New tool for navigating federal privacy laws
(District of Columbia) A recent cyberattack that sent one school district’s field test of a new online state assessment into a tailspin earlier this year was enough to strike panic into the hearts of school district administrators everywhere. If malfeasance can disrupt the flow of internet traffic during a critical testing window, could it also steal private student data, tamper with transcripts, or take down a district’s entire network?
And perhaps more pressing is the rising tide of parent voices concerned that their children’s private information — like grades, health issues, addresses and birthdays — could be accessed by third parties for non-educational purposes.
Hoping to help districts prevent such alarming developments and apply best practices in educational technology, the Washington, D.C. based Consortium for School Networking has released two new resources to help school systems avoid violations of student privacy and vulnerabilities to their data systems.
“Over the last year, everyone has seen a great increase in the United States on the issue of privacy,” Keith Krueger, CEO of the consortium, a national association for district technology leaders that maintains chapters in 20 states, said in an interview.
He noted that a national furor over privacy protection has been spurred by developments both outside and within education. The National Security Agency’s collection of U.S. citizens’ phone data, as well as the theft of private financial information from more than 40 million Target customers, has raised awareness about data vulnerability over the last year.
Within education, Krueger noted the demise of inBloom, the ambitious student data collection effort backed by the Gates and Carnegie foundations that ceased operations last spring in the face of public concerns over student privacy and the potential mining of student data.
To help district technology leaders put in place best practices for handling student data, CoSN developed “10 Privacy Steps Every School District Should Take” with support from technology giant Intel Corporation. The document, available on the consortium’s website, lists concrete actions to boost the protection of student data.
Among the advice:
- designate a district privacy official;
- seek legal counsel from someone who understands federal privacy laws;
- provide training to any school employee who handles student data, adopts online education apps or contracts with service providers;
- inform parents about measures the district is taking to protect private student information.
Evidence of the rising concern over student privacy can be seen in the rush of state legislation aimed at ensuring that private information remains private. In the 2014 legislative sessions, more than 80 bills in 32 states addressed student-data protection issues, according to the Data Quality Campaign, a Washington-based group that seeks to promote the use of educational data to improve student achievement.
New York successfully established a state-level chief privacy officer charged with the protection of student data. In Idaho, lawmakers passed legislation requiring school districts to adopt model policies for protecting student information. And Florida schools have been barred by the state legislature from collecting biometric information — like fingerprints — from its students.
The second resource, “Security Questions to ask of an Online Service Provider” is a detailed list of key questions district personnel should discuss with a potential internet service provider before agreeing to a service level agreement. A contract between the provider and the district, the service level agreement specifies metrics such as the percentage of time services will be available, the number of users that can use the network simultaneously and the security measures the provider guarantees.
The list includes more than three dozen questions the consortium thinks district administrators should know the answers to. Among them:
- What data does the provider collect?
- Are all network devices located in secure facilities and under controlled circumstances (e.g. ID cards, entry logs)?
- Are backups performed and tested regularly and stored off-site?
- Are the physical server(s) in a secured, locked and monitored environment to prevent unauthorized entry and/or theft?
- Does the provider perform background checks on personnel with administrative access to servers, applications and customer data?
- Does the provider subcontract any functions, such as analytics?
- How does the provider assure the proper management and disposal of data?
- Does the provider notify the School System about any changes that will affect the security, storage, usage, or disposal of any information received or collected directly from the School?
Both documents are intended to complement a toolkit released earlier this year on the consortium website that helps district technology leaders make decisions while staying in compliance with a pair of federal laws that govern student privacy.
The 1974 Family Education Rights and Privacy Act protects student educational records and the Children’s Online Privacy Protection Act from 2000 regulates the collection, use, and disclosure by commercial web sites and online services of personally identifiable information from children.
“The legal context in which we think of privacy has existed for many years,” Krueger said. “These laws all predate the technology in which they’re being applied. We want to make sure that as school districts are putting things in the cloud or utilizing apps we understand how the privacy laws apply. We want to have good practices for implementation, not just minimal compliance, and ensure that we are identifying aspirational practices.”
The Protecting Student Privacy in Connected Learning toolkit is organized in the form of a decision tree, or flowchart, and addresses FERPA and COPPA compliance issues as well as suggested practices for district technology directors. It was developed in conjunction with Harvard Law School and with support Microsoft Corporation.
In the fall, Krueger said, CoSN will update the toolkit with additional sections covering the Protection of Pupil Rights Amendment (PPRA) and the Health Insurance Portability & Accountability Act (HIPAA) – filling out the privacy guide with all four federal privacy laws applied to K-12 education.
“What we find is there’s a lot of anxiety, that people don’t really know what they should be doing,” Krueger said. “That’s at the heart of what CoSN wants to be doing over the coming months and years, to identify those aspirational practices. Checking a box for compliance is critical but insufficient for what we need to expect around privacy.”
Click here to access CoSN’s resources for protecting student privacy.