A Look Inside the U.S. News Best High Schools Rankings presented by Bob Morse at the PDE Data Summit

September 10, 2019 By Stanley Isaacs

[00:00:10] Baron Rodriguez: How private is anonymous?
How many of you fill out anonymous surveys or send in anonymous e-mails? It’s kind
of funny because about, maybe it was a year ago or two years ago, we received at the Privacy
Technical Assistance Center an anonymous e-mail from somebody that was accusing us of being
terrorists, and that they were going to kill us and our children, and things like that.
So our security guy, who’s not here, just kind of did a little random trace, and in
about 10 minutes he got back to me and said, “Oh, this guy lives in Buffalo. He’s a
retired police officer. Here’s the company that he owns. Here’s a picture of his house.
Here’s his license plate number.” And this was all within 10 minutes. So what you
may think is private, in the technical world is not necessarily. And that’s really what
we’re going to talk about today. A LONG, LONG TIME AGO… Baron Rodriguez: So, a long, long time ago,
we used to get our files moved from place to place. When I moved from school to school,
I had a “cume” file. Right? That’s what we used to call them in the old days. BUT NOW… Baron Rodriguez: Well, now we have information
stored everywhere. On the cloud, in foreign countries, when you are storing information
on the cloud many of you don’t know where that information is being stored. It could
be in India. It could be in Mexico. Anywhere that there are server farms. Baron Rodriguez: So, this is exactly where
we are today. People know that and people are concerned about where their children’s
data is going specifically. IT’S 9AM. DO YOU KNOW WHERE YOUR CHILDREN’S
DATA IS? Baron Rodriguez: Fifty-two percent of organizations
expect to fall victim to a cyber attack in the next 12 months, 52 percent. I would tell
you that probably 25 more percent are being very optimistic. The number of breaches are
occurring on a more daily basis. [00:02:21] A LONG, LONG TIME AGO… Baron Rodriguez: A long time ago, we also
didn’t have hackers. Did you know that there are over 400,000 registered hackers in China
alone? Just in China. Audience member: Registered? Baron Rodriguez: Registered. You can register.
There are good hackers and bad hackers, right? Audience: [laughter] Baron Rodriguez: No, there are. Okay, so the
guy that I was talking about, he actually is one of the good hackers. He works for the
Privacy Technical Assistance Center, but he also does some work for some of those secret
agencies, such as NSA and others, and they bring him on to actually see if he can penetrate
their systems. Baron Rodriguez: Hacking has become a commodity
though, going back to the registered hackers. You can go on YouTube and learn how to hack.
You can get tools for free that can actually go and penetrate websites and other information.
We now see that you can go onto websites and you can buy identities for – I think it’s
$4 a pop for children’s identities, other Social Security numbers. It’s all available
online. 2014’S GREATEST HACKS Baron Rodriguez: So here are just some of
the biggest hacks of 2014. Obviously, JP Morgan Chase, 83 million households and small businesses.
That affected 65 percent of all U.S. households. Home Depot had the 56 million credit and debit
cards. Sony movie was held hostage, right? They couldn’t give it out for fear of some
sort of terrorist activity. Anthem Blue Cross, thank you very much, I got my letter in the
mail. I keep getting more and more letters. I still don’t know what the impact is, right?
How many of you have had your identity stolen? And how difficult was it to find out about
exactly how you were impacted, whether people were doing it, using your credit? It’s a
very frustrating process and you really don’t know until something bad happens, right? [00:04:32] Baron Rodriguez: eBay had 145 million, and
this was only e-mail addresses and login credentials, but people could purchase stuff on your behalf.
And I was one of the 145 million there too. Target, 110 million credit card numbers. So
this is just the best of 2014, or the worst I guess you could say. BREACHES GOING FORWARD Baron Rodriguez: Since 2005, more than 75
data breaches of one million or more have been reported. It’s been estimated that
only 10 to 15 percent of data breaches are actually reported or known about. So it may
not be that they’re not reporting it. They don’t know. Recently we found a large education
institution that it appeared that their website was being owned – we call it pwned – but
owned by an outside entity. They didn’t know. They were continuing to conduct business
on that website, but we established that someone was essentially scraping the information.
So, you know, have you heard about those credit card scrapers where people put them in gas
machines and ATM machines where it takes some information off your debit or credit card
or ATM card? Same type of thing. It looked and acted like the regular website, yet the
hackers were getting all of that personal information as people were entering it into
this large university’s website. Baron Rodriguez: It’s estimated that 43
percent of companies had a data breach in 2014. All this is to say that, again, there
are very real concerns by these privacy advocates out there. A lot of times they may seem a
