Policy Student Data Protection and Privacy/Cloud-based Issues

Transcription

1 Policy Student Data Protection and Privacy/Cloud-based Issues DATE: March 7, 2016 PREVIOUS ITEM: None ENCLOSURES: CABE s Suggested Policy CABE s January 23, 2015 Policy Update REASON: To Remove Policy from Table with Possible Action BACKGROUND: This policy was tabled at the January 19, 2016 Board of Education Meeting. This is a suggested policy from CABE, and does not currently exist in our policies. It was reviewed by the Supervisor of Information Technology and he is recommending adopting CABE s suggested policy. CABE s suggested policy addresses privacy concerns for student data that may be managed in the "cloud" by third party providers. It also addresses student s data that is saved and maintained by students if we move storage to the "cloud". While we do not do this currently there has been discussion of moving out student information system E School Plus to the "cloud" to be managed by SunGard. This policy would address any privacy concerns with moving such data to the cloud. ACTION: Accept or Reject

2 (a) A new policy to consider. Data-Based Information and Management Systems Student Data Protection and Privacy/Cloud-based Issues The Board of Education (Board) may, pursuant to this policy, enter into a contract with a third party for either or both of the following purposes: 1. To provide services, including Cloud-based services, for the digital storage, management, and retrieval of student records. 2. To provide digital educational software that authorizes a third-party provider of digital educational software to access, store, and use student records in accordance with the contractual provisions listed below. The Board, when entering into a contract with a third party for purposes listed above, shall ensure the contract contains all of the following: 1. A statement that student records continue to be the property of and under the control of the Board. 2. A description of the means by which students may retain possession and control of their own student-generated content, if applicable, including options by which a student may transfer student-generated content to a personal account. 3. A prohibition against the third party using any information in the student record for any purpose other than those required or specifically permitted by the contract. 4. A description of the procedures by which a parent, legal guardian, or eligible student may review personally identifiable information (PII) in the student s records and correct erroneous information. 5. A description of the actions the third party will take, including the designation and training of responsible individuals, to ensure the security and confidentiality of student records. Compliance with this requirement shall not, in itself, absolve the third party of liability in the event of an unauthorized disclosure of student records. 6. A description of the procedures for notifying the affected parent, legal guardian, or eligible student in the event of an unauthorized disclosure of the student s records.

3 (b) Data-Based Information and Management Systems (continued) Student Data Protection and Privacy/Cloud-based Issues (continued) 7. A certification that a student s records shall not be retained or available to the third party upon completion of the terms of the contract and a description of how that certification will be enforced. This requirement shall not apply to student-generated content if the student chooses to establish or maintain an account with the third party for the purpose of storing that content pursuant to item #2 above. 8. A description of how the Board and the third party will jointly ensure compliance with the federal Family Educational Rights and Privacy Act (FERPA). 9. A prohibition against the third party using personally identifiable information in student records to engage in targeted advertising. In addition to any other penalties, a contract that fails to comply with the requirements of this policy shall be rendered void if, upon notice and a reasonable opportunity to cure, the noncompliant party fails to come into compliance and cure any defect. Written notice of noncompliance may be provided by any party to the contract. All parties subject to a contract voided under this section of the policy shall return all student records in their possession to the Board of Education. The Board prohibits an operator of an Internet website or online service from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile the personal information of a minor for the purpose of marketing or advertising specified types of products or services. This prohibition is also applicable to an advertising service that is notified by an operator of an Internet website, online service, online application, or mobile application that the site, service, or application is directed to a minor. The Board prohibits an operator of an Internet website, online service, online application, or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians, using covered information to amass a profile about a K-12 student, selling a student s information, or disclosing covered information, as provided. The Board requires an operator to implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, to protect the information from unauthorized access, destruction, use, modification, or disclosure, and to delete a student s covered information if the school or District requests deletion of data under the control of the school or District. The Board authorizes the disclosure of covered information of a student under specified circumstances.

