inacol leadership webinar "protecting student privacy in blended and online learning"
DESCRIPTION
The Family Educational Rights and Privacy Act (FERPA) is the federal law that protects personally identifiable information from students’ education records from unauthorized disclosure. The US Department of Education’s Privacy Technical Assistance Center (PTAC) recently issued new FERPA guidance specific to online learning environments, “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices". This webinar was presented by officials from the US Department of Education Privacy Assistance Center. http://ptac.ed.gov/TRANSCRIPT
Protecting Student Privacy in Blended and Online Learning: New FERPA Guidance from the US Department of Education
• Frank E. Miller, Management and Program Analyst, U.S. Department of Education
• Ross Lemke, Technical Assistance Manager, Privacy Technical Assistance Center, U.S. Department of Education
• Themy Sparangis, Chief Technology Director, Los Angeles Unified School District
• Maria Worthen, Vice President for Federal and State Policy, iNACOL
April, 2014
Introductions & Overview
Maria Worthen
Vice President, Federal & State Policy
iNACOL
• Palm Springs, Ca – Nov. 4-7, 2014
• Registration available soon.
• Over 2200 experts, educators and thought leaders in the field of online and blended learning and competency based education
Webinar Format
• Feel free to type questions in the chat box
• The webinar is being recorded and archived. Link will be emailed out to you within 2 days after the webinar
• Also posted in iNACOL Member Forum
iNACOL’s mission is to ensure all students have access to a world-class education and quality blended and online learning opportunities that prepare them for a lifetime of success.
iNACOL Strategic Priorities
• Development of new learning models
• Quality assurance for blended and online learning
• Policy and advocacy
State Policy Priority Issues1. Create competency-based education systems
2. Improve equity and access for students to blended & online learning opportunities
3. Ramp up quality assurance
4. Provide room for innovation.
5. Support new learning models through connectivity, data systems, and security.
Priority Area: Support new learning models through connectivity, data systems, and security.• Broadband telecommunications
infrastructure
• Statewide longitudinal data systems
• Secure and ethical use of student data.
Without data, we cannot personalize instruction at scale.
Without sensible data governance, we cannot sustain new learning models powered
by blended and online learning.
Protecting Student Privacy While Using Online Educational Services
An Overview of Recent Department of Education Guidance
April 9, 2014 Frank MillerTeam Lead, Family Policy Compliance OfficeU.S. Department of Education
Ross LemkeTechnical Assistance ManagerPrivacy Technical Assistance Center
QuestionsQuestions
Please type your questions in the chat box in the lower left hand corner of the webinar window.
11
Poll: Who is in the Audience?Poll: Who is in the Audience?
Please indicate which sector you represent:A) K-12 Administration
B) K-12 Faculty
C) Post-Secondary Administration or Faculty
D) Education Technology Industry
E) Other (e.g., parent/student, non-profit org., etc.)
12
OverviewOverview
The changing landscape of education technology in schools
The U.S. Department of Education’s role in protecting student privacy
Legal protections for students’ information used in online educational services– How FERPA and PPRA protect student information used in online
educational services– Other laws to consider
Beyond compliance: best practices for protecting student privacy
13
14
Use of Education Technology in Use of Education Technology in SchoolsSchools
Student Information Systems Productivity applications Educational applications Fundamental school services
15
Online Educational ServicesOnline Educational Services
This guidance relates to the subset of education services that are:Computer software, mobile applications (apps), or web-based tools;Provided by a third-party to a school or district;Accessed via the Internet by students and/or parents; ANDUsed as part of a school activity.
This guidance does not cover online services or social media used in a personal capacity, nor does it apply to services used by a school or district that are not accessed by parents or students.
16
The Challenge of Online The Challenge of Online Educational ServicesEducational Services
Schools and districts are increasingly contracting out school functions
We have new types of data, and much more of it! Many online services do not utilize the traditional
2-party written contractual business model Increasing concern about the commercialization
of personal information and behavioral marketing We need to use that data effectively and
appropriately, and still protect students’ privacy
17
The U.S. Department of The U.S. Department of Education’s Role in Protecting Education’s Role in Protecting Student PrivacyStudent Privacy
Administering and enforcing federal laws governing the privacy of student information– Family Educational Rights and Privacy Act (FERPA)– Protection of Pupil Rights Amendment (PPRA)
Raising awareness of privacy challenges Providing technical assstance to schools, districts,
and states Promoting privacy & security best practices
18
Poll: FERPA AwarenessPoll: FERPA Awareness
Please rate your familiarity with FERPA:A) “FERPA, what’s FERPA?”
B) I know enough to be dangerous
C) You could add me to your national cadre of experts on FERPA: I’m an expert.
