Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
Data Privacy & Security
1Attachment A
Introduction
• Using data effectively and responsibly is fundamental to making the best decisions in today’s schools about improving student performance. Capturing accurate information is necessary for public, state, and federal reporting. It’s also needed to create accurate school and district performance reports.
• The Family Educational Rights Privacy Act (FERPA) establishes baseline parameters for what is permissible when sharing student information. WCSD uses additional guidelines and strict processes to protect the privacy of every student and to ensure the confidentiality and security of all data collected and managed.
2
Data Definitions
• There are two types of student data we deal with in the district that are covered by FERPA (Family Educational Rights and Privacy Act). They are:
• “Directory Information” and; • “PII”, or Personally Identifiable
Information
3
Directory Information• Certain information is made available to most individuals
(those not listed under "Who can obtain personally identifiable information") only with parental written permission.
• Activities such as awards, scholarships, college/technical school information and various school publications such as yearbooks and athletic programs, however, require the use of some general information about students.
• Such information is called directory information and this information may be provided to a third party without parental consent.
Source – WCSD Website 4
Directory Information• The Washoe County School District defines directory
information as:– name, address, telephone listing, electronic mail address, date
and place of birth, photographs, participation in officially recognized activities and sports, field of study, weight and height of athletes, enrollment status, degrees and awards received, dates of enrollment, most recent previous school attended, grade level, grade point average range for college recruitment.
• Schools do use discretion when they receive requests for directory information and will not release such information if releasing that information would not be in the best interest of the student.
Source – WCSD Website 5
PII - Personally Identifiable Information
• PII includes, but is not limited to: • The student's name• The name of the student's parent or other family
members• The address of the student or student's family• A personal identifier, such as the student's social
security number, student number*, or biometric record • Other indirect identifiers, such as the student's date of
birth, place of birth, and mother's maiden name* A student ID number is considered directory information when combined with
a means of authentication such as a password, biometric method, etc. before access to educational records is granted.
Source – U.S. Government Publishing Office6
• Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
• Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
PII - Personally Identifiable Information
Source – U.S. Government Publishing Office
7
• COPPA - The Children’s Online Privacy Protection Act
• COPPA requires companies to have a clear privacy policy, provide direct notice to parents, and obtain parental consent before collecting information from children under 13. Teachers and other school officials are authorized to provide this consent on behalf of parents for use of an educational program, but only for use in the educational context. This means the company can only collect personal information from students for the specified educational purpose, and for no other commercial purpose. The company may keep the information only as long as necessary to achieve the educational purposes.
Protection Laws
8
• PPRA - The Protection of Pupil Rights Amendmentoutlines restrictions for the process when students might be asked for information as part of federally funded surveys or evaluations.• For example, surveys might be used to better understand the
effects on students of drug and alcohol use (i.e. school climate survey). Surveys might also seek to understand the impact on students with family backgrounds that include violence, or variations in home life such as family makeup or income levels. In order to administer such surveys, schools must be able to show parents any of the survey materials used, and provide parents with choices for any surveys that deal with certain sensitive categories.
• Student surveys asking for sensitive information, like in the example above, are anonymous. Students cannot be identified and no one has access to individual student responses.
Protection Laws
9
• CIPA - The Children's Internet Protection Act• CIPA was enacted by Congress in 2000 to address
concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools districts that receive discounts for Internet access or internal connections through the E-rate program – a program that makes certain communications services and products more affordable for eligible schools.
Protection Laws
10
• AB221, 2015 Legislative Session• Existing state law requires a public school to comply
with federal law governing: confidentiality of the education records of a pupil. (NRS 392.029)
• AB 221/NRS 386 provides for the disclosure of data that includes any personally identifiable information (PII) of a pupil to include: (1) express provisions to protect the privacy and security of such information; and (2) a penalty for intentional or grossly negligent noncompliance with the terms of the contract.
Protection Laws
11
• NRS 385A determines much of what districts must collect
• Student demographics• Enrollment, attendance, and transiency data• Program participation (i.e. ELL, SPED, FRL, CIT
status)• Test scores and grades• Information on learning or physical disabilities, if
applicable• Interventions• Graduation, dropout, and remediation information• Discipline and behavior data
What student information do we collect?
12
District Systems Containing Student/Staff Data
• Infinite Campus – majority of student data is in IC• BIG (Business Intelligence Gateway) Data Warehouse
– a subset of what we have in Infinite Campus• Business Plus – Payroll info, address, Social Security
#’s, etc.• SearchSoft – Applicant management system• Office365 – email and user document storage• Microsoft Active Directory – student & staff names,
student ID numbers• Easy IEP – Special education information• MAP - Measured academic progress (of students)• CogAT – Gifted and Talented testing
13
Who has Access?