4 (c) Data-Based Information and Management Systems (continued) Student Data Protection and Privacy/Cloud-based Issues (continued) Definitions 1. Deidentified information means information that cannot be used to identify an individual student. 2. Eligible student means a student who has reached 18 years of age. 3. Student-generated content means materials created by a student, including, but not limited to, essays, research reports, portfolios, creative writing, music or other audio files, photographs, and account information that enables ongoing ownership of student content. Student-generated content does not include student responses to a standardized assessment where student possession and control would jeopardize the validity and reliability of that assessment. 4. Student records means both of the following: a. Any information directly related to a student that is maintained by the school district. b. Any information acquired directly from the student through the use of instructional software or applications assigned to the student by a teacher or other district employee. Student records does not mean any of the following: a. Deidentified information, including aggregated deidentified information, used by the third party to improve educational products for adaptive learning purposes and for customizing student learning. b. Deidentified information, including aggregated deidentified information, used to demonstrate the effectiveness of the operator s products in the marketing of those products. c. Deidentified information, including aggregated deidentified information, used for the development and improvement of educational sites, services, or applications.

5 (d) Data-Based Information and Management Systems (continued) Student Data Protection and Privacy/Cloud-based Issues (continued) Definitions (continued) 5. Third party (provider or vendor) refers to a provider of digital educational software or services, including Cloud-based services, for the digital storage, management, and retrieval of student records. These are outside companies providing Internet-based educational services to schools, school districts, teachers, parents, students and communities. 6. Operator means the operator of an Internet website, online service, online application, or mobile application with actual knowledge that the site, service, or application is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. 7. Online service includes Cloud computing services, which must comply with this policy if they otherwise meet the definition of an operator. 8. Covered information means personally identifiable information or materials, in any media or format that meets any of the following: a. Is created or provided by a student, or the student s parent or legal guardian, to an operator in the course of the student s, parent s, or legal guardian s use of the operator s site, service, or application for K-12 school purposes. b. Is created or provided by an employee or agent of the K-12 school, school district, local education agency, to an operator. c. Is gathered by an operator through the operation of a site, service, or application and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student s educational record or , first and last name, home address, telephone number, address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

6 (e) Data-Based Information and Management Systems (continued) Student Data Protection and Privacy/Cloud-based Issues (continued) Definitions (continued) 9. K-12 school purposes means purposes that customarily take place at the direction of the K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. The Board, through this policy, places restrictions on an operator as defined in this policy. An operator shall not knowingly engage in any of the following activities with respect to their site, service, or application: 1. Engage in targeted advertising on the operator s site, service, or application; or 2. Target advertising on any other site, service, or application when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator s site, service, or application.. 3. Use information, including persistent unique identifiers, created or gathered by the operator s site, service, or application, to amass a profile about a K-12 student except in furtherance of K-12 school purposes; 4. Sell a student s information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this policy with respect to previously acquired student information; 5. Disclose covered information unless the disclosure is made: a. In furtherance of the K-12 purpose of the site, service, or application, provided the recipient of the covered information disclosed shall not further disclose the information unless done to allow or improve operability and functionality within that student s classroom or school;

7 (f) Data-Based Information and Management Systems (continued) Student Data Protection and Privacy/Cloud-based Issues (continued) b. To ensure legal and regulatory compliance; c. To respond to or participate in judicial process; d. To protect the safety of users or others or security of the site; or e. To a service provider, provided the operator contractually; i. prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, ii. prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and iii. requires the service provider to implement and maintain reasonable security procedures and practices. The Board expects an operator to fulfill the following requirements: 1. Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure. 2. Delete a student s covered information if the school or district requests deletion of data under the control of the school or district. 3. Disclose covered information of a student under the following circumstances: a. If provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information. b. For legitimate research purposes: i. as required by state or federal law and subject to the restrictions under applicable state and federal law, or

8 (g) Data-Based Information and Management Systems (continued) Student Data Protection and Privacy/Cloud-based Issues (continued) ii. as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes. c. To a state or local educational agency, including schools and school districts, for K- 12 school purposes, as permitted by state or federal law. This policy does not prohibit an operator from using deidentified student covered information as follows: 1. Within the operator s site, service, or application or other sites, services, or applications owned by the operator to improve educational products. 2. To demonstrate the effectiveness of the operator s products or services, including in their marketing. This policy does not prohibit an operator from sharing aggregated deidentified student covered information for the development and improvement of educational sites, services, or applications. This policy shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to a court order. This policy does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes. This policy does not apply to general audience Internet websites, general audience online services, general audience online applications, or general audience mobile applications, even if login credentials created for an operator s site, service, or application may be used to access those general audience sites, services, or applications.

