Student Data Transparency and Security Act Overview


The Student Data Transparency and Security Act (HB 16-1423) aims to increase the transparency and security of student personally identifiable information (PII). The act involves collaboration between sponsors, parents, vendors, and education entities to protect student data. Key components include defining PII, outlining requirements for data protection policies, and ensuring compliance with FERPA. The State Board of Education and the Colorado Department of Education play crucial roles in implementing and regulating the act.


Uploaded on Sep 09, 2024



Presentation Transcript


  1. Student Data Transparency and Security Act: What You Need to Know (HB 16-1423) CALET 2017 Winter Conference

  2. Agenda
     - Overview & Breakdown
     - Panel Q&A
     - Table Top
     - Next Steps
     - Resources

  3. Overview
     - 2 Years in the Making
     - Sponsors worked collaboratively with: CASE/CALET, Parents, Vendors
     - Intent is to increase transparency and security of student personally identifiable information (PII)
     - We all have a role:
       - State Board of Education
       - Colorado Department of Education (CDE)
       - Local Education Providers
       - Software Vendors

  4. Overview
     - Caplan & Earnest: Quick Reference Guide: https://goo.gl/NSgN48
     - Similarities to FERPA
     - Breakdown: Definitions Policy Transparency Contract Rules

  5. Key Definitions
     - "STUDENT PERSONALLY IDENTIFIABLE INFORMATION" means information that, alone or in combination, personally identifies a student or the student's parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on-demand provider.
     - "SCHOOL SERVICE" means an internet website, online service, online application, or mobile application that:
       (I) is designed and marketed primarily for use in a preschool, elementary school, or secondary school;
       (II) is used at the direction of teachers or other employees of a local education provider; and
       (III) collects, maintains, or uses student personally identifiable information.
       Exception: Does not include a service provider that is designed and marketed for use by individuals or entities, even if also marketed to schools
     - "CONTRACT PROVIDER" & "ON-DEMAND PROVIDER" (diagram labels: Teacher, District, School)

  6. Policy - State Board of Education Requirements
     - Explain the types of student PII collected and create policies to protect the collected student PII
     - Make available:
       - A data dictionary with definitions and purpose including PII that LEPs must report for state/federal mandates
       - Policies to comply with FERPA
       - All data sharing agreements
       - Detailed data security plan (including authorizing access, compliance standards, privacy and security audits, security breach procedures, PII retention, staff training)
       - Requirements on how and why student data is shared

  7. Policy - CDE Requirements
     - Develop a process for handling external data requests
     - Must maintain on its website a list of all PII data agreements and associated contracts
     - Cannot require LEP to provide PII, criminal records, health records, social security numbers, biometric info, political affiliations, or beliefs unless required by state/federal law
     - Support and provide for LEPs:
       - Sample privacy and protection policy
       - Sample service provider contract language
       - Data retention and destruction procedures
       - Security breach planning
       - Security and privacy training materials and, upon request, training services

  8. Policy - LEP BOE Requirements
     - No later than 12/31/2017, must adopt policy for:
       - student information privacy & protection
       - hearing complaints from parents concerning the LEP's data policies
     - If a contract provider commits a material breach, the BOE must hold a public meeting within a reasonable time to:
       - Discuss material breach
       - Allow response from contract provider
       - Allow for public testimony
       - Determine whether or not to continue with contract

  9. Transparency - LEP Requirements
     - CONTRACT PROVIDERS: LEP must maintain on website:
       - Explanation of student PII data elements that the LEP collects and maintains
       - Link to CDE's data dictionary
       - List of all service contract providers that the LEP contracts with and associated contract
     - ON-DEMAND PROVIDERS:
       - Must maintain on website, to the extent practicable, a list of the school service on-demand providers
       - If the LEP has evidence of non-compliance with Terms of Service (ToS) or Act, the LEP is strongly encouraged to cease or refuse to use
       - Must notify CDE and maintain on LEP website a list of on-demand providers with whom LEP ceases or refuses to do business

  10. Transparency Site Examples
     - Fountain Ft. Carson: http://www.ffc8.org/Page/2667
     - Denver Public Schools: https://atm.dpsk12.org/

  11. Transparency - Parent's Rights
     - Right to inspect and review student's PII
     - Request a paper or electronic copy of student's PII
     - Request corrections to factually inaccurate student PII that an LEP maintains
     - Can notify the LEP and provide evidence of any substantial non-compliance with Terms of Service (ToS) or Act

  12. Contract - LEPs & Contract Provider Requirements
     - New or renewed agreements with contract providers must include the Act's restrictions & requirements
     - Data Transparency
       - Must provide clear information on what PII is collected and how it is used on website and to LEP
     - Use of Data
       - Can only use student PII for purposes authorized by the contract
       - Cannot sell PII
       - Cannot use PII for targeted advertising
       - Must notify LEPs of material breach
     - Data Destruction
       - Must destroy student PII at the LEP's request or end of contract
     - Various exceptions are allowed, e.g. personalized learning, improving products, safety/security, etc.
     - Caplan & Earnest, CASB, CDE

  13. Timeline
     Timeframe: Action
     - Now: New or renewed agreements with contract providers must include the Act's restrictions & requirements
     - 12/31/17: Must adopt policy, school service providers on website, educate staff
     - 7/1/18: Small Rural districts get 6 additional months (CDE identifies small rural on geographic size of the district that enrolls fewer than 1,000 students K-12)

  14. Panel Q&A
     - Marcia Bohannon, Chief Information Officer, Colorado Department of Education
     - Lawrence DeHerrera, Technology Administrator, Fountain-Fort Carson School District 8
     - Sharyn Guhman, Chief Information Officer, Denver Public Schools
     - Jarred Masterson, Director of Technology, East Central BOCES

  15. Table Top Discussion
     - What steps have you taken in your district?
     - Are you vetting the on-demand providers and how?
     - Have you discussed with Cabinet, Legal & BOE?
     - How can CALET be helpful?

  16. Next Steps
     - Data Privacy & Security Addendum with new and renewed District contracts
     - Work with schools to:
       - Identify existing contract providers
       - Include District data privacy & security addendum
     - Change software procurement process
     - Begin collecting contract provider's contracts & PII
     - Begin designing collection and review of on-demand providers
     - Discuss with LEP Leadership, Legal, Administrators, etc.
     - Work with CDE for policy, recommendations, and training

  17. Resources
     - THIS PRESENTATION: https://goo.gl/T4niXQ
     - CoSN Protecting Privacy Toolkit: https://goo.gl/Y40CnP
     - DQC Who Uses Student Data?: https://goo.gl/6ZnroJ
     - Caplan & Earnest Quick Reference Guide: https://goo.gl/NSgN48
     - Caplan & Earnest Data Protection Addendum: https://goo.gl/YXRKT9
     - CDE Data Privacy & Security: https://goo.gl/8ytRlx
     - Lewis Palmer - Infographic: https://goo.gl/qmHstH
     - Lewis Palmer - Presentation: https://goo.gl/6527kr
     - BVSD - Infographic: https://goo.gl/GjD5cg
     - CASB: https://goo.gl/xwULXt
     - Common Sense Media Education: https://goo.gl/2Ecr2K
     - DoE - Privacy Technical Assistance Center: https://goo.gl/chhrfY
