Education data collection, security and use: Why and how ...file/Ed… · Information Security...
Transcript of Education data collection, security and use: Why and how ...file/Ed… · Information Security...
![Page 1: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/1.jpg)
Study Session State Board of Education
Education data collection, security and use: Why and how student data is different in the age of the cloud.
February 12, 2014
![Page 2: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/2.jpg)
“Privacy and Cloud Computing in Public Schools”
“As public schools in the United States rapidly adopt cloud-computing services to fulfill their educational objectives, and transfer increasing quantities of student information to third-party providers, privacy issues become more salient and contentious. “
Center for Law and Information Policy (CLIP) Fordham University December, 2013
![Page 3: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/3.jpg)
Context for the presentation Current CDE practices and procedures Current Colorado law CDE policies Policy ideas from other states Next steps Discussion
Overview
3
![Page 4: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/4.jpg)
Monitor student progress and diagnose needs Inform/improve instruction School safety Educator effectiveness Program evaluation District and school accountability
Why do we collect student and educator data?
4
![Page 5: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/5.jpg)
WHAT student information is collected by the state? WHY is it collected? HOW is it used and safeguarded? WHERE is it kept and for how long? WHO has access?
Current State: State-Level Student Data Collection
and Protection
5
![Page 6: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/6.jpg)
Applies to CDE, schools, and local educational agencies that receive grant funds from the U.S. Dept. of Education Provides parents rights to inspect and challenge the contents
of their children’s education records Prohibits schools and local educational agencies from
disclosing students’ education records without written parental consent Prohibits disclosure of personally identifiable information in
students’ education records unless an exception permits disclosure Sharing aggregate student data that cannot be traced to
individual students is permissible
Family Educational Rights and Privacy Act (FERPA): Summary
6
![Page 7: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/7.jpg)
Conditions where prior consent is not required to disclose personally identifiable information – when the disclosure is: To other school officials Under certain circumstances, an educational institution may disclose to
a contractor or consultant To officials of another school, school system, or institution of
postsecondary education where the student seeks to enroll To state and local educational authorities, under some circumstances To organizations conducting studies on behalf of educational agencies or
institutions In connection with a health or safety emergency Under other very specific circumstances where disclosure may be
required
FERPA: Summary
7
![Page 8: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/8.jpg)
Office of Information Technology: Information Security Plans, § 24-37.5-
404, C.R.S. Each public agency shall develop an
information security plan The information security plan shall include: Assessments of risk A process for providing adequate information security Security awareness training Periodic evaluation of the effectiveness of information
security A process for detecting, reporting, and responding to
security incidents
![Page 9: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/9.jpg)
Each school year the department shall calculate adequate longitudinal academic growth for each student for that school year in each subject that is included in the statewide assessments. § 22-11-203, C.R.S. The department must ensure that the state data reporting system is
capable of protecting the privacy of students. § 22-11-501, C.R.S. The state board may promulgate additional rules as it finds
necessary, including rules establishing a numbering system to uniquely identify individual students. § 22-11-104, C.R.S. Data Pipeline, which moves required education information from
school districts to the CDE, assigns each student a unique student ID that stays with the student throughout her public school career.
Student Longitudinal Data
9
![Page 10: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/10.jpg)
Exchange of Student Records, § 23-1-119.3, C.R.S.
The department of higher education and the department of education shall: Establish a procedure that allows for the direct, electronic exchange of
student unit record data for students enrolled in Colorado public high schools. Identify the student data relevant to high school students’ transitions to
the postsecondary system that will be shared. Collect student authorization for the transfer of data.
Data may be used to provide students with relevant information concerning the transition from high school to higher education public institutions. Data may be used in the admission of eligible students to higher education
public institutions.
![Page 11: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/11.jpg)
School District Protection of Student Data, § 22-1-123, C.R.S.
A school district shall not release the education records of a student to any person, agency, or organization without the prior written consent of the parent or legal guardian of the student, except as provided for by FERPA.
A school district shall not release directory information to any
person, agency, or organization without complying with the FERPA requirement of allowing parents to prohibit release without prior consent.
![Page 12: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/12.jpg)
School District Protection of Student Data, § 22-1-123, C.R.S.