9 (h) Data-Based Information and Management Systems (continued) Student Data Protection and Privacy/Cloud-based Issues (continued) This policy does not limit Internet service providers from providing Internet connectivity to schools or students and their families. This policy shall not be construed to prohibit an operator of an Internet website, online service, online application, or mobile application from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered by this policy. This policy does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents. If the provisions of this policy are in conflict with the terms of a contract in effect before the adoption date of this policy, the provisions of this policy shall not apply to the District or the third party subject to that agreement until the expiration, amendment, or renewal of the agreement. (cf Information Security Breach and Notification) (cf Electronic Information Security) (cf Data-Based Information Management System Confidentiality Policy) (cf Student Records) (cf Surveys of Students/Student Privacy) Legal Reference: Connecticut General Statutes 1-19(b)(11) Access to public records. Exempt records Destruction of documents b Access of parent or guardians to student s records Records not to be public. 11-8a Retention, destruction and transfer of documents 11-8b Transfer or disposal of public records. State Library Board to adopt regulations.

10 (i) Data-Based Information and Management Systems (continued) Student Data Protection and Privacy/Cloud-based Issues (continued) Legal Reference: Connecticut General Statutes (continued) 46b-56(e) Access to Records of Minors. Connecticut Public Records Administration Schedule V - Disposition of Education Records (Revised 1983). Federal Family Educational Rights and Privacy Act of 1974 (section 438 of the General Education Provisions Act, as amended, added by section 513 of P.L , codified at 20 U.S.C.1232g). Dept. of Educ, 34 C.F.R. Part 99 (May 9, FR 30802) regs. implementing FERPA enacted as part of 438 of General Educ. Provisions Act (20 U.S.C. 1232g) parent and student privacy and other rights with respect to educational records, as amended 11/21/96. Protection of Pupil Rights Amendment (PPRA) 20 U.S.C. 1232g (2014) Children s Online Privacy Protection Act (COPPA) 15 U.S.C et seq. (2014) Policy adopted: EAST HARTFORD PUBLIC SCHOOLS East Hartford, Connecticut

11 T CLOUD COMPUTING/STUDENT PRIVACY ISSUES FOR SCHOOL DISTRICTS PAGE 1 UPDATE MAILING NO. 2 JANUARY 23, 2015 echnology is being used in ways that are innovative in scope and reach, accessing the latest software applications and using electronic pathways to store and process information. It is becoming rare for a school district to house, process, and transmit the trove of educational and business records necessary to keep a school system operating effectively on servers maintained solely by a district IT department. School districts are now doing much of its computing online. The shift to a new digital infrastructure has been made necessary by the ubiquity of personal devices such as tablets and cell phones. We expect to access, transmit, and store vast amounts of information instantly. This technological marvel that involves both process and substance, and hardware and software is more than the Internet. It has come to be known simply as the Cloud. The Cloud s presence in both our personal and professional lives has happened so quickly and so subtly that most of us barely perceive its operation, although we feel its impact. In fact, many of the educational tools employed by teachers and district offices operate through an Internet connection only. The advantages of Cloud-based platforms and learning tools are obvious ease, convenience, 24/7 accessibility, less staff time maintaining on-site servers, individualized learning, and compliance with testing requirements, to name a few. However, along with these benefits come serious challenges, particularly the potential for loss of privacy that accompanies the transfer of personal student information to the Cloud. Concerns about data privacy are real and must be addressed by public school districts. While Cloud computing presents a great opportunity for schools, it also creates data protection and privacy issues by placing a very large amount of student, teacher, and institution data into the hands of a third-party provider. There is increased concern about protecting student data privacy. We are all more aware now about the kinds of personal information being exchanged through digital devices. The news about government surveillance programs, research reports, surveys, and official guidance from the U.S. Department of Education have focused the national spotlight on data privacy, particularly privacy of student data. With the increased public attention to this issue has come a wave of state-level proposed legislation, and federal legislation is anticipated. School leaders need to articulate the district s commitment to protect student privacy, and its policies and practices. Teachers and administrators must understand the necessity of taking steps to ensure that Cloud services deployed throughout district s offices and classrooms comply with all applicable laws and district policies. The school district community, including parents should be consulted and educated about the district s use of the Cloud. Community feedback may significantly influence the direction a school district goes with restrictions placed on student data in the Cloud. One community may influence school board policy that absolutely prohibits the disclosure and use of aggregate data by third parties for advertising and commercial purposes. Another community may be less concerned with the use of data for commercial purposes if that meant a cost savings for the district and/or a product that is easier for teachers, students, and families to use.

