CLOUD COMPUTING AND PRIVACY

Similar documents
CLOUD COMPUTING AND PRIVACY CURRENT PRACTICES IN FAIRFAX COUNTY PUBLIC SCHOOLS

WHAT YOU DON T KNOW CAN HURT YOU

Apple Deployment Programs Apple ID for Students: Parent Guide

1/23/2015. MSBO Technology Committee January 22, Examples of Online Educational Services

2014 NMSBA School Law Conference

Policy Student Data Protection and Privacy/Cloud-based Issues

2015 NMSBA SCHOOL LAW CONFERENCE

Cloud Computing. What is Cloud Computing?

CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013

Privacy Policy and Notice of Information Practices

Information Collected. Type of Information Collected. We may collect two general types of information when you use the Site:

Estée Lauder Companies Global Jobs Website Privacy Policy

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015

Introduction to Cloud Services

Cloud Computing; What is it, How long has it been here, and Where is it going?

Zep Inc.: Global Online Privacy Notice

RezScore SM Privacy Policy

Your use of this site is subject to the following privacy policy statement and the web site terms of service.

PRIVACY POLICY. Your Personal Information will be processed by Whistle Sports in the United States.

Cloud Computing. Chapter 1 Introducing Cloud Computing

Written Testimony of. Brendan Desetti Director of Education Policy Software & Information Industry Association

1. The information we collect and how we collect it.

WHAT DOES CREDIT ONE BANK, N.A. DO WITH YOUR PERSONAL INFORMATION?

ios Education Deployment Overview

DESTINATION MELBOURNE PRIVACY POLICY

Cloud Computing Technology

Student Online - First of January 0

Cloud Computing. Bringing the Cloud into Focus

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Whether information is on paper or online, the basic privacy rights for students and parents remain the

Healthcare Enterprise View of Cloud What is Cloud Additional Needs Cloud Models Cloud Economics 101 Stack Decision Framework

Online and Mobile Privacy Notice ( Privacy Notice )

Privacy Policy. If you have questions or complaints regarding our Privacy Policy or practices, please see Contact Us. Introduction

Webstore - Reselling Cloud

Cloud Computing. Chapter 1 Introducing Cloud Computing

NBA Math Hoops Privacy Statement and Children s Privacy Statement Updated October 17, 2013.

Electronic Records Storage Options and Overview

YOUR PRIVACY IS IMPORTANT TO SANDERSONS ARCHIVING SOLUTIONS LIMITED

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

Understanding The Cloud

Cloud Computing Overview

Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station

The Importance of Data Exchange in Education

How cloud computing can transform your business landscape

Privacy Policy. MSI may collect information from you on a voluntary basis when you:

Privacy Policy/Your California Privacy Rights Last Updated: May 28, 2015 Introduction

Talen Energy Corporation Website Privacy Notice

BUSINESS CHICKS, INC. Privacy Policy

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

H&R Block Digital Tax Preparation, Online, and Mobile Application Privacy Practices and Principles

Quick guide: Using the Cloud to support your business

Software as a Service (SaaS) Requirements

Security Issues in Cloud Computing

Cloud Computing: Risks and Auditing

Privacy Statement. What Personal Information We Collect. Australia

Zubi Advertising Privacy Policy

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

What is FERPA? This act is enforced by the Family Policy Compliance Office, U.S. Department of Educational, Washington, D.C.

Virtualization and Cloud Computing

Clinical Trials in the Cloud: A New Paradigm?

VES Privacy Policy Effective Date: June 25, 2015

Privacy Policy Last Modified: April 3,

Cloud Computing Services In Libraries: An Overview

Chicagoland Burger Build Off Privacy Policy

Cloud Computing. Chapter 1 Introducing Cloud Computing

Cloud Computing: Legal Risks and Best Practices

Cloud Computing. Cloud computing:

Privacy Policy. log in to the Services with social networking credentials;

PTAC Toolkit for LEAs: Staff Policies and Teacher Access March 24, 2014

What Factors Determine Cloud Computing Adoption by Colleges and Universities? Bill Klug Instructor, BCIT

Online Lead Generation: Data Security Best Practices

SKoolAide Privacy Policy

Outline. What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages

Leveraging Technology New Horizons Computer Learning Center of Memphis

Technology and Data Privacy Committee June 30, 2014

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD

Contact Us. Information We Collect. Petzi s Privacy Policy: Last Updated: October 8, 2015

Information About Our Organization and General Data Collection Practices. Lotlinx Website and Dealer Customers Marketing Efforts

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Unified Communications and the Cloud

Young Scholars of Central Pennsylvania Charter School 1530 Westerly Parkway State College, PA School Year

Beasley Broadcast Group, Inc. Privacy Policy

Managing Cloud Computing Risk

Type of Personal Data We Collect and How We Use It

1.1 Personal Information is information about an identifiable individual such as your name, address, telephone number and address.

Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013

PRIVACY POLICY Effective Date:, INTRODUCTION AND OVERVIEW

How To Understand Cloud Usability

FERPA and Homelessness A Technical Assistance Tool for NAEHCY Members

Managing your Information Assets in the Cloud

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Business Case for Voltage Secur Mobile Edition

Enterprise Cloud Computing Standards, Innovation & Shifts

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

We may collect the following types of information during your visit on our Site:

ZOOMIN.TV PRIVACY POLICY Last updated: 5 August 2014

GETTING THE MOST FROM THE CLOUD. A White Paper presented by

ETHICAL ELECTRIC PRIVACY POLICY. Last Revised: December 15, 2015

The Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP

Transcription:

CLOUD COMPUTING AND PRIVACY VSBA School Law Conference June 6, 2014 PRESENTERS Carol A. Marchant, Assistant Division Counsel, Fairfax County Public Schools Jim Siegl, Technology Architect, Fairfax County Public Schools Co-Chair, Privacy Toolkit, COSN/Harvard Law School AGENDA Recent Technology, Privacy and Ed Tech Trends The Goal and the Challenges The Legal Framework: FERPA, PPRA, COPPA The Technical Framework: Cloud Computing Benefits and risks Models of cloud in K12 Recent Progress, Apple and Google Contracting for Cloud Services Recommendations and Best Practices 1

RECENT TECHNOLOGY, PRIVACY AND ED TECH TRENDS Technology Industry Trends: App Stores, Cloud Only software delivery (Adobe, Microsoft), Freemium /Ad supported Business Models, Big Data, Internet of Things. Privacy Trends: Privacy was 2013 word of the year (dictionary.com), NSA/Snowden Disclosures. Education Technology Trends: 1:1 and Mobile Devices, Bring Your Own Device (BYOD), Increased Use of Data. Student Data Privacy Trends: Over 90 education data privacy bills pending in 30 state legislatures and 1 Federal Bill. One major company (inbloom) closed due perceived privacy concerns. THE GOAL AND THE CHALLENGES Goal: To balance educational technology innovation and privacy, security and safety. Challenges: Technologies change far more rapidly than laws, policies and cultural norms. Increasing need to separate fact from fiction and rhetoric in the public privacy debate. LAWS THAT AFFECT USE OF THE CLOUD BY SCHOOL DIVISIONS Family Educational Rights & Privacy Act (FERPA) Child Online Privacy Protection Act (COPPA) Protection of Pupil Rights Amendment (PPRA) 2

WHAT DOES FERPA PROTECT? Protects personally identifiable information (PII) from education records from unauthorized disclosure. Education Records: Materials that are maintained by an educational agency or institution or by a person acting for such an agency or institution, and contain information directly related to a student. Personally Identifiable Information (PII): PII is the name of a student or family member, address, personal identifiers (e.g. social security number), indirect identifiers (e.g. date of birth), and other information whereby a reasonable person in the school community could identify the student. PARENTS RIGHTS AND SCHOOL RESPONSIBILITIES UNDER FERPA Parents and eligible students have the right to access and seek to amend education records. School and school districts cannot disclose PII from education records to a provider unless: Receive written permission from parents or eligible students. Disclose under a regulatory exception, e.g. Directory Information or School Official exception. FERPA DIRECTORY INFORMATION Information contained in an education record that would not generally be considered harmful or an invasion of privacy if disclosed. Typically can include: name, address, telephone number, date of birth, major course of study, participation in school activities or sports, weight and height if a member of an athletic team, dates of attendance, grade level, degrees and awards received, most recent school attended, class schedule, photograph, email address and enrollment status. Schools must publish an annual FERPA notice and list data elements or categories. Parents and eligible students have a right to opt out. 3

