Technology and Data Privacy Committee June 30, 2014

Transcription

1 Technology and Data Privacy Committee June 30, 2014

2 Agenda 6/30 Committee Chair FERPA Review Policies Policy Example Tech Initiative - Title 1 Schools 1-to-1 Wrap-up Calendar Data Governance update

3 Today Family Educational Rights and Privacy Act (FERPA) FERPA 101 with Jim Branum Next Meeting Deeper Dive into FERPA with Kristin Edgar JRA/JRC Policy Review Vendor Contract Language

4 FERPA 101: An Overview Technology and Data Privacy Advisory Committee June 30, 2014

5 FERPA 101: Basics Family Educational Rights and Privacy Act Enacted U.S.C. 1232g and 34 CFR Part 99 Enforced by the Family Privacy Compliance Office within the U.S. Department of Education Applies to educational agencies that receive federal funding

6 FERPA 101: What Does it Do? Parents and eligible students have the right to inspect and seek amendment of their education records Generally prohibits the disclosure of personally identifiable information from education records, subject to certain exceptions

7 FERPA 101: Key Definitions Education records means records that are directly related to a student and maintained by a school or a party acting for the school Record means any information recorded in any way, including, but not limited to, hand writing, print, computer media, video or audio tape, film, microfilm, and microfiche

8 FERPA 101: Key Definitions Personally identifiable information includes student s name, parent/family member names, address of student/student s family, social security number or biometric record, date of birth, place of birth, mother s maiden name, and other information, that alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty

9 FERPA 101: Key Exceptions School officials who have a legitimate educational interest in the records School official may include a contractor, consultant, volunteer, or other party to whom a school has outsourced institutional services or functions Organizations conducting studies for, or on behalf of schools to develop, validate, or administer predictive tests, administer student aid programs, or improve instruction

10 FERPA 101: Key Exceptions Authorized representatives of the Comptroller General, the Attorney General, the Secretary, or state and local educational authorities Authorized representative means any entity or individual designated by a state or local educational authority or an agency headed by one of the officials listed above to conduct with respect to federal or state-supported education programs any audit or evaluation, or any compliance or enforcement activity in connection with federal legal requirements that relate to these programs

11 FERPA 101: Key Exceptions Directory information if a school has given public notice to parents and eligible students of the personally identifiable information designated as directory information Parents and eligible students have the right to refuse to let the school designate any or all of those types of information as directory information

12 FERPA 101: 2008 Revisions More exceptions added to the prior consent requirement: Records may be disclosed to accrediting organizations Records may be disclosed when, in the judgment of school officials, there is a threat to the health or safety of students Records disclosed to parents of eligible students under certain circumstances (e.g., eligible student is a dependent for tax purposes) Records disclosed to juvenile justice authorities as permitted by state law

13 FERPA 101: 2008 Revisions Disclosure of de-identified records permitted without consent for educational research purposes PII definition expanded to include biometric records, date of birth, mother s maiden name, and other information that would allow identification of a specific student

14 FERPA 101: 2008 Revisions Expand school official exception to include contractors, consultants, volunteers and other outside service providers used by a school to perform institutional services/functions. However, this must be specified in the school s annual FERPA notification. Schools must use reasonable methods to ensure that school officials only access those records in which they have a legitimate educational interest.

15 FERPA 101: 2012 Revisions Changes to directory information regulations to lessen the burden of obtaining consent for more mundane uses of student information. Schools able to adopt limited directory information policies to allow disclosure for specific, limited purposes. Parents who opt out of directory information designation may not prevent a school from requiring students to wear IDs or badges.

16 FERPA 101: 2008 Revisions Clarify studies exception Schools who disclose records under the studies exception must enter into a written agreement with the recipient organization that specifies the purpose/scope/duration of the study, limits use of the records, and limits redisclosure of the records Expands list of institutions that may redisclose education records without consent Now Federal and state officials that receive education records under the audit, evaluation, and compliance exceptions may redisclose records under certain conditions

17 FERPA 101: 2012 Revisions Changes to audit/evaluation and studies exceptions Broadens the definition of authorized representative. Previously did not include non-educational State and Federal agencies. Regulations revised to define an authorized representative as any entity or individual designated by a State or local educational authority or an agency headed by an official listed in 99.31(a)(3) who is involved in Federal- or State-supported education programs. State and local education authorities now able to share data with other government agencies that are not under their direct control, provided those agencies are involved in Federal- or State-supported education programs.

