Electronic Security Issues for Schools
•Download as PPTX, PDF•
1 like•87 views
Learn the latest on school data security
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Viewers also liked
Viewers also liked (12)
Similar to Electronic Security Issues for Schools
Similar to Electronic Security Issues for Schools (20)
Recently uploaded
Recently uploaded (20)
Electronic Security Issues for Schools
- 1. Electronic Security Issues for Schools Presented by: Joanne Rinardo Partner Deutsch Kerrigan jrinardo@deutschkerrigan.com 504 593 0616
- 2. Why Data Integrity Has Become Important to Schools • More technology use in the education sector • New privacy and compliance challenges • More collection of student data • Outside contractors • Online courses
- 3. Protection of Pupil Rights Amendment (PPRA) Applies to programs of: ▫ State Educational Agency (SEA) ▫ Local Educational Agency (LEA) ▫ Or other recipient of funds under any program funded by the U.S. Department of Education
- 4. Governs Administering to Student • Any survey • Analysis • Evaluation in certain areas
- 5. The 8 protected areas include: • Political affiliations of the student/parent • Mental issues of the student/student’s family • Sex behavior or attitudes • Illegal, anti-social, self- incriminating, or demeaning behavior • Critical appraisals of those who have close family relationships to students • Legally recognized privileged relationships (lawyers, physicians and ministers) • Religious practices, affiliations, or beliefs of the student/student’s parents • Income
- 6. PPRA also addresses • Marketing surveys/areas of student privacy; • Parental access to information; and • Administration of certain physical examinations to minors
- 7. Third Party Providers • Written consent before sharing PII not always required
- 8. What Information is Protected? • Depends on the circumstances. • FERPA protects student profile information
- 9. What are Exceptions to FERPA? • Directory Information Exception • School Official Exception
- 10. Directory Information Exception • For PII disclosed in the school’s annual notice as Directory Information • No other limitations on other uses of data
- 11. School Official Exception • For TPP delivery of education services to the student. • Remember: ▫ For service that school would use own employees; ▫ School maintains data used by TPP; ▫ For a legitimate education interest; ▫ Data not used for unauthorized purposes; and ▫ Consider a written contract regarding use restrictions
- 12. FERPA does not apply to • An online portal for watching tutorials • Interactive exercises without logging in or using individual accounts.
- 13. Pieces of information that provide meaning and context to data collected, or contextual information
- 14. Metadata examples in testing • Date and time the student performed the activity; • Number of attempts they made to answer; • How long their mouse hovered over the answer button; and • Whether they changed their answer before submitting it
- 15. Metadata Not Usually Protected • If stripped of all their direct and in direct identifiers • Can be disseminated to TPPs • School name/geographic information can be indirect identifiers
- 16. Best Practices to Protect Data • Know what information is being collected or shared, • By whom, and • For what purposes
- 17. Best Practices • Develop policies evaluate and approve proposed on-line education services. ▫ Ex. - new software must be reviewed before implementation • Be cautious of “free” educational services • Free apps can introduce security vulnerabilities into your school networks • Be transparent with the parents use of data is being used
- 18. Retention Requirements • FERPA has no requirement for physical or electronic record retention • School districts establish their own policy and procedures • Common standard is 5-7 years after student leaves • Some schools just retain transcripts
- 19. Individuals with Disabilities Education Act, (“IDEA”) • Public agencies must inform parents when any PII is no longer needed • Parents may request it be destroyed • Defined as the “physical destruction or removal of personal identifiers from information so that the information is no longer personally identifiable” • Must inform parents before student records are destroyed • Must inform parents they can request destruction once child leaves • Parents can request that their child’s record be amended
- 20. Title IX • Keep compliance information for seven years • Applies to electronic data as well
- 21. Destruction/Disposal Best Practices • Deleting a digital record or file is insufficient • Use specific technical methods used to dispose of the data
- 22. Electronic Management Systems (“EMS”) • Allows school to have rules as to who can access certain documents; • Can be updated as regulations change; • Easier to move data to long-term storage media; and • Provides transaction trail
- 23. Defining Custodial of Records • Each school should have an official records custodian, • Even if records not under his/her personal control • Often Principal or Asst. Principal • Goal - To prevent the unauthorized access to student records.
- 24. FERPA Applies to All Records • Not just those records kept in the student’s file • Security cameras in school and on busses • Electronic records
- 25. Custodian Best Practices • Develop listing of all student data kept; • Develop custodian log for request trail; and • Develop records release form.
- 26. Extracted Data • Data that originally resided in the Student Records System • Now also resides in a special file
- 27. Best Practices for Extracted Data • PII must be de-identified whenever there is public reporting; • Mask of data sufficiently so individual students not identified from extracted data; • Use only for legitimate educational purposes; • Abide by security and information release requirements; • Never release updated extract data as school data
- 28. Internal Emails May Be Educational Records • If E-mails are maintained by school and • Are “directly related” to a student • Unless falls in one of the six “carve-outs” • E-mail to, from, or about student may be education record
- 29. Courts have ruled inconsistently • S.A. v. Tulane County Office of Ed., (CA) • President and Trustees of Bates College v. Congregation Beth Abraham et al., (ME) • Williams v. District Bd. of Trustees of Edison Community College, FL,
- 30. S.A. v. Tulane County Office of Ed., (CA) • Only printed emails part of records under IDEA • Others had been deleted; thus, not maintained
- 31. President and Trustees of Bates College v. Congregation Beth Abraham et al., (ME) • Email about complaints, part of the student’s records • Even though generated outside normal academic activities • Court noted FERPA does not limit the definition of “other materials.”
- 32. Williams v. District Bd. of Trustees of Edison Community College, FL, • Was sending students’ grades via the internet violated FERPA • Florida Commission on Human Relations found no violation • Make sure there are sufficient protections regarding access
- 33. Release of E-Mail Addresses • FERPA protection if not included in Directory Information • Proper notice of that fact has been given.
- 35. Artisita Records v. Does 1-: , • Students’ Media Access Control (MAC) addresses Directory Information.
- 36. Fonovisa v. Does 1-14, • MAC not was Directory Information, but not education record and could be shared
- 37. Warner Bros. Records v. Does 1-14, • FERPA allows release of e-mail addresses, contained in the student’s records if subpoenaed.
- 38. UMG Recordings, Inc. v. Doe, • Name, address, telephone number, e-mail address and MAC address is contained in educational records • Which triggered notification requirements of FERPA. • Court: information “detailing how a student uses the Internet, when they use it, and what they do on it” is protected under FERPA.
- 39. Louisiana Law • La. Rev. Stat. § 17:81(Q): • Public school must develop policies electronic communication by an employee at a school to a student enrolled at that school • To protect student • And school if violation by employee
- 40. Facebook • Can have educational applications • Communicate about projects; • Make assignment interactive; and • Create learning group
- 41. Caution • Do not use to post grades or information that educational record; and • Use safeguards to keep others from accessing the information.
- 42. Other Social Communications • Anti-fraternization prohibitions would extend to on-line communications. • Laws banning such communication • Issue of constitutional right to free speech.
- 43. Why not to “friend” student • Can undercut professional relationship; • Opens teacher to misuse of social media by the student; • Can be abused by the teacher or misinterpreted by the student; and • Can be seen as invasion of privacy
- 44. Other Considerations • Adult students v. Minor students • Former Students v. Current Students v. Future Students • Privacy Settings