Protecting Student Privacy in Blended
and Online Learning: New FERPA
Guidance from the US Department of
Education
• Frank ...
Introductions & Overview
Maria Worthen
Vice President, Federal & State Policy
iNACOL
• Palm Springs, Ca – Nov. 4-7, 2014
• Registration available soon.
• Over 2200 experts, educators and
thought leaders in t...
Webinar Format
• Feel free to type questions in the chat box
• The webinar is being recorded and
archived. Link will be em...
iNACOL’s mission is to ensure all
students have access to a world-
class education and quality blended
and online learning...
iNACOL Strategic Priorities
• Development of new learning models
• Quality assurance for blended and online
learning
• Pol...
State Policy Priority Issues
1. Create competency-based education systems
2. Improve equity and access for students to
ble...
Priority Area: Support new learning models
through connectivity, data systems, and
security.
• Broadband telecommunication...
Without data, we cannot
personalize instruction at scale.
Without sensible data
governance, we cannot sustain
new learning...
Protecting Student Privacy
While Using Online Educational
Services
An Overview of Recent Department of
Education Guidance
...
QuestionsQuestions
 Please type your questions in the chat
box in the lower left hand corner of the
webinar window.
11
Poll: Who is in thePoll: Who is in the
Audience?Audience?
Please indicate which sector you represent:
A) K-12 Administrati...
OverviewOverview
 The changing landscape of education technology in
schools
 The U.S. Department of Education’s role in ...
14
Use of EducationUse of Education
Technology in SchoolsTechnology in Schools
 Student Information Systems
 Productivity a...
Online Educational ServicesOnline Educational Services
This guidance relates to the subset of education services that
are:...
The Challenge of OnlineThe Challenge of Online
Educational ServicesEducational Services
 Schools and districts are increa...
The U.S. Department ofThe U.S. Department of
Education’s Role in ProtectingEducation’s Role in Protecting
Student PrivacyS...
Poll: FERPA AwarenessPoll: FERPA Awareness
Please rate your familiarity with FERPA:
A) “FERPA, what’s FERPA?”
B) I know en...
Family Educational RightsFamily Educational Rights
and Privacy Act (FERPA)and Privacy Act (FERPA)
 Gives parents (and eli...
But wait! There areBut wait! There are
exceptions!exceptions!
Two of FERPA’s exceptions to the parental consent
requiremen...
Directory InformationDirectory Information
ExceptionException
 Students don’t attend school anonymously.
 Allows schools...
Directory InformationDirectory Information
ExceptionException
 Common uses:
– Yearbooks
– Concert programs
– Telephone di...
School Official ExceptionSchool Official Exception
 Schools or LEAs can use the School Official exception to disclose
edu...
Poll: PPRA AwarenessPoll: PPRA Awareness
Please rate your familiarity with PPRA:
A)(Yawn) I know all about it.
B)I’ve work...
Protection of Pupil RightsProtection of Pupil Rights
Amendment (PPRA)Amendment (PPRA)
 Amended in 2001 with No Child Left...
Question 1:Question 1:
Is student information used in online
educational services protected by FERPA?
27
Is student information used inIs student information used in
online educational servicesonline educational services
protec...
Question 2:Question 2:
What does FERPA require if PII from
students’ education records is disclosed to a
provider?
29
What does FERPA require ifWhat does FERPA require if
PII is disclosed to aPII is disclosed to a
provider?provider?
 Paren...
Question 3:Question 3:
Under FERPA and PPRA, are providers
limited in what they can do with the student
information they c...
Are providers limited in whatAre providers limited in what
they can do with the studentthey can do with the student
inform...
Are providers limited in whatAre providers limited in what
they can do with the studentthey can do with the student
inform...
Question 4:Question 4:
What about metadata? Are there restrictions
on what providers can do with metadata
about students’ ...
What about metadata?What about metadata?
“Metadata” are pieces of information that provide meaning
and context to other da...
Other laws to considerOther laws to consider
 Childrens Online Privacy and Protection Act (COPPA)
– Applies to commercial...
Best Practices forBest Practices for
Protecting Student PrivacyProtecting Student Privacy
 Maintain awareness of other re...
Best Practices forBest Practices for
Protecting Student PrivacyProtecting Student Privacy
 Maintain awareness of other re...
Best Practices forBest Practices for
Protecting Student PrivacyProtecting Student Privacy
 Maintain awareness of other re...
Question 5:Question 5:
Can individual teachers sign up for free (or
“freemium”) education services?
40
Using free educationalUsing free educational
servicesservices
Remember the FERPA’s requirements for schools and
districts ...
Best Practices forBest Practices for
Protecting Student PrivacyProtecting Student Privacy
 Maintain awareness of other re...
Best Practices forBest Practices for
Protecting Student PrivacyProtecting Student Privacy
 Maintain awareness of other re...
Best Practices forBest Practices for
Protecting Student PrivacyProtecting Student Privacy
 Maintain awareness of other re...
