Post on 23-Jul-2020


Data Privacy & Security

Attachment A


Introduction

• Using data effectively and responsibly is fundamental to making the best decisions in today’s schools about improving student performance. Capturing accurate information is necessary for public, state, and federal reporting. It’s also needed to create accurate school and district performance reports.

• The Family Educational Rights and Privacy Act (FERPA) establishes baseline parameters for what is permissible when sharing student information. WCSD uses additional guidelines and strict processes to protect the privacy of every student and to ensure the confidentiality and security of all data collected and managed.


Data Definitions

• There are two types of student data we deal with in the district that are covered by FERPA (Family Educational Rights and Privacy Act). They are:

– “Directory Information”; and
– “PII”, or Personally Identifiable Information


Directory Information

• Certain information is made available to most individuals (those not listed under "Who can obtain personally identifiable information") only with parental written permission.

• Activities such as awards, scholarships, college/technical school information and various school publications such as yearbooks and athletic programs, however, require the use of some general information about students.

• Such information is called directory information and this information may be provided to a third party without parental consent.

Source – WCSD Website

Directory Information

• The Washoe County School District defines directory information as:
– name, address, telephone listing, electronic mail address, date and place of birth, photographs, participation in officially recognized activities and sports, field of study, weight and height of athletes, enrollment status, degrees and awards received, dates of enrollment, most recent previous school attended, grade level, grade point average range for college recruitment.

• Schools do use discretion when they receive requests for directory information and will not release such information if releasing that information would not be in the best interest of the student.

Source – WCSD Website

PII - Personally Identifiable Information

• PII includes, but is not limited to:
• The student's name
• The name of the student's parent or other family members
• The address of the student or student's family
• A personal identifier, such as the student's social security number, student number*, or biometric record
• Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name

* A student ID number is considered directory information when combined with a means of authentication such as a password, biometric method, etc. before access to educational records is granted.

Source – U.S. Government Publishing Office

PII - Personally Identifiable Information

• Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or

• Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

Source – U.S. Government Publishing Office


Protection Laws

• COPPA - The Children’s Online Privacy Protection Act

• COPPA requires companies to have a clear privacy policy, provide direct notice to parents, and obtain parental consent before collecting information from children under 13. Teachers and other school officials are authorized to provide this consent on behalf of parents for use of an educational program, but only for use in the educational context. This means the company can only collect personal information from students for the specified educational purpose, and for no other commercial purpose. The company may keep the information only as long as necessary to achieve the educational purposes.


Protection Laws

• PPRA - The Protection of Pupil Rights Amendment outlines restrictions for the process when students might be asked for information as part of federally funded surveys or evaluations.

• For example, surveys might be used to better understand the effects on students of drug and alcohol use (i.e. school climate survey). Surveys might also seek to understand the impact on students with family backgrounds that include violence, or variations in home life such as family makeup or income levels. In order to administer such surveys, schools must be able to show parents any of the survey materials used, and provide parents with choices for any surveys that deal with certain sensitive categories.

• Student surveys asking for sensitive information, like in the example above, are anonymous. Students cannot be identified and no one has access to individual student responses.


Protection Laws

• CIPA - The Children's Internet Protection Act

• CIPA was enacted by Congress in 2000 to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on school districts that receive discounts for Internet access or internal connections through the E-rate program – a program that makes certain communications services and products more affordable for eligible schools.


Protection Laws

• AB221, 2015 Legislative Session

• Existing state law requires a public school to comply with federal law governing confidentiality of the education records of a pupil. (NRS 392.029)

• AB 221/NRS 386 requires a contract that provides for the disclosure of data that includes any personally identifiable information (PII) of a pupil to include: (1) express provisions to protect the privacy and security of such information; and (2) a penalty for intentional or grossly negligent noncompliance with the terms of the contract.


What student information do we collect?

• NRS 385A determines much of what districts must collect

• Student demographics
• Enrollment, attendance, and transiency data
• Program participation (i.e. ELL, SPED, FRL, CIT status)
• Test scores and grades
• Information on learning or physical disabilities, if applicable
• Interventions
• Graduation, dropout, and remediation information
• Discipline and behavior data


District Systems Containing Student/Staff Data

• Infinite Campus – majority of student data is in IC
• BIG (Business Intelligence Gateway) Data Warehouse – a subset of what we have in Infinite Campus
• Business Plus – Payroll info, address, Social Security #’s, etc.
• SearchSoft – Applicant management system
• Office365 – email and user document storage
• Microsoft Active Directory – student & staff names, student ID numbers
• Easy IEP – Special education information
• MAP - Measured academic progress (of students)
• CogAT – Gifted and Talented testing


Who has Access?

