iNACOL Leadership Webinar "Protecting Student Privacy in Blended and Online Learning"

Protecting Student Privacy in Blended and Online Learning: New FERPA Guidance from the US Department of Education

• Frank E. Miller, Management and Program Analyst, U.S. Department of Education

• Ross Lemke, Technical Assistance Manager, Privacy Technical Assistance Center, U.S. Department of Education

• Themy Sparangis, Chief Technology Director, Los Angeles Unified School District

• Maria Worthen, Vice President for Federal and State Policy, iNACOL

April, 2014

Introductions & Overview

Maria Worthen

Vice President, Federal & State Policy

iNACOL

• Palm Springs, Ca – Nov. 4-7, 2014

• Registration available soon.

• Over 2200 experts, educators and thought leaders in the field of online and blended learning and competency based education

Webinar Format

• Feel free to type questions in the chat box

• The webinar is being recorded and archived. Link will be emailed out to you within 2 days after the webinar

• Also posted in iNACOL Member Forum

iNACOL’s mission is to ensure all students have access to a world-class education and quality blended and online learning opportunities that prepare them for a lifetime of success.

iNACOL Strategic Priorities

• Development of new learning models

• Quality assurance for blended and online learning

• Policy and advocacy

State Policy Priority Issues1. Create competency-based education systems

2. Improve equity and access for students to blended & online learning opportunities

3. Ramp up quality assurance

4. Provide room for innovation.

5. Support new learning models through connectivity, data systems, and security.

Priority Area: Support new learning models through connectivity, data systems, and security.• Broadband telecommunications

infrastructure

• Statewide longitudinal data systems

• Secure and ethical use of student data.

Without data, we cannot personalize instruction at scale.

Without sensible data governance, we cannot sustain new learning models powered

by blended and online learning.

Protecting Student Privacy While Using Online Educational Services

An Overview of Recent Department of Education Guidance

April 9, 2014 Frank MillerTeam Lead, Family Policy Compliance OfficeU.S. Department of Education

Ross LemkeTechnical Assistance ManagerPrivacy Technical Assistance Center

QuestionsQuestions

Please type your questions in the chat box in the lower left hand corner of the webinar window.

11

Poll: Who is in the Audience?Poll: Who is in the Audience?

Please indicate which sector you represent:A) K-12 Administration

B) K-12 Faculty

C) Post-Secondary Administration or Faculty

D) Education Technology Industry

E) Other (e.g., parent/student, non-profit org., etc.)

12

OverviewOverview

The changing landscape of education technology in schools

The U.S. Department of Education’s role in protecting student privacy

Legal protections for students’ information used in online educational services– How FERPA and PPRA protect student information used in online

educational services– Other laws to consider

Beyond compliance: best practices for protecting student privacy

13

14

Use of Education Technology in Use of Education Technology in SchoolsSchools

Student Information Systems Productivity applications Educational applications Fundamental school services

15

Online Educational ServicesOnline Educational Services

This guidance relates to the subset of education services that are:Computer software, mobile applications (apps), or web-based tools;Provided by a third-party to a school or district;Accessed via the Internet by students and/or parents; ANDUsed as part of a school activity.

This guidance does not cover online services or social media used in a personal capacity, nor does it apply to services used by a school or district that are not accessed by parents or students.

16

The Challenge of Online The Challenge of Online Educational ServicesEducational Services

Schools and districts are increasingly contracting out school functions

We have new types of data, and much more of it! Many online services do not utilize the traditional

2-party written contractual business model Increasing concern about the commercialization

of personal information and behavioral marketing We need to use that data effectively and

appropriately, and still protect students’ privacy

17

The U.S. Department of The U.S. Department of Education’s Role in Protecting Education’s Role in Protecting Student PrivacyStudent Privacy

Administering and enforcing federal laws governing the privacy of student information– Family Educational Rights and Privacy Act (FERPA)– Protection of Pupil Rights Amendment (PPRA)

Raising awareness of privacy challenges Providing technical assstance to schools, districts,

and states Promoting privacy & security best practices

18

Poll: FERPA AwarenessPoll: FERPA Awareness

Please rate your familiarity with FERPA:A) “FERPA, what’s FERPA?”