Question 6:Question 6:
What provisions should be in a school’s or
district’s contract with a provider?
45
Best Practices for ContractBest Practices for Contract
Provisions for OnlineProvisions for Online
Educational ServicesEduc...
Question 7:Question 7:
What about online educational services that
use “click-wrap” agreements instead of
traditional cont...
What to look for in “click-What to look for in “click-
wrap” agreementswrap” agreements
When reviewing “click-wrap” agreem...
Read the GuidanceRead the Guidance
DocumentDocument
http://ptac.ed.gov/document/protecting-student-privacy-
while-using-on...
ResourcesResources
 Family Policy Compliance Office, U.S. Department of
Education, Model Notice for Directory Information...
QuestionsQuestions
 Please type your questions
in the chat box in the lower
left corner of the webinar
screen.
51
Contact InformationContact Information
52
Telephone: (855) 249-3072
Email: privacyTA@ed.gov
FAX: (855) 249-3073
Website: w...
FERPA and Student Privacy
Protections: District Perspective
Themy Sparangis, Ed.D.
Chief Technology Director
Los Angeles U...
• What are the benefits of using data to
personalize instruction?
• How does LAUSD handle student data?
• What is the impa...
Q&A
• Please type questions or comments in the
chat box on the left side of your screen.
Contact Information
• Frank Miller, Management and Program Analyst, U.S.
Department of Education, Frank.E.Miller@ed.gov
• ...
Upcoming SlideShare
Loading in …5
×

iNACOL Leadership Webinar "Protecting Student Privacy in Blended and Online Learning"

943 views

Published on

The Family Educational Rights and Privacy Act (FERPA) is the federal law that protects personally identifiable information from students’ education records from unauthorized disclosure. The US Department of Education’s Privacy Technical Assistance Center (PTAC) recently issued new FERPA guidance specific to online learning environments, “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices". This webinar was presented by officials from the US Department of Education Privacy Assistance Center. http://ptac.ed.gov/

Published in: Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
943
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
23
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Hello. And welcome to our webinar entitled, “Protecting Student Privacy While Using Online Educational Services. My name is Ross Lemke and I am a Technical Assistance Manager at the Privacy Technical Assistance Center, or PTAC. With me is Frank Miller, the Team Lead for the Family Policy Compliance Office at the U.S. Department of Education.
    Frank: “Good Afternoon, or for those of you out on the west coast, Good Morning!”
  • If you have questions, please type them in the lower right hand corner of the webinar window. At the conclusion of the webinar, we will have a moderator answer a few select questions. We may not be able to answer all of your questions, either due to time constraints, or simply because we don’t know the answer at this time.
  • Now we’d like to know who is in the audience. Please select from the following choices in the poll.
  • Ross
    The ever changing landscape of technology is difficult to keep up with at best. PTAC/The Department recognizes that there is a need for more guidance around protecting student privacy in an electronic age. Remember that FERPA was enacted well before the preponderance of electronic data files and student information systems. As such, FERPA is very unclear around the protection of electronic student records. Today we are going to discuss, at a high level, guidance to help schools/districts/service providers and others to navigate the best practice considerations for protecting student privacy. Remember that there ARE legal protections for student information used online and you should also consider state, local, and tribal law protections of student information as well. Finally, it’s important to think beyond simply being compliant with FERPA. We always recommend employing best practices in addition to compliance requirements such as PPRA and FERPA.
  • Frank
  • Ross
    Technology is everywhere in the education community. These are some examples of technology in schools that may contain or use student personally identifiable information, or PII. Student Information Systems such as Pearson or eScholar, Productivity applications such as Google Apps for education or Microsoft 365, educational applications such as teacher dashboards and fundimental school services such as school transportation services or cafeteria services.
  • Ross
    This particular guidance relates to the following subsets of education services such as computer software, mobile applications, web-based tools THAT:
    Are provided by a third party
    Accessed via the Internet by students and/or parents AND
    Are used as part of a school activity.
    This guidance is not covering online services or social media used in a personal capacity or those that are used by the district in an administrative function that are NOT accessed by parents or students.
  • Frank:
    With the changes in the computing and telecommunications sectors over the last couple decades, we’ve seen corresponding shifts in these technologies’ use in the education sector. This has led to a number of new privacy and data governance challenges that schools and districts have had to address.
    For starters, the growing complexity of many of these technologies, coupled with budgetary constraints, has led many schools and districts to contract out a greater share of school functions, rather than performing them in-house.
    As more services move online, and as technology advances, we have many new types of data that are being collected, and a whole lot more of it, overall.
    Many online services also increasingly use a “take-it-or-leave-it” Terms of Service agreement (often called a “click-wrap” agreement) instead of the 2-party written contract model used in more traditional contracting relationships – which raises new challenges that we’ll talk about later in the presentation.
    Faced with all of these developments, our major challenge is to find a way to leverage the tremendous potential of these new technologies and data in an effective and appropriate way, without compromising students’ privacy.
