Education Privacy PDF

Summary

This document, part of a chapter from a higher education course, discusses education privacy laws. It focuses on the Family Educational Rights and Privacy Act (FERPA), and its implications regarding student records and online activities.

Full Transcript

MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP CHAPTER 10 Education Privacy Although education in the U.S. has been governed largely at the state and local level, education records for institutions that receive federal funding have privacy and security protections under U.S. law. The logic is that grades, disciplinary actions, and other school information about a particular student deserve protection. This chapter discusses the Family Educational Rights and Privacy Act of 1974 (FERPA), the Protection of Pupil Rights Amendment of 1978 (PPRA), as amended, and the interaction between FERPA and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In addition to these federal laws, practitioners in this area should be careful to follow any state and local laws that apply. Next, this chapter discusses the issue of education technology (“ed tech”) companies, where details of students’ online activities can be collected when they use ed tech products. Advances in technology and online communications have dramatically changed the landscape of education in the U.S. In past generations, educators utilized textbooks, photocopies, and filmstrips to teach a classroom full of students. Today’s classrooms increasingly employ content personalized to each student; social media help students collaborate across classrooms; and online portals to allow students to access grades. The prevalence of ed tech increased dramatically during the COVID-19 pandemic, when many schools across the U.S. moved from in-person classroom learning to remote learning, for both K-12 schooling and universities. 1 As of the writing of this book, most learning has returned to in-person classroom learning, yet many schools have decided to maintain some level of ed tech to supplement traditional inperson classroom learning. This chapter concludes by examining cybersecurity requirements both K-12 schooling and universities. 10.1 The Family Educational Rights and Privacy Act FERPA is a federal statute that provides students with control over disclosure and access to their education records. 2 FERPA is often referred to as the Buckley Amendment, in reference to Senator James Buckley, who supported its enactment. 10.1.1 Overview of FERPA The statute generally prevents schools from divulging education record information, such as grades and behavior, to parties other than the student without that student’s consent. 3 FERPA includes major aspects of Fair Information Practice Principles (FIPPs), such as notice, consent, access and correction, security, and accountability. FERPA applies to all educational institutions that receive federal funding— both K-12 schooling and universities. 4 This type of federal funding exists for virtually all public and most private schools, especially at the university level. Specifically, the statute protects the rights of students by providing them with the right to: 1 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP Control the disclosure of their education records to others Review and seek amendment of their own education records Receive annual notice of their rights under FERPA File complaints with the U.S. Department of Education 5 10.1.2 Key Definitions in FERPA FERPA includes key definitions including: “student,” “education record,” “personally identifiable information (PII),” and “directory information.” 10.1.2.1 Student “Student” is defined as “any individual who is or has been in attendance at an educational agency or institution.” 6 Attendance is broadly defined to include individuals who are present on-campus as well as those who participate via the Internet. 7 The definition of student excludes those individuals who only applied to an educational institution, and even those students who were accepted by the educational institution but did not enroll. 8 10.1.2.2 Education Record “Education record” has a broad meaning. FERPA defines it to include all records that are directly related to the student and maintained by or on behalf of the K-12 school or university. This extends beyond grades and other academic records to include financial aid records, disciplinary records, and others related to the student. 9 With regard to the more technical aspects of the definition, FERPA defines “record” as “any information recorded in a way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.” 10 All electronic records and emails are covered by the term computer media. The term education record has several important exceptions. 11 The following records are not considered education records under FERPA: Campus police records created and maintained by campus police for law enforcement purposes 12 Employment records, when the employee is not a student at the university Applicant records of those who are not enrolled in the university Alumni records created by a K-12 school or university after the individual is no longer a student Grades on peer-graded papers, before they are collected and recorded by a faculty member or other university representative 13 Treatment records or health records, subject to several requirements 14 10.1.2.3 Personally Identifiable Information The Department of Education’s definition of PII is similar to other statutory definitions. 15 It includes, but is not limited to: The student’s name 2 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP The name of the student’s parent or other family members The student or student’s family’s address Personal identifiers such as the Social Security number or student number Other identifiers, such as date of birth and place of birth Other information that, alone or in combination, can be linked to a student and would allow the student to be identified with reasonable certainty Information requested by a person whom the school reasonably believes knows the identity of the student to which the education record is linked 16 Practitioners should be aware that FERPA’s definition of “personally identifiable information” can have overlap with types of information that can be covered by the definition of “directory information” (discussed in Section 10.1.2.4). Examples would include date of birth and place of birth. The distinctions of how “personally identifiable information” and “directory information” are handled, relevant to disclosures of education records, are discussed in Section 10.1.4. 