Student Privacy Laws and Best Practices in Education Sector

Slide Note
Embed
Share

Legislatures across various states are actively introducing and considering new student privacy laws, focusing on safeguarding online personal information and enhancing data transparency and security. Key themes include the introduction of privacy bills, the passing of data privacy laws, and the establishment of strict responsibilities for states, districts, and vendors. Provisions such as appointing Chief Privacy Officers, creating metadata dictionaries, and enhancing oversight of data handling practices form crucial components of these legislative efforts.

nam_e
nam_e Follow

Uploaded on Oct 03, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. AUDIT PREPAREDNESS & YOU TURNING AUDIT APPREHENSION INTO AUDIT ACCOLADES 2017 SLDS Best Practices Conference 1

  2. PRIVACYAND SECURITYINTHE SPOTLIGHT Since 2013, 49 states and the District of Columbia have introduced student privacy bills As of 2016, 36 states have passed 73 data privacy bills into law * Source: Data Quality Campaign 2017 SLDS Best Practices Conference 2

  3. STUDENT ONLINE PERSONAL INFORMATION PROTECTION ACT (SOPIPA) Passed in 2014, California s privacy law was the first attempt to legislate at the state level the permissible activities of school service providers in the digital age 2017 SLDS Best Practices Conference 3

  4. STUDENT DATA TRANSPARENCYAND SECURITY ACT Passed in 2016, Colorado s new privacy law provides strict responsibilities for the state, districts and vendors. Key provisions include: Transparency around data use State support for building capacity at the local level Requiring districts and charters to adopt a privacy policy 2017 SLDS Best Practices Conference 4

  5. HB 358 Utah s Privacy Bill passed in 2016. Its provisions include: Appointing a State Student Data Officer (Chief Privacy Officer) Creation of a metadata dictionary Discloses all data collected, used, stored, and shared o Rules on data destruction Increased oversight of vendors 2017 SLDS Best Practices Conference 5

  6. PRIVACYAND SECURITYINTHE SPOTLIGHT Legislatures continue to introduce and consider new student privacy laws 79 bills pending in 21 states o 64 K12, 14 higher education, and 1 early education o 43 bills are legislating LEAs, 18 are legislating SEAs, 17 are legislating vendors, and 16 are legislating (directly or indirectly) education research o 10 are modeled on SOPIPA, 1 is modeled on SUPER Act, and 1 is modeled on the Oklahoma Student DATA Act o 16 bills are attempting to amend or repeal last year's Connecticut student privacy law * Source: Future of Privacy Forum 2017 SLDS Best Practices Conference 6

  7. AUDITS EXPLAINED Tracking Data Breaches 1,400+ Breaches 2017 SLDS Best Practices Conference 7

  8. AUDITS EXPLAINED Tracking Data Breaches 783 Organizations 2017 SLDS Best Practices Conference 8

  9. AUDITS EXPLAINED Tracking Data Breaches 14.7 Million People 2017 SLDS Best Practices Conference 9

  10. AUDITS EXPLAINED Tracking Data Breaches 3,377 2017 SLDS Best Practices Conference 10

  11. AUDITS EXPLAINED Since 2009: 6 Data Breaches at State Departments of Education - - - - 300,000 students identities at risk More than half a million dollars lost 50,000+ teachers information leaked Lost SSNs, addresses, emails, demographic info 2017 SLDS Best Practices Conference 11

  12. AUDITS EXPLAINED Who: U.S. Department of Education Office of the Inspector General (OIG) Why: Ensure that SLDS grantees are putting appropriate security and privacy controls in place to protect PII in SLDSs 2017 SLDS Best Practices Conference 12

  13. AUDITS EXPLAINED What does an audit look like? Team of inspectors Lots of coordination activity (documentation, discussion, etc.) A few days to ~1 week on site Out-brief and report Follow up 2017 SLDS Best Practices Conference 13

  14. AUDITS EXPLAINED Data security is a focus of the department Grantees are required to comply with applicable federal standards (FERPA, etc.) and stated privacy and security guidelines 2 audits published in 2016 o Virginia Department of Education (2016) o Oregon Department of Education (2016) More audits are coming 2017 SLDS Best Practices Conference 14

  15. RECENT AUDITSCHALLENGES Documentation: Missing or insufficient plans and policies Information Security Plan Supporting processes and policies not documented Not mapping to state security standards Policy / operations gap Policies and plans not representative of reality Operational documentation doesn t support stated policy Documented evidence Process outputs demonstrate compliance and continuous monitoring 2017 SLDS Best Practices Conference 15

  16. RECENT AUDITSCHALLENGES Operations: Risk Assessments No periodic risk assessment = fail Do you take action on assessment results? Vulnerability Management Configuration Management CCB ? Software / hardware baselines, artifacts Contingency Planning Incident response policy and plan / training Disaster recovery 2017 SLDS Best Practices Conference 16