  • Frank:
    So, to that end, what role does the U.S. Department of Education play in protecting student privacy?
    Most importantly, we administer and enfore a number of federal laws governing the privacy of student information, including two laws that we’ll be talking about today in the context of using online educational services: the Family Educational Rights and Privacy Act (or FERPA, for short), and the Protection of Pupil Rights Amendment, or PPRA.
    But, administering and enforcing these laws is not all that we do to protect student privacy (though it does keep our Family Policy Compliance Office very busy). We also work to raise awareness throughout the education community of the privacy risks and challenges involved when collecting and using student data.
    We provide both general and targeted technical assistance, through PTAC, on privacy and security issues to schools, districts, and states, and we are active in promoting a number of privacy and security best practices that we encourage education stakeholders to adopt.
  • Ross
    Now we’d like to gauge your level of expertise with FERPA:
    A: FERPA, what’s FERPA?
    B: I know enough to be dangerous
    C: You could add me to your national cadre of experts on FERPA: I’m an expert!
  • Frank:
    Put simply, FERPA guarantees parents access to the information contained in their children’s education records, and protects those records from unauthorized disclosure without the parents’ consent.
    More specifically, FERPA gives parents the right to access and seek to amend their children’s education records.
    The law protects any personally identifiable information (or PII) from those education records from unauthorized disclosure, and it requires written consent from the parent before sharing PII with third parties…unless an exception applies.
  • Frank:
    There are a number of these exceptions to FERPA’s written consent requirement – and those of you who have sat through any of our prior webinars are undoubtedly familiar with some of them.
    For today’s discussion, we’re going to focus exclusively on two of these exceptions: the Directory Information exception and the school official exception.
    But, as I said, there are a number of other exceptions to this consent requirement, and we’ll have a link to the PTAC website at the end of the presentation if you want to find out more information about any of them.
    So, Ross, can you tell us about these two exceptions to FERPA’s consent requirement?
  • Ross
    We know students don’t attend school anonymously, therefore FERPA allows schools to releasce certain information without consent. Some examples include, name, address, email address, photographs, degrees and awards received (such as validictorian). Keep in mind that much of this information could be PII and just because you CAN do it, doesn’t mean it’s a best practice. In addition, remember that schools must provide the list of what they consider directory information in its annual notification to parents and that parents can opt out of that information being shared.
  • Ross
    Some common uses of this exception are yearbooks, student directories, and concert programs. Remember that parents have the right to opt out!
  • Ross
    The school official exception is generally the exception that allows those involved in the education of students to be able to deliver education services needed to the student. When involving a third party provider, or TPP, it’s important the following caveats are met:
    It has to be a service or function that the school/district would otherwise use its own employees. For example this could be student information system services or dashboards provided by a vendor.
    The use of the data by that TPP is under the direct control of that provider with regard to the USE/Maintenance of those education records.
    The use of the data aligns with the annual notification sent to parents on what constitutes a school official with a legitimate education interest.
    The data is not used for unauthorized purposes.
  • Frank:
    As we mentioned before, FERPA isnt the only Federal law that protects student privacy – there’s also the PPRA.
    Now, let’s do another little poll, and be honest! How many of you have ever heard of the PPRA before today?
    And for those of you who have, how many of you understand how it applies to students’ use of online services? (wait for poll results)
    I didn’t think so – but you’re in good company. Awareness of the PPRA lags far behind that of FERPA, though we hope to change that moving forward.
  • Frank:
    Though the PPRA has been around for many years, its most notable changes – for the purposes of today’s discussion – were introduced with it was amended as part of the No Child Left Behind Act of 2001.
    While the law is mostly known for its provisions dealing with surveys in elementary and secondary schools (the so-called “Sex, Drugs, and Rock and Roll” provisions) it also includes limitations on the use of personal information collected from students for marketing purposes.
    Subject to certain exceptions (including one notable one for education products and services), the PPRA also has requirements on parental notification, and provides parents the opportunity to opt their children out of these activities.
  • Ross
  • Frank:
    As much as I wish I could give a definitive answer to that question, and as much as I appreciate those on Twitter who recently poked fun at us for saying it in the guidance document, the real answer to that question is “It depends”
    Some data used in online educational services is absolutely protected by FERPA – say, for instance, the student profile information (like name, grade, and email address) that a school enters into an online system to create students’ user accounts. When that information is taken from education records (like the school’s Student Information System) then FERPA would absolutely be implicated.
    But, there are many different types of online services, and even more types of data – much of which probably isn’t protected by FERPA. Take, for instance, an online portal that students use to watch tutorials or complete interactive exercises without logging in or using individual accounts. In tese cases, no PII is involved, so FERPA would not apply.
    In the end, schools and districts will typically need to evaluate the use of online educational services on a case by case basis, to determine if FERPA-protected information is implicated.
