Protecting Student Data

Data breaches at schools can happen... … they can be avoided Schools will experience loss of goodwill with parents and the community, and incur significant media coverage if a data breach occurs. While incidents have been few, districts are authorized in most Acceptance Use Policy (AUP) to consider disciplinary action when a data breach occurs. Most breaches are caused by agency personnel. Data breaches can be avoided by training

Commitment to protecting student data The Kern County Data Warehouse Agreement states “[districts participating in KIDS] are committed to sharing and using student records all while maintaining data security, confidentiality, and privacy, and in compliance with laws and regulations for access, storage, management, and deletion of shared student records.”

Laws that protect student data FERPA: Family Educational Rights and Privacy Act FERPA is the federal law that protects the privacy of student education records. SOPIPA: Student Online Personal Information Protection Act SOPIPA ensures educators use student data for educational purposes and nothing else. CA Education Code 49073.1 This law protects the privacy of student records when an LEA enters a contract with a third party.

Complying with student data privacy laws Districts are required to impose security procedures by which unauthorized personnel cannot access data contained in the system. ...and Districts are required to secure confidential data from unauthorized disclosure.

Understanding the type of data you are responsible for protecting Personally Identifiable Information (PII) De-identified Information Personally identifiable information includes the student’s name, address, social security, date of birth, parent information, health records, grades, disciplinary records, and any information that can be linked to a specific student. Nothing prohibits aggregated de-identified data to be shared. Aggregated data prevents a student’s identity from being linked to a specific student. Can only be shared for legitimate educational interests, otherwise PII cannot be shared Can be shared with other appropriate school officials

When sharing personally identifiable student information, ask yourself…. Can this information personally identify a specific student? Is there a legitimate educational reason for sharing the information? Is there an unauthorized person around who can hear the information? Can an unauthorized person get hold of this information? Is this information being shared to the internet? Are you using a personal device to view and/or communicate student information? If you can answer “yes” to any of these questions, you are at risk of a

Types of Data Scenarios Type of Data Shared Was it OK to share? A general education teacher and a special education teacher are discussing the academic progress of a student with special needs around teachers who do not share the student. Personally identifiable information - academic information Other individuals, who do not share the student, cannot be present while PII is discussed. No. How can a data breach be prevented? The general ed. and special ed. teachers discuss the information without other individuals present. A teacher displays on the board the class roster with the final quarter grades of all students. Personally identifiable information - grades Student should not be able to see the grades of other students in the class besides their own. No. How can a data breach be prevented? Each student receives their individual grade.

Types of Data Scenarios Type of Data Shared Was it OK to share? During a PLC, teachers are discussing grade level assessment results by student group. A teacher shares out the following information: 85% of all students met Standard A 70% of English Learners met Standard A 65% of Students with Disabilities met Standard A Aggregated information - assessment results by student group Yes. By reporting student group information, a single student was not identified. A principal is meeting with the attendance clerks in her office. The principal pulls up a list of chronically absent students. The door to the office is closed, but the office has windows facing a student walkway, and the computer screen is clearly visible. Personally identifiable information - attendance information No. Anyone walking who looks inside the principal’s office can see the information. How can a data breach be prevented? Face the monitors away from the windows and/or place a privacy screen on your monitor.

Best practices for protecting student information Make every effort to prevent unauthorized people from viewing your screen while you are accessing student information. Be aware of those around you when discussing personally identifiable information regarding students. Avoid writing down username and password information where an unauthorized person can get ahold of the information When training or creating presentations, use demo data for screenshots. If you must use live data, make sure to obscure the student information using a graphical editing tool (such as a blurring tool) Ensure that you successfully log out of KIDS and/or computer before leaving your computer unattended Secure digital documents using password protected folders and secure paper documents in locked cabinets

Things to Avoid To avoid violating student data privacy laws, DON’T leave student data lying around DON’T send any personally identifiable information via email DON’T publicly post students’ personal information online DON’T display or post students’ grades in the classroom that includes names or student IDs DON’T discuss student records with others unless they have legitimate educational interest in the information DON’T share your login username and password with others

Golden Rule for Protecting Student Data Treat others’ personally identifiable information as if it is your own.

Title Insert