The document discusses the complexities of student data privacy, outlining compliance programs, existing regulations such as FERPA and COPPA, and the implications of technology in education. It emphasizes the need for schools to create policies that protect student information while leveraging technology for learning. Additionally, it provides guidance on assessing new technologies and establishing communication plans for privacy rights and responsibilities.

1. Demystifying Student
Data Privacy
© 2015 Hobsons
Linnette Attai, President of PlayWell, LLC and Privacy
Advisor to Hobsons

2. 2
About Us
• Linnette Attai
- President, PlayWell, LLC
Compliance consulting
Privacy, safety, advertising, marketing,
content
Education and entertainment sectors
- Data Privacy Advisor to Hobsons

3. • Hobsons:
- Creating solutions to maximize student
success and institutional effectiveness to
create the world-changers of tomorrow
- Supporting over 7.3 million students across
over 8,400 schools worldwide
- Measure our achievements by those of our
clients
3
About Us

4. 4
Agenda
• Why is student data privacy so complicated?
• Creating your school compliance program
• Assessing new technologies
• Q&A – use the “chat window” to submit your
questions

5. Why is student data privacy so
complicated?
5

6. 6
Benefits of Technology
• Enhancing student learning and success
- Identifying strengths and learning styles
- Delivering personalized learning
- Supporting at-risk students
- Providing opportunities for accomplishment
and creativity
- College and career planning and preparation

7. • Management and efficiency
- Record-keeping for students and staff
- Data analysis
- Vendor and contract management
- Operations management
7
Benefits of Technology

8. 8
Technology in the Classroom
New
Technology
New Uses
for Data
New Privacy
Frameworks

9. • Data privacy and security as separate but related
terms:
- Privacy: collection, use, handling and sharing
or transfer of data
- Security: protective measures applied to
prevent unauthorized access, and to preserve
the integrity of the data
9
Privacy vs. Security

10. • Existing federal regulation:
- FERPA, PPRA, CIPA, COPPA
• Existing state regulation
• Emerging federal and state regulation
10
Regulatory Climate

11. • Applies to all schools that receive federal funds
• Protects privacy of student education records
• Provides parents and eligible students (ages 18+)
with access to education records
- Rights to review and request amendment or
correction
11
Family Educational Rights and
Privacy Act (FERPA)

12. • Education records: directly related to a student
and maintained by an educational agency
− Must obtain consent from parent or eligible
student prior to release of student education
records
FERPA
12

13. • Exceptions for obtaining prior consent for release
of education records
−School officials with legitimate educational interest;
−Other schools to which a student is transferring;
−Specified officials for audits or evaluations;
−Appropriate parties in connection with financial aid;
−Organizations conducting certain studies on behalf of a school;
−Accrediting organizations;
−To comply with a judicial order or subpoena;
−Certain officials in cases of health and safety emergencies;
−State and local authorities, within a juvenile justice system, in
accordance with certain state law.
FERPA
13

14. • School official:
− Contractor to whom a school or institution has
outsourced institutional services or functions
− Must be performing an institutional service or function
for which the agency would otherwise use employees
− Must be under the direct control of the agency or
institution with respect to the use and maintenance of
education records
FERPA
14

15. • Sets requirements around notice prior to
disclosure of directory information
• Requires annual notice to parents of FERPA
rights
15
FERPA

16. • Provides rights to parents of minor students
around collection of sensitive information through
surveys, analysis or evaluations
• Requires consent prior to collection of “protected”
information
• Opt out rights for certain surveys, physical exams
and information disclosure for marketing
purposes
16
Protection of Pupil Rights
Amendment (PPRA)

17. • Requires schools to establish policies for
collection, disclosure or use of personal
information about students for commercial
purposes
PPRA
17

18. • Applies to schools or libraries that receive
discounts for Internet access or internal
connections via E-rate
• Requires:
- Blocking or filtering of certain images
- Internet safety policy that includes monitoring
online activities of minors
- Education for minors about appropriate online
behavior
18
Children’s Internet Protection Act
(CIPA)

19. • Applies to operators:
- of commercial websites and online services
directed to children under 13
- with actual knowledge that they are collecting
personal information from children under 13
• Requires clear, comprehensive privacy policy
• Maintain reasonable data security and deletion
measures
19
Children’s Online Privacy
Protection Act (COPPA)