  • Ross
  • Frank:
    Well, the most straight-forward approach would be to have parents provide written consent for their children’s information to be disclosed to the service provider. But, as anyone who has ever tried to collect field trip permission slips can attest, this is often not an efficient process, and may be unworkable for essential services central to the education process.
    Without written parental consent, disclosure of PII from education records can only occur under one of FERPA’s exceptions to the consent requirement. In the case of online educational services, this will most likely be done under one of the two exceptions we discussed earlier.
    The Directory Information exception is an easy way to disclose student information to create student accounts – but only if all of the data elements that will be disclosed are properly designated as directory information in the school or district’s annual notice. Also, using the Directory Information exception may be problematic in those cases where parents have elected to “opt out” of directory information. It is often unfeasible for a school to maintain two separate systems for the same function – an online one for the majority of students, and a separate, paper-based one for those students who’s parents have opted out of Directory Information.
    Because of the complexities of using the Directory Information exception, either because of the data elements involved, or because of the parental opt-out option, FERPA’s School Official exception to consent is often the best (or at least the most efficient) option to disclose information to third party service providers.
    As we mentioned before, however, when using the School Official exception there are a number of requirements that must be met.
    First, the provider must meet the school or district’s specified criteria for “school official with legitimate education interest,” as documented in their annual FERPA notice. The provider’s use of the PII must be for authorized purposes only, and under the direct control of the school or district. And, in those cases where the third party provider will be creating or maintaining education records for the school, the school or district must ensure that parents retain the right to access those records (either directly from the provider, or more likely, from the school or district who obtains them from the provider).
  • Ross
  • Frank:
    Again, I’ll have to say “It depends” – in this cases, it depends on how the information was collected or disclosed.
    If the PII was disclosed under the Directory Information exception, then typically there would be no other limitations on using the data for other purposes.
    If the information was disclosed under the School Official exception, on the other hamd, then the PII may only be used for the specific purpose for which it was disclosed. Third Party Providers are prohibited from selling or sharing the PII, or using it for any other purpose except as directed by the school or district, and as permitted by FERPA.
    But, whether or not FERPA protected information is implicated, whenever personal information is collected from a student the PPRA may also apply. So the PPRA’s restrictions on marketing may apply even when there are no other legal protections on the data.
  • Frank:
    We want to stress, though, that FERPA and the PPRA represent minimum legal requirements. They are the floor, not the ceiling when it comes to protecting students’ privacy.
    Schools and Districts can, and often should consider placing additional limitations on what online service providers can do with student information by inserting those provisions into their agreements with the service providers.
  • Ross
    Frank: I hear the word metadata thrown around quite a bit. What is it? And are there restrictions on what providers can do with metadata about students’ interactions with their services.
  • Frank:
    So, you’re right. Metadata has been used a lot in the news recently, and many of those who use the term have not done a very good job explaining what it actually means.
    Put simply, metadata are pieces of information that provide meaning and context to other data being collected or used. For example, if we were interested in tracking a student’s performance on a particular online activity (or, as is more often the case, trying to find patterns in how a large number of students perform on a specific activity) we would want to know how the students did on the activity (the data), but that performance information would have a whole lot more meaning and analytical use if you also knew the date and time the student performed the activity, the number of attempts they made, how long their mouse hovered over the answer button (which is an indicator of indecision), or whether they changed their answer before submitting it.
    All of these other pieces of contextual information, collectively known as “metadata,” are tremendously useful for education technology developers in building and enhancing the underlying algorithms used in personalized learning and other similar technologies.
    Metadata that have been stripped of all their direct identifiers and other indirect indentifying information are NOT protected under FERPA, because at that point they are no longer considered to be PII. I’ll make the important caveat, however, that when you’re looking to de-identify metadata it is important to consider that, depending on the context, school name or other geographic information can be indirect identifiers in student data. People often forget that point.
    Assuming it’s done properly, de-identified metadata can be used by providers for any number of other purposes, unless prohibited by other laws, or by more restrictive data use provisions in the provider’s agreement with the school or district.
  • Ross
    There are other laws to consider such as COPPA which applies to commercial websites and online services directed to children under age 13. This law is administered by the Federal Trade Commission. Please see the link for more information.
  • Ross
    Now we will walk you through several best practices on protecting student privacy. The first which we just discussed, is that it’s critical to be aware of other relevant laws such as COPPA, that may apply.
    You should also be aware of your local, state or tribal laws. In fact, many states and local entities have pending or passed laws regarding the protection of student personally identifiable information.
  • Frank
    Administrators will also want to be aware of which online educational services are currently in use in your school or district. The first step in protecting student data is knowing what information is being collected or shared, by whom, and for what purposes. And you can’t even begin to answer these questions until you know what services are being used across your organization.
  • Ross
    It’s important that your organization has policies and procedures consistent with state, local and federal law to evaluate and approve proposed education services. For instance, you may have a policy that requires that any new software must be reviewed by legal, IT, and management prior to being implemented in a classroom setting.
