Electronic Security Issues for Schools
Presented by: Joanne Rinardo, Partner
Deutsch [email protected] 593 0616

Why Data Integrity Has Become Important to Schools
• More technology use in the education sector
• New privacy and compliance challenges
• More collection of student data
• Outside contractors
• Online courses

Protection of Pupil Rights Amendment (PPRA)
Applies to programs of:
▫ State Educational Agency (SEA)
▫ Local Educational Agency (LEA)
▫ Or other recipient of funds under any program funded by the U.S. Department of Education

Governs Administering to Student
• Any survey
• Analysis
• Evaluation in certain areas

The 8 protected areas include:
• Political affiliations of the student/parent
• Mental issues of the student/student’s family
• Sex behavior or attitudes
• Illegal, anti-social, self-incriminating, or demeaning behavior
• Critical appraisals of those who have close family relationships to students
• Legally recognized privileged relationships (lawyers, physicians and ministers)
• Religious practices, affiliations, or beliefs of the student/student’s parents
• Income

PPRA also addresses
• Marketing surveys/areas of student privacy;
• Parental access to information; and
• Administration of certain physical examinations to minors

Third Party Providers
• Written consent before sharing PII not always required

What Information is Protected?
• Depends on the circumstances.
• FERPA protects student profile information

What are Exceptions to FERPA?
• Directory Information Exception
• School Official Exception

Directory Information Exception
• For PII disclosed in the school’s annual notice as Directory Information
• No other limitations on other uses of data

School Official Exception
• For TPP delivery of education services to the student.
• Remember:
▫ For service that school would use own employees;
▫ School maintains data used by TPP;
▫ For a legitimate education interest;
▫ Data not used for unauthorized purposes; and
▫ Consider a written contract regarding use restrictions

FERPA does not apply to
• An online portal for watching tutorials
• Interactive exercises without logging in or using individual accounts.

Metadata
Pieces of information that provide meaning and context to data collected, or contextual information

Metadata examples in testing
• Date and time the student performed the activity;
• Number of attempts they made to answer;
• How long their mouse hovered over the answer button; and
• Whether they changed their answer before submitting it

Metadata Not Usually Protected
• If stripped of all their direct and indirect identifiers
• Can be disseminated to TPPs
• School name/geographic information can be indirect identifiers

Best Practices to Protect Data
• Know what information is being collected or shared,
• By whom, and
• For what purposes

Best Practices
• Develop policies to evaluate and approve proposed on-line education services.
▫ Ex. - new software must be reviewed before implementation
• Be cautious of “free” educational services
• Free apps can introduce security vulnerabilities into your school networks
• Be transparent with parents about how data is being used

Retention Requirements
• FERPA has no requirement for physical or electronic record retention
• School districts establish their own policy and procedures
• Common standard is 5-7 years after student leaves
• Some schools just retain transcripts

Individuals with Disabilities Education Act (“IDEA”)
• Public agencies must inform parents when any PII is no longer needed
• Parents may request it be destroyed
• Defined as the “physical destruction or removal of personal identifiers from information so that the information is no longer personally identifiable”
• Must inform parents before student records are destroyed
• Must inform parents they can request destruction once child leaves
• Parents can request that their child’s record be amended

Title IX
• Keep compliance information for seven years
• Applies to electronic data as well

Destruction/Disposal Best Practices
• Deleting a digital record or file is insufficient
• Use specific technical methods to dispose of the data

Electronic Management Systems (“EMS”)
• Allows school to have rules as to who can access certain documents;
• Can be updated as regulations change;
• Easier to move data to long-term storage media; and
• Provides transaction trail

Defining Custodian of Records
• Each school should have an official records custodian,
• Even if records not under his/her personal control
• Often Principal or Asst. Principal
• Goal - To prevent unauthorized access to student records.

FERPA Applies to All Records
• Not just those records kept in the student’s file
• Security cameras in school and on buses
• Electronic records

Custodian Best Practices
• Develop listing of all student data kept;
• Develop custodian log for request trail; and
• Develop records release form.

Extracted Data
• Data that originally resided in the Student Records System
• Now also resides in a special file

Best Practices for Extracted Data
• PII must be de-identified whenever there is public reporting;
• Mask data sufficiently so individual students are not identified from extracted data;
• Use only for legitimate educational purposes;
• Abide by security and information release requirements;
• Never release updated extract data as school data

Internal Emails May Be Educational Records
• If e-mails are maintained by school and
• Are “directly related” to a student
• Unless falls in one of the six “carve-outs”
• E-mail to, from, or about student may be education record

Courts have ruled inconsistently
• S.A. v. Tulare County Office of Ed. (CA)
• President and Trustees of Bates College v. Congregation Beth Abraham et al. (ME)
• Williams v. District Bd. of Trustees of Edison Community College (FL)

S.A. v. Tulare County Office of Ed. (CA)
• Only printed emails part of records under IDEA
• Others had been deleted; thus, not maintained

President and Trustees of Bates College v. Congregation Beth Abraham et al. (ME)
• Email about complaints, part of the student’s records
• Even though generated outside normal academic activities
• Court noted FERPA does not limit the definition of “other materials.”

Williams v. District Bd. of Trustees of Edison Community College (FL)
• Whether sending students’ grades via the internet violated FERPA
• Florida Commission on Human Relations found no violation
• Make sure there are sufficient protections regarding access

Release of E-Mail Addresses
• FERPA protection if not included in Directory Information
• Proper notice of that fact has been given.

Relevant Cases

Arista Records v. Does 1-:
• Students’ Media Access Control (MAC) addresses Directory Information.

Fonovisa v. Does 1-14
• MAC was not Directory Information, but not education record and could be shared

Warner Bros. Records v. Does 1-14
• FERPA allows release of e-mail addresses contained in the student’s records if subpoenaed.

UMG Recordings, Inc. v. Doe
• Name, address, telephone number, e-mail address and MAC address are contained in educational records
• Which triggered notification requirements of FERPA.
• Court: information “detailing how a student uses the Internet, when they use it, and what they do on it” is protected under FERPA.

Louisiana Law
• La. Rev. Stat. § 17:81(Q):
• Public school must develop policies on electronic communication by an employee at a school to a student enrolled at that school
• To protect student
• And school if violation by employee

Facebook
• Can have educational applications
• Communicate about projects;
• Make assignment interactive; and
• Create learning group

Caution
• Do not use to post grades or information that is educational record; and
• Use safeguards to keep others from accessing the information.

Other Social Communications
• Anti-fraternization prohibitions would extend to on-line communications.
• Laws banning such communication
• Issue of constitutional right to free speech.

Why not to “friend” student
• Can undercut professional relationship;
• Opens teacher to misuse of social media by the student;
• Can be abused by the teacher or misinterpreted by the student; and
• Can be seen as invasion of privacy

Other Considerations
• Adult students v. Minor students
• Former Students v. Current Students v. Future Students
• Privacy Settings