  17. RECENT AUDITSCHALLENGES Staffing: Leadership turnover Institutional knowledge gap Inevitable tweaks to policy lead to gaps IT security staffing is limited Sometimes there are no staff dedicated to security CISOs not empowered to make needed changes 2017 SLDS Best Practices Conference 17

  18. RECENT AUDITSCHALLENGES Understanding what is in scope : SLDS Architecture Complexity leading to confusion over what is being audited SLDS interpretations at the state level differ from OIG view Assuming Audit Scope SLDS is not just a data source or matching service Can include other systems that contain data servicing the SLDS to include authentication systems 2017 SLDS Best Practices Conference 18

  19. WAR STORIES Please welcome Jeff Hudnall, Indiana 2017 SLDS Best Practices Conference 19

  20. FROMTHE AUDITORS PERSPECTIVE What auditors are looking for: Are you doing what you said you would do? Grant agreements State Laws and Policies Best Practices 2017 SLDS Best Practices Conference 20

  21. FROMTHE AUDITORS PERSPECTIVE 2017 SLDS Best Practices Conference 21

  22. FROMTHE AUDITORS PERSPECTIVE Auditors Tools: Document Review Architecture Policy and governance Procedures Interviews Leadership (executive leadership, directors, delegates) Responsible parties Inspection Show me Casual observation 2017 SLDS Best Practices Conference 22

  23. FROMTHE AUDITORS PERSPECTIVE Warning Signs: Lack of (or out of date) documentation Clunky response to pre-audit information requests No clearly defined roles / responsibilities Divergence from standard formats Evidence of previous security incidents 2017 SLDS Best Practices Conference 23

  24. PREPARINGFORAN AUDIT Audit Selection Criteria: Total amount of SLDS funding Status and extent of grant program participation Number of reported breaches (ITRC) 2017 SLDS Best Practices Conference 24

  25. PREPARINGFORAN AUDIT Before You Know: Align your policies to state requirements! Most grants require adherence to state standards Implement best practices regardless of system Update and review! 2017 SLDS Best Practices Conference 25

  26. PREPARINGFORAN AUDIT Before You Know: Align your policies to state requirements! Most grants require adherence to state standards Implement best practices regardless of system Update and review! Two major items to address: Information Security Plan and supporting policies Annual risk assessments / IRT and DR exercise Document what you are doing Track vulnerabilities to fix action 2017 SLDS Best Practices Conference 26

  27. PREPARINGFORAN AUDIT Before the Audit: Make sure everyone knows what they do Convene a meeting and ensure everyone is ready Identify benchmarks and ugly spots (we all have them) Gather and Prepare Documentation Process and Operations Cleanup Coordinate schedules for key personnel If something is broken, fix it now Continuous Communications 2017 SLDS Best Practices Conference 27

  28. PREPARINGFORAN AUDIT During the Audit: Provide a Team Liaison Maximize Time Effectiveness Ensure key people are available and ready Prepare an agenda, but be ready to change Provide Direct, Complete, and Succinct Answers Answer the question, and only the question Have evidence prepared for anticipated questions in advance Don t improvise; if you don t know say so Lots of Communications 2017 SLDS Best Practices Conference 28

  29. PREPARINGFORAN AUDIT Concluding the Audit: Out-Brief Team will present their findings to leadership There should be no surprises here Disagreements Handled by leadership / advice from counsel Work with team to clarify misunderstandings Conduct After-Action Lessons Learned If able, self-correct and update team immediately Develop plans for longer term fix actions 2017 SLDS Best Practices Conference 29

  30. MAKINGTHE MOSTOFAN AUDIT Audits are Opportunities! The Department of Education provides resources that can help prepare for an audit, and to implement recommended changes through the State Support Team (SST) and the Privacy Technical Assistance Center (PTAC). https://nces.ed.gov/programs/slds/techassistance.asp http://ptac.ed.gov/ 2017 SLDS Best Practices Conference 30

Related


Understanding Data Privacy Laws and Regulations in Saudi Arabia

Understanding Data Privacy Laws and Regulations in Saudi Arabia

twyla
Understanding the Privacy Paradox: Attitudes vs. Behaviors

Understanding the Privacy Paradox: Attitudes vs. Behaviors

clai_evi
Data Privacy Best Practices Training for Libraries

Data Privacy Best Practices Training for Libraries

teo_nah
Understanding Privacy in Information Security Training

Understanding Privacy in Information Security Training

lillia
Kansas Student Data Privacy Legislation Overview

Kansas Student Data Privacy Legislation Overview

herme
NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

haley
Privacy-Preserving Analysis of Graph Structures

Privacy-Preserving Analysis of Graph Structures

bilal
Understanding Privacy Rights in Europe: A Comprehensive Overview

Understanding Privacy Rights in Europe: A Comprehensive Overview

jesu_26
Understanding Breach of Confidence and Privacy Rights in English Law

Understanding Breach of Confidence and Privacy Rights in English Law

teodor
Safeguarding Student Privacy in Educational Technology: A Comprehensive Guide

Safeguarding Student Privacy in Educational Technology: A Comprehensive Guide

huey
Privacy Training Workshop on Media and Freedom of Expression Law

Privacy Training Workshop on Media and Freedom of Expression Law

lyka119
Understanding Breach of Confidence and Privacy Rights in Legal Context

Understanding Breach of Confidence and Privacy Rights in Legal Context

harmo
Enhancing Online Patron Privacy in Library Websites

Enhancing Online Patron Privacy in Library Websites

weld852
FMCSA Privacy Awareness Training Overview for 2022

FMCSA Privacy Awareness Training Overview for 2022

natan
Evolution of Education Data Privacy Laws in the U.S.

