2. Why Data Integrity Has Become
Important to Schools
• More technology use in the education sector
• New privacy and compliance challenges
• More collection of student data
• Outside contractors
• Online courses
3. Protection of Pupil Rights
Amendment (PPRA)
Applies to programs of:
▫ State Educational Agency (SEA)
▫ Local Educational Agency (LEA)
▫ Or other recipient of funds under any program
funded by the U.S. Department of Education
5. The 8 protected areas include:
• Political affiliations of the
student/parent
• Mental issues of the
student/student’s family
• Sex behavior or attitudes
• Illegal, anti-social, self-
incriminating, or demeaning
behavior
• Critical appraisals of those
who have close family
relationships to students
• Legally recognized privileged
relationships (lawyers,
physicians and ministers)
• Religious practices, affiliations,
or beliefs of the
student/student’s parents
• Income
6. PPRA also addresses
• Marketing surveys/areas of student privacy;
• Parental access to information; and
• Administration of certain physical examinations
to minors
8. What Information is Protected?
• Depends on the circumstances.
• FERPA protects student profile information
9. What are Exceptions to FERPA?
• Directory
Information
Exception
• School Official
Exception
10. Directory Information Exception
• For PII disclosed in the school’s annual notice
as Directory Information
• No other limitations on other uses of data
11. School Official Exception
• For TPP delivery of education services to the
student.
• Remember:
▫ For service that school would use own
employees;
▫ School maintains data used by TPP;
▫ For a legitimate education interest;
▫ Data not used for unauthorized purposes; and
▫ Consider a written contract regarding use
restrictions
12. FERPA does not apply to
• An online portal for watching tutorials
• Interactive exercises without logging in or using
individual accounts.
13. Pieces of information that provide
meaning and context to data collected,
or contextual information
14. Metadata examples in testing
• Date and time the student
performed the activity;
• Number of attempts they made
to answer;
• How long their mouse hovered
over the answer button; and
• Whether they changed their
answer before submitting it
15. Metadata Not Usually Protected
• If stripped of all their direct and in direct
identifiers
• Can be disseminated to TPPs
• School name/geographic information can be
indirect identifiers
16. Best Practices to Protect Data
• Know what
information is being
collected or shared,
• By whom, and
• For what purposes
17. Best Practices
• Develop policies evaluate and approve
proposed on-line education services.
▫ Ex. - new software must be reviewed before
implementation
• Be cautious of “free” educational services
• Free apps can introduce security vulnerabilities
into your school networks
• Be transparent with the parents use of data is
being used
18. Retention Requirements
• FERPA has no requirement for physical or
electronic record retention
• School districts establish their own policy and
procedures
• Common standard is 5-7 years after
student leaves
• Some schools just retain transcripts
19. Individuals with Disabilities
Education Act, (“IDEA”)
• Public agencies must inform parents when any PII is
no longer needed
• Parents may request it be destroyed
• Defined as the “physical destruction or removal of
personal identifiers from information so that the
information is no longer personally identifiable”
• Must inform parents before student records are
destroyed
• Must inform parents they can request destruction
once child leaves
• Parents can request that their child’s record be
amended
20. Title IX
• Keep compliance
information for
seven years
• Applies to
electronic data as
well
21. Destruction/Disposal Best Practices
• Deleting a digital
record or file is
insufficient
• Use specific
technical methods
used to dispose of
the data
22. Electronic Management Systems
(“EMS”)
• Allows school to have rules as to who can
access certain documents;
• Can be updated as regulations change;
• Easier to move data to long-term storage media;
and
• Provides transaction trail
23. Defining Custodial of Records
• Each school should have an official records
custodian,
• Even if records not under his/her personal
control
• Often Principal or Asst. Principal
• Goal - To prevent the unauthorized access to
student records.
24. FERPA Applies to All Records
• Not just those records kept in the student’s file
• Security cameras in school and on busses
• Electronic records
25. Custodian Best Practices
• Develop listing of all student data kept;
• Develop custodian log for request trail; and
• Develop records release form.
26. Extracted Data
• Data that originally resided in the Student
Records System
• Now also resides in a special file
27. Best Practices for
Extracted Data
• PII must be de-identified whenever there is
public reporting;
• Mask of data sufficiently so individual students
not identified from extracted data;
• Use only for legitimate educational purposes;
• Abide by security and information release
requirements;
• Never release updated extract data as school
data
28. Internal Emails May Be Educational
Records
• If E-mails are maintained by school and
• Are “directly related” to a student
• Unless falls in one of the six “carve-outs”
• E-mail to, from, or about student may be
education record
29. Courts have ruled inconsistently
• S.A. v. Tulane County Office
of Ed., (CA)
• President and Trustees of
Bates College v.
Congregation Beth Abraham
et al., (ME)
• Williams v. District Bd. of
Trustees of Edison
Community College, FL,
30. S.A. v. Tulane County Office of Ed.,
(CA)
• Only printed emails part of records under IDEA
• Others had been deleted; thus, not maintained
31. President and Trustees of Bates
College v. Congregation Beth
Abraham et al., (ME)
• Email about complaints, part of the student’s
records
• Even though generated outside normal
academic activities
• Court noted FERPA does not limit the definition
of “other materials.”
32. Williams v. District Bd. of Trustees of
Edison Community College, FL,
• Was sending students’ grades via the internet
violated FERPA
• Florida Commission on Human Relations found
no violation
• Make sure there are sufficient protections
regarding access
33. Release of E-Mail Addresses
• FERPA protection if not included in Directory
Information
• Proper notice of that fact has been given.
34.
35. Artisita Records v. Does 1-: ,
• Students’ Media Access Control (MAC)
addresses Directory Information.
36. Fonovisa v. Does 1-14,
• MAC not was Directory Information, but not
education record and could be shared
37. Warner Bros. Records v. Does 1-14,
• FERPA allows release of e-mail addresses,
contained in the student’s records if
subpoenaed.
38. UMG Recordings, Inc. v. Doe,
• Name, address, telephone number, e-mail
address and MAC address is contained in
educational records
• Which triggered notification requirements of
FERPA.
• Court: information “detailing how a student uses
the Internet, when they use it, and what they do
on it” is protected under FERPA.
39. Louisiana Law
• La. Rev. Stat. § 17:81(Q):
• Public school must develop policies electronic
communication by an employee at a school to a
student enrolled at that school
• To protect student
• And school if violation by employee
40. Facebook
• Can have educational applications
• Communicate about projects;
• Make assignment interactive; and
• Create learning group
41. Caution
• Do not use to post grades or information that
educational record; and
• Use safeguards to keep others from accessing
the information.
42. Other Social Communications
• Anti-fraternization
prohibitions would
extend to on-line
communications.
• Laws banning such
communication
• Issue of
constitutional right to
free speech.
43. Why not to “friend”
student
• Can undercut professional
relationship;
• Opens teacher to misuse of
social media by the student;
• Can be abused by the
teacher or misinterpreted by
the student; and
• Can be seen as invasion of
privacy
44. Other Considerations
• Adult students v. Minor students
• Former Students v. Current Students v. Future
Students
• Privacy Settings