19
Family Educational Rights and Family Educational Rights and Privacy Act (FERPA)Privacy Act (FERPA)
Gives parents (and eligible students) the right to access and seek to amend their children’s education records
Protects personally identifiable information (PII) from education records from unauthorized disclosure
Requirement for written consent before sharing PII – unless an exception applies
20
But wait! There are But wait! There are exceptions!exceptions!
Two of FERPA’s exceptions to the parental consent requirement are most relevant when using education technology:
– Directory information exception
– School official exception
There are many other FERPA exceptions.
21
Directory Information Directory Information ExceptionException
Students don’t attend school anonymously. Allows schools to release certain information
without consent. A few examples:– name, address, telephone listing, electronic
mail address; – date and place of birth; – photographs; – weight and height of athletes; – degrees & awards received.
22
Directory Information Directory Information Exception Exception
Common uses:– Yearbooks– Concert programs– Telephone directories
Remember that parents have a right to opt-out
23
School Official ExceptionSchool Official Exception
Schools or LEAs can use the School Official exception to disclose education records to a third party provider (TPP) if the TPP:
– Performs a service/function for the school/district for which it would otherwise use its own employees
– Is under the direct control of the school/district with regard to the use/maintenance of the education records
– Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the school/LEA’s annual notification of rights under FERPA
– Does not re-disclose or use education data for unauthorized purposes
24
Poll: PPRA AwarenessPoll: PPRA Awareness
Please rate your familiarity with PPRA:
A)(Yawn) I know all about it.
B)I’ve worked with it, but only in regard to the survey provisions.
C)I have limited knowledge about PPRA
D)Oh yes, that stands for “Pen Pal Research Association” right?
25
Protection of Pupil Rights Protection of Pupil Rights Amendment (PPRA)Amendment (PPRA)
Amended in 2001 with No Child Left Behind Act Mostly known for provisions dealing with surveys in K-12 Includes limitations on using personal information
collected from students for marketing Parental notification and opportunity to opt out may be
required Development of policies in conjunction with parents may
be required However … a significant exception for “educational
products or services”
26
Question 1:Question 1:
Is student information used in online educational services protected by FERPA?
27
Is student information used in Is student information used in online educational services online educational services protected by FERPA?protected by FERPA?
It depends!
Some data used in online educational services is protected by FERPA.
Other data may not be.
Schools and Districts will typically need to evaluate the use of online educational services on a case by case basis to determine if FERPA-protected information is implicated.
28
Question 2:Question 2:
What does FERPA require if PII from students’ education records is disclosed to a provider?
29
What does FERPA require if PII What does FERPA require if PII is disclosed to a provider?is disclosed to a provider?
Parental consent for the disclosure; OR Disclosure under one of FERPA’s exceptions to the
consent requirement. Typically, either:– Directory Information exception
• Remember parents’ right to “opt-out”
– School Official exception• Annual FERPA notice• Direct control• Use for authorized purposes only• Limitation on re-disclosure• Remember parents’ right to access their student’s
education records
30
Question 3:Question 3:
Under FERPA and PPRA, are providers limited in what they can do with the student information they collect or receive?
31
Are providers limited in what they Are providers limited in what they can do with the student can do with the student information they collect or information they collect or receive?receive?
If PII is disclosed under the Directory Information exception:– No limitations
If PII is disclosed under the School Official exception:– PII from education records may only be used for the specific purpose for
which it was disclosed– TPPs may not sell or share the PII, or use it for any other purpose except
as directed by the school/district and as permitted by FERPA
When personal information is collected from a student, the PPRA may also apply!
– PPRA places some limitations on the use of personal information collected from students for marketing
32
Are providers limited in what they Are providers limited in what they can do with the student can do with the student information they collect or information they collect or receive?receive?
Remember, schools and districts have an important role in protecting student privacy.
Additional limitations and restrictions (beyond what FERPA, PPRA, and other laws require) may be written into the agreement between the school/district and the provider!
33
Question 4:Question 4:
What about metadata? Are there restrictions on what providers can do with metadata about students’ interactions with their services?
34
What about metadata?What about metadata?