12 CLOUD COMPUTING/STUDENT PRIVACY ISSUES FOR SCHOOL DISTRICTS PAGE 2 UPDATE MAILING NO. 2 JANUARY 23, 2015 Online or Cloud-based Tools and Student Data Privacy Every device and application with a connection to the Internet potentially collects student data, from the school district s system to the videorecording app a teacher directs his/her students to use via digital tablets in the classroom. Perhaps the most obvious example of a Cloud-based application is Internet-accessed . Services like Gmail, Yahoo mail, and Hotmail allow users to access and send s anytime and anywhere through an Internet connection. The applications are installed, maintained, and upgraded remotely in the Cloud by a third-party service provider. School districts can work to protect student data privacy more directly through districtwide systems such as and records management, where the district has some control over the terms of the contract with the provider. Districts across the country are working hard to configure their data systems to allow for the greatest efficiency while still maintaining security for student and employee privacy. More difficult student data privacy issues arise with the universe of applications available to individual staff and students through a simple Internet connection, often to a device that can fit in a pocket. These applications create separate doors to district data that it may not be able to control in every case. Both types of applications, the district-wide data management systems and the myriad tools available for specific pedagogical needs, create opportunities for release of student data. Once school district information is transferred or stored in the Cloud, as opposed to on an on-site server, it is housed on a system operated by others, usually on shared servers. This means that the school district does not have physical control over the data, even if the contract states that the district retains control. School networking professionals note the following potential issues that may arise: Data breach caused by faulty configuration, patching, and updates, or software viruses or exploits; Data loss by users who, knowingly or not, expose information by sharing or sending it; Password reuse due to lax controls (i.e., password written on a sticky note); and Collection and aggregation of personally identifiable data and metadata for potential use in advertising and sale to third parties. Data breaches tend to receive a great deal of public attention. The greatest concern is the ability of service providers to collect and store profiles of students or their families on their use of an application that is gathering concern. Such information could be used to target advertising to students or their families.

13 CLOUD COMPUTING/STUDENT PRIVACY ISSUES FOR SCHOOL DISTRICTS PAGE 3 UPDATE MAILING NO. 2 JANUARY 23, 2015 Laws to Protect Student Data Privacy There are numerous laws that potentially govern student data privacy. The most directly applicable to school districts and service providers are the Family Educational Rights and Privacy Act (FERPA) and its sister statute, the Protection of Pupil Rights Amendment (PPRA), which apply to educational institutions that receive federal financial assistance; and the Children s Online Privacy Protection Act (COPPA), which applies to operators of websites and mobile apps that are directed to or known to be used by children under the age of 13. Today, student records are often maintained electronically. School districts are moving their work, including innovative learning tools, and the data they collect and store to Cloud-based platforms to reduce the need for servers on-site and to allow anytime/anywhere access. In addition, teachers and students are taking advantage of Internet and Cloud-based learning tools separate from any official school district program. Vendors are creating apps daily that will allow them to collaborate and communicate. The implementation of the Common Core and the emphasis on testing to assess and improve student achievement and to individualize learning has resulted in school districts collecting and using student data like never before. Family Educational Rights and Privacy Act (FERPA): FERPA prohibits school districts from disclosing, except in limited instances, personally identifiable information (PII) contained in students education records without the consent of the parent or eligible student. Educational records may include a range of written and electronic files. Generally, anything that is considered PII in an education record, including s and other communications or documents created by students, teachers, and administrators, is governed by FERPA. Any time a school district (or even a classroom teacher) deploys new technology; the administration should consider the FERPA implications. Under FERPA, elementary and secondary education records include records, files, documents, and other materials that: (1) contain information directly related to a student; and (2) are maintained by an educational agency or institution or by a person acting for such agency or institution. Many new technologies are likely to result in the storage or transmission of information that also will be considered an education record under FERPA, but a few may not. It may be prudent for school district policy to presume that all data created by students, teachers, and staff related to students is an education record, and to retain control over it. This presumption will help the administration direct third-party technology providers as to how they should handle the data, how they can use it, and with whom they can share it. Storing student information in the Cloud is permitted under FERPA. The FERPA statute and regulations require schools to manage education records and student PII securely. Best practices suggested by the U.S. Department of Education and elsewhere indicate that the school or district should authorize its staff to use only those services in which the terms of service allow the school/district to retain enough control, and provide sufficient parental notice, to invoke the school official exception described below.