10.1.2.4 Directory Information “Directory information” is broadly defined by FERPA to include information “that would not generally be considered harmful or an invasion of privacy if disclosed.” 17 FERPA does not designate specific information types as directory information for every educational institution; rather, it rather allows individual educational institutions to create their own definitions based on lists of examples provided in the statute and rules laid down by the Department of Education. 18 The examples include name, date and place of birth, address, email address, telephone number, field of study, and honors received. 19 Before an educational institution can declare information to be directory information and begin using it as such, the institution must provide students with an opportunity to opt out, or block, the release of their directory information. Students cannot use this opt-out to prevent the release of information that falls under a FERPA exception. 20 The regulations promulgated under FERPA specifically exclude the use of Social Security numbers or student identification numbers as directory information. An educational institution, however, may use student identification numbers as directory information if that number cannot be used to access education records without another factor known only by the authorized user. 21 Therefore, a K-12 school or university cannot use a student identification number as directory information if other information included in directory information combined with the student identification number would enable an unauthorized user to access the student’s records. 22 Practitioners should be aware that the treatment of “directory information” under FERPA is similar to its treatment under HIPAA. While both statutes require opt-in consent for the use of most personal information, directory information is treated differently—requiring the person to opt out if they do not want this category of information to be released. 23 10.1.3 Holder of the Rights under FERPA High schools as well as colleges and universities should remain alert to the complex interplay that exists regarding whether the parent or the student holds the rights related to FERPA. The rules regarding the holder of the rights under FERPA are distinct: when the student is enrolled in high 3 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP school, when the student is enrolled in a college or university, and with regard to the status of the student on their parent’s tax return. 10.1.3.1 Student Enrolled in High School While the student is enrolled in high school, the parent holds the rights under FERPA so long as the student is under the age of 18. When the student turns 18 years old, the rights transfer from the parent to the student. A student may sign a written consent form to grant their parents’ permission to view their education records. 10.1.3.2 Student Enrolled in a College or University For a student who is attending classes at a college or university while also attending high school, the rules regarding high school attendance apply. Once a student is only attending a college or university, the student is the holder of the FERPA rights—regardless of age. When the student holds the FERPA rights, the student may sign a written consent form to grant their parents’ permission to view their education records. 10.1.3.3 Status of the Student on Their Parents’ Tax Return Even after the rights under FERPA have transferred to the student, a school may disclose to the parents the educational records of the student—without the student’s consent—in the circumstance where the student is a dependent for tax purposes. 10.1.4 Disclosure of Education Records FERPA permits the disclosure of education records in numerous circumstances. One of these instances, when consent is provided by the holder of the FERPA rights, is discussed in detail. 10.1.4.1 Circumstances when Disclosure is Permitted Disclosure of education records is permitted only if one of the following conditions is met: The information is not “personally identifiable” The information is “directory information” whose release the student has not blocked Consent has been provided by the holder of the rights under FERPA The disclosure is made to the holder of the rights under FERPA 24 A statutory exception applies, such as for health or safety purposes 25 PII may still be disclosed if it is determined to be “directory information.” 26 Other than the exceptions noted above, nondirectory information, such as grade-point average (GPA), grades, or transcripts are not released without valid consent. 27 10.1.4.2 Consent Under FERPA Valid student consent to disclosure must be signed (by hand or electronically), dated and written. It must also identify: The record(s) to be disclosed The purpose of disclosure To whom the disclosure is being made 4 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP Under several statutory exceptions, a school is authorized to disclose PII from an education record without student consent. Educational institutions need meet only one exception for the disclosure to be valid. Schools, however, must use “reasonable methods” to verify the identity of the party to whom they disclose the information. Reasonable methods include PINs, passwords, personal security questions, smart cards and tokens, biometric indicators, and other factors known or possessed only by the user. 28 Exceptions to the FERPA consent requirements include the following: Disclosure to school officials who have determined a “legitimate educational interest” in the records. A legitimate educational interest exists if the record is relevant and necessary to the school official’s responsibilities. This group includes school employees and board members as well as third-party vendors (1) to whom the school outsources duties and (2) who are under the direct control of the school regarding use and maintenance of the record. 