B) I know enough to be dangerous

C) You could add me to your national cadre of experts on FERPA: I’m an expert.

19

Family Educational Rights and Family Educational Rights and Privacy Act (FERPA)Privacy Act (FERPA)

Gives parents (and eligible students) the right to access and seek to amend their children’s education records

Protects personally identifiable information (PII) from education records from unauthorized disclosure

Requirement for written consent before sharing PII – unless an exception applies

20

But wait! There are But wait! There are exceptions!exceptions!

Two of FERPA’s exceptions to the parental consent requirement are most relevant when using education technology:

– Directory information exception

– School official exception

There are many other FERPA exceptions.

21

Directory Information Directory Information ExceptionException

Students don’t attend school anonymously. Allows schools to release certain information

without consent. A few examples:– name, address, telephone listing, electronic

mail address; – date and place of birth; – photographs; – weight and height of athletes; – degrees & awards received.

22

Directory Information Directory Information Exception Exception

Common uses:– Yearbooks– Concert programs– Telephone directories

Remember that parents have a right to opt-out

23

School Official ExceptionSchool Official Exception

Schools or LEAs can use the School Official exception to disclose education records to a third party provider (TPP) if the TPP:

– Performs a service/function for the school/district for which it would otherwise use its own employees

– Is under the direct control of the school/district with regard to the use/maintenance of the education records

– Uses education data in a manner consistent with the definition of the “school official with a legitimate educational interest,” specified in the school/LEA’s annual notification of rights under FERPA

– Does not re-disclose or use education data for unauthorized purposes

24

Poll: PPRA AwarenessPoll: PPRA Awareness

Please rate your familiarity with PPRA:

A)(Yawn) I know all about it.

B)I’ve worked with it, but only in regard to the survey provisions.

C)I have limited knowledge about PPRA

D)Oh yes, that stands for “Pen Pal Research Association” right?

25

Protection of Pupil Rights Protection of Pupil Rights Amendment (PPRA)Amendment (PPRA)

Amended in 2001 with No Child Left Behind Act Mostly known for provisions dealing with surveys in K-12 Includes limitations on using personal information

collected from students for marketing Parental notification and opportunity to opt out may be

required Development of policies in conjunction with parents may

be required However … a significant exception for “educational

products or services”

26

Question 1:Question 1:

Is student information used in online educational services protected by FERPA?

27

Is student information used in Is student information used in online educational services online educational services protected by FERPA?protected by FERPA?

It depends!

Some data used in online educational services is protected by FERPA.

Other data may not be.

Schools and Districts will typically need to evaluate the use of online educational services on a case by case basis to determine if FERPA-protected information is implicated.

28


What does FERPA require if PII from students’ education records is disclosed to a provider?

29

What does FERPA require if PII What does FERPA require if PII is disclosed to a provider?is disclosed to a provider?

Parental consent for the disclosure; OR Disclosure under one of FERPA’s exceptions to the

consent requirement. Typically, either:– Directory Information exception

• Remember parents’ right to “opt-out”

– School Official exception• Annual FERPA notice• Direct control• Use for authorized purposes only• Limitation on re-disclosure• Remember parents’ right to access their student’s

education records

30


Under FERPA and PPRA, are providers limited in what they can do with the student information they collect or receive?

31

Are providers limited in what they Are providers limited in what they can do with the student can do with the student information they collect or information they collect or receive?receive?

If PII is disclosed under the Directory Information exception:– No limitations

If PII is disclosed under the School Official exception:– PII from education records may only be used for the specific purpose for

which it was disclosed– TPPs may not sell or share the PII, or use it for any other purpose except

as directed by the school/district and as permitted by FERPA

When personal information is collected from a student, the PPRA may also apply!

– PPRA places some limitations on the use of personal information collected from students for marketing

32

Are providers limited in what they Are providers limited in what they can do with the student can do with the student information they collect or information they collect or receive?receive?

Remember, schools and districts have an important role in protecting student privacy.

Additional limitations and restrictions (beyond what FERPA, PPRA, and other laws require) may be written into the agreement between the school/district and the provider!

33


What about metadata? Are there restrictions on what providers can do with metadata about students’ interactions with their services?

34

What about metadata?What about metadata?