  • Frank:
    So, Ross, on that subject, can individual teachers sign up for free (or “freemium”) education services to use in their classrooms?
  • Ross
    Many say, “nothing is free”. And in many cases, from Facebook to your grocery’s frequent shopper card, identifiable information or marketing information is your “payment” for the service. It’s important to remember that FERPA has requirements, which we discussed earlier, that you must adhere with when using these types of software/apps. Also, remember that many free apps can introduce security vulnerabilities into your school networks. Most importantly, we consider it a best practice to have regular trainings with staff around your policies regarding the use of software, downloads, and “free services”.
  • Frank
    Good to know. Getting back to our list of best practices to consider, though FERPA does not expressly require that schools or districts use a written contract or legal agreement when disclosing information under the school official exception, we strongly recommend that schools and districts do so, whenever possible. Not only do these agreements help with the “direct control” requirements we discussed earlier, but they also serve to clarify the use restrictions and other legal requirements that the provider is expected to meet.
  • Ross
    Transparency is critical when it comes to communicating with parents and students on how data is being used, who it’s being shared with and for what purpose. We highly recommend that school districts inform parents of how children’s data is being used, what information is being shared and for what purpose in a public forum such as a website.
  • Frank:
    And lastly, while there are many circumstances where obtaining parental consent is just not feasible, hence FERPA’s exceptions, there are many other circumstances where obtaining parental consent is the best way to go. Going the consent route is a great way to increase transparency about your school or district’s data use, and many districts are doing it to communicate with parents about what their kids are doing online. So, we understand that it’s not always an option, but we do recommend it whenever possible.
  • Ross
  • Frank:
    Good question. Again, FERPA does not expressly require that schools or districts use a contract or written agreement with a third party provider, but for all the reasons we’ve discussed, it is absolutely a best practice to do so, and there are a number of provisions that we recommend including in those agreements when you develop them.
    For starters, we recommend including data security and data stewardship provisions. Make it clear whether the data being collected belongs to the school or the provider, and describe each party’s responsibility in the event of a data breach. You can even establish minimim security controls that the provider should use, and allow for auditing of their compliance with those controls.
    We also recommend clearly specifying what information the provider will be collecting through their service (logs, cookies, tracking pixels, whatever it may be). It’s hard to assess and mitigate the privacy risk of a technology if you don’t even know what information it’s collecting!
    Be sure to define the specific purposes for which the provider may use student information, and legally bind them only to those approved uses. How long will the provider hold on to the data in identifiable form? Will they be permitted to share it with any other party? When the contract ends, how should they handle destroying the data? All of these are important terms to consider laying out in a written agreement.
    We recommend specifying whether the school, district, or parent will be permitted to access the data in the system, and if so, the process for obtaining access. This is particularly important if the provider will be creating or maintaining education records for the school, as FERPA’s access rights would then come into play.
    We recommend establishing how long the agreement will be in force, and what the terms are for modifying, amending, or terminating the agreement. This is particularly important for reasons will talk about a little later.
    And lastly, we recommend considering whether there should (or should not) be any provisions wherein the school or district indemnifies the provider, or vice versa, particularly as it relates to the school or district’s potential liabilities resulting from failure to comply with federal, state, or tribal law.
  • Ross
  • Frank:
    So, as we mentioned before, “Click Wrap” agreements are a particlar form of legal agreement between a service provider and the user of that service. They are essentially a compilation of “take-it-or-leave-it” legal provisions established by the provider to which the user agrees by clicking “accept.” Not accepting these provisions means not using the service, plain and simple.
    Well, these click-wrap agreements pose a challenge for the use of online educational services because they muddy the waters a bit about how the various legal requirements and best practices will be met. Consequently, we recommend that schools or districts take extra caution and apply extra scrutiny to these agreements before accepting them and using the services.
    First, schools and districts should be sure to check the amendment provisions. Many click-wrap agreements allow the provider to unilaterally change the terms of the agreement without notice to the user. Given the FERPA school official’s exception requirement to maintain “direct control” over the use of student information, we recommend that schools and districts exercise caution when agreeing to any terms of service that allows for amendment without notice. And if you do enter into them, we recommend reviewing the agreements regularly to determine if any provisions have changed.
    We recommend printing (or saving) any terms of service agreement that you accept. Remember, these are legally binding agreements between the vendor and the school or district – you should be sure to keep a copy for future reference.
    And lastly, because these click-wrap agreements are legally binding documents between the provider and the school or district, and because they are so easy to agree to with one quick click of a mouse button, we recommend that districts (or schools) establish policies that specify who has authority to accept terms of service agreements, and what they shoud be reviewing these agreements for prior to accepting them.
