Student Data Protection Act Advances in technology and our ability to use student data. to inform instruction and practice have created both unprecedented opportunities and unique challenges for educator. It response to this the State Legislature passed a Student Data Protection Act in 2016 which takes effective this school year. Passed 2016 Effective 2017
STUDENT DATA PROTECTION ACT Adopt policies Designate student data manager Create Student Data Governance Plan and Meta Data Dictionary Prepare and distribute Student Data Disclosure Statement The new state law requires the District to adopt policies to protect student data; designate a student data manager; create a student data governance plan and meta data dictionary; and prepare and distribute student data disclosure statement. We have been working to implement these steps. This presentation will explain how we do that.
Adopt policies to protect student data STUDENT DATA PROTECTION ACT Adopt policies to protect student data To the first requirement; adopt policies to protect student data. Protecting student’s personal information that the District collects and uses to administer its education program is not a new idea.
OTHER PRIVACY LAWS Children’s Internet Protection Act (CIPA) Children’s Online Privacy Protection Act (COPPA) Family Educational Rights and Privacy Act (FERPA) Protection of Pupil Rights Amendment (PPRA) Utah Family Educational Rights and Privacy Act There are many federal and state laws protecting student information. Utah Administrative Code R277-484 Data Standards Military Recruiters - ESEA Uninterrupted Scholars Act
District Policies/Procedures 7SS-001 Information Systems Security Information Systems Security Standards and Procedures Acceptable Use Agreements 7SS-003 Technology Resources and Internet Safety Internet/Intranet Publishing Guidelines Social Media Guidelines 11IR-110 Family Educational Rights and Privacy (FERPA) In response to these laws the District has many policies and procedures already in place. Model Letter of Permission (Classroom, Sex Education, Counseling Directory Information Notice
Designate a student data manager STUDENT DATA PROTECTION ACT Designate a student data manager Designate a student data manager to authorize and manage the sharing, outside of the District, of personally identifiable student data from a cumulative record maintained by the District and to act as the primary local point of contact for the state student data officer
Bryce Barth Assessment Department Bryce
STUDENT DATA PROTECTION ACT Create and maintain a Student Data Governance Plan and a metadata dictionary Create and maintain a Student Data Governance Plan and a metadata dictionary. We have created a Student Data Privacy webpage. The Student Data Governance Plan: contains a statement on each of the elements required in the law; glossary of terms; provides a listing of privacy laws (both federal and state); In an effort to make readily available to students, parents, and employees about our policies and practices relating to student privacy protection; we have gathered all policies and procedures (shown in the earlier slide) that the District already has in place addressing protection and use of student information by listing them and providing a link from the website to these documents. Metadata Dictionary: IT Security Plan: website
Third Party Providers Review Procedures Evaluating and approving services School official vs directory information With the review of our practices. We found an area that we would like to focus on. Establishing a district-wide procedure for evaluating and approving online education services prior to implementation. In cases where providers need PII from students’ education records in order to deliver the agreed-upon services. A District employee may not enter into an agreement without approval of the student data manager. This is true not only for formal contracts, but also for consumer-oriented “Click-Wrap” software that is acquired simply by clicking “accept” to the provider’s terms of service or TOS. With Click-Wrap agreements, the act of clicking a button to accept the TOS services to enter the provider the end-user (in this case, the school or district) into a contractual relationship akin to signing a contract. What is required by student privacy laws if PII from students’ education records is disclosed to a provider? Subject to exceptions, the general rules is that a school or district cannot disclose PII from education records to a provider unless the school or district has first obtained written consent from the parents. Accordingly, schools and districts must either obtain consent, or ensure that the arrangement with the provider meets one of FERPA’s exceptions to the written consent requirement. While disclosures of PII to create user accounts or to set up individual student profiles may be accompanied under the directory information exception, more frequently this type of disclosure will be made under FERPA’s school official exception. Examples of directory information include student name, address, phone number, date and place of birth. To disclose student information under this exception, specifically identify directory information in the school’s public notice and give parent’s the right to opt out of disclosure under this exception, thereby precluding the sharing of information about those student with providers. Given the number of parents who elect to opt out of directory information, this exception may not be feasible for disclosing PII from education records to providers to create student accounts or profiles. The school official exception is more likely to apply to use of online educational services. Under the school exception, schools and districts may disclose PII from student’s education records to a provider as long as the provider has: been determined to meet the criteria set forth in the school’s or district’s annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records; satisfies the direct control requirement by restricting the provider from using the PII for unauthorized purposes. MOU vs TOS
Memorandum of Understanding Share Students’ PII Internal Request Memorandum of Understanding Share Students’ PII MOU When a school or District department would like to use a third party provider for the purpose of providing education services the school/department shall fill out a District Internal Request to Share Student’s Personally Identifiable Information to a Third Party Provider describing the parties involved; the purpose of the education service; what student PII will be shared; and how student PII will be used. Along with a signature of principal/director indicating that he/she has reviewed what this educational product or service being provided; has evaluated the benefit of its use and the risk of harm associated with each student data element potentially being shared; and agrees that the benefit of the education product or service outweighs the risk associated with sharing identified student data elements with the third party vendor. This internal request need to be given the Bryce Barth who will initiate an MOU outlining parties’ responsibilities regarding the protection of students’ PII to be signed by the provided and the District-- prior to released any students’ PII.