little bit ridiculous, but when you think of it in that context and you watch the news
and the fear around this, parents have good reason for being concerned. [00:06:25] A LONG, LONG TIME AGO… Baron Rodriguez: A long, long time ago, there
also weren’t laws on privacy. There weren’t laws on data breach notification, vendor responsibilities,
and all of these legislative bills that specifically focus on privacy, and privacy of education
records more specifically. BUT NOW… Baron Rodriguez: Now, nearly every state has
a data breach notification law, with some civil. And there are even some states, like
Louisiana, that have criminal penalties if there are education data breaches. Imagine
being a school district person, like you all here, and being responsible or being held
responsible criminally for a data breach in one of your systems. And believe me, when
one state starts one of those legislative laws, they kind of cascade to the rest of the
states. Baron Rodriguez: Nearly 40 states have education
data bills strengthening the bar set by FERPA. So, remember, FERPA is a federal law, it’s
the lowest common denominator of what you have to do as far as protecting student records.
States can certainly make those laws stricter, and many have. There are also some civil penalties
in some of these laws for collecting data that isn’t in state or federal statute.
So they are getting very serious about the amount of data collected. Why is that though?
When you think about exactly why this is going on, there’s not a whole lot of output of
this data. A lot of data is being collected but not a lot necessarily being given back
to the parents or community. We are getting there, but we still have a ways to go. Baron Rodriguez: The same kind of thing, we
recently got a request from another state asking, “You know, under FERPA, do we have
to give parents this information at the state level? You know, we’re working with a contractor,
they’re asking the contractor for the data. We’d like to say that we can’t give it
to them.” “Why?” was my question to them. “Why? What are you trying to hide?”
Because at the end of the day, that’s just going to bring on the media and the questions
and the suspicions by folks. [00:08:37] Baron Rodriguez: So, there’s been a lot
going on on the national level as it relates to privacy, right? The White House has put
out a Privacy Bill of Rights. Congress is currently looking at revamping FERPA. We’ll
see if they actually get something done with it, but at the end of the day, there could
be some major changes to FERPA as it relates to how you can share education records. VENDOR RESPONSE Baron Rodriguez: The software, the vendor
community now has really gotten engaged going, “We’ve really got to get ahead of this.
You know, we’re being put in a spot. We don’t understand our relation to our responsibilities
around educational data.” So the Future of Privacy Forum and the Software & Information
Industry Association announced a Pledge to safeguard student privacy built around a dozen
community commitments around collection, maintenance, and use of that personal information. Baron Rodriguez: How many of you have heard
of the Student Privacy Pledge? Not many of you. So the vendor industry is starting to
get on board with this because they realize that they have responsibilities around this. Baron Rodriguez: Now, you remember last year
we talked about, and some folks asked questions about, Google and their use of student information,
mining e-mail and things like that. Since then, we’ve discovered that there are other
companies that are doing the exact same thing. Most vendors really want to do the right thing.
Many of the vendors you have here really want to protect that data and want to be good stewards
of it. It’s those few that put a black mark on all of us. Same with the sharing of information
with parents. It’s those few examples that make national news that end up on the national
news network that really make things difficult for us in the education community to be able
to use data like this conference is promoting. [00:10:31] PLEDGE DETAILS Baron Rodriguez: So what’s in the Pledge?
Well, the Pledge makes clear that service providers are accountable to not sell student
information, not behaviorally target advertising. Now you know that COPPA, many of you are familiar
with that, actually protects student information from marketing. And the FTC, unlike FERPA,
actually has some teeth to what they do. They do fine companies for doing that. If they
find out that they are marketing to children, they actively go out and find those companies. Baron Rodriguez: You can use data – you
can only use data for authorized purposes only. Not change privacy policies without
notice and choice. This one is really interesting. Baron Rodriguez: So how many of you have iPhones
or Androids? Pretty much everybody, right? And there’s maybe two people who have a
Windows phone in here. Don’t raise your hand. So for the rest of us, when you download
an app, how many of you just click “accept” and don’t actually read through it? I mean,
don’t lie, I do it too. You don’t actually read through those. Well, in some of those
there are actually clauses that state, “We may change these and you accept any future
changes to this privacy policy without notice.” Why would any of us agree to that? Think about