  • Ross
  • Ross
  • Ross
  • Ross
    Thank you for attending today’s webinar. We appreciate your attention and look forward to hearing more from you regarding your thoughts/comments on this document. Please send your comments to privacyta@ed.gov
  • iNACOL Leadership Webinar "Protecting Student Privacy in Blended and Online Learning"

    1. 1. Protecting Student Privacy in Blended and Online Learning: New FERPA Guidance from the US Department of Education • Frank E. Miller, Management and Program Analyst, U.S. Department of Education • Ross Lemke, Technical Assistance Manager, Privacy Technical Assistance Center, U.S. Department of Education • Themy Sparangis, Chief Technology Director, Los Angeles Unified School District • Maria Worthen, Vice President for Federal and State Policy, iNACOL April, 2014
    2. 2. Introductions & Overview Maria Worthen Vice President, Federal & State Policy iNACOL
    3. 3. • Palm Springs, Ca – Nov. 4-7, 2014 • Registration available soon. • Over 2200 experts, educators and thought leaders in the field of online and blended learning and competency based education
    4. 4. Webinar Format • Feel free to type questions in the chat box • The webinar is being recorded and archived. Link will be emailed out to you within 2 days after the webinar • Also posted in iNACOL Member Forum
    5. 5. iNACOL’s mission is to ensure all students have access to a world- class education and quality blended and online learning opportunities that prepare them for a lifetime of success.
    6. 6. iNACOL Strategic Priorities • Development of new learning models • Quality assurance for blended and online learning • Policy and advocacy
    7. 7. State Policy Priority Issues 1. Create competency-based education systems 2. Improve equity and access for students to blended & online learning opportunities 3. Ramp up quality assurance 4. Provide room for innovation. 5. Support new learning models through connectivity, data systems, and security.
    8. 8. Priority Area: Support new learning models through connectivity, data systems, and security. • Broadband telecommunications infrastructure • Statewide longitudinal data systems • Secure and ethical use of student data.
    9. 9. Without data, we cannot personalize instruction at scale. Without sensible data governance, we cannot sustain new learning models powered by blended and online learning.
    10. 10. Protecting Student Privacy While Using Online Educational Services An Overview of Recent Department of Education Guidance April 9, 2014 Frank Miller Team Lead, Family Policy Compliance Office U.S. Department of Education Ross Lemke Technical Assistance Manager Privacy Technical Assistance Center
    11. 11. QuestionsQuestions  Please type your questions in the chat box in the lower left hand corner of the webinar window. 11
    12. 12. Poll: Who is in thePoll: Who is in the Audience?Audience? Please indicate which sector you represent: A) K-12 Administration B) K-12 Faculty C) Post-Secondary Administration or Faculty D) Education Technology Industry E) Other (e.g., parent/student, non-profit org., etc.) 12
    13. 13. OverviewOverview  The changing landscape of education technology in schools  The U.S. Department of Education’s role in protecting student privacy  Legal protections for students’ information used in online educational services – How FERPA and PPRA protect student information used in online educational services – Other laws to consider  Beyond compliance: best practices for protecting student privacy 13
    14. 14. 14
    15. 15. Use of EducationUse of Education Technology in SchoolsTechnology in Schools  Student Information Systems  Productivity applications  Educational applications  Fundamental school services 15
    16. 16. Online Educational ServicesOnline Educational Services This guidance relates to the subset of education services that are: Computer software, mobile applications (apps), or web- based tools; Provided by a third-party to a school or district; Accessed via the Internet by students and/or parents; AND Used as part of a school activity. This guidance does not cover online services or social media used in a personal capacity, nor does it apply to services used by a school or district that are not accessed by parents or students. 16
    17. 17. The Challenge of OnlineThe Challenge of Online Educational ServicesEducational Services  Schools and districts are increasingly contracting out school functions  We have new types of data, and much more of it!  Many online services do not utilize the traditional 2-party written contractual business model  Increasing concern about the commercialization of personal information and behavioral marketing  We need to use that data effectively and appropriately, and still protect students’ privacy 17
    18. 18. The U.S. Department ofThe U.S. Department of Education’s Role in ProtectingEducation’s Role in Protecting Student PrivacyStudent Privacy  Administering and enforcing federal laws governing the privacy of student information – Family Educational Rights and Privacy Act (FERPA) – Protection of Pupil Rights Amendment (PPRA)  Raising awareness of privacy challenges  Providing technical assstance to schools, districts, and states  Promoting privacy & security best practices 18
    19. 19. Poll: FERPA AwarenessPoll: FERPA Awareness Please rate your familiarity with FERPA: A) “FERPA, what’s FERPA?” B) I know enough to be dangerous C) You could add me to your national cadre of experts on FERPA: I’m an expert. 19
    20. 20. Family Educational RightsFamily Educational Rights and Privacy Act (FERPA)and Privacy Act (FERPA)  Gives parents (and eligible students) the right to access and seek to amend their children’s education records  Protects personally identifiable information (PII) from education records from unauthorized disclosure  Requirement for written consent before sharing PII – unless an exception applies 20
    21. 21. But wait! There areBut wait! There are exceptions!exceptions! Two of FERPA’s exceptions to the parental consent requirement are most relevant when using education technology: – Directory information exception – School official exception There are many other FERPA exceptions. 21
