1/23/2015. MSBO Technology Committee, January 22, 2015. Examples of Online Educational Services


Page 1

MSBO Technology Committee, January 22, 2015
Technology Policies: Online Educational Services
© 2015 Mika Meyers Beckett & Jones PLC. All Rights Reserved.
Presented by: Jennifer A. Puplava, Mika Meyers Beckett & Jones PLC, 900 Monroe Avenue NW, Grand Rapids, MI, (616)

Examples of Online Educational Services
- Internet-accessed email (gmail, hotmail, etc.)
- Software applications hosted in the Cloud (Office 365, Google Apps, etc.)
- Social networking tools (Facebook, Twitter, etc.)
- Mobile applications
- Other web-based tools

Relevant Laws & Guidance
- Family Educational Rights & Privacy Act ("FERPA")
- Protection of Pupil Rights Amendment ("PPRA")
- Children's Online Privacy Protection Act ("COPPA")
- Children's Internet Protection Act ("CIPA")
- Department of Education guidance documents
- State law (e.g., Internet Privacy Protection Act, data breach notification requirements, etc.)
- Student Privacy Pledge (Future of Privacy Forum, Software and Information Industry Association)
- New federal legislation on the horizon?

Page 2

Examples of Relevant Required Policies
- Internet safety (CIPA)
- Handling of electronic protected health information (HIPAA)
- Parental access to instructional material (PPRA)
- Handling of student education records (FERPA)
- Intellectual property (control procedures under the Copyright Act, etc.)
- Collection of personal information from students (COPPA)

Other Potentially Affected Policies and Procedures
- Acceptable use / responsible use / code of conduct
- Cloud computing policy
- Collection, maintenance and dissemination of student records
- Contracting and procurement
- Staff authority

FERPA
- If personally identifiable information ("PII") from an education record is supplied to a provider of online educational services, FERPA requirements must be met
- FERPA statute and regulations require schools to manage education records and PII securely
- Parents/students must be able to access education records
- School/district is responsible for the privacy and security of educational data in the cloud

Page 3

FERPA: Education Records
- Not every email or other electronic document created by a teacher or school administrator is an education record
- Difficult to determine what is an education record
- Many new technologies are likely to result in the storage or transmission of information that will be considered an education record
- Determination of what is an education record must be made on a case-by-case basis

Not an Education Record: Directory Information
- Required to send notice to parents (generally included in the annual FERPA notice)
- What if parents opt out of disclosure of directory information?
- Presumption that disclosure of directory information is not harmful is eroding

School Official FERPA Exception
Requirements for the exception:
- Must perform a service or function for which the school would otherwise use its own employees
- School/district must have control
- Provide sufficient parental notice of student data-sharing practices
- Include in the FERPA notice the criteria for who constitutes a school official and what constitutes a legitimate educational interest

Page 4

School Official FERPA Exception (Cont'd)
- The vendor must be under the direct control of the school with regard to use and maintenance of the records
- Exception can be established through a contract or terms of service agreement
- 2014 ED Guidance arguably necessitates physical, technological, and administrative controls to prevent unauthorized access
- Must use the records only for authorized purposes (i.e., no marketing)
- Must not disclose education records to third parties

Examples under FERPA
- Storing student information in the cloud is not prohibited
- Interactive exercises offered by a provider without login may not trigger FERPA
- De-identified/stripped metadata may not trigger FERPA?

PPRA
- Schools must make certain instructional materials available to parents and obtain parental consent before requiring students to participate in some surveys, analyses or evaluations
- School must have a policy addressing the collection, disclosure, or use of student PII for the purpose of marketing or selling
- Exception: use of PII for the exclusive purpose of developing, evaluating or providing educational products or services
- Be wary of online service providers having interactions with students; address this in the written contract or check the TOS

Page 5

COPPA
- COPPA imposes requirements on operators to give parents control over which information is collected from children online
- Schools/districts must be careful to avoid unwittingly providing consent to operators
- Understand fully the purpose for which any personal information is collected and how it is used or shared by the operator