that. You’re agreeing to any…They could essentially stick anything in there going
forward. A lot of these click-wrap agreements have that kind of information in them. They
reserve the right to change the terms of the policy without notice. So this Pledge is saying
that these companies who sign up for this Pledge are not going to do that. Baron Rodriguez: They’re going to enforce
strict limits on data retention, so they are not going to keep the data forever. They’re
going to support parental access to, and correction of errors in, their children’s information.
Vendors don’t necessarily have a responsibility in that, but in this case they are saying
we will also allow that access. Now, of course, in many cases they’re going to need to work
very closely with the school districts and make sure that the right person is getting
that information. They shouldn’t just give it to someone who says they are the parent. [00:12:42] Baron Rodriguez: Providing comprehensive security
standards. So they are actually starting to develop the kinds of security standards that
need to be in place. And then, be transparent about collection and use of the data. So those
are the main keys, going forward, that they are looking for. CHANGES A COMING? Baron Rodriguez: So recently, Congress has
been having hearings with the focus on expanding the legal definition of an educational record.
I know, I can’t tell you how many questions we’ve received at the Family Policy Compliance
Office of the Department of Education around when an e-mail record becomes part of the
student record. And the answer is always it depends, because a lot of times it does depend.
Now they’re looking at including digital data and metadata generated by software, websites,
applications, and online learning platforms as being part of education records. What does
that mean? That means that information that’s being used in the classroom for apps and things
like that would be subject to FERPA protections. Baron Rodriguez: They’re also looking at
expanding FERPA to apply to vendors and not just educational entities. Right now, penalties
are only to people receiving or agencies that receive education funds. They don’t extend
to the vendor community. Going forward, they’re looking at possibly expanding that to include
that vendors have a responsibility around FERPA. There have been times and some things
in the media where we’ve seen vendors actually have the breach, yet the school or district
is ultimately responsible for that breach at the end of the day. I know a lot of the
state legislative bills hold the public entities responsible. Baron Rodriguez: They are also looking at
including a “graduated,” enforceable series of penalties for FERPA violators, allowing
individual families a private right of action. So that could be a major change. Again, families
could then take action if FERPA was found to be violated. [00:14:43] Baron Rodriguez: And then including requirements
around data security standards and notification of data breaches. Right now, unlike HIPAA,
FERPA does not have security standards. It has what they call reasonable methods. And
if you come to my FERPA 101, we’ll talk a little bit more about what that means. But,
essentially, it leaves the ball in your courts to decide what’s considered reasonable. Baron Rodriguez: All right, now we’re going
to watch a short video. This one is one we just released and it’s focused on using
online services, online applications. It kind of explains it. The actual document is 14
or 15 pages, so for those of you who don’t like to read 14 or 15 pages of guidance, we
created a nine-minute video. So if we’d start that video… YOUR RESPONSIBILITY FOR STUDENT PRIVACY Video: Computers and the Internet have changed
the way we live and learn. We work, shop, communicate, share pictures and video, research
information, and play games online. Many schools and districts have embraced the new technologies
and are using them to improve education services and instruction. Today, we are going to talk
about your responsibility as teachers and administrators for student privacy when using
online educational resources. Because the fact is, no matter where student records reside,
they should still be protected. Video: Let’s take a look at the ways teachers,
administrators, and staff can practice good data management when using online educational
apps and services. Then, we’ll talk about how you can protect the privacy and security
of student data when using these types of services in your schools and districts. KEY PRIVACY LAWS Video: Before using educational apps or services,
it’s important to learn about the variety of federal, state, and local laws, imposed
requirements and restrictions, on how student data can be used and the conditions under
which it can be shared with application developers or online service providers. Let’s examine
some key privacy laws that may apply. [00:16:48] Video: The first is the Family Educational
Rights and Privacy Act, or FERPA. FERPA is a federal law which protects the privacy of
student education records. Most public schools and districts are required by law to comply
with FERPA. Simply put, FERPA restricts how PII, that’s Personally Identifiable Information,
from education records may be released without the parent’s consent. Video: FERPA may allow schools to disclose