    22. 22. Directory InformationDirectory Information ExceptionException  Students don’t attend school anonymously.  Allows schools to release certain information without consent. A few examples: – name, address, telephone listing, electronic mail address; – date and place of birth; – photographs; – weight and height of athletes; – degrees & awards received. 22
    23. 23. Directory InformationDirectory Information ExceptionException  Common uses: – Yearbooks – Concert programs – Telephone directories  Remember that parents have a right to opt-out 23
    24. 24. School Official ExceptionSchool Official Exception  Schools or LEAs can use the School Official exception to disclose education records to a third party provider (TPP) if the TPP: – Performs a service/function for the school/district for which it would otherwise use its own employees – Is under the direct control of the school/district with regard to the use/maintenance of the education records – Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the school/LEA’s annual notification of rights under FERPA – Does not re-disclose or use education data for unauthorized purposes 24
    25. 25. Poll: PPRA AwarenessPoll: PPRA Awareness Please rate your familiarity with PPRA: A)(Yawn) I know all about it. B)I’ve worked with it, but only in regard to the survey provisions. C)I have limited knowledge about PPRA D)Oh yes, that stands for “Pen Pal Research Association” right? 25
    26. 26. Protection of Pupil RightsProtection of Pupil Rights Amendment (PPRA)Amendment (PPRA)  Amended in 2001 with No Child Left Behind Act  Mostly known for provisions dealing with surveys in K-12  Includes limitations on using personal information collected from students for marketing  Parental notification and opportunity to opt out may be required  Development of policies in conjunction with parents may be required  However … a significant exception for “educational products or services” 26
    27. 27. Question 1:Question 1: Is student information used in online educational services protected by FERPA? 27
    28. 28. Is student information used inIs student information used in online educational servicesonline educational services protected by FERPA?protected by FERPA? It depends! Some data used in online educational services is protected by FERPA. Other data may not be. Schools and Districts will typically need to evaluate the use of online educational services on a case by case basis to determine if FERPA-protected information is implicated. 28
    29. 29. Question 2:Question 2: What does FERPA require if PII from students’ education records is disclosed to a provider? 29
    30. 30. What does FERPA require ifWhat does FERPA require if PII is disclosed to aPII is disclosed to a provider?provider?  Parental consent for the disclosure; OR  Disclosure under one of FERPA’s exceptions to the consent requirement. Typically, either: – Directory Information exception • Remember parents’ right to “opt-out” – School Official exception • Annual FERPA notice • Direct control • Use for authorized purposes only • Limitation on re-disclosure • Remember parents’ right to access their student’s education records 30
    31. 31. Question 3:Question 3: Under FERPA and PPRA, are providers limited in what they can do with the student information they collect or receive? 31
    32. 32. Are providers limited in whatAre providers limited in what they can do with the studentthey can do with the student information they collect orinformation they collect or receive?receive? If PII is disclosed under the Directory Information exception: – No limitations If PII is disclosed under the School Official exception: – PII from education records may only be used for the specific purpose for which it was disclosed – TPPs may not sell or share the PII, or use it for any other purpose except as directed by the school/district and as permitted by FERPA When personal information is collected from a student, the PPRA may also apply! – PPRA places some limitations on the use of personal information collected from students for marketing 32
    33. 33. Are providers limited in whatAre providers limited in what they can do with the studentthey can do with the student information they collect orinformation they collect or receive?receive? Remember, schools and districts have an important role in protecting student privacy. Additional limitations and restrictions (beyond what FERPA, PPRA, and other laws require) may be written into the agreement between the school/district and the provider! 33
    34. 34. Question 4:Question 4: What about metadata? Are there restrictions on what providers can do with metadata about students’ interactions with their services? 34
    35. 35. What about metadata?What about metadata? “Metadata” are pieces of information that provide meaning and context to other data being collected, for example: – Activity date and time – Number of attempts – How long the mouse hovered before clicking an answer Metadata that have been stripped of all direct and indirect identifiers are not protected under FERPA (NOTE: School name and other geographic information can be indirect identifiers in student data) Properly de-identified metadata may be used by providers for other purposes (unless prohibited by other laws or by their agreement with the school/district) 35
    36. 36. Other laws to considerOther laws to consider  Childrens Online Privacy and Protection Act (COPPA) – Applies to commercial Web sites and online services directed to children under age 13, and those Web sites and services with actual knowledge that they have collected personal information from children – Schools may exercise consent on behalf of parents in certain, limited circumstances (e.g., when it is for the use/benefit of the school and there is no other commercial purpose) – Administered by the Federal Trade Commission – See http://www.business.ftc.gov/privacy-and-security/childrens-privacy for more information  State, Tribal, or Local Laws 36