“Metadata” are pieces of information that provide meaning and context to other data being collected, for example:
– Activity date and time– Number of attempts– How long the mouse hovered before clicking an answer
Metadata that have been stripped of all direct and indirect identifiers are not protected under FERPA (NOTE: School name and other geographic information can be indirect identifiers in student data)
Properly de-identified metadata may be used by providers for other purposes (unless prohibited by other laws or by their agreement with the school/district)
35
Other laws to considerOther laws to consider
Childrens Online Privacy and Protection Act (COPPA)– Applies to commercial Web sites and online services directed to children
under age 13, and those Web sites and services with actual knowledge that they have collected personal information from children
– Schools may exercise consent on behalf of parents in certain, limited circumstances (e.g., when it is for the use/benefit of the school and there is no other commercial purpose)
– Administered by the Federal Trade Commission– See http://www.business.ftc.gov/privacy-and-security/childrens-privacy
for more information
State, Tribal, or Local Laws
36
Best Practices for Protecting Best Practices for Protecting Student PrivacyStudent Privacy
Maintain awareness of other relevant laws Be aware of which online educational services are
currently being used in your district Have policies and procedures to evaluate and approve
proposed educational services When possible, use a written contract or legal agreement Be transparent with parents and students Consider that parental consent may be appropriate
37
Best Practices for Protecting Best Practices for Protecting Student PrivacyStudent Privacy
Maintain awareness of other relevant laws Be aware of which online educational services are
currently being used in your district Have policies and procedures to evaluate and approve
proposed educational services When possible, use a written contract or legal agreement Be transparent with parents and students Consider that parental consent may be appropriate
38
Best Practices for Protecting Best Practices for Protecting Student PrivacyStudent Privacy
Maintain awareness of other relevant laws Be aware of which online educational services are
currently being used in your district Have policies and procedures to evaluate and
approve proposed educational services When possible, use a written contract or legal agreement Be transparent with parents and students Consider that parental consent may be appropriate
39
Question 5:Question 5:
Can individual teachers sign up for free (or “freemium”) education services?
40
Using free educational servicesUsing free educational services
Remember the FERPA’s requirements for schools and districts disclosing PII under the school official exception.
– Direct control– Consistency with annual FERPA notice provisions– Authorized use– limits on re-disclosure
These services may also introduce security vulnerabilities into your school networks
It is a best practice to establish district/school level policies governing use of free services, and to train teachers and staff accordingly.
41
Best Practices for Protecting Best Practices for Protecting Student PrivacyStudent Privacy
Maintain awareness of other relevant laws Be aware of which online educational services are
currently being used in your district Have policies and procedures to evaluate and approve
proposed educational services When possible, use a written contract or legal
agreement Be transparent with parents and students Consider that parental consent may be appropriate
42
Best Practices for Protecting Best Practices for Protecting Student PrivacyStudent Privacy
Maintain awareness of other relevant laws Be aware of which online educational services are
currently being used in your district Have policies and procedures to evaluate and approve
proposed educational services When possible, use a written contract or legal agreement Be transparent with parents and students Consider that parental consent may be appropriate
43
Best Practices for Protecting Best Practices for Protecting Student PrivacyStudent Privacy
Maintain awareness of other relevant laws Be aware of which online educational services are
currently being used in your district Have policies and procedures to evaluate and approve
proposed educational services When possible, use a written contract or legal agreement Be transparent with parents and students Consider that parental consent may be appropriate
44
Question 6:Question 6:
What provisions should be in a school’s or district’s contract with a provider?
45
Best Practices for Contract Best Practices for Contract Provisions for Online Educational Provisions for Online Educational ServicesServices
Security and data stewardship provisions Data collection provisions Data use, retention, disclosure, and destruction provisions Data access provisions Modification, duration, and termination provisions Indemnification and warranty provisions
46
Question 7:Question 7:
What about online educational services that use “click-wrap” agreements instead of traditional contracts?
47
What to look for in “click-What to look for in “click-wrap” agreementswrap” agreements
When reviewing “click-wrap” agreements, schools and districts should also:Check amendment provisionsPrint (or save) the Terms of ServiceSpecify authority to accept the Terms of Service
48
Read the Guidance DocumentRead the Guidance Document
http://ptac.ed.gov/document/protecting-student-privacy-while-using-online-educational-services
49
ResourcesResources
Family Policy Compliance Office, U.S. Department of Education, Model Notice for Directory Information
PTAC Cloud Computing Best Practices
Federal Trade Commission Resources on COPPA and Children’s Privacy
National Institute of Standards and Technology, Cloud Computing Guidelines for Managing Security and Privacy
50
QuestionsQuestions
Please type your questions in the chat box in the lower left corner of the webinar screen.
51
Contact InformationContact Information
52
Telephone: (855) 249-3072
Email: [email protected]
FAX: (855) 249-3073
Website: www.ed.gov/ptac
FERPA and Student Privacy Protections: District Perspective
Themy Sparangis, Ed.D.
Chief Technology Director
Los Angeles Unified School District
• What are the benefits of using data to personalize instruction?
• How does LAUSD handle student data? • What is the impact of the new FERPA guidance on your
work and what do other district leaders need to know? • What approaches do you hope policymakers will take in your
state?
Q&A
• Please type questions or comments in the chat box on the left side of your screen.
Contact Information• Frank Miller, Management and Program Analyst, U.S.
Department of Education, [email protected] • Ross Lemke, Technical Assistance Manager, Privacy
Technical Assistance Center, U.S. Department of Education, [email protected]
• Themy Sparangis, Chief Technology Director, Los Angeles Unified School District, [email protected]
• Maria Worthen, Vice President for Federal and State Policy, iNACOL, [email protected]