20. • Provide parents with notice, choice and consent
prior to collecting personal information
• Allows schools to consent to collection of
personal information in certain circumstances:
- Collection is only for use and benefit of the
school
- No other commercial purposes
• Operator may rely on the contract to indicate
consent20
COPPA

21. • 2014: 110 student data privacy bills introduced
across 36 states  28 new laws
• 2015 to date: 128 state bills introduced, along
with new federal regulation
21
State Regulation

22. • California legislation
• Applies to operators of websites, online services
designed, marketed and used primarily for K-12
school purposes
• Restricts use of data from minors for certain
marketing or advertising practices
22
Student Online Personal
Information Privacy Act (SOPIPA)

23. • Prohibits targeted advertising and sale of student
information
• Limits disclosure of “covered” information
• Requires reasonable security, appropriate to the
nature of the covered information
• If requested by a school or district, must delete a
student’s covered information under the school or
district’s control
SOPIPA
23

24. • Different nomenclature and definitions of
protected data:
- Education records
- Directory information
- Protected information
- Personal information
- Covered information
• Prior consent vs. opt out
• Marketing restrictions
Navigating the Terrain
24

25. • Control of the data
• Transparency
• Notice and choice
• Acceptable educational use cases
• Reasonable security measures
Common Threads
25

26. • Responsible for navigating regulatory matrix
• Stewards of district and community norms
• Community relations and communication plans
• Incident response management
26
Voice of Schools

27. Creating your school compliance
program
27

28. • Identify compliance risks and gaps
• Address existing issues
• Create policies and practices to minimize risks
• Establish communications and incident response
plans
• Educate employees, parents and students on
privacy rights and responsibilities
Program Goals
28

29. • Technology audit and assessment
- What technology is currently used to support
school operations?
 Data management platforms
 Support services
- What technology is used in the classroom?
 Devices
 Websites
 Apps
29
Where to Begin?
29

30. • Assemble stakeholders
• Assess current technology use
• Assess resources and infrastructure
• Identify existing capabilities and talent
30
Next Steps

31. • Identify gaps and needs:
- Policies, technology, infrastructure, security,
bandwidth, communications, training
• Consider impacts:
- Financial, personnel, logistics, time, pedagogy
• Create your goals
Planning Process
31

32. • Device use
• Data privacy and security
• App and website compliance assessment
• Social media use
• Data disclosure circumstances
• Incident response plans
32
Policy Development

33. • Notices to parents and students
- Acceptable use policy
- Rules and responsibilities
- Incident report procedures
• Policy and technology updates
• Post-incident information
Communications Plans
33

34. • Educate teams and implement policies and
processes
• Inform parents and establish plans for ongoing
community outreach
34
Transparency and Engagement

35. Assessing new technologies
35

36. • Create assessment and compliance processes
for adding new technology at the district, school
and classroom levels
- Identify stakeholders
- Map out review process
 Who is involved?
 What will be reviewed?
 How will it be reviewed?
 Are additional resources needed?
36
Establish a Review Process

37. • Privacy policies
• Terms of use
• Contract terms
• Questions for vendors
37
Compliance Review Process

38. • What data is collected and why?
• Who has access and for what purposes?
• What are the security protocols?
• How can the school access the data to respond to
a request from a parent?
• What happens to the data when the agreement
ends?
Understanding the Technology
38

39. • What is the process for integrating the technology
into your school?
• How will the vendor support implementation?
• How much time is needed to be operational?
• What are the costs?
• What support is provided after implementation?
• What are the recommendations and resources for
training?
39
Going Beyond Compliance

40. • What were the goals of bringing the technology
into the school?
- Measure and assess the impacts
- Use the results to inform the process for the
future
40
Examining the Results

41. • Use the chat function to submit your questions
• We will send the list of questions and answers to
attendees after the webinar
41
Q & A

42. • US Department of Education
- http://www.ed.gov/
• Privacy Technical Assistance Center (PTAC)
- http://ptac.ed.gov/
• Consortium for School Networking (CoSN):
- http://www.cosn.org/focus-areas/leadership-vision/protectin
• Future of Privacy Forum FERPA|SHERPA:
- http://ferpasherpa.org/
42
Additional Resources

43. • For more information and to review this webinar
again, please visit the events page at:
www.hobsons.com/education-trends/events
43
Thanks for Attending!