4. How To
• Create a school culture that embraces
technological opportunities
• Explore communication strategies with
parents, students and staff
• Privacy K-12 curriculum that teaches
students about their rights and
responsibilities in the digital
environment.
8. How to know:
Type of data collected, how it is used, who
has access to it and how secure is it
9.
10. Everyone Needs a Roadmap
Framework to . . .
• Identify and minimize
risks of mishaps
• Establish clear policies
• Create an incident
response plan
• Train employees
• Educate students and
parents
12. Download the Roadmap for Schools at:
iKeepSafe.org/roadmap
Or email: info@ikeepsafe.org
Mhancock@iKeepSafe.org
13. Marsali,
Below are several slides from Nancy’s
original PPT. Feel free to re-insert into the
presentation if you find them useful.
Thanks!
14. Family Educational Rights and
Privacy Act
• FERPA
• mandates that schools must keep
educational records confidential
and that student data can only be
used for educational purposes.
Using student data to sell or
market products is prohibited.
• Changes are being considered (Sen.
Markey)
15. Children’s Online Privacy
Protection Act
• COPPA
• Mandates operators of websites or
online services directed to children
obtain verifiable parental consent
before collecting, using or
disclosing personal info of children
under 13
• School may provide consent in
some circumstances
16. Child Internet Protection Act
• CIPA
• Requires schools that use software
or technology to block access to
inappropriate materials
• Safety education requirement
• Tied to e-Rate Funding
17. The Protection of Pupil Rights
Act
• PPRA
• Protects the privacy of students in
surveys, medical exams and
marketing.
• Has Opt-in and Opt-out
requirements that schools must
comply with.
18. Civil Liberties
The First Amendment
• Balancing a robust expression of ideas
while restricting those
communications that invade others’
privacy, are defamatory, contribute to
a hostile environment or otherwise
cause harm.
19. Civil Liberties
The Fourth Amendment
• Searching & seizing electronic
Devices
• BYOD, school-provided devices, cell
phones, laptops, e-readers
• What are your school policies
around electronic devices?
20. How to establish clear
policies and procedures?
• Notice
• Confidentiality and Disclosures
• Security
• Changes
• Training
Editor's Notes
My name is Nancy Gifford. I am the Sr. Director of Law & Policy for iKeepSafe. I am honored to be talking to you this morning about iKeepSafe’s work. I will be discussing the six key skills and competencies that we know through research must be addressed to help youth responsibly navigate our digitally connected culture. I will also talk about iKeepSafe’s recent publications and work around privacy, including an issue that has been getting a lot of attention here in the U.S. -- the collection, protection and use of student data
>
iKeepSafe’s mission is to help youth around the globe thrive in the digital environment.
While our mission is youth focused, we know that to be successful, we cannot simply be speaking to youth. To help youth thrive, we need everyone (parents, policymakers, educators, community leaders, law enforcement, medical health experts) to be sharing a similar message about using technology responsibly. So we work with everyone to increase an evidence-based awareness of the risks and opportunities in our connected world --- increasing everyone’s competence and confidence in technology.
When we work with schools, we take a holistic approach – ensuring that the message we give to students about ethical use of technology is mirrored in our practices and our policies and is communicated clearly to parents, students and staff.
With the help of nationally recognized thought leaders, iKeepSafe used research to create the first-ever framework around all known (not perceived) online safety risks affecting kids.
We then grouped them into the 6 positive-focused topics and core-competencies.
Each concept is a key letter in the acronym “BE a PRO”. The idea is that you can easily commit this to memory to keep in mind when you're out and about and engaging with technology!
Group Activity: have groups discuss privacy challenges and solutions they want to discuss today.
Schools are increasing relying upon technology – such as mobile applications, online resources and cloud-based storage options – to collect, manage and analyze personal information from and about their students.
This is reflected at this conference – tech has been a key theme—particularly understanding and using technology to enhance teaching and learning (achieve educational objectives; increase administrative efficiency and to satisfy federal and state academic standards)
“There’s an App for that: 20 Apps Principals Can’t Live without”
“The Dynamic Classroom” – Energizing the classroom with technology-rich activities
Identifying Quality Apps, Websites and Games for Learning
The Digital Principal
Social Media: (keeping you connected)
Technopalooza: Celebrating the Integration of Technology to Increase Student Achievement
Using Twitter
Using Facebook
With this growth in the use of new technology, there are big opportunities –such as dynamic and innovative instructional aids; improved personalized learning; strong communication and administrative efficiencies
But with the tech, there are also new concerns for schools. Issues that are
(1) Policies and Administrative Considerations to protect the privacy of student data: policy related (ensuring that your policies are up to date for these new technologies and that they are compliant with federal, state and district policies. In particular – a concern that schools (and the vendors they rely upon to provide these services) are not adequately safeguarding the privacy of student data).
(2) Core competencies for ethically and responsibly engaging with technology): Focused on ensuring that students are being provided with the instruction needed to become ethical, responsible and resilient digital citizens.--
Curriculum
Digital Citizenship
First, a school system that wants to integrate ed tech needs a comprehensive privacy program. Implementing a formal and robust privacy program will help limit a schools potential for making a damaging privacy mistake that can hurt a student; school’s reputation; and the entire education community.
Not only is this a smart decision – we are seeing more states implementing regulations requiring schools to develop detailed privacy and security plans as well as conducting compliance audits to ensure schools are complying with FERPA.