certain information, like student’s name, date of birth, or photos, without consent
as directory information. This is often done in school yearbooks and athletic programs.
A school may provide directory information without consent to third parties, such as
service providers, only if they publicly notify parents about its directory information policy.
This notice has a number of requirements, like it must state what personal information
is considered directory information, and that parents have a right to opt out. But be careful,
because parents can opt out at a later time, so using directory information with online
services can be tricky. Video: Another FERPA provision that permits
PII from education records to be disclosed to third parties without consent is the School
Official Exception. Schools often use this exception to outsource IT and other institutional
functions. It is sometimes advantageous to outsource school functions to save money or
to get better services. If your school outsources under FERPA’s School Official Exception,
you must make sure that the third party is providing a service or function that the school
would otherwise provide itself, and you must be sure to retain direct control over the
use and maintenance of the information you disclose. [00:18:40] Video: Sorry, FERPA isn’t the only federal
law in question. Let’s briefly review a few others that might apply. Video: Another law is the Children’s Online
Privacy Protection Act, or COPPA. It applies to websites, apps, and online services that
collect information from children who are under the age of 13. COPPA requires verifiable
parental consent prior to collecting personal information from children online. In some
cases, like when a student must use a website or an app for school and there is no commercial
purpose, COPPA allows schools to exercise consent on behalf of parents. Video: In addition to FERPA and COPPA, other
federal laws may apply, like the Protection of Pupil Rights Amendment, or PPRA, and the
Individuals with Disabilities Education Act, or IDEA. While we are not discussing them
here, these other laws may impose additional requirements on your use of online apps or
services. Video: As you might expect, not all laws apply
in all circumstances. To spare yourself a headache, spend a little time researching
which requirements apply to your particular situation before signing up for a new service.
Oh, and don’t forget about the laws in your own state. They may apply as well. Video: You may wonder, “Does FERPA allow
schools to share PII from education records with online service providers?” Yes. FERPA
does allow you to share PII from educational records with online providers in some instances.
With prior written parental consent, it’s always acceptable to share PII from education
records through the Directory Information Exception and under the School Official Exception.
But remember, officials can only use PII from education records to perform the specific
service or function that you directed them to provide. [00:20:39] WRITTEN AGREEMENTS, CONTRACTS, AND TERMS OF
SERVICE Video: We just reviewed how FERPA protects
students’ education records. But the truth is that FERPA may not apply to all of the
data collected by online service providers. That is why you must pay close attention to
written agreements, contracts, and terms of service. Video: If your school or a school district
wants to use third-party online educational services, it is important to get your ducks
in a row and create a proper written agreement. Even if it’s not required, it is always
best to create one. A written agreement sets expectations for necessary security controls
as well as specifying data collection, use, redisclosure, and retention and destruction
procedures. Your contract should specify how long the agreements will last and how they
can be modified or terminated. When drafting a written agreement, remember all applicable
legal requirements. This process may be difficult but a little pain now can save a lot of pain
later. Video: So far we’ve covered what you should
do when contracting for online services in a conventional manner through a written agreement.
Increasingly, however, online services and applications use a licensing model known as
click-through, or click-wrap, where you can sign up by simply clicking a button or a checkbox
to accept the terms of service. This can lead to potential problems. Video: Meet Ms. Jones, a high school teacher.
She just found a great new app to help kids with math through games. Her students love
to play games and the app is free. More and more teachers like Ms. Jones are making use
of apps and online services. Many providers offer innovative and helpful content, often
– ah-hem – for “free.” But be wary that sometimes the saying “nothing is free”
might apply. [00:22:34] Video: Some apps require the acceptance of
terms of service. These can be long, boring, and full of complicated legal language. Ms.
Jones needs to fully understand what she is agreeing to in the terms of service. We may
not think of clicking an “accept” button as the same thing as signing a written contract,
but they can be legally binding agreements. For these reasons, and more, Ms. Jones should
talk to the appropriate individuals about the school’s policies and procedures before
signing up for the app. Administrators should review the app and the terms of service to
