school and classroom levels
- Identify stakeholders
- Map out review process
  - Who is involved?
  - What will be reviewed?
  - How will it be reviewed?
  - Are additional resources needed?

Compliance Review Process

• Privacy policies

• Terms of use

• Contract terms

• Questions for vendors

Understanding the Technology

• What data is collected and why?

• Who has access and for what purposes?

• What are the security protocols?

• How can the school access the data to respond to a request from a parent?

• What happens to the data when the agreement ends?

Going Beyond Compliance

• What is the process for integrating the technology into your school?

• How will the vendor support implementation?

• How much time is needed to be operational?

• What are the costs?

• What support is provided after implementation?

• What are the recommendations and resources for training?

Examining the Results

• What were the goals of bringing the technology into the school?
- Measure and assess the impacts
- Use the results to inform the process for the future

Q & A

• Use the chat function to submit your questions

• We will send the list of questions and answers to attendees after the webinar

Additional Resources

• US Department of Education
- http://www.ed.gov/

• Privacy Technical Assistance Center (PTAC)
- http://ptac.ed.gov/

• Consortium for School Networking (CoSN):
- http://www.cosn.org/focus-areas/leadership-vision/protecting-privacy

• Future of Privacy Forum FERPA|SHERPA:
- http://ferpasherpa.org/

Thanks for Attending!

• For more information and to review this webinar again, please visit the events page at: www.hobsons.com/education-trends/events