14 CLOUD COMPUTING/STUDENT PRIVACY ISSUES FOR SCHOOL DISTRICTS PAGE 4 UPDATE MAILING NO. 2 JANUARY 23, 2015 There are two exceptions to FERPA s requirement of parental consent that may allow school staff to disclose PII in education records under certain circumstances. Directory information under FERPA is not an education record, but is information that historically has not been considered harmful if disclosed, such as a student name or address. Directory information may be released without parent or student consent, provided that the district has designated and published in a public notice the specific types or categories of information that will be disclosed as such. Because parents must be able to opt out of disclosure of directory information, however, it is difficult for school districts to rely regularly on the directory information rules to transfer student information to third parties. More often, when a school district employs online educational services, it will do so under the school official exception, which allows a district to disclose FERPAprotected records without consent to a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions. A district may use the so-called school official exception for disclosure of education records to online service providers, but the requirements of that exception must be met: 1. The designated school official must perform a function that the school or district would otherwise have used its own employees to perform. 2. The school district must set up reasonable methods to ensure that the service provider/school official accesses only student records in which it has a legitimate educational interest; that the service provider is under the direct control of the district with regard to the use and maintenance of the records; and that the provider uses FERPA-protected information only for the purposes for which the disclosure was made, and refrains from disclosure to other parties without authorization. What can Cloud service providers do with the student data once it is in the Cloud? FERPA regulates educational agencies or institutions, not Cloud service providers. The school district is responsible for privacy and security of educational data in the Cloud. When the school official exception is in play, the provider may not use FERPAprotected information for any other purpose than that for which it was disclosed, but it is the district s responsibility to enforce that requirement. If student information is transferred to a provider through an app or service, does FERPA require that the district give parents notice? It depends on which FERPA rule the school district is using. If the disclosure is made under the directory information concept, it must fall under one of the elements/categories of directory information that has been listed and published previously in a public notice (usually the annual FERPA notice sent home to parents). Under the school official exception, the district must specify in its annual FERPA notice the criteria for determining who constitutes a school official and what constitutes a legitimate educational interest.

15 CLOUD COMPUTING/STUDENT PRIVACY ISSUES FOR SCHOOL DISTRICTS PAGE 5 UPDATE MAILING NO. 2 JANUARY 23, 2015 Rather than undertaking the practically impossible task of identifying which bits of school district student data are subject to FERPA, it may be prudent for school officials and attorneys to craft policy that presumes that all data created by students, teachers and staff related to students is afforded education record status for purposes of directing third-party technology providers on how they should handle the data, how they can use it, and with whom they can share it. Personally Identifiable Information (PII) becomes a particularly difficult concept to apply in the Cloud. Determining what portions of an education record should be considered PII is a challenging and contextspecific inquiry that is the school district s responsibility by law. Therefore, school districts should preclude third-party service providers from making determinations about what elements of an education record are or are not PII. The most conservative course to take is to consider all data protected by FERPA. Protection of Pupil Rights Amendment (PPRA): including district testing. School districts must give parents at least annual notice of PPRA policies, an opportunity to opt out of instructional activities related to these subjects, and notice of specific events surrounding these subjects. Children s Online Privacy Protection Act (COPPA): COPPA imposes certain requirements on website (and mobile app) operators to place parents in control over what information is collected from their young children online. The Federal Trade Commission (FTC) enforces COPPA, and it has issued rules and guidance that apply to operators that collect, use, or disclose personal information from children, and those with actual knowledge that they are collecting, using, or disclosing personal information from children under the age of 13. Personal information includes: geolocation data, photos, videos, and audio files that contain a child s image or voice, and persistent identifiers (tracking cookies). COPPA requires that such operators obtain parental consent before undertaking such activities. The PPRA requires schools and contractors to make certain instructional materials available for inspection by parents and to obtain written parental consent before requiring minor students to participate in some surveys, analyses, or evaluations that reveal information concerning certain subjects. The law also requires school districts to develop policies in consultation with parents on the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information, though there is an exception to this requirement for educational products or services,