make sure it won’t adversely affect student privacy or the security of the school’s
systems. If your school or school district doesn’t already have a process for reviewing
and approving apps and online services for classroom use, you should create one. Video: Here are a few suggestions for reviewing
apps or services that use a click-wrap agreement. Identify who within your school or district
will be responsible for approving the use of apps and services. Create an easy way for
faculty to receive feedback about third-party apps or services they would like to use in
the classroom. Use this process to screen out those that may pose security or privacy
risks. Read through terms of service carefully. They may be long and full of legalese, so
talk to your administrative or legal team to help make sense of them. Print and save
a copy of the terms of service for your records. Online providers sometimes include provisions
in the terms which enable them to change the terms at will. Check often to ensure that
the terms have not been changed unacceptably. Video: Technology in classrooms can improve
education by expanding our knowledge, communication, and productivity. But as we enjoy these new
tools, we must be mindful of
the risks they bring and follow best practices to secure and protect students’ private
information. [00:24:33] Video: We have discussed how to protect privacy
when using online educational services, but there is a lot more to know. Talk to your
school or school district administrators about local policies and procedures for using online
services. Also, check out the U.S. Department of Education’s Privacy Technical Assistance
Center website at www.ptac.ed.gov for more information on protecting student privacy
while using online educational services. Baron Rodriguez: All right, so how many of
you are familiar with your policies and enforce those policies with teachers in the classroom
on downloading applications and having students enter information in them, or having students
use those apps? I don’t see a lot of hands raised. If you take nothing else from this
presentation, one of the things you should do is look at your policies and start to think
about what is being used in the classroom. You may be giving away students’ privacy
without parents’ permission by using those applications. Baron Rodriguez: How many of you have virus
software on your handheld devices? Not very many. The number one distribution of viruses
right now are on your iPads and on these handheld devices. In fact, you’re probably giving
away your privacy right now if you don’t have virus software. I loaded it on shortly
after I found out that, and found that two apps were actually sharing information from
my contacts and things like that. They were very popular applications, these were not
fly-by-night applications. So be really careful. [00:26:20] Baron Rodriguez: I’m going to go back one
slide. The other thing that we actually are just going to release on April 6 is Model
Terms of Service. This is where we talk about what kinds of things should be in your terms
of service. I’m going to go over some of that today because I already have the document,
obviously, I’ve seen it. But a lot of districts have said, “That’s great, don’t just
tell us this. Tell us what we should be looking for in our terms of service.” So we put
together a guidance document that talks about that. USE OF EDUCATION TECHNOLOGY IN SCHOOLS Baron Rodriguez: All right, so as that video
showed, student information systems, productivity applications, educational applications, and
then fundamental school services – these are all online education apps. They are usually
what you contract out to do. ONLINE EDUCATIONAL SERVICES Baron Rodriguez: This guidance relates to
this subset of education services that are computer software, mobile applications, or
web-based tools, that are provided by a third-party to a school district, and accessed via the
Internet by students, and used as part of a school activity. BUT WAIT! THERE ARE EXCEPTIONS! Baron Rodriguez: So, again, it’s important
to remember that that information is still protected if it’s got student information.
So it may be that your directory information policy says that, but as I’ve gone to school
districts around the country, a lot of folks have not looked at their directory information
policy in years and they are not up to date. So they’re using more vendors, they are
using other types of outsourced or nonprofit organizations that they work with. You should
review your directory information policy and make sure it represents who has access to
those education records. [00:28:08] Baron Rodriguez: The School Official Exception,
that’s part of your annual notification, or some people call it the FERPA notice at
the district level. In that School Official Exception, or the annual notification, you
have to specify who you consider at the district level to have access to education records,
who you consider to have educational – legitimate educational interest. This includes vendors,
you don’t have to list every vendor but you should say types of vendors. “We contract
out with student information service providers, with transportation service providers,”
things like that where we may share information. Now, a lot of parents think that they can