    37. 37. Best Practices forBest Practices for Protecting Student PrivacyProtecting Student Privacy  Maintain awareness of other relevant laws  Be aware of which online educational services are currently being used in your district  Have policies and procedures to evaluate and approve proposed educational services  When possible, use a written contract or legal agreement  Be transparent with parents and students  Consider that parental consent may be appropriate 37
    38. 38. Best Practices forBest Practices for Protecting Student PrivacyProtecting Student Privacy  Maintain awareness of other relevant laws  Be aware of which online educational services are currently being used in your district  Have policies and procedures to evaluate and approve proposed educational services  When possible, use a written contract or legal agreement  Be transparent with parents and students  Consider that parental consent may be appropriate 38
    39. 39. Best Practices forBest Practices for Protecting Student PrivacyProtecting Student Privacy  Maintain awareness of other relevant laws  Be aware of which online educational services are currently being used in your district  Have policies and procedures to evaluate and approve proposed educational services  When possible, use a written contract or legal agreement  Be transparent with parents and students  Consider that parental consent may be appropriate 39
    40. 40. Question 5:Question 5: Can individual teachers sign up for free (or “freemium”) education services? 40
    41. 41. Using free educationalUsing free educational servicesservices Remember the FERPA’s requirements for schools and districts disclosing PII under the school official exception. – Direct control – Consistency with annual FERPA notice provisions – Authorized use – limits on re-disclosure These services may also introduce security vulnerabilities into your school networks It is a best practice to establish district/school level policies governing use of free services, and to train teachers and staff accordingly. 41
    42. 42. Best Practices forBest Practices for Protecting Student PrivacyProtecting Student Privacy  Maintain awareness of other relevant laws  Be aware of which online educational services are currently being used in your district  Have policies and procedures to evaluate and approve proposed educational services  When possible, use a written contract or legal agreement  Be transparent with parents and students  Consider that parental consent may be appropriate 42
    43. 43. Best Practices forBest Practices for Protecting Student PrivacyProtecting Student Privacy  Maintain awareness of other relevant laws  Be aware of which online educational services are currently being used in your district  Have policies and procedures to evaluate and approve proposed educational services  When possible, use a written contract or legal agreement  Be transparent with parents and students  Consider that parental consent may be appropriate 43
    44. 44. Best Practices forBest Practices for Protecting Student PrivacyProtecting Student Privacy  Maintain awareness of other relevant laws  Be aware of which online educational services are currently being used in your district  Have policies and procedures to evaluate and approve proposed educational services  When possible, use a written contract or legal agreement  Be transparent with parents and students  Consider that parental consent may be appropriate 44
    45. 45. Question 6:Question 6: What provisions should be in a school’s or district’s contract with a provider? 45
    46. 46. Best Practices for ContractBest Practices for Contract Provisions for OnlineProvisions for Online Educational ServicesEducational Services  Security and data stewardship provisions  Data collection provisions  Data use, retention, disclosure, and destruction provisions  Data access provisions  Modification, duration, and termination provisions  Indemnification and warranty provisions 46
    47. 47. Question 7:Question 7: What about online educational services that use “click-wrap” agreements instead of traditional contracts? 47
    48. 48. What to look for in “click-What to look for in “click- wrap” agreementswrap” agreements When reviewing “click-wrap” agreements, schools and districts should also: Check amendment provisions Print (or save) the Terms of Service Specify authority to accept the Terms of Service 48
    49. 49. Read the GuidanceRead the Guidance DocumentDocument http://ptac.ed.gov/document/protecting-student-privacy- while-using-online-educational-services 49
    50. 50. ResourcesResources  Family Policy Compliance Office, U.S. Department of Education, Model Notice for Directory Information  PTAC Cloud Computing Best Practices  Federal Trade Commission Resources on COPPA and Children’s Privacy  National Institute of Standards and Technology, Cloud Computing Guidelines for Managing Security and Privacy 50
    51. 51. QuestionsQuestions  Please type your questions in the chat box in the lower left corner of the webinar screen. 51
    52. 52. Contact InformationContact Information 52 Telephone: (855) 249-3072 Email: privacyTA@ed.gov FAX: (855) 249-3073 Website: www.ed.gov/ptac
    53. 53. FERPA and Student Privacy Protections: District Perspective Themy Sparangis, Ed.D. Chief Technology Director Los Angeles Unified School District
    54. 54. • What are the benefits of using data to personalize instruction? • How does LAUSD handle student data? • What is the impact of the new FERPA guidance on your work and what do other district leaders need to know? • What approaches do you hope policymakers will take in your state?
    55. 55. Q&A • Please type questions or comments in the chat box on the left side of your screen.
    56. 56. Contact Information • Frank Miller, Management and Program Analyst, U.S. Department of Education, Frank.E.Miller@ed.gov • Ross Lemke, Technical Assistance Manager, Privacy Technical Assistance Center, U.S. Department of Education, ross.lemke@aemcorp.com • Themy Sparangis, Chief Technology Director, Los Angeles Unified School District, themy.sparangis@lausd.net • Maria Worthen, Vice President for Federal and State Policy, iNACOL, mworthen@inacol.org

    ×