• Authorized school and central office personnel

• Access to all of these systems is granted based on the right and need to access it. See: Board Policy 7205 - Information Technology – Data Access Policy

• Contracted vendors with signed privacy obligations


How is Individual Student PII Information Used?

• Allocation of state funding and services
• State assessment data – to measure school performance
• Determining individual student growth and school growth
• Remediation information
• Determining student instructional needs
• Intervention and enrichment effectiveness
• Facilitate school/parent communications


Aggregate Data

• Aggregate data – is information about “groups” of students without any PII

• Uses:
– To report to parents and the community to determine how districts and schools are performing
– Monitor and evaluate specific programs
– Reports to the federal government in order to receive funding for program participation. (note: the federal government does not have the authority to collect individual student data)
– Health and safety


How is Data Protected?

• Access Control – Rights granted on a “need to know” basis
• Encryption – at rest and in transit
• Secure Transit – data encapsulation and tunneling
• Physical Security – securing access to servers and the data on them
• Contracts and TOS (Terms of Service) agreements
• Account security


Data Encryption At Rest & In Transit

[Network diagram. Labeled components: WCSD Data Center, WCSD Site, WAN – Internet, Office365-Azure, Infinite Campus, BusinessPlus, Data Warehouse, WCSD Router, WCSD LAN/Intranet, WCSD PC, WCSD Laptop, WCSD Wireless AP, WCSD Firewall, MS Firewall, MS File Storage, MS Email Servers, Public Computer, Public Laptop]

• Connections and data transmitted on the WCSD LAN/Intranet are encrypted
• Connections and data transmitted between WCSD Firewall and MS Firewall on the WAN/Internet are encrypted
• Connections and data transmitted in the Office365-Azure environment are encrypted
• Connections between Public Computers and the Internet are not encrypted by default


Data Mining/Analytics

• The district performs analytics on the data already in its possession

• We don’t “mine” it from other locations; we already have the data

• Per their privacy statements and customer agreements, neither Microsoft nor Google access, mine, analyze, or scan student data

• Data stored within the cloud is in a sense more secure than it is in our own data centers

• The reason is, Microsoft & Google provide 24/7/365 monitoring and security at the physical and network levels


Vendors and Third-Party Applications

• For contracts involving student data, the WCSD Purchasing department uses best practices and terms and conditions from the Privacy Technical Assistance Center (PTAC) of the US Department of Education.

• Vendors can only collect, use, or share PII for the purposes outlined in the contract. If they want to use data in another way, they must obtain district or parent permission

• Our contracts prohibit vendors from selling PII, using student PII for the purposes of targeted advertising, or creating a personal profile of a student outside of the requirements of the contract (unless parent permission is obtained)

• Vendors must destroy student PII upon the request of the District, upon termination of the contract and the contained timelines, or when the data is no longer needed for the performance of the contract

• Governed by AB221, from the 2015 Legislative Session

Online Educational Services

• Educational applications and software are all different and are governed by the Terms of Service (TOS) and licensing agreements of the individual vendor.

• A subgroup of TAG (including IT, Legal, and Purchasing) is reviewing the TOS

• Applications such as Microsoft, Google, Google Apps for Education (GAFE), and Edmodo have all signed the Student Privacy Pledge (www.studentprivacypledge.org)

• The pledge is endorsed by the National PTA and the National School Boards Association (NSBA), to name a few

• Basic tenets of the pledge:
– Not collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.
– Not sell student personal information.

Common Sense…

• The District encourages teachers to be creative and innovative
– Online educational services (apps and websites) help teachers teach and students learn

• Common Sense Media Privacy Policy Browser
– Rates hundreds of classroom applications on Safety, Privacy, Security, and Compliance
– Parents can get information and make informed decisions about the potential privacy implications of educational technology used to support teaching and learning.

https://privacy.commonsense.org


TAG

• TAG (Technology Advisory Group)
• Meet monthly and work online as a group and as sub groups
• Considers all technology related issues in WCSD from student, staff, and community viewpoints
• Application approval is a current agenda item
• Addressing digital citizenship, grade level expectations, student logins and security, and prioritizing technology needs across the district


Supporting Student Success

• The use of data helps guide parents, teachers, schools, districts, and state leaders to improve student achievement so all children graduate ready for college or a career.

• WCSD takes seriously its moral and legal responsibility to protect student data and privacy and to ensure data confidentiality.

• WCSD has an obligation to use data to support every student, to ensure our resources are used wisely, and to communicate in a transparent manner with our community.