29 These third parties are not permitted to disclose record information to any other party without consent, and cannot use the record for any other purpose than for which the disclosure was made. 30 Disclosure to educational institutions in which a student seeks or intends to enroll, or is currently enrolled, when the disclosure is for a purpose related to the student’s enrollment or transfer. Disclosure in connection with financial aid that the student has received or for which the student will apply, when the purpose of the disclosure is to determine the student’s eligibility for aid or conditions to or amount of financial aid. Disclosure to organizations doing research studies for, or on behalf of, educational institutions for the purpose of developing predictive tests, administering student aid programs, or improving school instruction. Disclosure to accrediting organizations to fulfill accrediting duties. Disclosure to the alleged victim of a forcible or nonforcible sex offense. Disclosure of information related to sex offenders and others when the information is provided to the school under federal registration and disclosure requirements. Disclosure to a person or entity that is verified as the party that provided or created that record. For example, if a student transfers high schools, the second school can disclose a student’s transcript to the original school to verify its authenticity. Disclosure to law enforcement or otherwise to comply with a judicial order or subpoena. The school must make reasonable efforts to notify the student prior to the disclosure, unless it is a legal matter that orders nondisclosure. Disclosure to appropriate parties in connection with a “health or safety emergency,” if knowledge of this information is necessary to protect the health or safety of the student or others. The threat of harm must be “articulable and significant,” and the school can take the totality of the circumstances into account in making this determination. Information can be disclosed to any individual with the ability to assist in the situation—this includes parents, law enforcement, school officials, spouse or partner, and other educational institutions, among others. 31 5 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP A school is safe from federal scrutiny of its health and safety emergency determination as long as, based on the information available at the time, there is rational basis for the determination. In that case, the Department of Education will not question the determination. 10.1.5 Rights under FERPA Under the federal law, students have the right to access and review most education records and the right to correction in appropriate circumstances. 10.1.5.1 Right to Access and Review FERPA provides students with the right to access and review their education records. Once a student has issued a request, the educational institution must provide access to the records within 45 days of that request. 32 It also must respond to reasonable requests from students for explanations of the records. As with other disclosures to third parties, the educational institution must use reasonable measures to verify the identity of the student making the record request. There are several exceptions to the right of inspection. Students do not have the right to inspect the financial records of their parents, confidential letters of recommendation (if the student has waived the right to inspect those documents), treatment records, attorney-client privileged information, or records excluded from the definition of education records (such as law enforcement records). Also, when the request pertains to a record containing information about more than one student, the requesting students may access only the parts pertaining to themselves. 33 10.1.5.2 Right to Correction Students can request corrections to their education records if they believe the records to be inaccurate, misleading, or in violation of their privacy. 34 This access is intended to allow students to address incorrect records and is not for other purposes. If the request is granted, the records must be corrected within a reasonable time. If the request is denied, the student has a right to request a hearing, which must meet several requirements: The student must receive prior and reasonable notice of the time, place and date. It must be held within a reasonable time after the request is made. It must be conducted by a party without a direct interest in the outcome. The student must be afforded a “full and fair” opportunity to present their case, with or without assistance or representation. The decision must be based on the evidence presented at the hearing, delivered, in writing, within a reasonable amount of time after the hearing, and must contain a summary and explanation for the decision. If the hearing affirms the student’s request, the education record must be amended, and the student must be notified in writing; if the request is denied, however, the institution must notify the student of their right to place a written statement in the file about the contested record. The statement must then be maintained and disclosed with any release of the contested record. 10.1.6 Enforcement Parents or eligible students who believe their rights have been violated under FERPA can file formal complaints with the Department of Education. 35 The Family Policy Compliance Officer (FPCO) at the 6 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP Department of Education investigates complaints. If concerns are found, the FPCO typically provides technical assistance to the educational institution. Violations of FERPA can result in loss of federal funding for the educational institution. 36 FERPA does not provide a private right of action to parents and eligible students. 