Prior written consent from a student’s parent or legal guardian must be obtained before giving a student any survey intended to gather information concerning the student or the student’s parent's or legal guardian's: Political affiliations Illegal, anti-social, self-incriminating, or demeaning behavior Income, except as required by law Social security number Other specific information
The state does not collect this information. The state only collects aggregate data.
![Page 13: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/13.jpg)
School District Protection of Student Data, § 22-1-123, C.R.S.
District forms for obtaining parent consent to release personally identifiable information concerning the parent’s or legal guardian’s child’s education records must specify: Specific records to be released Specific reasons for such release Identity of the person or entity requesting the information Intended use of the information Method by which the records will be released The right to review and receive a copy of the records to be released
![Page 14: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/14.jpg)
When an entity owns computerized data that includes personal information becomes aware of a security system breach, they must conduct a prompt good faith investigation to determine the likelihood that personal information has been or will be misused. Once the breach is discovered, notice must be provided
without unreasonable delay unless a law enforcement agency determines it will impede a criminal investigation.
Notification of Security Breach, § 6-1-716, C.R.S.
14
![Page 15: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/15.jpg)
Intended to improve the collection of data by streamlining the submission and reporting of data from school districts to the CDE to the federal government Creation of data dictionary, which defines the data elements
the department collects and the methods by which the department collects the data through the single statewide data collection system Legislative mandate that the state board must review the rules
for implementing FERPA and adopt an interpretation of FERPA that will facilitate the exchange and sharing of student information to the greatest extent possible in compliance with FERPA
Data Reporting and Technology Act, §§ 22-2-301 - 308, C.R.S.
15
![Page 16: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/16.jpg)
Maintaining and Training on Policies Continual monitoring New employees and targeted data users Internal Use of Data Limited access Data Management Committee Breaches in Security Concerns immediately reported Consequences
Overview of CDE Student Information Security and Privacy Policy (1/3)
16
![Page 17: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/17.jpg)
Disclosure of Educator Data Reasons for collection Protections in place
Disclosure of De-Identified Student Data Institutional Review Board
Disclosure of Personally Identifiable Student Data Use by school officials for legitimate educational purpose Student transfer and enrollment Educational studies Audits or compliance activities
Overview of CDE Student Information Security and Privacy Policy (2/3)
17
![Page 18: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/18.jpg)
Data Sharing Agreements FERPA requirements Additional CDE policies Monitoring and Enforcement of Agreements Third-party data security and data stewardship plans Audits Reviews prior to publication Consequences for failure to comply
Overview of CDE Student Information Security and Privacy Policy (3/3)
18
![Page 19: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/19.jpg)
Creation of Data Index Maintaining, Training and Enforcement of Policies Disclosure of Student Data Data Sharing Agreements Parent Notification and Access to Student Records
Overview of District Guidance on Information Security and Privacy Policies
19
![Page 20: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/20.jpg)
Transparency Oklahoma; Maryland Restrictions on Data Collections Nebraska Protection of Data Oklahoma; Massachusetts Parent Role
New York; Arizona
Activity in Other States
20
![Page 21: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/21.jpg)
WHAT student information is collected by the state (districts)? Feasible and secure ways for parents to review and edit their students’
data WHY is it collected? Impact of parental opt-out on data collection and utility for informing
instruction and “program” evaluation HOW is it used and safeguarded? Agreements with data users and vendor contracts
WHERE is it kept and for how long? Observation-based assessments that involve video recordings of student
behavior WHO has access? Agreements with data users and vendor contracts
Emerging Issues: State-Level Student Data Collection and Protection
21
![Page 22: Education data collection, security and use: Why and how ...file/Ed… · Information Security Plans, § 24-37.5-404, C.R.S. Each public agency shall develop an information security](https://reader035.fdocuments.net/reader035/viewer/2022070714/5ed4fa4f8418162b2d0a4788/html5/thumbnails/22.jpg)
Next Steps
Finalize guidance to LEA’s Develop a resource bank of best practices
Educate CDE staff on data security processes and procedures Work with the legislature to: Consolidate current legislative requirements for educator data
collection and security Strengthen existing safeguards for student and educator data
Stay abreast of new developments in regard to data security