National Consortium on Deaf-Blindness 2.0
Privacy and Security Considerations for Projects Using Web 2.0
Web 2.0 technologies are becoming an increasingly important part of education and technical assistance. Video, for example, is a powerful tool for demonstration, reflection, evaluation, and improvement of teaching skills. Wikis, blogs, Nings, and other social media offer the potential to increase a project’s reach to its core constituencies. NCDB has encouraged Deaf-Blind projects to avail themselves of Web 2.0 tools when delivering technical assistance.

Web 2.0 offers powerful tools for educators and TA providers. These tools must be used with prudence, however. Any time projects collect, aggregate, store and/or share data on students, they must make certain that they are doing their best to protect the rights of students, parents, and guardians. Knowledge of pertinent laws and regulations, awareness of state and organizational policies, and exercising good judgment can help projects keep data from being misused in the context of Web 2.0 environments.

This brief is in no way intended to provide legal advice, but rather is intended to increase state Deaf-Blind projects’ awareness of basic definitions and to suggest best practices related to collecting and keeping information and data about children safe in web-based environments. In particular, this brief will provide considerations for projects using Web 2.0 as part of distance mentorship or consultation.

U.S. Department of Education Efforts
The U.S. Department of Education (USDOE) has undertaken extensive efforts to inform educational agencies about their responsibilities to protect student privacy. Recently, the USDOE released a brief called “Safeguarding Student Privacy”: http://www2.ed.gov/policy/gen/guid/fpco/ferpa/safeguarding-student-privacy.pdf. This brief states, in part, “Students and their parents should expect that their personal information is safe, properly collected and maintained and that it is imperative to protect students’ privacy to avoid discrimination, identity theft or other malicious and damaging criminal acts.”

The Privacy Technical Assistance Center
The USDOE has established a Privacy Technical Assistance Center (PTAC), www.ed.gov/ptac, to serve as a “one stop” center for information regarding privacy and confidentiality. PTAC has released a very informative brief called “Frequently Asked Questions-Cloud Computing”. This document answers common questions related to privacy and cloud computing. While the intended audience for this brief is State Education Agencies and others who work with longitudinal data systems, the information contained in the brief can be helpful for state Deaf-Blind projects.

FERPA
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Terms Defined: (from the SDS Technical Brief; IES National Center for Education Statistics; Nov. 2010, Brief 1; NCES2-11-601).

◊ Personally Identifiable Information
The term ‘personally identifiable information’ refers to information that can be used to distinguish or trace an individual’s identity, such as their name, Social Security Number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. Personally identifiable information, as defined in FERPA, includes, but is not limited to:
1. The student’s name;
2. The name of the student’s parent or other family members;
3. The address of the student or student’s family;
4. A personal identifier, such as the student’s Social Security Number, student number, or biometric record;
5. Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty;
7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. (34 CFR § 99.3)

◊ Privacy
“The concept of privacy relates to individual autonomy and each person’s control over their own information (Report of the National Academy of Science 1993 Panel Report Private Lives and Public Policies, p. 3). This includes each person’s right to decide when and whether to share personal information, how much information to share, and the circumstances under which that information can be shared (Report of the National Academy of Science 1993 Panel Report Private Lives and Public Policies, p. 22).”

◊ Confidentiality
“Confidentiality relates to the management of another individual’s personally identifiable information.”

◊ Disclosure
“There are three types of disclosure—authorized, unauthorized, and inadvertent. FERPA authorizes or permits specific users and uses of personally identifiable information in student education records without the written consent of the parent or eligible student. An unauthorized disclosure occurs when personally identifiable information from a student’s education record is made available to a third party who does not have legal authority to access the information. An inadvertent disclosure occurs when information about an individual is unintentionally revealed through information released to the public.”

