Electronic Security Issues for Schools
Presented by:
Joanne Rinardo
Partner
Deutsch Kerrigan
jrinardo@deutschkerrigan.com
504 593 0616
Why Data Integrity Has Become Important to Schools
• More technology use in the education sector
• New privacy and compliance challenges
• More collection of student data
• Outside contractors
• Online courses
Protection of Pupil Rights Amendment (PPRA)
Applies to programs of:
▫ State Educational Agency (SEA)
▫ Local Educational Agency (LEA)
▫ Or other recipient of funds under any program funded by the U.S. Department of Education
Governs Administering to Student
• Any survey
• Analysis
• Evaluation in certain areas
The 8 protected areas include:
• Political affiliations of the student/parent
• Mental issues of the student/student’s family
• Sex behavior or attitudes
• Illegal, anti-social, self-incriminating, or demeaning behavior
• Critical appraisals of those who have close family relationships to students
• Legally recognized privileged relationships (lawyers, physicians and ministers)
• Religious practices, affiliations, or beliefs of the student/student’s parents
• Income
PPRA also addresses
• Marketing surveys/areas of student privacy;
• Parental access to information; and
• Administration of certain physical examinations to minors
Third Party Providers
• Written consent before sharing PII not always required
What Information is Protected?
• Depends on the circumstances.
• FERPA protects student profile information
What are Exceptions to FERPA?
• Directory Information Exception
• School Official Exception
Directory Information Exception
• For PII disclosed in the school’s annual notice as Directory Information
• No other limitations on other uses of data
School Official Exception
• For TPP delivery of education services to the student.
• Remember:
▫ For service that school would use own employees;
▫ School maintains data used by TPP;
▫ For a legitimate education interest;
▫ Data not used for unauthorized purposes; and
▫ Consider a written contract regarding use restrictions
FERPA does not apply to
• An online portal for watching tutorials
• Interactive exercises without logging in or using individual accounts.
Pieces of information that provide meaning and context to data collected, or contextual information
Metadata examples in testing
• Date and time the student performed the activity;
• Number of attempts they made to answer;
• How long their mouse hovered over the answer button; and
• Whether they changed their answer before submitting it
Metadata Not Usually Protected
• If stripped of all their direct and indirect identifiers
• Can be disseminated to TPPs
• School name/geographic information can be indirect identifiers
Best Practices to Protect Data
• Know what information is being collected or shared,
• By whom, and
• For what purposes
Best Practices
• Develop policies to evaluate and approve proposed on-line education services.
▫ Ex. - new software must be reviewed before implementation
• Be cautious of “free” educational services
• Free apps can introduce security vulnerabilities into your school networks
• Be transparent with parents about how data is being used
Retention Requirements
• FERPA has no requirement for physical or electronic record retention
• School districts establish their own policy and procedures
• Common standard is 5-7 years after student leaves
• Some schools just retain transcripts
Individuals with Disabilities Education Act (“IDEA”)
• Public agencies must inform parents when any PII is no longer needed
• Parents may request it be destroyed
• Defined as the “physical destruction or removal of personal identifiers from information so that the information is no longer personally identifiable”
• Must inform parents before student records are destroyed
• Must inform parents they can request destruction once child leaves
• Parents can request that their child’s record be amended
Title IX
• Keep compliance information for seven years
• Applies to electronic data as well
Destruction/Disposal Best Practices
• Deleting a digital record or file is insufficient
• Use specific technical methods to dispose of the data
Electronic Management Systems (“EMS”)
• Allows school to have rules as to who can access certain documents;
• Can be updated as regulations change;
• Easier to move data to long-term storage media; and
• Provides transaction trail
Defining Custodian of Records
• Each school should have an official records custodian,
• Even if records are not under his/her personal control
• Often Principal or Asst. Principal
• Goal - To prevent unauthorized access to student records.
FERPA Applies to All Records
• Not just those records kept in the student’s file
• Security cameras in school and on busses
• Electronic records
Custodian Best Practices
• Develop listing of all student data kept;
• Develop custodian log for request trail; and
• Develop records release form.
Extracted Data
• Data that originally resided in the Student Records System
• Now also resides in a special file
Best Practices for Extracted Data
• PII must be de-identified whenever there is public reporting;
• Mask data sufficiently so individual students cannot be identified from extracted data;
• Use only for legitimate educational purposes;
• Abide by security and information release requirements;
• Never release updated extract data as school data
Internal Emails May Be Educational Records
• If e-mails are maintained by school and
• Are “directly related” to a student
• Unless it falls in one of the six “carve-outs”
• E-mail to, from, or about student may be education record
Courts have ruled inconsistently
• S.A. v. Tulare County Office of Ed., (CA)
• President and Trustees of Bates College v. Congregation Beth Abraham et al., (ME)
• Williams v. District Bd. of Trustees of Edison Community College, FL,
S.A. v. Tulare County Office of Ed., (CA)
• Only printed emails part of records under IDEA
• Others had been deleted; thus, not maintained
President and Trustees of Bates College v. Congregation Beth Abraham et al., (ME)
• Email about complaints, part of the student’s records
• Even though generated outside normal academic activities
• Court noted FERPA does not limit the definition of “other materials.”
Williams v. District Bd. of Trustees of Edison Community College, FL,
• Whether sending students’ grades via the internet violated FERPA
• Florida Commission on Human Relations found no violation
• Make sure there are sufficient protections regarding access
Release of E-Mail Addresses
• FERPA protection if not included in Directory Information
• Proper notice of that fact has been given.
Arista Records v. Does 1-: ,
• Students’ Media Access Control (MAC) addresses Directory Information.
Fonovisa v. Does 1-14,
• MAC was not Directory Information, but not education record and could be shared
Warner Bros. Records v. Does 1-14,
• FERPA allows release of e-mail addresses contained in the student’s records if subpoenaed.
UMG Recordings, Inc. v. Doe,
• Name, address, telephone number, e-mail address and MAC address are contained in educational records
• Which triggered notification requirements of FERPA.
• Court: information “detailing how a student uses the Internet, when they use it, and what they do on it” is protected under FERPA.
Louisiana Law
• La. Rev. Stat. § 17:81(Q):
• Public school must develop policies on electronic communication by an employee at a school to a student enrolled at that school
• To protect student
• And school if violation by employee
Facebook
• Can have educational applications
• Communicate about projects;
• Make assignment interactive; and
• Create learning group
Caution
• Do not use to post grades or information that is an educational record; and
• Use safeguards to keep others from accessing the information.
Other Social Communications
• Anti-fraternization prohibitions would extend to on-line communications.
• Laws banning such communication
• Issue of constitutional right to free speech.
Why not to “friend” student
• Can undercut professional relationship;
• Opens teacher to misuse of social media by the student;
• Can be abused by the teacher or misinterpreted by the student; and
• Can be seen as invasion of privacy
Other Considerations
• Adult students v. Minor students
• Former Students v. Current Students v. Future Students
• Privacy Settings
• Privacy Settings