37 10.1.7 Preemption According to the Department of Education, FERPA was intended to establish “a minimum federal standard for record confidentiality and access.” FERPA does not preempt state law in this area. 38 10.1.8 State Laws In addition to protections at the federal level, student privacy is safeguarded at the state level. Multiple states have provisions in their constitutions or state laws that protect privacy generally, including in the education context. 39 Nearly all states have enacted at least one law specifically focused on student privacy. 40 In addition, the majority of states have enacted laws supplementing FERPA. 41 In response to recent concerns over the use of student data for targeted advertising, California enacted the first law in the country to prohibit this practice for non-educational purposes – the Student Online Personal Information Protection Act (SOPIPA). 42 California’s law became a template for other states around the country that have passed education privacy laws to address the practices of ed tech companies. 43 Privacy practitioners should be alert to the changing landscape in this area of privacy regulation. 44 10.2 FERPA and the Protection of Pupil Rights Amendment FERPA applies only to information stored in education records, defined above as information that (1) directly relates to a student and (2) is maintained by the educational institution or on behalf of the institution. All other general student information that falls outside this definition is not covered by FERPA’s consent and disclosure requirements. 45 This has traditionally allowed schools to sell student directory information to commercial entities such as banks or credit card companies unless a parent or student opts out. 46 Congress addressed specific concerns in FERPA by passing the Protection of Pupil Rights Amendment in 1978 and the No Child Left Behind Act in 2001. 10.2.1 Protection of Pupil Rights Amendment of 1978 Congress responded to concerns about the collection and disclosure of student information for commercial purposes by amending FERPA in 1978 with the Protection of Pupil Rights Amendment (PPRA). PPRA requirements apply to all K-12 schools that receive federal funding; the statute, however, does not apply to colleges and universities. PPRA provides certain rights to parents of minors with regard to the collection of sensitive information from students through surveys. These areas include: Political affiliations Mental and psychological problems potentially embarrassing to the student and their family 7 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP Sex behavior and attitudes Illegal, antisocial, self-incriminating, and demeaning behavior Critical appraisals of other individuals with whom respondents have close family relationships Legally recognized privileged or analogous relationships, such as those of lawyers, physicians and ministers Religious practices, affiliations or beliefs of the student or student’s parent Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program) 47 10.2.2 No Child Left Behind Act of 2001 The No Child Left Behind Act of 2001 broadened the PPRA to limit the collection and disclosure of student survey information. 48 The amended PPRA now requires schools to: Enact policies regarding the collection, disclosure or use of personal information about students for commercial purposes 49 Allow parents to access and inspect surveys and other commercial instruments before they are administered to students 50 Provide advance notice to parents about the approximate date when these activities are scheduled 51 Provide parents the right to opt out of surveys or other sharing of student information for commercial purposes 52 10.3 Individuals with Disabilities Education Act The Individuals with Disabilities Education Act (IDEA) is a federal law that ensures eligible students, who are age 3 to 21, receive a free appropriate public education (FAPE). 53 IDEA requires schools to provide special education services that are tailored to each eligible student through the student’s individualized education program (IEP). 54 IDEA provides parents or adult students with the right to inspect educational records, to request explanation of educational records, and to ask that educational records be amended. 55 The privacy and confidentiality of records for students receiving special education services are protected by IDEA as well as by FERPA (as described above). IDEA includes specific protections related to the records pertaining to the student’s disability as well as to the student’s IEP. Schools generally must inform parents or adult students when information related to special education services is no longer needed. Except for certain information that is needed for permanent education records, the school must destroy the information that is no longer needed upon the request of the parents or adult students. 56 8 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP Privacy practitioners should be alert that, in addition to FERPA and IDEA, the records of students with disabilities may be protected by additional federal laws such as the Rehabilitation Act of 1973 and the Americans with Disabilities Act of 1990. 57 10.4 FERPA and the HIPAA Privacy Rule Privacy protections for student medical records has been a concern of federal regulators for decades. FERPA became law in the United States in 1974. When HIPAA was enacted in 1996, one important question for the U.S. Department of Health and Human Services (HHS) to address in the Privacy Rule for HIPAA was whether schools would be covered. 58 Although initial drafts of the HIPAA Privacy Rule included schools, the final version of the rule exempted schools where educational records were already subject to the privacy regime of FERPA. 59 This means that the general rule is that health records are subject to FERPA—and not HIPAA— where a public elementary or secondary school provides a nurse for student health issues. 