keeping your head in the cloud: how to do amazing things ... · protection of pupil rights...
TRANSCRIPT
Keeping Your Head in the Cloud:How to Do Amazing Things in EdTech
Without Exposing Your School to Legal Liability
Presented by: Karen Haase
Two Common Legal Approaches to EdTech
Legal Battles Related to Student Data• Morgan Hill Concerned Parents Assoc. v. California Dept. of Ed, No.
2:11-cv-03471-KJM-AC (E.D. Cal. March 1, 2016)• Class action related to alleged statewide violations of IDEA• Court ordered disclosure of all records of students who attended any
public school in the state since 2008
• Scott v. Minneapolis Pub. Schs., A05-649 (Minn. Ct. App. 2006)• $60,000 in past damages• $80,000 in future damages• $45,000 in attorneys fees (reduced on appeal)
Legal Battles Related to Student Data• In re ConnectEDU, Inc., No. 14-11238 (Bankr. S.D.N.Y. 2014)
• Student data sold to multiple vendors as a result of bankruptcy• FTC intervened in an attempt to protect student data; unsuccessful
• K12, Inc. v. Socratic Learning, Inc., 1:2009cv00230 (E.D. Va. 2009)• Ed tech company sent student essays to India for review• Blogger in AZ discovered practice• Lawsuit over disclosure of information to blogger not over protection of
student data
• Electronic Frontier Foundation v. Google, Inc. (filed before the FTC 2015)
Student Data
Applicable Laws and Regulations• Federal Laws
• Family Educational Rights and Privacy Act (FERPA)• Children’s Online Privacy Protection Act (COPPA)• Protection of Pupil Rights Amendment (PPRA)• Uninterrupted Scholars Act (USA)• Every Student Succeeds Act (ESSA)
• Applicable State Laws
110bills related to student data privacy in
36states
2014 State Legislative Activity
184
2015 State Legislative Activity
bills related to student data privacy in
46states
Federal Laws Governing Student Data Privacy
FERPA
• Requires the protection of the privacy of students’ education records and afford parents and eligible student certain rights to inspect and review education records, to amend these records and to consent to the disclosure of personally-identifiable information (PII) from education records.
• In general FERPA prohibits the disclosure of PII from education records without written consent.
FERPA
• Requires the protection of the privacy of students’ education records and afford parents and eligible student certain rights to inspect and review education records, to amend these records and to consent to the disclosure of personally-identifiable information (PII) from education records.
• In general FERPA prohibits the disclosure of PII from education records without written consent.
FERPA• PII
• Direct identifiers (e.g. student’s or other family member’s name)• Indirect identifier (e.g. DOB, mother’s maiden name)
• Education records • “education record” means materials which “contain information
directly related to a student [and] maintained by an educational agency”
• Series of cases related to e-mail• S.A. v. Tulare County Office of Educ., 109 LRP 60382 (E.D. Cal. 2009)• Red Lion Area Sch. Dist., 112 LRP 2720 (Penn. SEA 2011)• Washoe County Sch. Dist. (Washoe II), 114 LRP 25728 (Nev. May 23, 2014)
What about Metadata?
• Metadata = information that provides meaning and context to other data being collected• E.g. how long a student hovers the cursor over an answer
• US Privacy Technical Assistance Center: “Metadata that have been stripped of all direct and indirect identifiers are not considered protected information under FERPA because they are not PII.”
• *That means metadata can be used for any purpose vendor wishes unless contract says otherwise.
FERPA talks about Student Records
• We should really be thinking of student data
• The same laws apply, but the form of the ”record” is now different
So How Do Schools Do Business in light of FERPA?
• Consent • Directory Information Exception• School Official Exception• (lots of other exceptions)
Consent
• Parents can always give consent to the disclosure of student information
• Be wary of giving parents too much power• E.g.
