Privacy in the 21st Century:Privacy in the 21st Century: Issues for Schools &Issues for Schools &

Libraries Libraries

www.dpi.state.wi.us/dltcl/pld/privacy.html

Helen Adams hadams@coredcs.com

Rosholt School District

2003 WEMA Conference

Bob Bocher

robert.bocher@dpi.state.wi.usDept. of Public Instruction

Privacy — 2003 WEMA Conf.(Adams, Bocher)2

Topics to Cover

1. An overview of privacy issues

2. Federal and state protections and actions

3. Tips on online privacy

4. Privacy issues in schools

5. Privacy resources

Privacy — 2003 WEMA Conf.(Adams, Bocher)3

Privacy Concerns and PII(Personally Identifiable Information)

Privacy concerns are high on consumer polls. Key concerns include Identity theft and fraud .Coms selling your PII Government misuse of your PII Security of your medical and financial data

Privacy concerns increase as More people are online Residential broadband access increases (now 20%+)

Use of wireless communication increases More people shop and conduct business online

“Identity theft is one of the fastest growing crimes in the state. It’s about time law enforcement officials had the tools to bring down these high tech con artists.” –State Rep Mark Gundrum (R-New Berlin), Chair, Assembly TF on Identity Theft (April 8, 2003)

Privacy — 2003 WEMA Conf.(Adams, Bocher)4

Personally Identifiable Information (PII)

Typical PII includes Name Address (work, residence) Email address Telephone number Other ID (SSN, etc.)

Non-PII includes Demographic

• Age, gender, race/ethnicity

Education level, job, income Preferences, interests, hobbies

How much of this data is in your school’s database?

Privacy — 2003 WEMA Conf.(Adams, Bocher)5

Federal Protections and Action

4th and 5th amendments Federal Trade Commission (FTC) is lead privacy agency Many federal laws have privacy provisions, including:

Gramm-Leach-Bliley Act (GLB, 1999) Health Insurance Portability and Accountability Act (HIPAA, 1996)

• Rules (93 pages) effective, April 14

USA Patriot Act (2001) Children’s Online Privacy Protection Act (COPPA, 1998) Family Educational Rights and Privacy Act (FERPA, 1974)

34 privacy-related bills are pending in Congress

Privacy — 2003 WEMA Conf.(Adams, Bocher)6

FTC’s Fair Information Practice Principles (FIPPs)

Any Website that collectsPII should provide:

1) Notice Sites must state policy on use of PII and have the policy in a prominent location on the Website.

2) Choice Consumers decide how their PII is to be used, if at all (opt-in or opt-out).

3) Access Consumers can access their PII and make any corrections.

4) Security Companies must secure your PII from any unauthorized use.

"The key to privacy protection is enforcement. Now, there's no financial harm for not having or following a privacy policy." –Andrew Shen, EPIC

Privacy — 2003 WEMA Conf.(Adams, Bocher)7

USA Patriot Act (PL107–56, Sections 214–216)

Quickly passed following Sept 11, 2001 342 pages that revises more than 15 other laws

Expands Foreign Intelligence Surveillance Act (FISA) Provisions extend beyond terrorism

Increases counterfeiting penalties Russ Feingold was only senator to

vote “no” Patriot II act has been drafted Total Information Awareness (TIA) system, research

continues

“In our haste to develop legislation to help America, we went too far.” –Sen. Feingold, 9-02

Privacy — 2003 WEMA Conf.(Adams, Bocher)8

USA Patriot Act: Some Privacy Issues

Expands monitoring laws (beyond phone taps) to include Internet traffic Email addresses, IP addresses/routing, Web search terms

• Monitoring at various levels, from PC to the ISP

Allows nationwide monitoring

Expands surveillance with less judicial review Former “probable cause” was higher legal bar than new

“relevant to an ongoing investigation”

ALA advises librarians to “avoid creating unnecessary records” Is this a new “Library Awareness Program”?

Privacy — 2003 WEMA Conf.(Adams, Bocher)9

State Protections and Action

Student privacy protections are in state statutes WI library privacy law DPI approves school district

technology plans Plans often include privacy provisions

in relation to NCIPA

State statutes

ALA policy

Local library/school

policy

Privacy — 2003 WEMA Conf.(Adams, Bocher)10

WI Library Privacy Law

Library privacy law (43.30(1)) covers the following:

1. Any library supported by public funds

2. Any information indicating the identity of an individual

3. Any use of a library’s materials or other resources or services may not be disclosed except by court order. (emphasis added)

Includes any individual, regardless of age, residence, etc.

