Monday, October 26, 2015

NASBE15 Pre-Conference :: Student Data Privacy :: Wednesday, October 21, 2015 :: 1:00 PM*

Pre-test: Can you identify what the following acronyms stand for?

  • SOPIPA
  • PII
  • SBEs
  • FERPA
  • COPPA
  • PI
  • PPRA
  • SEAs
  • PTAC

Presenters
State Law and Policy Trends:
Rachel Anderson, Senior Associate, Policy and Advocacy, Data Quality Campaign
Amelia Vance, Director of Education Data & Technology, NASBE

Common Pitfalls of Contracting with Education Technology Providers:
Michael Hawes, Statistical Privacy Advisor, US Department of Education

Security 101:
Jim Siegl, Technology Architect, Fairfax County Public Schools

Overcoming Policy Hurdles to Help Kids Succeed:
Elizabeth Laird, Lousiana Deartment of Education

Federal Data Privacy Legislation Panel:
Reg Leichty, Moderator, Founding Partner, Foresight Law + Policy
Jon Bernstein, President, Bernstein Strategy Group
Paige Kowalski, Vice-President of Policy and Advocacy, Data Quality Campaign
Kobie Pruitt, Education Policy Manager, The Future of Privacy Forum
Mark Schneiderman, Vice President for Government Affairs, School Messenger
Elana Zeide, Privacy Research Fellow, NYU Information Law Institute

State Boards of Education (SBEs) have some authority over education data privacy (Here's what's posted on MA/DESE website - remind me to follow up on any further BESE authority).

School as we know it is changing:
  • Technology and information needs are evolving faster than policies.
  • There's a lack of communication with parents and the public about the value of educational data.
  • Talking about privacy can be challenging.
  • How do we address the personal nature of privacy?
Since September 2015, 187 Bills on student data privacy have been introduced in 47 states; legislative themes include:


Thirty-three states have passed student data privacy laws since 2013. Laws prior to 2014 gave State Education Agencies (SEAs) and SBEs^ authority to:
  • Rule-making
  • Override authority
  • Adopt & implement privacy policies
  • Provide a public data inventory
  • Appoint Chief Privacy Officer
  • Review potential new data elements to be collected/linked/shared
  • Ensure role based access to data
  • Notify parents of rights
  • Create a data security review team
  • Provide oversight of vendor contracts
[^ Again - noted for follow-up with DESE]

Rachel Anderson:
  • One thing Congress doesn't do is work from scratch
    • Congress is attempting to use/update FERPA for student data privacy issues - - it's complex because the law was written in 1974 and it has a hard time fitting into today's educational context:
      • 1974 student "educational records" could be locked in filing cabinet with a key...that's out of touch with 2015
      • There's no "educational record" now, there is "student data"

Jim Siegl:
  • There's a trade-off between what's useful and convenient for teachers in the classroom and a rigid system for "protection"
  • Biggest risks to security are the mistakes made by people with access to data in systems every day (as opposed to "data breaches")
    • How is your district handling educator training of day-to-day data?
    • Ongoing staff training is a must - anyone handling student data should be trained in
      • how to use data, and
      • how to protect data

Elizabeth Laird:
  • Welcome to Privacy-pa-looza!
  • Louisiana schools struggle with strict privacy law
  • Louisiana is the only state with criminal penalties
  • Time for a longitudinal data system
  • Lousiana's plan to protect student privacy

Take-aways on student data privacy:
  • SBEs have been collecting student/school data for 100 years
  • Technology and data can sound abstract
    • the philosophy of "protection of data" at the intersection of "education" makes it a challenging issue
  • Need to consider state and federal interaction
    • How to consider investing scarce public resources to student data privacy?
  • What is the appropriate federal role?
    • The "role of consent" in some of the federal bills is an "over-correction" > > > must strike a balance between "privacy" and data's "value"
    • The potential for over-reach; must consider the role of technology in education and the consequence of passing draconian legislation, lest it become too burdensome for educators
  • Still...laws are not enough - we need leadership from the education community to build trust and best practices.

Suggested foundational elements of a state data privacy and security policy to include:
  • Statement of the policy/law's purposes - - To include talking about both the VALUE of educational data and the importance of PROTECTING that data)
  • Select the person/s in charge - - Who will answer people's questions? Who creates policy and guidance? Who enforces the state's laws?
  • Transparency plan - - In the absence of being transparent...anything that can be said will be said...SBEs haven't been good at communicating the VALUE of educational data and the importance of PROTECTING that data. It can (and should) be simple.
    • Explain the "who, what, where, why, and when" of data collection.
    • Make the data easy to find and understand.
    • Give details for those who want to read them.
  • Limiting vendor use of data - - Limit data use for non-educational purposes. Check contract provisions for data use and storage. Define who has signing authority on contracts. Beware of "click-wrap" agreements.
  • Statewide data privacy & security plan - - Have a comprehensive plan to address privacy, and also address administrative, physical, and technical safeguards. Ongoing staff training and methods of encryption.
  • Ongoing staff training - - Anyone who handles student data should be trained in: How to use data and how to protect data

Pre-test answers:
  • SOPIPA: Student Online Personal Information Protection Act. A California law, the first state law to comprehensively address student privacy. Effective January 1, 2016
  • PII: Personally Identifiable Information
  • SBEs: State Boards of Education
  • FERPA: Family Educational Rights and Privacy Act (of 1974!) A federal law designed to protect the privacy of student "educational records". Established the rights of students to inspect and review their educational records.
  • COPPA: Children's Online Privacy Protection Act - a federal law designed to protect the privacy of children under the age of 13
  • PI: Personal Information
  • PPRA: Protection of Pupil Rights Amendment. A federal law that affords certain rights to parents of minor students with regard to surveys that ask questions of a personal nature.
  • SEAs: State Education Agencies
* I found the presentations and panel discussion to be an excellent complement to the morning visit to Halstead Academy.

- - -
Materials from the Session available online:





Parsing Student Privacy: Creating a Parent-Focused Framework for Conversation




Student Privacy Pledge (with statements from NSBA, CCSSO, Software & Information Industry Association (SIIA), National PTA, more)