60 By contrast, FERPA does not apply to private elementary or secondary schools that do not receive federal funding. Health records maintained by one of these private schools are thus subject to the HIPAA Privacy Rule if the school qualifies as a “covered entity” under the federal law. 61 A university with a healthcare clinic that treats only students is generally subject to the confidentiality requirements of FERPA relating to the student’s health-care records. 62 Both FERPA and the HIPAA Privacy Rule typically apply to the college or university healthcare center that treats both students and nonstudents—such as faculty and staff. In this instance, FERPA applies to the student health records, and the HIPAA Privacy Rule applies to the nonstudent health records. 63 Practitioners in this area should be aware that there may be instances where it is challenging to determine whether FERPA, HIPAA or both apply. For example, there has been controversy over school-based healthcare centers that disclose health information to school officials when related to a lawsuit by the student (for instance, in regard to a rape on campus) that pertains to those health records. 64 Another example is the legal requirement for universities to share records within the institution and beyond its borders in an effort to prevent tragedies involving students with mental health issues. These fact settings may be difficult to navigate, particularly if the records include those from the high-school and the university as well as records from school healthcare providers and nonschool healthcare providers. 65 In these complex legal situations, it may be important to consult an attorney. 10.5 Education Technology Today’s classrooms increasingly employ content personalized to each student; social media help students collaborate across classrooms; and online portals allow students to access grades. The companies that provide the computer software, mobile applications (apps), and web-based tools to educators, students, and parents are often referred to as education technology (“ed tech”) companies. The impacts from the COVID-19 pandemic significantly increased the use of ed tech companies by both schools and universities in the U.S. During the pandemic, in-person classroom learning moved to remote learning that was provided through ed tech, often provided free to those in education settings. Students and parents alike became “instant experts” with ed tech that 9 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP enabled online hosting of teaching material for students, online posting of homework assignments, online communication between teachers and students, and online delivery of grades to students and parents. As of the writing of this book, most learning has returned to inperson classroom learning, yet many schools and universities have decided to maintain some level of ed tech to supplement traditional in-person classroom learning. Because ed tech focuses on ways to assist educators in providing content electronically, the privacy implications of ed tech will continue to increase in importance. 66 The activities of these ed tech companies are subject to the laws discussed in this chapter. Numerous practices of ed tech companies raise potential concerns, including surveillance of students across the Internet and collection of student data for advertising purposes. 67 10.5.1 FERPA and Ed Tech Ed tech was being utilized by schools prior to the COVID-19 pandemic. Google, for example, developed free Apps for Education—a suite of tools that included Gmail, Google Calendar, Google Docs, and Google Classroom. 68 In 2014, students in California who used Apps for Education sued Google, accusing the company of scanning millions of emails sent to and received by the students. 69 The Electronic Privacy Information Center (EPIC), a nongovernmental organization focused on civil liberties and privacy, asserted that Google’s practice violated FERPA and advocated for the Department of Education to investigate the company. 70 Soon after the lawsuit was filed, Google agreed to change its business practices to ensure that the information in the emails could not be used for commercial purposes. 71 During the time period when the lawsuit was pending against Google, the U.S. Department of Education issued guidelines to provide assistance in explaining how FERPA applied in the online arena. 72 This 2014 guidance instructs schools and universities to determine, on a case-by-case basis whether the ed tech companies that they partner with utilized FERPA-protected data. If so, the schools and universities are required to ensure that FERPA requirements are met. 73 In 2020, the U.S. Department of Education’s Student Privacy Policy Office provided resources related to the requirements for virtual learning – the 2014 guidance along with a framework for evaluating the terms of service of ed tech companies. 74 10.5.2 COPPA and Ed Tech In 2022, in response to concerns that students cannot attend class remotely or complete coursework online without being surveilled for commercial purposes, the FTC announced that it would concentrate its scrutiny of potentially illegal practices of ed tech companies through its COPPA enforcement. 75 The focus by the FTC includes the following areas: - Prohibiting Use for Commercial Purposes: COPPA strictly limits how companies that are covered by the law, including ed tech companies, use personal information that is obtained from children. COPPA prohibits ed tech companies from using this information for commercial purposes, such as advertising. 10 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP - Prohibiting Unreasonable Mandatory Collection: COPPA prohibits ed tech companies from requiring children to provide more information than is reasonably necessary for the child to participate in the activity. - Prohibiting Inappropriate Retention: COPPA prohibits ed tech companies from retaining personal information that is obtained from children for longer than reasonably necessary to fulfill the company’s purpose for which the data was obtained. - Requirements Related to Security: COPPA requires ed tech companies to have procedures related to the confidentiality, security, and integrity of children’s personal data. 76 10.5.3 Self-Regulation and Ed Tech Self-regulation has become a prominent source of privacy rules applied in the educational technology space. The Future of Privacy Forum and the Software and Information Industry Association created a student privacy pledge in 2014, with more than 400 signatories by 2020, including many leading educational technology providers. 