Directory Information Exception• “Directory Information” = information contained in the
education records that would not be an invasion of privacy if disclosed• Name, e-mail address, grade, sports played, etc.• Must be included in district policy on what it considers “directory”
• *Mandatory homework if you use social media• Information disclosed must be included in policy
• Can’t include grades, social security info, special ed. status, etc.• Parents must be able to opt-out
Directory Information Exception: Take the Bitter with the Sweet
• The bitter• Significant limitations in what can be included • School loses control of data• Parents can opt out
• The sweet• Vendor can use information without limitation
School Official Exception• FERPA allows disclosure if third-party provider:
• Performs function school would otherwise use its own employees to complete
• Is included in annual notification of FERPA rights as being a school official with a legitimate educational interest
• *more homework• Is under the direct control of the school district with regard to use
and maintenance of education records• Uses education records only for authorized purposes and does not
re-disclose without authorization• Written agreement not required (but recommended)
School Official Exception: Take the Bitter with the Sweet
• The bitter• School obligated to establish “direct control”• Parents entitled to review• Provider cannot use the information for any other purpose• School records subject to public records and special ed laws
• The sweet• Parents cannot opt out• Can add/change vendors midyear (if policy is general enough) • Can share any student information (as long as there is legitimate
educational interest)
Got it?
But wait, there’s more!
Protection of Pupil Rights Amendment (PPRA)
• Provides parents with rights related to marketing activities in school
• School must notify parents of students who are scheduled to participate in activities involving collection, disclosure or use of personal information collected for students for marketing purposes or to sell or otherwise provide that information to others for marketing purposes
• Parents must be able to opt-out
Protection of Pupil Rights Amendment (PPRA)
• FERPA protects information gleaned from education records
• PPRA protects information gathered directly from students • The same data may be protected by FERPA, PPRA or
both (or neither)• *No time limit to this protection (so it applies to graduates
as well unless notice and opt-out was provided)• *Does not prohibit non-targeted advertisements
Children’s Online Privacy Protection Act (COPPA)
• Requires parental consent collection or use of any personal information about children under 13 years old
• Now covers third parties, including social plug-ins and ad networks
• Significance for schools:• Some operators (e.g. Instagram) flatly prohibit all use under 13• schools may exercise consent on behalf of parents when for the
use/benefit of the school and there is no commercial purpose• Should reference COPPA agency in district’s policy
• *more homework
Children’s Online Privacy Protection Act (COPPA)• Operators must:
• Post a clear and comprehensive privacy policy on their website; • Provide direct notice to parents and obtain verifiable parental consent,
before collecting personal information from children; • Give parents the choice of consenting to the operator’s collection and
internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties;
• Provide parents access to their child’s personal information to review and/or have the information deleted;
• Give parents the opportunity to prevent further use or online collection of a child’s personal information;
• Maintain the confidentiality, security, and integrity of information they collect from children.
Every Student Succeeds Act (ESSA)
• Requires grant recipients to articulate understanding that they are covered by FERPA
• Prohibits a national database of student PII• Allows Title II professional development grants to be used
for activities including data literacy and data privacy
Uninterrupted Scholars Act (USA)
• Allows schools to disclose academic information about students who are in foster care to the relevant child welfare agency
• Not required to limit CWA’s subsequent use of data
OK, So What to Do With All This Information?
Action Step 1: Check District Policies
• Check your FERPA policies• Definition of “school official”• List of data included as “directory Information”• Process for honoring opt-out
• Student acceptable use policy• Be sure you aren’t giving parents opt-out rights you don’t have to
give them• Be sure your staff is honoring your AUP
• Check your PPRA Policy• Look for COPPA agent authorization in district policies
Action Step 1: District Policy Issues (con’t)
• Check for data breach policies and procedures• PTAC’s checklist
• App Deployment• Paid vendors (student information systems, learning management
systems, special education templates)• “Click-Wrap” software• District needs clear policy on both
Using Free* Educational Services
• First step: always ask, ”how is the developer making money on this project?”• Advertising? Potential problems with FERPA, PPRA and COPA• Data collection/sales? Potential problems with FERPA, PPRA,
COPA and IDEA• The federal laws are the same for “free” services as paid
vendors (some variance with state laws)• Potential for network security issues• Check your district’s policies.
