170 likes | 180 Views
Understand the laws and best practices for protecting student privacy in schools. Learn about FERPA, COPPA, and NMSA 1978 Section 22-21-2, and how they apply to data collection and disclosure. Discover strategies to prevent unintentional data leaks through network security, password protection, access policies, and more.
E N D
Data Privacy Updates and Best Practices Dan Hill General Counsel, Public Education Department Randi Johnson General Counsel, State Personnel Office
The Basics: Schools and school districts are responsible for complying with state and federal laws meant to protect student privacy and allow students and parents access to information. We all have heard of FERPA. (Hopefully.) But, a number of other laws apply as well. Complying with these laws requires at least knowing they exist.
FERPA: —FERPA is a federal law that prohibits schools from disclosing personally identifiable information from an educational record without the of the student or the student’s prior written consent parent. —It also gives parents and eligible students the right to inspect and review their own education records, and the right to seek to amend education records.
COPPA —The Children’s Online Privacy Protection Act (“COPPA”) gives parents control over the information collected from their young children. Among other things, the law requires operators of commercial websites or online services (“Operators”) to notify parents and obtain parental consent before collecting personal information from children under the age of 13. But, wait. Does this apply to schools? Kind of.
COPPA • —Students access online content while at school. So, when and how can schools consent to the collection of students’ personal information? • Per the FTC, schools or districts may contract with online educational program providers and consent to the collection of personal information from children under the age of 13 only if: • The programs are solely for the benefit of students and the school system (for example, homework help, individualized education modules, online research, online organizational tools, web-based testing services), and • The Operator collects personal information from the students only “for the use and benefit of the school,” not for any commercial purpose.
NMSA 1978, Section 22-21-2 A. No person shall sell or use student, faculty or staff lists with personal identifying information obtained from a public school or a local school district for the purpose of marketing goods or services directly to students, faculty or staff or their families by means of telephone or mail. The provisions of this section shall not apply: (1) to legitimate educational purposes, which shall be determined by rules and regulations developed by the department of education [public education department]; or (2) when a parent of a student authorizes the release of the student's personal identifying information in writing to the public school or local school district. For the purposes of this subsection, "personal identifying information" means the names, addresses, telephone numbers, social security numbers and other similar identifying information about students maintained by a public school or local school district.
Inspection of Public Records Act 14-2-1. Right to inspect public records; exceptions. A. Every person has a right to inspect public records of this state… Yes, student records are considered public records under IPRA. BUT WHAT ABOUT FERPA?!?!?!?!? There are exceptions to IPRA. Applying the correct exception, “Every person has a right to inspect public records except as otherwise provided by law.” *NOTE, this does not apply to “directory information.” In other words, the exception only applies to what is protected by FERPA. It also does not apply when consent has been obtained.
Inspection of Public Records Act What if a vendor files an IPRA request for contact information of all students and parents in the district? Does FERPA apply? What about NMSA 1978, Section 22-21-2? How does this apply to COPPA? All of this assumes that the school or district has control of its data, and the only releases of data and records is intentional. The next part of the presentation is about how to prevent unintentional disclosures.
How to Prevent Data Leaks • Best Practices • Network Security • Password Protection/Encryption • Audit Logs • Access Policies • Employment Practices • Policies & Procedures • Professional Development/Training • Discipline
Policies & Procedures Why have a FERPA-specific policy? Notice to employees (and students) Operational needs Consistency Continuous Improvement Manage Risk
Policies & Procedures, Cont. What should a FERPA-specific policy contain?
Policies & Procedures, Cont. • What should a FERPA-specific policy contain? • Introduction with FERPA overview • Definitions of: Education Records, Directory Information, and any other important terms of art. • Statement of Policy (What do you expect of Staff and Students?) • Disclosure of Education Records to Student (Student Inspection) • Disclosure to School Officials • Disclosure to Others • School Right of Refusal • Challenge and Correction of Education Records • Compliance (Discipline) • Statement of Procedures (How do you expect Staff and Students to follow the policy?) • Procedure for Student Inspection • Procedure for Disclosure to School Officials • Procedure for Disclosure to Others • Procedure for Challenges and Corrections to Records • Get a signed Acknowledgment & Understanding Form!
Professional Development & Training • PD & Training regarding FERPA for everyone, often. • PD & Training regarding District policies for everyone, often. • If the training is out-of-house, keep copies of certifications of attendance or completion in personnel files. • If the training is in-house, utilize sign-in sheets, and maintain records of attendance.
Discipline • “Justcause” means a reason that is rationally related to an employee's competence or turpitude or the proper performance of the employee's duties and that is not in violation of the employee's civil or constitutional rights. • Other Considerations: • Notice • Investigation • Liability Exposure • Equal Treatment
Activity 1 School has a FERPA policy that states: If Staff negligence results in a violation of FERPA, Staff may be subject to discipline, up to and including dismissal. The School Nurse at a middle school printed FERPA protected student health records. Prior to retrieving the records, the School Nurse received a telephone call and became distracted. The School’s Administrative Assistant was printing training materials for a National School Conference being held in Santa Fe. The Administrator included the student health records in materials distributed to hundreds of non-district employees at the National School Conference. Should the Nurse be disciplined? Should the Administrator? If so, what levels of discipline should they receive?
Activity 2 School has a FERPA policy that states: If Staff intentionally cause a FERPA violation, Staff may be subject to disciplinary action, up to and including dismissal. A student is expelled from school for violence, and for threatening to bomb the school. The student’s disciplinary record and a photo of him are provided to School Security to prevent the student from accessing campus. The media picked up on the student’s actions, and had already run several stories that included the student’s identity. One of the security guard’s wife works at News Channel 4, and he provides her with a copy of the disciplinary record and photo. The Security guard thought the information had already been released. Should he be disciplined? If so, what level of discipline?
Activity 3 School has a FERPA policy that states: If Staff negligence results in a violation of FERPA, Staff may be subject to discipline, up to and including dismissal. School also designates names, addresses, telephone numbers, email addresses, and honors and awards received as directory information. A non-profit organization that has programs for special needs children requests directory information for students with disabilities, so that they can organize a special awards ceremony for the children. The School’s STARS designee released the information because he thought that he was only releasing directory information. The STARS designee immediately called the non-profit when he realized his mistake, and the non-profit returned the information to be destroyed. Should there be discipline imposed? If so, what level?