77 The updated “Student Privacy Pledge 2020” involves specific provisions, including a prohibition on selling student personal information, a ban on using information collected in schools for behavioral targeting of advertisements to students, and a ban on building profiles of students for any purpose other than authorized educational purposes. 78 Violation of the pledge would make a company subject to enforcement as a deceptive trade practice under Section 5 of the Federal Trade Commission (FTC) Act. 79 10.6 Cybersecurity Requirements The education sector holds troves of sensitive data, such as grades, disciplinary actions, and other school information. Modern K-12 schools and universities make use of cloud computing and ed tech. This means that security lapse can pose significant threats to student privacy. 80 To address cybersecurity concerns, K-12 schools and universities have been encouraged to implement the relevant guidelines in the National Institute of Standards and Technology (NIST) Framework. 81 10.6.1 FERPA and Cybersecurity Under FERPA, schools are expected to take reasonable security measures to protect student records. It is worth noting that FERPA does not require specific security controls. 82 Although data breaches are not explicitly addressed in FERPA, such occurrences can lead to violations of FERPA. Data breaches can be investigated by the U.S. Department of Education. 83 10.6.2 Gramm-Leach-Bliley Act (GLBA) and Cybersecurity With regard to cybersecurity, the U.S. Department of Education has provided guidance to universities in possession of financial aid information to remind these institutions that they are covered by GLBA 84 as financial institutions. The GLBA Safeguards Rule, discussed in Chapter 9, requires financial institutions to take defined steps to ensure the security and confidentiality of student financial aid information, including maintaining an information security program, conducting risk assessments, and selecting service providers who can maintain appropriate safeguards. 85 11 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class. MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 10 – as of 03/04/2024 © IAPP 10.6.3 State Laws and Cybersecurity Numerous states have enacted laws with various approaches to cybersecurity requirements for education data. For example, California’s SOPIPA requires ed tech companies to ensure reasonable security measures for student data. New York’s Education Law 2-D mandates that school districts put in place cybersecurity policies that adhere to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. 86 Also, all 50 states have enacted data breach notification laws. 87 Privacy practitioners should be careful to determine if these laws include data breaches involving K-12 schools as well as universities. 88 10.7 Conclusion Because education has traditionally been regulated primarily at the state and local level in the U.S., privacy practitioners should be alert to state and local requirements focused on schools that relate to privacy and cybersecurity. In addition, schools may be covered by more general state protections – such as state constitutional provisions related to privacy, state comprehensive privacy laws 89 and state data breach notification laws. 90 U.S. law provides the major FIPPs related to education records that schools receiving federal funding must abide by. Such educational institutions therefore must examine their practices to ensure compliance with these relatively detailed rules. High schools as well as colleges and universities should remain alert to the complex interplay that exists regarding student and parent rights related to FERPA. High schools should be aware of the change in legal status that occurs when a student becomes an adult at the age of 18. At that point, the student is the person in control of rights connected to education records, including grades, rather than the parents. If a student has left high school and is attending only a college or university, the rights under FERPA are held by the student—regardless of the student’s age. 91 Even after the rights under FERPA have transferred to the student, however, a school may disclose to the parents the educational records of the student without the student’s consent, in the circumstance where the student is a dependent for tax purposes. 92 The impacts from the COVID-19 pandemic have significantly increased the use of education technology companies (“ed tech”) by both schools and universities in the U.S. Privacy professionals should be alert to continuing developments in the ed tech area because student online activities will continue to generate many new and detailed forms of student personal information. Because the education sector holds troves of sensitive data, such as grades, disciplinary actions, and other school information, privacy practitioners should pay attention to cybersecurity requirements for K-12 schooling as well as universities. 93 In the U.S., elementary schools and secondary schools are often referred to as kindergarten through 12th grade schools (“K-12 schools”). Postsecondary schools include colleges and universities. 2 20 U.S.C. § 1232g, https://www.law.cornell.edu/uscode/text/20/1232g (accessed November 2017). 3 20 U.S.C. § 1232g; 34 CFR 99, https://www.law.cornell.edu/cfr/text/34/part-99 (accessed November 2017). 4 20 U.S.C. § 1221, https://www.law.cornell.edu/uscode/text/20/1221 (accessed November 2017). 5 20 U.S.C. § 1232g, https://www.law.cornell.edu/uscode/text/20/1232g (accessed November 2017); see Mike Chapple, “Understanding FERPA: How K-12 Schools Can Update Their Data Privacy Approach,” EdTech 1 12 NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.