School Confidentiality Agreements
Many schools require their employees to sign a confidentiality agreement. Employees under these agreements agree to use confidential information related to students only when pertinent to fulfill their job duties. An example of a confidentiality agreement can be found here: http://www.msbo.org/library/HumanRes/Misc/ConfidentialityAgree.pdf
Other Guidance:
Where applicable, you may want to contact your sponsoring agency, State Department of Education, or Attorneys General as they may already have policies in place to which you may need to adhere.

Implications for Practice
According to PTAC’s brief, “the Family Educational Rights and Privacy Act (FERPA) does not prohibit the use of cloud computing solutions for the purpose of hosting education records; rather FERPA requires states to use reasonable methods to ensure the security of their information technology (IT) solutions.” This caution would also apply to state Deaf-Blind projects when using Web 2.0 tools to conduct technical assistance activities. Given what is known about the importance of student privacy, we encourage projects to consider reasonable methods to keep student data safe when working with local districts and teams as part of distance consultation or mentorship.

◊ Informed Parental Consent
In advance of a distance consultation or mentorship, projects will want to explain to parents the purpose of the technical assistance activity, what information and/or data will be captured, where it will be stored, who can access it, how it will be used, and when (and how) it will be deleted. This information should be written, in simple language, in the parent or guardian’s preferred language. Parents must know that they can withdraw permission at any time and request any data collected be returned or deleted permanently.

◊ Professional Ethics Reminder
State Deaf-Blind Projects are encouraged to remind all employees and collaborators in team consults (with the exception of parents/guardians) about adhering to their professional ethics when accessing and working with student data and information. Passwords and other measures to protect data should not be shared with those who do not have specific permission to access the data.

Capturing Video Clips
Video clips that show student faces would be considered biometric data, as defined by FERPA. As such, projects should ensure that video clips only capture children whose parents have granted permission as part of the technical assistance activity. Devices that are used to capture pictures or videos of students should be stored securely and require passwords to activate the device. Photos and video clips should be transferred to a secure site immediately and all data should be removed from the capture device (camcorder, tablet computer, smart phone, etc.).

◊ Use of Wikis
Projects should refrain from including personally identifiable information on wiki sites. Social security numbers, last names, addresses, or other such identifiers should not be included on these sites. Parents or guardians should be considered “owners” of the site and encouraged to manage the site when the TA activity ends.

◊ Video Hosting Sites
If projects use cloud-based video hosting services, they should read the privacy policies of the chosen cloud-based service. Projects should understand what privacy settings are available, what they do, and how to prevent or allow access to the videos. Those given permission to visit the hosting site should be reminded not to share their passwords with others or allow others to see site content. Many video hosting sites are blocked because of inappropriate content. Select video hosting sites that are not “searchable” and/or prohibit inappropriate or adult content.
◊ Working with School Information Technology (IT) Departments
Projects are encouraged to work with IT departments in local districts as part of distance mentorship or consultation efforts. IT staff might be able to provide server space to store video clips, for example. IT staff can also make sure wiki sites are available to those team members who are participating in a technical assistance consult.
Links
Web 2.0 tools allow projects the ability to improve and expand technical assistance services, especially consultations and mentorship activities. Projects are encouraged to be aware of federal laws designed to protect student privacy and to use reasonable measures to ensure confidentiality and privacy. Other resources related to student privacy can be found here:

Privacy Technical Assistance Center
http://ptac.ed.gov

Family Education Rights and Privacy Act
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

U.S. Education Department Launches Initiative to Safeguard Student Privacy
http://www.ed.gov/news/press-releases/us-education-department-launches-initiatives-safeguard-student-privacy

Privacy Considerations in Cloud-Based Teaching and Learning Environments
http://net.educause.edu/ir/library/pdf/ELI3024.pdf
May 2012
(800) 438-9376 Voice
(800) 854-7013 TTY
[email protected]
www.nationaldb.org
The National Consortium on Deaf-Blindness is funded through grant award #H326T060002 by the U.S. Department of Education, OSERS, Office of Special Education Programs.