“Metadata” are pieces of information that provide meaning and context to other data being collected, for example:

– Activity date and time– Number of attempts– How long the mouse hovered before clicking an answer

Metadata that have been stripped of all direct and indirect identifiers are not protected under FERPA (NOTE: School name and other geographic information can be indirect identifiers in student data)

Properly de-identified metadata may be used by providers for other purposes (unless prohibited by other laws or by their agreement with the school/district)

35

Other laws to considerOther laws to consider

Childrens Online Privacy and Protection Act (COPPA)– Applies to commercial Web sites and online services directed to children

under age 13, and those Web sites and services with actual knowledge that they have collected personal information from children

– Schools may exercise consent on behalf of parents in certain, limited circumstances (e.g., when it is for the use/benefit of the school and there is no other commercial purpose)

– Administered by the Federal Trade Commission– See http://www.business.ftc.gov/privacy-and-security/childrens-privacy

for more information

State, Tribal, or Local Laws

36

Best Practices for Protecting Best Practices for Protecting Student PrivacyStudent Privacy

Maintain awareness of other relevant laws Be aware of which online educational services are

currently being used in your district Have policies and procedures to evaluate and approve

proposed educational services When possible, use a written contract or legal agreement Be transparent with parents and students Consider that parental consent may be appropriate

37





38



currently being used in your district Have policies and procedures to evaluate and

approve proposed educational services When possible, use a written contract or legal agreement Be transparent with parents and students Consider that parental consent may be appropriate

39


Can individual teachers sign up for free (or “freemium”) education services?

40

Using free educational servicesUsing free educational services

Remember the FERPA’s requirements for schools and districts disclosing PII under the school official exception.

– Direct control– Consistency with annual FERPA notice provisions– Authorized use– limits on re-disclosure

These services may also introduce security vulnerabilities into your school networks

It is a best practice to establish district/school level policies governing use of free services, and to train teachers and staff accordingly.

41




proposed educational services When possible, use a written contract or legal

agreement Be transparent with parents and students Consider that parental consent may be appropriate

42





43





44


What provisions should be in a school’s or district’s contract with a provider?

45

Best Practices for Contract Best Practices for Contract Provisions for Online Educational Provisions for Online Educational ServicesServices

Security and data stewardship provisions Data collection provisions Data use, retention, disclosure, and destruction provisions Data access provisions Modification, duration, and termination provisions Indemnification and warranty provisions

46


What about online educational services that use “click-wrap” agreements instead of traditional contracts?

47

What to look for in “click-What to look for in “click-wrap” agreementswrap” agreements

When reviewing “click-wrap” agreements, schools and districts should also:Check amendment provisionsPrint (or save) the Terms of ServiceSpecify authority to accept the Terms of Service

48

Read the Guidance DocumentRead the Guidance Document

http://ptac.ed.gov/document/protecting-student-privacy-while-using-online-educational-services

49

ResourcesResources

Family Policy Compliance Office, U.S. Department of Education, Model Notice for Directory Information

PTAC Cloud Computing Best Practices

Federal Trade Commission Resources on COPPA and Children’s Privacy

National Institute of Standards and Technology, Cloud Computing Guidelines for Managing Security and Privacy

50

QuestionsQuestions

Please type your questions in the chat box in the lower left corner of the webinar screen.

51

Contact InformationContact Information

52

Telephone: (855) 249-3072

Email: [email protected]

FAX: (855) 249-3073

Website: www.ed.gov/ptac

FERPA and Student Privacy Protections: District Perspective

Themy Sparangis, Ed.D.

Chief Technology Director

Los Angeles Unified School District

• What are the benefits of using data to personalize instruction?

• How does LAUSD handle student data? • What is the impact of the new FERPA guidance on your

work and what do other district leaders need to know? • What approaches do you hope policymakers will take in your

state?

Q&A

• Please type questions or comments in the chat box on the left side of your screen.

Contact Information• Frank Miller, Management and Program Analyst, U.S.

Department of Education, [email protected] • Ross Lemke, Technical Assistance Manager, Privacy

Technical Assistance Center, U.S. Department of Education, [email protected]

• Themy Sparangis, Chief Technology Director, Los Angeles Unified School District, [email protected]

• Maria Worthen, Vice President for Federal and State Policy, iNACOL, [email protected]