What about TOS Agreements? Many providers of online educational services and mobile applications relay on a Terms of Service agreement that requires a user to click to accept the agreement in order to access the service or application for the first time. Depending on the content, TOS agreements, commonly referred to as Click-Wrap agreements, may lead to violations student privacy laws. When a school or District employee would like to use an online educational service or mobile application to provide education services that replays on a TOS, and the school or District would need to provide students’ PII to the service or application. The following procedure shall be followed prior to sharing any student PII. This includes free applications or services.
read Before you CLICK use sharing security destruction website Read the Terms of Service. The act of clicking a button to accept the TOS services enters the provider and the end-user (in this case, the school or district) into a contractual relationship akin to signing a contract. You need to understand commonly used provisions to evaluate whether to consent to a Click-Wrap or other TOS agreement for online educational services and mobile applications. Data use is only for the purpose of fulfilling its duties and providing services under the agreement; will not be used to advertise or market to students or their parent; will not sell or transfer data to another party; security statement that provider will store and process data in accordance with industry best practices and notify school/district in the event of a security or privacy incident; must ensure that all data in providers possession will be destroyed or transferred to the school/district when the data are no longer needed for their specified purpose; provider will not change how data are collected, used or shared without notice and consent of the District. We have provided more detailed information on what to look for and an explanation of why a provision should be included in a TOS. Explanation provides context to help you interpret the rationale behind the provisions. website
read print form approve Before you CLICK PRINT If the agreement generally complies with these provisions, print the agreement and proceed to next step. If the agreement does not provide the appropriate protections, look for another service or application that will provide necessary protection of students’ PII FORM Complete an Internal Request TOS Agreement form similar to the MOU request form. APPROVE Submit the form and printed agreement to the student data manager. approve
Prepare & distribute a student data disclosure statement STUDENT DATA PROTECTION ACT Prepare & distribute a student data disclosure statement Prepare and distribute to parents and students a student data disclosure statement that is a prominent, stand-alone document; is annually updated and published on the District website. This document will be pushed out from the District level in the same manner as the Acceptable Use Agreement. We will be adding this next school year.
STUDENT DATA THE DISTRICT COLLECTS Student data includes: name; date of birth; sex; parent contact information; custodial parent information; contact information; a student identification number; local, state, and national assessment results or an exception from taking a local state, or national assessment; courses taken and completed, credit earned, and other transcript information; course grades and grade point average; grade level and expected graduation date or graduation cohort; degree, diploma credential attainment, and other school exit information; attendance and mobility; drop-out date; immunization record or an exception from an immunization record; race; ethnicity; tribal affiliation; remediation efforts; an exception from a vision screening or information collected from a vision screening; information related to the Utah Registry of Autism and Developmental Disabilities; student injury information; a cumulative disciplinary record; information that is related to an Individual Education Plan or needed to provide special needs services; and information that is required for a student to participate in a federal or other education-related program. STUDENT DATA THE DISTRICT COLLECTS The District does not collect a student’s social security number, biometric records, or criminal records. States the student data the District collects; States the student data that the District may not or will not collect.
The District uses student data that it collects to inform educational decisions about the student to improve student outcomes. The District has established a metadata dictionary that shows clear ownership and stewardship of each data element being collected and how we use it. USE OF STUDENT DATA States how student data is used
SHARING OF STUDENT DATA The District may not share a student’s personally identifiable student data if the personally identifiable student data is not shared in accordance with the Family Educational Rights and Privacy Act and the Utah Student Data Protection Act. De-identified data, aggregate data, or anonymized data that could not be used to identify a particular student is not considered personally identifiable and may be released without consent or authorization. States how student data may be shared
PROTECTING STUDENT DATA The District maintains an Information Technology security program that is updated at least annually. The program consists of annual security training, third-party risk assessments, security testing, and audits. District systems are updated regularly to prevent unauthorized access to our systems. The District maintains a variety of agency policies that address data and information privacy which are intended to secure all media containing sensitive or confidential data. States how student data is protected
REQUIRED STATEMENT And includes the following statement - The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly. The document will be posted on the website and pushed out to parents from the District level in the same manner as the Acceptable Use Agreement. The collection, use, and sharing of student data has both benefits and risks. Parents and students should learn about these benefits and risks and make choices regarding student data accordingly.
SB102 Utah Student Privacy Act This bill enacted in 2017 provides provisions regarding access to education records. Requires a public school to make a list of individuals who are authorized to access education records; requires training on student privacy laws; and requires individual who are authorized to access education records to acknowledge they have completed the required training and understand student privacy requirement. train - list - acknowledge
Encore Document Signing
Encore Document Signing Privacy of Student Information
Encore Document Signing Privacy of Student Information Acknowledge
Encore Document Signing Privacy of Student Information Acknowledge List
TRAINING