Classroom Services and Apps: Two Approaches• Centralized Review
• District has a list of pre-approved classroom apps• Specific staff authorized to negotiate contracts• Contracts are ideally consistent• List of vendors available to parents (e.g. on website)
• De-centralized Review • Staff allowed to adopt apps useful in their classroom• District must provide guidance to all staff on data issues• District may require parent consent and/or opt-out options• District should still have central repository listing all deployed apps
Classroom Services and Apps: TOS Privacy Checklist*
• Age restrictions: do TOS specify under 13?• What data is collected?• Is student data shared with third parties?• Can provider change TOS without notice to users/district?• Can student data be used to advertise to students?• Is PII defined? (if so is it broad?)• Is use of “de-identified” data and metadata permitted?• Do TOS refer to compliance with all applicable US law?*Forum Guide to Education Data Privacy, National Forum on Education Statistics, July 7, 2016
Action Step 2: Review Vendor Contracts
Action Step 2: Review Vendor Contracts
• Data Collection • What data is collected?• Cookies? Geotags? Tracking pixels?• Why is it being collected?• Should articulate FERPA/PPRA/COPPA/IDEA implications
• Data Security and Data Stewardship• Who owns the data? (what FERPA exception are you using?)• What do you do in the event of a data breach?• Where is the data physically stored?• Process for destruction of old data (FIOA and IDEA issues here)
Action Step 2: Review Vendor Contracts (con’t)• Data Access
• School should always be able to access its own data• If vendor is a “school official” parents must be able to review
record/data within 45 days of a request • If the data is not an “education record” it might be a “public record”
subject to state FIOA requests • If data is considered a “trade secret” it may be an “asset”• What about metadata?
• Modification, Duration and Termination• How long will the agreement be in force? (PPRA has no sunset) • Mutual consent for modification (best practice, but not the norm)
Action Step 2: Review Vendor Contracts (con’t)
• Indemnification and Warranty• Vendor indemnification of the district is good• Be leery of school indemnification of vendor (and check state law) • FERPA and PPRA require school compliance, so clearly
shift/share responsibility to vendor• Remedy for breach of privacy provisions (including attorneys fees)• Check for mandatory arbitration and choice of law provisions
• Applicability to successors and assigns
Special Steps for “Click-Wrap” Licenses
• Policy issues • Print/Save TOS• Check Amendment Provisions
• If vendor is allowed to change unilaterally, school official FERPA exception is problematic given “direct control” requirement
• Consider parental consent as an alternative
Student Data – Vendor Questions
• What personal student data is being collected? Why?• Who has access to that information? Is it shared with a
third party or service provider?• How is data maintained and stored?• How long is it stored for?• If a product is free, how is the company making money?
“Student Privacy Pledge”Signatories pledge to• Not see student information• Not behaviorally target advertising• Not change privacy policies without notice and choice• Enforce strict limits and data retention• Support parental access to and correction of errors in their
children’s information• Provide comprehensive security standards• Be transparent about collection and use of data
GAFE• Standard Google Apps for Education (GAFE) agreement:
• “The School District "acknowledges and agrees that it is solely responsible for compliance with the Children's Online Privacy Protection Act of 1998, including but not limited to, obtaining parental consent concerning collection of students' personal information used in connection with the provision and use of the Services by the Customer and End Users.“
• Read it• Ask for indemnification
FTC’s 2015 Guidance • Schools can only consent to a website or app’s collection,
use or disclosure of personal information from students when the on-line programs are offered solely for the benefit of their students and for the school, and for no other commercial purpose.
• Any agreement between the website/app and the school must address the requirements of COPPA and make clear that the website or app will only use the data collected for permissible purposes
FTC’s 2015 Guidance
• School districts and not individual schools or teachers, should select apps/web services
• Parents should be provided with notice of what apps are being used and about what information is being collected
• No PII may be used for commercial purposes
Action Step 3: Train Staff and Third Parties
• All staff (including paraeducators) need to be trained on your district’s protocol on app usage and student data privacy
• E.g.s of third parties• State departments of ed• HHS• Volunteers• ESUs
US DOE’s Privacy Technical Assistance Center
CommonSense EdTech Product Privacy Evaluations
Action Step 4: Communicate with Parents
Action Step 4: Communicate with Parents
• Must provide annual notices to parents of:• FERPA rights (including to whom records/data is disclosed)• Directory Information • PPRA rights
• Consider student data collection on website• Links to relevant policies • Instructions on how to request review• List of apps used by district • Third party review of privacy provisions (e.g. CommonSense) • Contracts for major vendors
Resources• PTAC’s Protecting Student Privacy While Using Online
Educational Services: Requirements and Best Practices• PTAC’s Data Breach Checklist• Forum Guide to Education Data Privacy (2016)• Californian AG’s Recommendations for the Ed Tech
Industry to Protect the Privacy of Student Data (2016)• CommonSense EdTech Product Privacy Evaluations• FTC Rule on COPPA• FPCO guidance on PPRA
Other Resources
• The Data Quality Campaign has great resources for demonstrating the value of education data and how it is used to support decision-making. http://dataqualitycampaign.org/
• A Parent’s Guide to Student Data Privacy, created by ConnectSafely, Future of Privacy Forum and the PTA