Most recently NC enacted a statute requiring schools to develop a plan that includes “
b. Privacy compliance standards.
c. Privacy and security audits.
d. Breach planning, notification, and procedures.
e. Data retention and disposition policies.
f. Ensure routine and ongoing compliance by the Department of Public Instruction with FERPA, other relevant privacy laws and policies, and the privacy and security rules, policies, and procedures developed under the authority of this section related to personally identifiable student data in the student data system,
Digital incident response plan
Cyberbullying
Sexting
Harassment
Data security breach response plan
Hacking
Accidental or negligent disclosures
The 1974 Family Educational Rights and Privacy Act or FERPA, mandates that schools must keep educational records confidential and that student data can only be used for educational purposes. Using student data to sell or market products is prohibited.
Education records include disciplinary records…The term "education records" is defined as those records that contain information directly related to a student and which are maintained by an educational agency or institution or by a party acting for the agency or institution.
FERPA generally prohibits the improper disclosure of personally identifiable information derived from education records.
But there is an exception: schools can share “personally identifiable” student information with a contracted third party, for example, an educational software company, provided that information is only used for the purpose the school requested.
Parents are given a set of rights under FERPA and the schools must provide notice to parents about those rights.
Directory Information is excluded Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.
No consent needed for disclosure of education records, or personally identifiable information from education records, to appropriate parties in connection with an emergency, if knowledge of that information is necessary to protect the health or safety of the student or other individuals.
Also – consent is not necessary if we are disclosing in response to Subpoenas / Law Enforcement Requests
Provides parents access to data
Draft Bill released earlier this year by Sens Ed Markey and Orin Hatch – “protecting student privacy act of 2014”
Mandate new data-security safeguards for private companies;
Require districts to maintain a record of all the outside companies that have access to student information;
Promote "data minimization," by seeking to meet data requests with non-personally identifiable information wherever possible; and
Require that all personally identifiable information held by outside parties eventually be destroyed in order to prevent private companies from maintaining permanent dossiers on students.
Under some circumstances, schools can act as a parent’s agent and consent to the collection of kids’ information, as long as that information is used for educational, not commercial purposes.
A requires the adoption and enforcement of an “Internet safety policy” covering the filtering discussed above; “monitoring the online activities of minors.” as well as requiring that the policy include
measures for educating minors about appropriate online behavior
Prior to adoption of an Internet Safety Policy, CIPA requires that “reasonable public notice” and “at least one public hearing or meeting” be held to address the proposed Policy.
Applicants must be careful to retain documentation of their Policy adoption
BECAREFUL that your filtering system does not run afoul of the First Amendment:
A federal district court in Missouri held that a School District’s filtering system “systematically allows access to websites expressing a negative viewpoint toward LGBT individuals by categorizing them as ‘religion,’ but filters out positive viewpoints toward LGBT issues by categorizing them as ‘sexuality.” The court also concluded that other filtering systems are available that “are much more effective” at filtering out pornography “and do so without burdening websites that express a positive viewpoint toward LGBT individuals.”
It seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals information concerning:
Political affiliations; Mental and psychological problem; Sex behavior and attitudes; anti-social, self-incriminating and demeaning behavior; Income
School policies must provide employees, students and parents with clear guidance about how the school will respond to harmful or distressing speech within the limits of the 1st Amendment
In its landmark 1969 ruling in Tinker v. Des Moines, the Supreme Court found that students do not "shed their constitutional rights to freedom of speech or expression at the schoolhouse gate." The ACLU argued the case on behalf of Mary Beth Tinker, defending her right to wear a black armband at school to protest the Vietnam War.
The Right to Freedom of Expression is not absolute. The famous “yelling fire in a movie theater” exception
Are we clear about how we will respond to communications conducted by staff/students online?
When will a school respond to those?
How will you respond to a FB page dedicated to threatening a teacher or a student? What about one that involves simply derogatory remarks but not threatening?
Key question: Is it disrupting the educational environment.
Do we understand the circumstances under which we can search and seize electronic devices (personal ones and school-provided)
The United States asserts that a search of all data stored on a cell phone is 'materially indistinguishable' from searches of...[on the person or nearby] physical items. That is like saying a ride on horseback is indistinguishable from a flight to the moon." -SCOTUS, Riley v. California
Aside from the holding itself ("We therefore decline to extend Robinson to searches of data on cell phones, and hold instead that officers must generally secure a warrant before conducting such a search.”), that is my favorite line from Riley. (SEARCH INCIDENT TO ARRST)
f you are allowed to bring a personally owned laptop to school, school officials may confiscate and search your laptop only if there is reasonable suspicion that it contains evidence you violated school rules. The officials must return your laptop once they have the evidence they need, or have dispelled the suspicion of wrongdoing. If the school has a policy that you can't bring your own laptop to school and you do so anyway, school staff can take it away until the end of the school day. The ACLU believes it would be illegal for them to search it without reasonable suspicion that it contains evidence you violated school rules; however, the courts have not yet ruled on this. If the laptop you're using belongs to the school, school officials can take it back from you at any time. The school may be able to search the laptop for files even if there is no suspicion of wrongdoing, but the courts have not ruled on this yet.
Clear Policies and Procedures will help to ensure that the school can articulate the privacy practices the school will follow and provide notice to students/parents/employees about the data collected. The policy must be drafted in clear language – avoiding legalese. (Acceptable Use Polices and Privacy Polices)
The policies should establish rules for maintaining confidentiality and identifying circumstances when data will be disclosed without consent (EXIGENT CIRCUMSTANCES / UNDER DISTRESS -- having a policy in place to address issues around confidentiality involving people in distress can help you manage a situation – failure to share information during a crisis can lead to tragic consequences )
The policies related to data security – you need to think about the technical safeguards put in place by your IT department; but also about how you are disposing of old electronic equipment; and whether to allow staff to remove laptops or USB drives from school – a common source of data breaches. (Perhaps wiping all computers at the end of the school year)
Changes – how will you notify parents / students / staff to any changes in the policy
Annual training of all employees on the policies is instrumental to ensure compliance