16 CLOUD COMPUTING/STUDENT PRIVACY ISSUES FOR SCHOOL DISTRICTS PAGE 6 UPDATE MAILING NO. 2 JANUARY 23, 2015 When a school contracts with a Cloud vendor to provide online services to students, it may provide consent under COPPA on behalf of the parents under certain circumstances, but school personnel need to understand fully the purpose for which any personal information about students is collected and how it is used or shared by the operator. The FTC has stated that there is a difference between collection, use, or sharing of a child s personal information for the use and benefit of the school, and collection, use, or sharing for other commercial purpose. An operator will need to obtain actual parental consent (not school district consent) when it intends to use or disclose children s personal information for its own commercial purposes in addition to the provision of services to the school. Do FERPA, PPRA, and COPPA cover all student data privacy issues? No. The laws provide a basic framework, but not a complete regulatory scheme for addressing student data privacy issues. As noted by the U.S. Department of Education, simply because an online educational service collects or maintains student information does not mean that such information is protected by FERPA or PPRA. FERPA may not require parental notice or consent for every release of student information. For example, metadata, such as the amount of time a student takes to perform a particular task, how many attempts he or she made, or how long the student s mouse hovered over an item, could be disclosed consistent with FERPA if they are stripped of all direct and indirect student identifiers. Some state legislatures have imposed new data protection requirements, and other states and Congress may do so in the near future. With an incomplete and evolving legal landscape and public opinion leaning in the direction of additional protections for student data, your school board should consider going beyond the current legal requirements and adopting a comprehensive approach to protecting student privacy. Source: This narrative is based on material excerpted from Data in the Cloud, April 2014, NSBA, and Cloud Computing and Student Privacy: A Guide for School Attorneys, NSBA, May 30, In late 2013 and early 2014, at least three national studies and technical papers were released that addressed student data privacy. Fordham Law School s Center on Law and Information Policy released a report in December 2013 based on research regarding how K-12 public school districts address the privacy of student data when they transfer it to Cloud computing service providers. The report, Privacy and Cloud Computing in Public Schools, received a significant amount of media attention, particularly because it identified numerous deficiencies in school district practices regarding safeguarding student privacy. In February 2014, Common Sense Media published the results of a poll it deployed to 800 registered voters nationwide. Nine out of ten respondents were concerned about how private companies with non-educational interests are able to access and use students personal information to market, advertise and sell products and services.

17 CLOUD COMPUTING/STUDENT PRIVACY ISSUES FOR SCHOOL DISTRICTS PAGE 7 UPDATE MAILING NO. 2 JANUARY 23, 2015 In late February 2014, the U.S. Department of Education s Privacy Technical Assistance Center (PTAC) published much-anticipated guidance for schools entitled Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices. It points out that the federal laws governing educational records and websites directed at children do not cover every possible use of student-related data. The Department recommends that schools go beyond the minimum required by these laws, and adopt a comprehensive approach to protecting student privacy when using online educational services. Policy Implications A new policy, # , Student Data Protection and Privacy/Cloud-Based Services, has been developed related to this issue. This policy speaks to the issue of a board entering into a contract with a third party provider for services for digital storage, management and record retrieval, utilizing Cloud-based services and the use of digital educational software to access, store and use student records. In addition, the policy prohibits third-party providers from targeting advertising to students or their parents, using covered information to compile profiles of K-12 students, selling a student s information, or disclosing covered information. In addition, some existing CABE policies and materials also relate to this topic and are provided for consideration. These include: Policy # Information Security Breach and Notification Policy # Electronic Information Security Policy # Data-Based Information Management System Confidentiality Policy Policy #5125 Student Records (Available upon request) Appendix to Policy #5125 Guidance for Reasonable Methods and Written Agreements