Student Data Transparency and Security Act: What You Need to Know


Student Data Transparency and Security Act: What You Need to Know (HB 16-1423) CALET 2017 Winter Conference

Agenda
- Overview & Breakdown
- Panel Q&A
- Table Top
- Next Steps
- Resources

Overview
- 2 Years in the Making
- Sponsors worked collaboratively with: CASE/CALET, Parents, Vendors
- Intent is to increase transparency and security of student personally identifiable information (PII)
- We all have a role:
  - State Board of Education
  - Colorado Department of Education (CDE)
  - Local Education Providers
  - Software Vendors

Overview
- Caplan & Earnest: Breakdown: Quick Reference Guide: https://goo.gl/NSgN48
- Similarities to FERPA
- Breakdown:
  - Definitions
  - Policy
  - Transparency
  - Contract Rules

Key Definitions
- "STUDENT PERSONALLY IDENTIFIABLE INFORMATION" means information that, alone or in combination, personally identifies a student or the student's parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on-demand provider.
- "SCHOOL SERVICE" means an internet website, online service, online application, or mobile application that:
  (I) is designed and marketed primarily for use in a preschool, elementary school, or secondary school;
  (II) is used at the direction of teachers or other employees of a local education provider; and
  (III) collects, maintains, or uses student personally identifiable information.
  Exception: Does not include a service provider that is designed and marketed for use by individuals or entities, even if also marketed to schools
- "CONTRACT PROVIDER" & "ON-DEMAND PROVIDER"
  [Diagram labels: District, School, Teacher]

Policy - State Board of Education Requirements
- Explain the types of student PII collected and create policies to protect the collected student PII
- Make available:
  - A data dictionary with definitions and purpose including PII that LEPs must report for state/federal mandates
  - Policies to comply with FERPA
  - All data sharing agreements
  - Detailed data security plan (including authorizing access, compliance standards, privacy and security audits, security breach procedures, PII retention, staff training)
  - Requirements on how and why student data is shared

Policy - CDE Requirements
- Develop a process for handling external data requests
- Must maintain on its website a list of all PII data agreements and associated contracts
- Cannot require LEP to provide PII, criminal records, health records, social security numbers, biometric info, political affiliations, or beliefs unless required by state/federal law
- Support and provide for LEPs:
  - Sample privacy and protection policy
  - Sample service provider contract language
  - Data retention and destruction procedures
  - Security breach planning
  - Security and privacy training materials and, upon request, training services

Policy - LEP BOE Requirements
- No later than 12/31/2017, must adopt policy for:
  - student information privacy & protection
  - hearing complaints from parents concerning the LEP's data policies
- If a contract provider “commits a material breach”, the BOE must hold a public meeting “within a reasonable time” to:
  - Discuss material breach
  - Allow response from contract provider
  - Allow for public testimony
  - Determine whether or not to continue with contract

Transparency - LEP Requirements
CONTRACT PROVIDERS:
- LEP must maintain on website:
  - Explanation of student PII data elements that the LEP collects and maintains
  - Link to CDE’s data dictionary
  - List of all service contract providers that the LEP contracts with and associated contract
ON-DEMAND PROVIDERS:
- Must maintain on website “to the extent practicable, a list of the school service on-demand providers”
- If the LEP has evidence of non-compliance with Terms of Service (ToS) or Act, the LEP is “strongly encouraged to cease or refuse to use”
- Must notify CDE and maintain on LEP website a list of on-demand providers with whom LEP ceases or refuses to do business

Transparency – Site Examples
- Fountain – Ft. Carson: http://www.ffc8.org/Page/2667
- Denver Public Schools: https://atm.dpsk12.org/

Transparency – Parent’s Rights
- Right to inspect and review student's PII
- Request a paper or electronic copy of student's PII
- Request corrections to factually inaccurate student PII that an LEP maintains
- Can notify the LEP and provide “evidence” of any “substantial” non-compliance with “Terms of Service (ToS)” or Act

Contract – LEPs & Contract Provider Requirements
New or renewed agreements with contract providers must include the Act's restrictions & requirements
Data Transparency
- Must provide clear information on what PII is collected and how it is used on website and to LEP
Use of Data
- Can only use student PII for purposes authorized by the contract
- Cannot sell PII
- Cannot use PII for targeted advertising
- Must notify LEPs of material breach
Data Destruction
- Must destroy student PII at the LEP's request or end of contract
Various exceptions are allowed, e.g. personalized learning, improving products, safety/security, etc.
Source: Caplan & Earnest, CASB, CDE

Timeline
Timeframe: Action
- Now: New or renewed agreements with contract providers must include the Act's restrictions & requirements
- 12/31/17: Must adopt policy, school service providers on website, educate staff
- 7/1/18: Small Rural districts get 6 additional months (CDE identifies “small rural” on geographic size of the district that enrolls fewer than 1,000 students K-12)

Panel Q&A
- Marcia Bohannon, Chief Information Officer, Colorado Department of Education
- Lawrence DeHerrera, Technology Administrator, Fountain-Fort Carson School District 8
- Sharyn Guhman, Denver Public Schools
- Jarred Masterson, Director of Technology, East Central BOCES

Table Top Discussion
- What steps have you taken in your district?
- Are you vetting the on-demand providers and how?
- Have you discussed with Cabinet, Legal & BOE?
- How can CALET be helpful?

Next Steps
- Data Privacy & Security Addendum with new and renewed District contracts
- Work with schools to:
  - Identify existing contract providers
  - Include District data privacy & security addendum
  - Change software procurement process
- Begin collecting contract provider’s contracts & PII
- Begin designing collection and review of on-demand providers
- Discuss with LEP Leadership, Legal, Administrators, etc.
- Work with CDE for policy, recommendations, and training

Resources
- THIS PRESENTATION: https://goo.gl/T4niXQ
- CoSN – Protecting Privacy Toolkit: https://goo.gl/Y40CnP
- DQC – Who Uses Student Data?: https://goo.gl/6ZnroJ
- Caplan & Earnest – Quick Reference Guide: https://goo.gl/NSgN48
- Caplan & Earnest – Data Protection Addendum: https://goo.gl/YXRKT9
- CDE Data Privacy & Security: https://goo.gl/8ytRlx
- Lewis Palmer - Infographic: https://goo.gl/qmHstH
- Lewis Palmer - Presentation: https://goo.gl/6527kr
- BVSD - Infographic: https://goo.gl/GjD5cg
- CASB: https://goo.gl/xwULXt
- Common Sense Media Education: https://goo.gl/2Ecr2K
- DoE - Privacy Technical Assistance Center: https://goo.gl/chhrfY