CIPA Internet Safety Policy
- Technology protection measure that protects against Internet access to obscene materials, child pornography, and material harmful to minors
- Monitoring online activities of minors
- Minors will be educated about appropriate online behavior

CIPA Internet Safety Policy (Cont'd)
- Access by minors to inappropriate matter on the Internet
- Safety and security of minors when using electronic resources
- Hacking and other unlawful online activities
- Unauthorized disclosure, use and dissemination of PII
- Measures designed to restrict minors' access to materials harmful to them

Page 6

HIPAA
- Compliance with HIPAA security standards
- Implementation specifications for electronic protected health information (e-PHI)
- Physical and technical safeguards
- Organizational requirements

Procurement Policy/Process
- Make decisions regarding appropriate sites/services at the school/district level instead of at the classroom level
- Individual educators deploying new tech in their classrooms are creating great risk to the school/district
- Have written agreements with all vendors
- All agreements (click-through or formal) need to be vetted
- Written agreements are better than standard terms of service; never assume terms are nonnegotiable
- Conduct due diligence of operators/vendors

Best Practices: Using Policies
- See preceding slides for policy topics
- Monitor applicable laws and regulations
- Regularly review and update policies
- Use policies and procedures to establish clear processes for evaluating and approving online educational services
- Communicate policies to all staff, administrators, and faculty, and provide training
- Consistent information and communication with students, parents, and the community about privacy rights, school practices and policies

Page 7

Best Practices to Protect Privacy
- Privacy assessment: conduct an inventory of data and of online educational resources used within the school/district
  - What data is collected?
  - How is data collected and disclosed?
  - How is data used?
  - Does law or policy restrict what can be done with the data?

Best Practices: FERPA/PPRA
- Carefully word the annual FERPA/PPRA notice
- Define school officials carefully
- Use only those services in which the terms of service allow the school/district to retain actual control
- Establish direct control requirements through contract terms
- Use a written contract or legal agreement wherever possible
- Review vendor policies; understand the purpose for which information will be collected, how it will be used, and whether actual parental consent will be required
- Identify and provide appropriate notices to parents and obtain required consents

Best Practices for Minimizing Security Risk
- Encryption
- Security software/patches; antivirus software
- Monitoring and oversight
- Policies, audits, training
- Due diligence of vendors and solutions
- Contracts

Page 8

Best Practices: Contractual Terms
- Set limits on how the operator/vendor can use student, staff, and faculty data
- Implement appropriate measures where vendors/operators plan to make collateral commercial use of student personal information
- Address whether storage and processing outside the US will be allowed
- Address ownership of data
- Address confidentiality of data
- Incorporate regulatory restrictions (including re-release restrictions in FERPA, etc.)

Best Practices: Contractual Terms
- Establish security and access provisions
- State the operator/vendor's responsibility in the event of a data breach
- Require security of data in transit through the use of SSL or other means
- Address how data will be treated upon contract termination
- Ensure the school will be able to accept data in a specified format

Best Practices: Contractual Terms
- Identify the parties' liabilities and indemnification obligations
- Address retention, modification, and destruction
- Address service levels and remedies
- Include intellectual property warranties and other IP issues
- State pricing and payment terms
- Address accessibility of data by parents, school, and students

Page 9

Best Practices: Contractual Terms
Extra steps for clickwrap licenses:
- Determine whether the TOS can be amended without notice
- Print and save a copy of the TOS
- Limit authority to accept TOS

Best Practices: Acceptable Use Policy
- Code of conduct for student, staff, and faculty use of technology
- Statement regarding compliance with applicable laws
- Disclaimer of responsibility/limitation of liability
- Description of consequences for violating the AUP

Helpful Links
- Privacy Technical Assistance Center:
- Privacy Pledge:
- Consortium for School Networking:
- NSBA:
- EDUCAUSE:

Page 10

Questions?
Jennifer Puplava, (616)

Disclaimer: This presentation is to assist in a general understanding of some of the legal issues involved, and is not intended as legal advice. Persons with particular questions should seek the advice of counsel.