Student Privacy Laws and Best Practices in Education Sector
Legislatures across various states are actively introducing and considering new student privacy laws, focusing on safeguarding online personal information and enhancing data transparency and security. Key themes include the introduction of privacy bills, the passing of data privacy laws, and the establishment of strict responsibilities for states, districts, and vendors. Provisions such as appointing Chief Privacy Officers, creating metadata dictionaries, and enhancing oversight of data handling practices form crucial components of these legislative efforts.
Presentation Transcript
AUDIT PREPAREDNESS & YOU: TURNING AUDIT APPREHENSION INTO AUDIT ACCOLADES
2017 SLDS Best Practices Conference

PRIVACY AND SECURITY IN THE SPOTLIGHT
- Since 2013, 49 states and the District of Columbia have introduced student privacy bills
- As of 2016, 36 states have passed 73 data privacy bills into law
* Source: Data Quality Campaign
STUDENT ONLINE PERSONAL INFORMATION PROTECTION ACT (SOPIPA)
Passed in 2014, California's privacy law was the first attempt to legislate at the state level the permissible activities of school service providers in the digital age.

STUDENT DATA TRANSPARENCY AND SECURITY ACT
Passed in 2016, Colorado's new privacy law provides strict responsibilities for the state, districts and vendors. Key provisions include:
- Transparency around data use
- State support for building capacity at the local level
- Requiring districts and charters to adopt a privacy policy

HB 358
Utah's privacy bill passed in 2016. Its provisions include:
- Appointing a State Student Data Officer (Chief Privacy Officer)
- Creation of a metadata dictionary
  o Discloses all data collected, used, stored, and shared
  o Rules on data destruction
- Increased oversight of vendors

PRIVACY AND SECURITY IN THE SPOTLIGHT
Legislatures continue to introduce and consider new student privacy laws:
- 79 bills pending in 21 states
  o 64 K-12, 14 higher education, and 1 early education
  o 43 bills are legislating LEAs, 18 are legislating SEAs, 17 are legislating vendors, and 16 are legislating (directly or indirectly) education research
  o 10 are modeled on SOPIPA, 1 is modeled on the SUPER Act, and 1 is modeled on the Oklahoma Student DATA Act
  o 16 bills are attempting to amend or repeal last year's Connecticut student privacy law
* Source: Future of Privacy Forum
AUDITS EXPLAINED: Tracking Data Breaches
- 1,400+ breaches
- 783 organizations
- 14.7 million people
- 3,377

AUDITS EXPLAINED
Since 2009: 6 data breaches at state departments of education
- 300,000 students' identities at risk
- More than half a million dollars lost
- 50,000+ teachers' information leaked
- Lost SSNs, addresses, emails, demographic info

AUDITS EXPLAINED
Who: U.S. Department of Education Office of the Inspector General (OIG)
Why: Ensure that SLDS grantees are putting appropriate security and privacy controls in place to protect PII in SLDSs

AUDITS EXPLAINED
What does an audit look like?
- Team of inspectors
- Lots of coordination activity (documentation, discussion, etc.)
- A few days to ~1 week on site
- Out-brief and report
- Follow up

AUDITS EXPLAINED
- Data security is a focus of the Department
- Grantees are required to comply with applicable federal standards (FERPA, etc.) and stated privacy and security guidelines
- 2 audits published in 2016
  o Virginia Department of Education (2016)
  o Oregon Department of Education (2016)
- More audits are coming
RECENT AUDITS: CHALLENGES
Documentation:
- Missing or insufficient plans and policies
  o Information Security Plan
  o Supporting processes and policies not documented
  o Not mapping to state security standards
- Policy / operations gap
  o Policies and plans not representative of reality
  o Operational documentation doesn't support stated policy
- Documented evidence
  o Process outputs demonstrate compliance and continuous monitoring

RECENT AUDITS: CHALLENGES
Operations:
- Risk assessments
  o No periodic risk assessment = fail
  o Do you take action on assessment results?
- Vulnerability management
- Configuration management
  o CCB (change control board)?
  o Software / hardware baselines, artifacts
- Contingency planning
  o Incident response policy and plan / training
  o Disaster recovery

RECENT AUDITS: CHALLENGES
Staffing:
- Leadership turnover
  o Institutional knowledge gap
  o Inevitable tweaks to policy lead to gaps
- IT security staffing is limited
  o Sometimes there are no staff dedicated to security
  o CISOs not empowered to make needed changes

RECENT AUDITS: CHALLENGES
Understanding what is in scope:
- SLDS architecture
  o Complexity leading to confusion over what is being audited
  o SLDS interpretations at the state level differ from the OIG view
- Assuming audit scope
  o SLDS is not just a data source or matching service
  o Can include other systems that contain data servicing the SLDS, including authentication systems
WAR STORIES
Please welcome Jeff Hudnall, Indiana

FROM THE AUDITORS' PERSPECTIVE
What auditors are looking for: Are you doing what you said you would do?
- Grant agreements
- State laws and policies
- Best practices
FROM THE AUDITORS' PERSPECTIVE
Auditors' tools:
- Document review
  o Architecture
  o Policy and governance
  o Procedures
- Interviews
  o Leadership (executive leadership, directors, delegates)
  o Responsible parties
- Inspection
  o "Show me"
  o Casual observation

FROM THE AUDITORS' PERSPECTIVE
Warning signs:
- Lack of (or out-of-date) documentation
- Clunky response to pre-audit information requests
- No clearly defined roles / responsibilities
- Divergence from standard formats
- Evidence of previous security incidents

PREPARING FOR AN AUDIT
Audit selection criteria:
- Total amount of SLDS funding
- Status and extent of grant program participation
- Number of reported breaches (ITRC)
PREPARING FOR AN AUDIT
Before you know:
- Align your policies to state requirements!
  o Most grants require adherence to state standards
- Implement best practices regardless of system
- Update and review!
Two major items to address:
- Information Security Plan and supporting policies
- Annual risk assessments / IRT and DR exercise
  o Document what you are doing
  o Track vulnerabilities to fix action
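The two operations findings that recur in these slides, "do you take action on assessment results?" and "track vulnerabilities to fix action", are easiest to evidence from a register that an auditor can query rather than from prose. The script below is an added example written for this page; it is not code from the presentation or from any SLDS program. It runs over a constructed vulnerability register and risk-assessment log (the finding ids, system names, change-ticket ids, dates and the per-severity remediation deadlines are all assumed sample values) and produces the three lists an auditor would ask for: open findings with no owner or ticket, findings past their deadline, and in-scope systems with no risk assessment in the last year.

```python
"""Audit-evidence check over a vulnerability register and risk-assessment log.

Hypothetical helper (not from the presentation): everything below is an
in-memory sample so the script runs offline.
"""
from datetime import date, timedelta

# Assumed remediation deadline per severity, in days after discovery.
# These are constructed example policy values, not figures from the slides.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Reference date used by the report below (constructed).
TODAY = date(2017, 4, 15)

# Constructed sample register: one entry per finding from a scan or assessment.
REGISTER = [
    {"id": "V-1", "system": "slds-db", "severity": "critical",
     "found": date(2017, 1, 10), "owner": "dba-team", "ticket": "CHG-101", "status": "closed"},
    {"id": "V-2", "system": "slds-db", "severity": "high",
     "found": date(2017, 2, 1), "owner": "dba-team", "ticket": "CHG-117", "status": "open"},
    {"id": "V-3", "system": "sso-idp", "severity": "high",
     "found": date(2017, 3, 20), "owner": None, "ticket": None, "status": "open"},
    {"id": "V-4", "system": "match-svc", "severity": "low",
     "found": date(2017, 3, 1), "owner": "app-team", "ticket": "CHG-130", "status": "open"},
]

# Constructed sample log of completed risk assessments: latest date per system.
ASSESSMENTS = {"slds-db": date(2016, 9, 15), "sso-idp": date(2015, 11, 2)}

# Every system in audit scope, including the authentication system the scope slide warns about.
SYSTEMS = ["slds-db", "sso-idp", "match-svc"]


def due_date(finding):
    """Remediation deadline: discovery date plus the severity's assumed SLA."""
    return finding["found"] + timedelta(days=SLA_DAYS[finding["severity"]])


def unassigned(register):
    """Open findings with no owner or no change ticket, i.e. no fix action is tracked."""
    return [f["id"] for f in register
            if f["status"] != "closed" and (f["owner"] is None or f["ticket"] is None)]


def overdue(register, today):
    """Open findings whose remediation deadline has already passed."""
    return [f["id"] for f in register
            if f["status"] != "closed" and due_date(f) < today]


def missing_annual_assessment(systems, assessments, today):
    """Systems with no risk assessment in the last 365 days, or none on record at all."""
    cutoff = today - timedelta(days=365)
    return [s for s in systems if s not in assessments or assessments[s] < cutoff]


def evidence_report(register, systems, assessments, today):
    """Summary an audit liaison can hand over; each list should ideally be empty."""
    return {
        "open_findings": sum(1 for f in register if f["status"] != "closed"),
        "unassigned": unassigned(register),
        "overdue": overdue(register, today),
        "no_recent_assessment": missing_annual_assessment(systems, assessments, today),
    }


if __name__ == "__main__":
    for key, value in evidence_report(REGISTER, SYSTEMS, ASSESSMENTS, TODAY).items():
        print(f"{key}: {value}")
```

With the sample data, V-3 shows up as unassigned (no owner or ticket), V-2 as overdue (a high finding from February past its 30-day deadline), and both sso-idp and match-svc as lacking a recent assessment. Running the same check on a schedule and keeping its dated output is the kind of process output the documentation slide means by "demonstrate compliance and continuous monitoring".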
PREPARING FOR AN AUDIT
Before the audit:
- Make sure everyone knows what they do
  o Convene a meeting and ensure everyone is ready
  o Identify benchmarks and ugly spots (we all have them)
- Gather and prepare documentation
- Process and operations cleanup
  o Coordinate schedules for key personnel
  o If something is broken, fix it now
- Continuous communications

PREPARING FOR AN AUDIT
During the audit:
- Provide a team liaison
- Maximize time effectiveness
  o Ensure key people are available and ready
  o Prepare an agenda, but be ready to change
- Provide direct, complete, and succinct answers
  o Answer the question, and only the question
  o Have evidence prepared for anticipated questions in advance
  o Don't improvise; if you don't know, say so
- Lots of communications

PREPARING FOR AN AUDIT
Concluding the audit:
- Out-brief
  o Team will present their findings to leadership
  o There should be no surprises here
- Disagreements
  o Handled by leadership / advice from counsel
  o Work with team to clarify misunderstandings
- Conduct after-action lessons learned
  o If able, self-correct and update team immediately
  o Develop plans for longer-term fix actions

MAKING THE MOST OF AN AUDIT
Audits are opportunities! The Department of Education provides resources that can help prepare for an audit and implement recommended changes, through the State Support Team (SST) and the Privacy Technical Assistance Center (PTAC).
https://nces.ed.gov/programs/slds/techassistance.asp
http://ptac.ed.gov/