opt out of that information. The only information parents can opt out of is the directory information
policy, okay, so that’s the stuff maybe you share with Jostens or others, you know,
yearbooks and programs that you do for athletic programs. The School Official Exception, you
just have to notify parents that these are the types of people that you give access to,
and that includes vendors, and they can’t opt out of it. You just need to let them know. DIRECTORY INFORMATION EXCEPTION Baron Rodriguez: So directory information.
Again, this policy was changed in 2011, where you can have limited directory information
policy. So a lot of districts thought that you had to, if you give it to one person,
you had to give it to everybody. So we made changes to the regulations to allow districts
the latitude to say here’s what we consider directory information, and we’re only going
to share this information with our yearbook provider, our parent handbook, things like
that. Otherwise, what was happening was many school districts were frustrated or didn’t
put together a directory information policy for fear of a marketer coming to the school
district and saying, “Well, that’s directory information, you have to give it to me.”
Or it could be a child predator, “You have to give me pictures of the kids, it’s directory
information.” Under this new policy, you can limit it to specific individuals or specific
groups rather than just giving it to anybody else. And that can also limit who gets it
for FOIA or whatever your public records laws are here in Pennsylvania. So if you don’t
want that to be part of it, you can narrow the scope of it and it wouldn’t be subject
to that. It would be protected by FERPA then. [00:30:45] Baron Rodriguez: So, again, directory information.
This is the area that parents have the right to opt out of. Not the School Official Exception. SCHOOL OFFICIAL EXCEPTION Baron Rodriguez: A couple of criteria for
the School Official Exception that I want to go over, and this directly relates to working
with vendors. When you work with vendors, it has to be a function which you would otherwise
use your own employees. If you had just unlimited resources you can hire 30 IT programmers and
create your own student information system that didn’t have bugs and didn’t have
upgrades every year, you’d do it. But the fact is you have to contract that out. Baron Rodriguez: The second bullet a lot of
vendors get concerned about, but it’s only direct control as it relates to the use of
your education records. About 18 months ago, New York had a big issue with an outside vendor
possibly using information for other purposes. The State needed to enforce direct control
related to those education records, but it became a public nightmare and kind of got
out of control. But, at the end of the day, your vendors can’t reuse student information
even for marketing purposes. Right? That’s still the districts control the data. That
should be in your contracts and MOUs with them. Baron Rodriguez: The last two, focusing on
redisclosure and using it for unauthorized purposes. Very important. QUESTION 1 Baron Rodriguez: All right, so when you’re
working with these online services, is that information protected by FERPA? Baron Rodriguez: Well, we talked about this.
That’s our favorite – it depends. Some data is protected by FERPA. Others may not
be. You really need to have a process in place, and if you take nothing else away from this,
again, go back and review your policies as it relates to working with applications. There
are a lot of those that are giving away information, they are collecting information and giving
it away on your behalf. [00:32:47] QUESTION 2 Baron Rodriguez: Under FERPA, are providers
limited in what they can do with student information that they collect or receive? Baron Rodriguez: Well, it depends. So, again,
if it’s under the directory information policy, if someone gets it under that, you
have a general directory information policy, there’s no redisclosure, so if someone takes
that yearbook information, they can give it to 30 other providers if they want to. That’s
not subject to FERPA’s redisclosure. Under the School Official Exception they can only
use it for the purpose in your contract with them. They can’t sell that personally identifiable
information and, again, there are some limitations as it relates to the PPRA for those students
as they are collecting maybe survey information and things like that. WHAT ABOUT METADATA? Baron Rodriguez: Metadata. Are there restrictions
on what people can do with metadata? Baron Rodriguez: Again, this is information
such as there may be tracking click-through and how long it takes them to come to a certain
answer. Again, if this has been stripped of all direct and indirect identifiers, it’s
fine to use that – for them to use that information. The problem is are you, as a
district, going to go through and verify whether that data is actually correctly deidentified? OTHER LAWS TO CONSIDER Baron Rodriguez: And then, of course, you
have COPPA, and this applies to – and I know districts are really good about these,
but I think part of that is because there’s an enforcement mechanism behind it. Right?
When you’re working with vendors, they know that they can be fined if they violate those.
So, again, this tends to have a little more teeth to it than FERPA does.