SCHOOL OFFICIAL EXCEPTION Schools can use the School Official exception to disclose education records to a third party provider (TPP) if the TPP: Performs a service/function for the school/district for which the educational organization would otherwise use its own employees. Is under the direct control of the organization with regard to the use/maintenance of the education records. Uses education data in a manner consistent with the definition of the school official with a legitimate educational interest, specified in the school/lea s annual notification of rights under FERPA. Does not re-disclose or use education data for unauthorized purposes. CHILDREN S ONLINE PRIVACY PROTECTION ACT (COPPA) COPPA affects commercial websites that knowingly collect information about or target children under the age of 13. Enforcement is against commercial websites, not schools. Requires verifiable parental consent for collection of data. July 2013 update extended regulation to apps and 3 rd party plug-ins (e.g. tracking networks) and expanded the definition of personally identifiable information (PII) to include: geolocation data, files that contain a child s image or voice, and persistent identifiers (e.g. tracking cookies) that could be used to build a profile over time and across different websites or online services. COPPA WHAT SCHOOLS NEED TO KNOW Does not apply to school districts that contract with websites to offer online programs solely for the benefit of their students and for no other commercial purpose. Provides for the school s ability to consent on behalf of the parent where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose. Does not preclude schools from acting as parental intermediaries (e.g. collecting permission slips). http://w w w.business.f tc.g ov/docum ents/c omplying -w ith-c OPPA -Frequently - Asked- Questions#Schools 4

PROTECTION OF PUPIL RIGHTS AMENDMENT (PPRA) PPRA applies to personal information collected from the student. PPRA requires schools to: directly notify parents of students who are scheduled to participate in the collection, disclosure, or use of personal information for marketing purposes, or to sell or otherwise provide that information to others for marketing purposes, and give parents the opportunity to opt out of these activities. PPRA requires districts to develop and adopt policies, in consultation with parents, about these activities. CLOUD COMPUTING IS* 1. A contracting and delivery method (a form of outsourcing) 2. Typically Services are delivered via the Internet (e.g. via a browser, or an app) 3. A Scalable Shared Pool of Resources 4. Often a Pay-per-use model of Utility computing like... Water, Gas, Electricity, Phone, and Data Telephone Conference Lines (charged per minute, per user) * Based on definition from National Institutes of Standards and Technology HOW ARE SCHOOLS USING CLOUD COMPUTING? Community Outreach BoardDocs Keep In Touch (Emergency Notification) Facebook and Twitter (social media) Mapquest (Driving Directions) SurveyMonkey Finance MyLunchMoney.com (ecommerce) ebilling for Fees (B of A) Human Resources CareerQuest (BrassRing) Pick-a-Time (Flu shot scheduling) Facilities/Transportation FSDirect (Community Use) Professional Development MyPLT, PD 360 Information Technology elearnit (Training) CAPPIES (Microsoft Azure Platform) Schools/Instructional Services Credit Card Processing (ACE) Delicious (Social Bookmarks) Streaming Video (Learn360) Elluminate (Web Conferencing) Online Textbooks, Library Books (MyON, TumbleBooks) and Research Databases epals ( pen pal community) Turn-It-In (Plagiarism detection) Substitute scheduling ManageBAC (IB Program Tracking) VoiceThread (Presentation Tool) Blackboard and Naviance (LMS, Guidance) Horizon (Assessment) Google Apps Microsoft IT Academy 5

THREE LAYERS OF CLOUD COMPUTING (PRIVACY IS PRIMARILY AN SaaS ISSUE) Cloud Computing Traditional Computing Software-as-a-service (SaaS) Finished applications or components that you rent and access via a browser, typically shared with other users (e.g. Google Apps, BoardDocs, etc.) End-user facing Internally or Externally Hosted Software Finished applications that you purchase and host (COTS Applications e.g. Exchange) Platform-as-a-service (PaaS) Developer platforms that abstract the infrastructure, OS, and middleware (e.g. Microsoft Azure) Infrastructure-as-a-service (IaaS) Externally Hosted on-demand Virtual Deployment platforms that abstract the infrastructure (e.g. Amazon Elastic Computing Cloud or Private Cloud e.g. VMWare) IT facing Application Platforms Developer platforms such as Java, ColdFusion, ASP.NET, SQL for building in-house applications Infrastructure In-House platforms that provide physical infrastructure (e.g. Servers, Networks, Operating Systems, and Storage) POTENTIAL BENEFITS OF CLOUD COMPUTING Available Anywhere: Users access services over the Internet from web and mobile devices. Responsive: Rapid provisioning and deployment of new services. Schools gain the flexibility of being able to respond quickly to requests for new and innovative services. Cloud services are updated and upgraded regularly. Cost B enefits: Leverages economies of scale through Shared infrastructure. Allows for Measured Payment (Pay per Use ). Large number of free options. Specialization: Cloud providers specialize in particular applications and services, and this expertise allows them to efficiently manage upgrades and maintenance, backups, disaster recovery, and failures. A ggregation: Improved features or services from combining data from multiple services. POTENTIAL PRIVACY RELATED RISKS OF CLOUD COMPUTING Users access services over the Internet. Potential increased security risk (Data Breach, or accidental data disclosure by users). Rapid provisioning and deployment of new services. Large number of free services Ease of signing up lends itself to unregulated/unapproved use. Cloud services are updated and upgraded regularly. No control over changes. Impact on training/communication. Changes to privacy policies and terms of service. Privacy related risks or bugs introduced through new features. Leverages economies of scale through Shared infrastructure. Risks of shared infrastructure/database. Unwilling or Unwitting Collection and A ggregation of p ersonally identifiable data. 6