Evolution of Education Data Privacy Laws in the U.S.

leel_696
Dynamic Pricing Algorithms with Privacy Preservation in Personalized Decision Making

Dynamic Pricing Algorithms with Privacy Preservation in Personalized Decision Making

lillia
Privacy Considerations in Data Management for Data Science Lecture

Privacy Considerations in Data Management for Data Science Lecture

maen728
Understanding HIPAA and FERPA Privacy Laws in Schools

Understanding HIPAA and FERPA Privacy Laws in Schools

ronny
Federal Privacy Laws and Regulations for VHA Data

Federal Privacy Laws and Regulations for VHA Data

afust
Powering the Digital Economy: Regulatory Approaches to Securing Consumer Privacy, Trust, and Security

Powering the Digital Economy: Regulatory Approaches to Securing Consumer Privacy, Trust, and Security

arkady
Understanding FERPA: Family Educational Rights and Privacy Act

Understanding FERPA: Family Educational Rights and Privacy Act

portia
Privacy and Registered Training Organisations: Lessons and Insights

Privacy and Registered Training Organisations: Lessons and Insights

isabela
Privacy-Preserving Surveillance: Design and Implementation

Privacy-Preserving Surveillance: Design and Implementation

sofi_955
Expanding the OSI Stack for Privacy Risk Management

Expanding the OSI Stack for Privacy Risk Management

cristoba

More Related Content

Family Laws and Marriage Legalities in Pakistan
Family Laws and Marriage Legalities in Pakistan
Online Privacy Concern in Post-Transition Era: A Study on European Internet Users
Online Privacy Concern in Post-Transition Era: A Study on European Internet Users
Consumer Privacy Rights and Regulations Act (CPRA) Overview
Consumer Privacy Rights and Regulations Act (CPRA) Overview
Enhancing Privacy and Anonymous Communications with Technology
Enhancing Privacy and Anonymous Communications with Technology
Privacy and Data Protection in the Digital Age
Privacy and Data Protection in the Digital Age
Privacy-Aware Smart Buildings: Ensuring Privacy Policies and Preferences
Privacy-Aware Smart Buildings: Ensuring Privacy Policies and Preferences
Understanding Big Data and Privacy Issues in Today's Society
Understanding Big Data and Privacy Issues in Today's Society
Understanding Data Security and Privacy: An Overview of k-Anonymity, l-Diversity, t-Closeness, and Reconstruction Attacks
Understanding Data Security and Privacy: An Overview of k-Anonymity, l-Diversity, t-Closeness, and Reconstruction Attacks
PoSeID-on: Innovative Data Management Platform for Enhanced Privacy
PoSeID-on: Innovative Data Management Platform for Enhanced Privacy
Privacy-Preserving Prediction and Learning in Machine Learning Research
Privacy-Preserving Prediction and Learning in Machine Learning Research
Exploring Computer Ethics and Privacy Principles
Exploring Computer Ethics and Privacy Principles
Social Networks, Privacy, and Freedom of Association in the Digital Age
Social Networks, Privacy, and Freedom of Association in the Digital Age
Security and Privacy in 3G/4G/5G Networks: The AKA Protocol
Security and Privacy in 3G/4G/5G Networks: The AKA Protocol
Town Hall Q&A Session on Privacy and Research Protocols
Town Hall Q&A Session on Privacy and Research Protocols
Understanding VA Privacy Issues and Sensitive Information
Understanding VA Privacy Issues and Sensitive Information
The Importance of Privacy in the Media Landscape
The Importance of Privacy in the Media Landscape
Protecting User Privacy in Web-Based Applications through Traffic Padding
Protecting User Privacy in Web-Based Applications through Traffic Padding
The Economics of Privacy: Evolution and Implications
The Economics of Privacy: Evolution and Implications
Data Privacy in Sharing Sensitive Information
Data Privacy in Sharing Sensitive Information
Understanding the Third-Party Doctrine in Privacy Law
Understanding the Third-Party Doctrine in Privacy Law
Privacy Cases and Damages: European Court of Human Rights Rulings
Privacy Cases and Damages: European Court of Human Rights Rulings
Proposal for IEEE 802.11 Privacy Enhancement
Proposal for IEEE 802.11 Privacy Enhancement
Data Breaches and Privacy Concerns: An Overview
Data Breaches and Privacy Concerns: An Overview
Understanding Differential Privacy in Statistical Analysis
Understanding Differential Privacy in Statistical Analysis