BEST PRACTICES FOR PROTECTING STUDENT PRIVACY

Baron Rodriguez: So if we want to get through
this, to summarize, if we want to start to change the perception of education data, these
are the things we really think that are important. [00:34:39]

Baron Rodriguez: Obviously, know what other
relevant laws here in Pennsylvania apply. Be aware of your online educational services
and how they are being used. You might be surprised if you took an inventory of your
classrooms and found out how many applications are being used and what they are being
used for. You need policies and procedures to evaluate and approve those. Certainly you
don’t want to keep teachers from being able to do what they need to do, right? You want
to give them that opportunity to be creative, but there still needs to be a process to make
sure that those applications truly are free.

Baron Rodriguez: When possible, use a written
contract or legal agreement. Be transparent with parents and students. My district is
a great example in Frederick, they are very transparent with us with what they do with
the data, how they use it, and I get a lot of data back, so I’m pretty comfortable
with the policies that they have there. The district I was at in Oregon, not so much.
They were always collecting information but I never received anything back and it made
me very uncomfortable, so I opted out of everything I could.

Baron Rodriguez: And, remember, sometimes
– so we had a teacher recently send us an e-mail and ask, “I want to use this application,
it does collect some personally identifiable information, it collects weight. We’re actually
doing a nutrition type of program. What’s the best way to do this?” And we said, “Well,
the best way would be to get parental consent. You know, it seems like something that could
be a good program, but you really should just go through the process of asking parents to
consent to participating in that particular online nutrition program where they would
enter in calories and how their weight was doing and how much exercise they did, and
things like that.”

USING FREE OR “FREEMIUM” EDUCATIONAL SERVICES

Baron Rodriguez: Again, you probably should
have policies that don’t have individual teachers just signing up for “freemium”
education services. You should have a process in place to make sure that it truly is free.
Again, if you’re doing this under the School Official Exception, you have to directly control
those third parties as it relates to that, and I doubt the contract terms of service
allow you to control them as it relates to student data. [00:36:52]

Baron Rodriguez: The other thing is a lot
of these services can introduce security vulnerabilities into your school networks, so by allowing
these applications on, you might actually be creating a security hole and allowing hackers
a way into your student information systems.

TERMS OF SERVICE PROVISIONS

Baron Rodriguez: So what’s in this new guidance?
The new guidance that’s going to come out on April 6 represents provisions that may
be found in a terms of service, privacy policy, or other contract offered by a provider of
online educational services. These are guidance documents to help guide the conversation.
For years, the Department has been kind of silent as it’s related to electronic records.
We’re really seeing guidance documents about every quarter as it relates to this.

CLICK-WRAP AGREEMENTS

Baron Rodriguez: Click-wrap agreements. Many
providers rely on a terms of service agreement that’s not negotiated. And, again, you’ve
probably, just like me, scrolled past many similar agreements and said “I agree”
when adding an app to your phone or tablet. Remember that some of these could lead to
a violation of FERPA or PPRA. So be very careful about that, be very wary of just the click-through
agreements. You probably should actually read those and make sure they’re not collecting
information and sharing it.

EVALUATING TERMS OF SERVICE

Baron Rodriguez: So this terms of service
will help you evaluate these terms of service, so you will be able to actually look at the
things we think should be in those terms of service. Again, much of the legalese found
on these are very confusing. By understanding the commonly used provisions, school or district
officials will be better prepared to decide whether consenting to an agreement would be
in the best interest of student privacy. Right? [00:38:36]

Baron Rodriguez: Every school district should
have a designated representative who reviews the agreements before they are used in the classroom.
So that’s what we are saying in the guidance document, that you, as a school district,
should have a representative who reviews these agreements. It should be inventoried, evaluated,
and support the school’s or district’s broader missions and goals, and this will
help you tie it to the School Official Exception or other appropriate exception.

[00:39:13. End.]