Includes circulation records, Internet use (email, Web logs, history files, sign-up sheets) meeting room use, etc.

Includes public libraries, public K-12 schools, UW and WTCS libraries.

Privacy — 2003 WEMA Conf.(Adams, Bocher)11

Tips on Personal Privacy

Read closely any Website’s privacy policy Keep a “clean” email address Home cable and DSL users are especially vulnerable Never enter sensitive PII without a secure connection Enter only minimal data, look for opt-out check boxes Look for compliance with groups like

BBBOnline, TRUSTe and HON Be aware of your surroundings

Security cameras in Times Square

Privacy — 2003 WEMA Conf.(Adams, Bocher)12

Schools and Privacy: 12 Issues & Answers

Helen Adams hadams@coredcs.com

Rosholt School District

Privacy — 2003 WEMA Conf.(Adams, Bocher)13

Privacy in Schools: Issue #1Confidentiality of Student Records (federal law)

Family Educational Rights and Privacy Act (FERPA, 1974) Applies to schools accepting DOE funds Requires districts to establish written policies and procedures

protecting student PII Defines educational records and who has access Parental permission required to disclose student PII

Privacy — 2003 WEMA Conf.(Adams, Bocher)14

Privacy in Schools: Issue #1Confidentiality of Student Records (state law)

Chapter 118.125 WI State Statutes All student records in public schools are confidential,

including:• Behavioral, directory data, progress records, physical health

Access to records granted • To parents• To staff with “legitimate educational interest”• For legal reasons• For an audit of state or federal program

Privacy — 2003 WEMA Conf.(Adams, Bocher)15

Privacy in Schools: Issue #2Privacy Language in the AUP

Addressing privacy in the AUP N-CIPA requires schools receiving E-rate discounts to adopt

an Internet Safety Policy• Must address “unauthorized disclosure, use, and dissemination of PII

regarding minors.”• Minor defined as someone less than 17 years old• Requires public hearing and formal Board adoption

Privacy — 2003 WEMA Conf.(Adams, Bocher)16

Privacy in Schools: Issue #3Privacy Policy on a District’s Website

All school sites should post a privacy policy Present on every major page of site Examples

• Anchorage (Alaska) School District– www.asd.k12.org/privacy.asp

• School District of Greenville County (SC)– www.greenville.k12.sc.us/district/web/policy/privacy.htm

• Valley Elementary School (Utah)– www.weber.k12.ut.us/LegalNotice/privacy.html

Privacy — 2003 WEMA Conf.(Adams, Bocher)17

Privacy in Schools: Issue #4Identifying Students on the District’s Website

FBI recommends districts not publish student photos Increased arrests of pedophiles Study: 12% of kids meet unknown person

Districts approach the issue in different ways Pictures and names Pictures with no names Pictures and names separated No photos or names

Mankato (MN) S.D. #77 www.isd77.k12.mn.us/webguide.php

Privacy — 2003 WEMA Conf.(Adams, Bocher)18

Privacy in Schools: Issue #5Protecting the Confidentiality of Library Records

Records kept for library management No federal law protects confidentiality Legislation in 48 states and DC varies Wisconsin Library Privacy Law covers

Patron information, circulation records Records associated with use of the Internet Use of in-house databases Can release only by court order

Privacy — 2003 WEMA Conf.(Adams, Bocher)19

Privacy in Schools: Issue #6Privacy and Security of Electronic Student Records

Student management systems allow access to records via LAN and WAN Include directory, attendance, grade, disciplinary, and other

records Levels of security for data

• Confidentiality and privacy policies• LAN/WAN network security procedures

– Teacher access

Parents access child’s records via Web– Grades, attendance, discipline, and health records

Privacy — 2003 WEMA Conf.(Adams, Bocher)20

Privacy in Schools: Issue #7Conducting Market Research on Students

Companies have offered districts incentives for info on student use of the Internet Equipment, email accounts, host Website

Student Privacy Protection Act (Dec. 2001) Requires schools to develop and adopt policies

• Collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling

Privacy — 2003 WEMA Conf.(Adams, Bocher)21

Privacy in Schools: Issue #8Students Providing PII About Themselves

Students have little concept of privacy Annenberg “The Internet and the Family 2000” study

• Teenagers more likely to give information

Teach “Stranger danger” online and off Wisconsin Rapids (WI) School District AUP

• No PII transmitted from district computers

Privacy — 2003 WEMA Conf.(Adams, Bocher)22

Privacy in Schools: Issue #9Access to Student Information by Military Recruiters

NCLB Act 2001 requirement H.S.’s must supply military recruiters with students’ names,

addresses, and phone numbers (including unlisted #’s)• District policies keep student information confidential under Family

Educational Rights and Privacy Act (1974)• Oct. 2002 letter sent to districts by federal officials• Parents can “opt out”

Privacy — 2003 WEMA Conf.(Adams, Bocher)23

Privacy in Schools: Issue #10Internet Use Logs as Public Record

2 legal battles over whether Internet logs are public records and available 1998: Utah Supreme Court granted right to review logs of

Utah Educational Network 2000: New Hampshire judge ruled Internet history logs of 2

school districts are public records and may be reviewed– Student PII must be removed first

– Person requesting logs bears the cost for removal

WiscNet’s policy

Privacy — 2003 WEMA Conf.(Adams, Bocher)24

Privacy in Schools: Issue #11Use of Email to Conduct School Business

Monitoring of employees 63% monitor email and Internet use Personal email and recreational surfing cost money Employers have the right to monitor without informing

employees

Court cases “No legal or factual basis for extending right of privacy to

cover business-related communications.”

Employers should establish use policy Reasonable use vs. abuse

Privacy — 2003 WEMA Conf.(Adams, Bocher)25

Privacy in Schools: Issue #11Use of Email to Conduct School Business

Email communication by administration and school boards email issues discussion may violate open

records and open meetings laws

Archiving district email Content, not format, determines if documents

require archiving and length of time Madison (WI) School District case 2001 Oshkosh (WI) School District case 2002

It is the public policy of this state that all persons are entitled to the greatest possible information regarding the affairs of government.

–WI Stat. 19.31

Privacy — 2003 WEMA Conf.(Adams, Bocher)26

Privacy in Schools: Issue #12Use of Surveillance Cameras

Dept. of Justice “Safe Schools Manual” Allows use of “surveillance technology to protect health,

welfare, and safety of students and staff” Generally in places students and staff lack reasonable

expectation of privacy• Hallways, cafeteria, stairways, parking lot, entrances• School libraries and computer labs

Installed to prevent vandalism, enforce school rules, provide security

Notification of public• Signs on doors, notice in district newsletter, letters to parents,

highlighted in orientation meetings

Privacy — 2003 WEMA Conf.(Adams, Bocher)27

Actions Schools Can Take

Add privacy language to Internet AUP Add privacy statement to district Website Review how Internet logs are archived Maintain minimal library records Provide staff training on privacy issues Teach students about privacy issues

Students should know their rights They should learn to protect their own privacy

Inform parents of district policies related to privacy

Privacy in the 21st Century: Issues for Schools &Issues for Schools &

Libraries Libraries

www.dpi.state.wi.us/dltcl/pld/privacy.html

Helen Adams hadams@coredcs.com

Rosholt School District

Bob Bocherrobert.bocher@dpi.state.wi.us

Dept. of Public Instruction

? Questions ?

Privacy — 2003 WEMA Conf.(Adams, Bocher)29

Map showing over 120 security cameras in Times Square area. Most predate Sept 11.

–As Security Cameras Sprout, Someone’s Always

Watching, NYT Sept. 29, 2002

return

Privacy — 2003 WEMA Conf.(Adams, Bocher)30

Monday, Feb. 10, 2003 FRANKFORT, Kentucky (AP)

– Over 2,000 state PCs sold as surplus still had confidential files on them naming thousands of people with AIDS and other STDs.

"It's a lot of information with lots of names and things like the sexual partners of those diagnosed with AIDS. It's a terrible security breach." – KY State Auditor Ed Hatchett

KY Health Services Secretary Marcia Morgan has ordered an investigation.

B.J. Bellamy from the Kentucky Auditor's Dept. checks a hard drive on a PC owned by the state.

return