18 FERPA 101: 2012 Revisions Changes to audit/evaluation and studies exception continued: Defines education program as any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution. Education program includes more than just schools.

19 James Branum, Esq

20 Deeper Dive into FERPA In preparation for our deeper dive, do you have any questions that were not answered in the FERPA 101 presentation? In preparation for the upcoming policy review of JRA/JRC, Jeffco s FERPA policy, what questions do you have at this time?

21 Policy Review Review format Scope Summary Challenges served by the policy Compare education challenge to business JS Student use of the internet JSA Student use of personal devices

22 JS Student Use of Internet Applies to all students using Jeffco network resources Applies to Jeffco students using Jeffco devices outside district buildings Ensures that students are safe online and practice good digital citizenship Part of our policy and control set ensuring CIPA compliance and E-Rate funding

23 JS Student Use of Internet Outline Use is a privilege No expectation of privacy Place a student at a resource at a time Limit harassment Limit profane material Limit hacking Collaborative technologies Limit blending of personal and professional life Limit digital footprint

24 JSA Student Use of Personal Devices Applies to all students connecting personal devices to the District s network Addresses complex issues that arise as personal and professional lines are blurred Policy along with technical controls tie a student to a device at a time

25 JSA Student Use of Personal Devices Outline Use is a privilege Registration process (no shared access) Network protections No expectation of privacy Limit District s liability Limit District s responsibility for support

26 Tech Initiative Title 1 Schools 1-to-1

27 Calendar Review Technology and Data Privacy Advisory Committee Agenda Calendar Housekeeping Schedule Minutes Policy Review Technology Initiatives/Activities Other Risk, reports and follow-up Responsibilities and Activities Frequency Meeting Dates June July Aug Sept Oct Nov Dec Jan Feb Mar Apr 6/30 7/17 Committee Meetings 1 2 Schedule meetings for the fiscal year. Review and approve Committee minutes Annual - Monthly? Quarterly Policy Review Schedule a. Scope b. Summary c. What challenges are covered by the policy d. Compare challenges between district and business JS - Student Use of the Internet JSA - Student Use of Personal Devices JRA/JRC - Student Records/Release of Information on Students EHB - Cloud Vendor Assessment EHBA - Electronic Signatures EHBB - Technology Acquisition Policy GBEE - Staff Use of Internet GBEE-R - Elevated Privileges EH - Data Management EH-R - Data Classification EHA - Internet DMZ EHA-R - Key Escrow Management EHA-E1 - Linux Server Hardening EHA-E2 - Windows Server Hardening EHA-E3 - Router Switch Network Device Hardening EHAA - Computer Security EHAA-R1 - Audit Policy EHAA-R2 - Authentication Policy EHAA-R3 - Encryption Policy EHAA-R4 - Risk Assessment EHAC - Exception Management Policy EHAA-E - Incident Handling Overview of Technology Initiatives/Activities FERPA Overview and changes; prep for JRA/JRC policy review July Title 1 Schools 1-to-1 Initiative IT Security Overview Technology Plan Mobile Device Readiness (MDR) Data Privacy Presentation from legal consultant, Dave Navetta (tentative) Technology Acquisition approval process Data Lifecycle Data Transparency Data Governance Status Risk Management Reports/Updates 1 2 3?? Monthly May Jun

28 Data Governance Review * Scope Privacy & Security Policies, Audit, Encryption Policy review, update, new; 95% Data Quality Identify, Map, Master, Metadata, Lifecycle Dataset inventory 90%; Review phase Governance Awareness, Training, Planning, Monitoring DGIQ Conference best practices, tools Continuing the framework of quality; refining the bucket list