electronic security issues for schools
TRANSCRIPT
Electronic Security Issues for SchoolsPresented by:Joanne RinardoPartnerDeutsch [email protected] 593 0616
Why Data Integrity Has Become Important to Schools
•More technology use in the education sector
•New privacy and compliance challenges•More collection of student data•Outside contractors•Online courses
Protection of Pupil Rights Amendment (PPRA)
Applies to programs of:▫State Educational Agency (SEA)▫Local Educational Agency (LEA)▫Or other recipient of funds under any
program funded by the U.S. Department of Education
Governs Administering to Student•Any survey•Analysis•Evaluation in certain areas
The 8 protected areas include:• Political affiliations of the
student/parent• Mental issues of the
student/student’s family• Sex behavior or attitudes• Illegal, anti-social, self-
incriminating, or demeaning behavior
• Critical appraisals of those who have close family relationships to students
• Legally recognized privileged relationships (lawyers, physicians and ministers)
• Religious practices, affiliations, or beliefs of the student/student’s parents
• Income
PPRA also addresses•Marketing surveys/areas of student
privacy;•Parental access to information; and•Administration of certain physical
examinations to minors
Third Party Providers
•Written consent before sharing PII not always required
What Information is Protected?•Depends on the circumstances. •FERPA protects student profile information
What are Exceptions to FERPA?•Directory Information Exception
•School Official Exception
Directory Information Exception •For PII disclosed in the school’s annual
notice as Directory Information•No other limitations on other uses of data
School Official Exception •For TPP delivery of education services to the
student. •Remember:▫For service that school would use own
employees; ▫School maintains data used by TPP;▫For a legitimate education interest; ▫Data not used for unauthorized purposes; and▫Consider a written contract regarding use
restrictions
FERPA does not apply to •An online portal for watching tutorials • Interactive exercises without logging in or
using individual accounts.
MetadataPieces of information that provide meaning and context to data collected, or contextual information
Metadata examples in testing • Date and time the student
performed the activity;• Number of attempts they
made to answer;• How long their mouse
hovered over the answer button; and
• Whether they changed their answer before submitting it
Metadata Not Usually Protected• If stripped of all their direct and in direct
identifiers •Can be disseminated to TPPs •School name/geographic information can
be indirect identifiers
Best Practices to Protect Data•Know what
information is being collected or shared,
•By whom, and •For what purposes
Best Practices•Develop policies evaluate and approve
proposed on-line education services. ▫Ex. - new software must be reviewed before
implementation•Be cautious of “free” educational services •Free apps can introduce security
vulnerabilities into your school networks •Be transparent with the parents use of
data is being used
Retention Requirements•FERPA has no requirement for physical or
electronic record retention •School districts establish their own policy
and procedures •Common standard is 5-7 years after student leaves •Some schools just retain transcripts
Individuals with Disabilities Education Act, (“IDEA”) • Public agencies must inform parents when any PII is
no longer needed • Parents may request it be destroyed •Defined as the “physical destruction or removal of
personal identifiers from information so that the information is no longer personally identifiable”
•Must inform parents before student records are destroyed
•Must inform parents they can request destruction once child leaves
• Parents can request that their child’s record be amended
Title IX•Keep
compliance information for seven years
•Applies to electronic data as well
Destruction/Disposal Best Practices
•Deleting a digital record or file is insufficient
•Use specific technical methods used to dispose of the data
Electronic Management Systems (“EMS”) •Allows school to have rules as to who can
access certain documents;•Can be updated as regulations change; •Easier to move data to long-term storage
media; and•Provides transaction trail
Defining Custodial of Records•Each school should have an official records
custodian, •Even if records not under his/her personal
control •Often Principal or Asst. Principal•Goal - To prevent the unauthorized access
to student records.
FERPA Applies to All Records•Not just those records kept in the
student’s file •Security cameras in school and on busses •Electronic records
Custodian Best Practices•Develop listing of all student data kept;•Develop custodian log for request trail;
and•Develop records release form.
Extracted Data•Data that originally resided in the Student
Records System •Now also resides in a special file
Best Practices for Extracted Data •PII must be de-identified whenever there is
public reporting; •Mask of data sufficiently so individual
students not identified from extracted data;•Use only for legitimate educational purposes;•Abide by security and information release
requirements;•Never release updated extract data as school
data
Internal Emails May Be Educational Records • If E-mails are maintained by school and •Are “directly related” to a student•Unless falls in one of the six “carve-outs” •E-mail to, from, or about student may be
education record
Courts have ruled inconsistently
•S.A. v. Tulane County Office of Ed., (CA)
•President and Trustees of Bates College v. Congregation Beth Abraham et al., (ME)
•Williams v. District Bd. of Trustees of Edison Community College, FL,
S.A. v. Tulane County Office of Ed., (CA)
•Only printed emails part of records under IDEA
•Others had been deleted; thus, not maintained
President and Trustees of Bates College v. Congregation Beth Abraham et al., (ME)
•Email about complaints, part of the student’s records
•Even though generated outside normal academic activities
•Court noted FERPA does not limit the definition of “other materials.”
Williams v. District Bd. of Trustees of Edison Community College, FL,
•Was sending students’ grades via the internet violated FERPA
•Florida Commission on Human Relations found no violation
•Make sure there are sufficient protections regarding access
Release of E-Mail Addresses•FERPA protection if not included in
Directory Information•Proper notice of that fact has been given.
Relevant Cases
Artisita Records v. Does 1-: , •Students’ Media Access Control (MAC)
addresses Directory Information.
Fonovisa v. Does 1-14, •MAC not was Directory Information, but
not education record and could be shared
Warner Bros. Records v. Does 1-14, •FERPA allows release of e-mail addresses,
contained in the student’s records if subpoenaed.
UMG Recordings, Inc. v. Doe, •Name, address, telephone number, e-mail
address and MAC address is contained in educational records
•Which triggered notification requirements of FERPA.
•Court: information “detailing how a student uses the Internet, when they use it, and what they do on it” is protected under FERPA.
Louisiana Law •La. Rev. Stat. § 17:81(Q):•Public school must develop policies
electronic communication by an employee at a school to a student enrolled at that school
•To protect student •And school if violation by employee
Facebook•Can have educational applications•Communicate about projects;•Make assignment interactive; and •Create learning group
Caution •Do not use to post grades or information
that educational record; and•Use safeguards to keep others from
accessing the information.
Other Social Communications•Anti-fraternization
prohibitions would extend to on-line communications.
•Laws banning such communication
• Issue of constitutional right to free speech.
Why not to “friend” student
•Can undercut professional relationship;
•Opens teacher to misuse of social media by the student;
•Can be abused by the teacher or misinterpreted by the student; and
•Can be seen as invasion of privacy
Other Considerations •Adult students v. Minor students•Former Students v. Current Students v.
Future Students•Privacy Settings