• Authorized school and central office personnel• Access to all of these systems is granted based on
the right and need to access it. See:
Board Policy 7205 - Information Technology – Data Access Policy
• Contracted vendors with signed privacy obligations
14
• Allocation of state funding and services• State assessment data – to measure
school performance • Determining individual student growth
and school growth• Remediation information• Determining student instructional needs• Intervention and enrichment effectiveness• Facilitate school/parent communications
How is Individual Student PII Information Used?
15
• Aggregate data – is information about “groups” of students without any PII
• Uses:– To report to parents and the community to
determine how districts and schools are performing
– Monitor and evaluate specific programs– Reports to the federal government in order to
receive funding for program participation. (note: the federal government does not have the authority to collect individual student data)
– Health and safety
Aggregate Data
16
How is Data Protected?
• Access Control – Rights granted on a “need to know” basis
• Encryption – at rest and in transit• Secure Transit – data encapsulation and
tunneling• Physical Security –securing access to servers
and the data on them• Contracts and TOS (Terms of Service)
agreements• Account security
17
Data Encryption At Rest & In Transit
WCSD Data Center
WCSD Site
WAN – Internet Office365-Azure
Infinite Campus
WCSD Router
WCSD LAN/Intranet
WCSD PC
WCSD Laptop
WCSD Firewall
Data Warehouse
WCSD Wireless AP
MS Firewall
Public Computer
Public Laptop
BusinessPlus
MS File Storage
MS Email Servers
Connections and data transmitted on the WCSD LAN/Intranet are encryptedConnections and data transmitted between WCSD Firewall and MS Firewall on the WAN/Internet are encryptedConnections and data transmitted in the Office365-Azure environment are encryptedConnections between Public Computers and Internet is not encrypted by default
18
Data Mining/Analytics
• The district performs analytics on the data already in its possession
• We don’t “mine” it from other locations, we already have the data
• Per their privacy statements and customer agreements, neither Microsoft nor Google access, mine, analyze, or scan student data
• Data stored within the cloud is in a sense more secure than it is in our own data centers
• The reason is, Microsoft & Google provide 24/7/365 monitoring and security at the physical and network levels
19
Vendors and Third-Party Applications• For contracts involving student data, WCSD Purchasing department
uses best practices and terms of conditions from the Privacy Technical Assistance Center (PTAC) from the US Department of Education.
• Vendors can only collect, use, or share PII for the purposes outlined in the contract. If they want to use data in another way, they must obtain district or parent permission
• Our contracts prohibit vendors from selling PII, to use student PII for the purposes of targeted advertising, or to create a personal profile of a student outside of the requirements of the contract (unless parent permission is obtained)
• Vendors must destroy student PII upon the request of the District, upon termination of the contract and the contained timelines, or when the data is no longer needed for the performance of the contract
• Governed by AB221, from the 2015 Legislative Session20
Online Educational Services
• Educational applications and software are all different and are governed by the Terms of Service (TOS) and licensing agreements of the individual vendor.
• Subgroup of TAG (including IT, Legal, and Purchasing) are reviewing the TOS
• Applications such as Microsoft, Google, Google Apps for Education (GAFE), and Edmodo all have signed the Student Privacy Pledge www.studentprivacypledge.org
• The pledge is endorsed by the National PTA and the National School Boards Association (NSBA), to name a few
• Basic tenants of the pledge:– Not collect, maintain, use or share student personal information
beyond that needed for authorized educational/school purposes, or as authorized by the parent/student.
– Not sell student personal information.21
Common Sense…
• The District encourages teachers to be creative and innovative– Online educational services (apps and websites) help
teachers teach and students learn
• Common Sense Media Privacy Policy Browser– Rates hundreds of classroom applications on
Safety, Privacy, Security, and Compliance– Parents can get information and make informed
decisions about the potential privacy implications of educational technology used to support teaching and learning.
https://privacy.commonsense.org22
Common Sense…
23
TAG
• TAG (Technology Advisory Group)• Meet monthly and work online as a group
and as sub groups• Considers all technology related issues in
WCSD from student, staff, and community viewpoints
• Application approval is a current agenda item• Addressing digital citizenship, grade level
expectations, student logins and security, and prioritizing technology needs across the district
24
Supporting Student Success
• The use of data helps guide parents, teachers, schools, districts, and state leaders to improve student achievement so all children graduate ready for college or a career.
• WCSD takes seriously its moral and legal responsibility to protect student data and privacy and to ensure data confidentiality.
• WCSD has an obligation to use data to support every student, to ensure our resources are used wisely, and to communicate in a transparent manner with our community.
25
Additional Detail & Information
• Data Security & Privacy FAQ’s• Student Privacy Pledge • Board Policy 7200 – Digital Learning• Board Policy 7205 - Information Technology – Data Access Policy• FERPA• WCSD21 Plan
26