MODELS OF CLOUD IN K12 Private: District hosted SIS, LMS (e.g. Blackboard) Contracted: (Microsoft Office 365, Google Apps, Textbooks etc.) Shared Longitudinal Databases and Data exchanges (e.g. inbloom, Clever) Free (and clear): e.g. Khan Academy Free with a catch: Ad supported services Freemium +: Freemium for a user/or class, with an individual, class/school/district upsell (e.g. Edmodo, edublogs, Evernote ) Traditional and Mobile Operating System and App Stores : Apple, Google, Microsoft, Amazon, Amplify, Edmodo Identity Ecosystems: e.g. Sign-in with Facebook, Twitter, Google. Other Areas of Privacy Concern Extended Social Networks: Facebook, G+, twitter including like buttons and other social commenting systems Search Engines, 3 rd Party Tracking Networks (cookies, web beacons etc.), Data Brokers CLOUD IS MORE THAN JUST ONLINE Mobile apps and click-thru Agreements are the Norm Software Tested in FCPS Nov. 12- Nov. 13 (214 applications) Mobile 67.29% Web 17.76% Windows 11.68% Multiple 3.27% 5 were via contract, 1 via RFP SOME PROGRESS APPLE ID FOR STUDENTS UNDER 13 IN A 1:1 ENVIRONMENT Apple ID for Students program allows districts to request IDs for students under 13. Batch CSV web upload (centrally or delegated by school) that includes parent contact information. Apple ID accounts are then approved by the parent or guardian. Apple IDs for students under 13 include the following features: Allows access to icloud, iwork, ibooks, itunesu, itunes and App store and find my iphone services and storing documents in icloud. icloud Mail is not activated by default. Can use allowance, gift cards, codes or (optionally) make purchases. The following can be managed/disabled via policy, or parental controls: Make FaceTime video calls, send photos, videos, and texts using imessages, share and receive photos and videos via PhotoStream, interact in Game Center. Student Account Restrictions Account settings, such as email address and date of birth, cannot be changed. No credit card is attached to the account at setup. Limit Ad Tracking is turned on for the account to ensure the student does not receive targeted advertising from Apple. Students can t opt-in to receive marketing materials. Once students reach age 13, the Apple ID converts to a full account. 7

SOME PROGRESS: GOOGLE APPS FOR EDUCATION CLARIFICATIONS AND POLICY CHANGES Google Apps for Education is a free service used by more than 50% of the school districts in the US (and at least 70% of VA districts) In May 2014 Google clarified that prior to May 2014: Content was not scanned unless a school actively turned display ads on (the default in off). Scanning for ads was only performed in email and no other google product. IF ads were displayed it was only in gmail not on other websites that use google ad sense. In Google Search, if a student is logged in to their Google Apps for Education account, they do not see targeted ads. That after May 2014, turning ad display/scanning on is not an option CONTRACTING CONSIDERATIONS* What data will be collected (e.g. cookies, tracking pixels, etc.)? Data use, retention, disclosure, and destruction Designation as a school official For what (limited) purposes may data be used? With whom may data be shared (re-disclosed)? Is foreign storage permitted? Specification of whether other government agencies may gain access without end-user consent What data archival and destruction requirements exist? Data Transfer through Bankruptcy or Acquisition. Specification of data ownership, security and breach notification responsibilities Responsibilities for granting end-user access and correction requests Prohibition on unilateral modification Audit rights * Similar questions should be answered when using websites and apps obtained through click-thru terms and conditions DISTRICT EXAMPLE H T T P : / / W W W. S D 4 3. B C. C A / R E S O U R C E S / D I G I TA L C I T I Z E N S H I P / PAG E S / D I G I TA L T O O L S. A S P X 8

HOUSTON ISD HTTP://WWW.HOUSTONISD.ORG/PAGE/109830 BEST PRACTICES Conduct an inventory of the online educational services being used. Establish policies and procedures to evaluate and approve vendors prior to implementation. Use a written contract or legal agreement, when possible, to maintain required direct control over the use and maintenance of student data. Be transparent with parents and students about how the school collects, shares, protects, and uses student data. Consider on a case-by-case basis whether obtaining parental consent may be appropriate. QUESTIONS 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information