Module 5: Privacy, Rights, Terms of Service, and Accessibility
Parents or eligible students who believe their rights under PPRA have been violated may file a complaint with the...
Family Policy Compliance Office.
Schools subject to CIPA have two additional certification requirements:
1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response.
FERPA allows schools to disclose those records, without consent, to the following parties or under the following 9 conditions
1. School officials with legitimate educational interest; 2. Other schools to which a student is transferring; 3. Specified officials for audit or evaluation purposes; 4. Appropriate parties in connection with financial aid to a student; 5. Organizations conducting certain studies for or on behalf of the school; 6. Accrediting organizations; 7. To comply with a judicial order or lawfully issued subpoena; 8.Appropriate officials in cases of health and safety emergencies; and 9. State and local authorities, within a juvenile justice system, pursuant to specific State law.
In early ______, the FCC issued rules implementing CIPA and provided updates to those rules in ____.
2001, 2011
Under FERPA, a school must comply with a request from a parent or eligible student for access to education records within a reasonable period of time, but not more than ___ days after it has received the request. Some States have laws that require access to education records sooner than ___ days.
45, 45
According to a PBS survey, ___% of teachers have access to computers but only about ___% say they have access to the right level of technology.
91, 20
Is there a time limit on the limitations governing the use of personal information collected from students for marketing purposes?
No so, for example, while PPRA would not limit the use of information collected from college students for marketing, it would restrict the use of information collected from students while they were still in high school (if no notice or opportunity to opt-out was provided) even after those students graduate.
FERPA is not the only statute that limits what providers can do with student information. The _______________ ___ _____ _______ ___________ provides parents with certain rights with regard to some marketing activities in schools.
Protection of Pupil Rights Amendment (PPRA)
When drafting and reviewing these contracts, the Department recommends the inclusion of certain provisions (6)
Security and Data Stewardship Provisions Collection Provisions Data Use, Retention, Disclosure, and Destruction Provisions Data Access Provisions Modification, Duration, and Termination Provisions. Indemnification and Warranty Provisions
that student information that has been properly de-identified or that is shared under the "directory information" exception, is...
not protected by FERPA, and thus is not subject to FERPA's use and re-disclosure limitations
Schools and districts will typically need to evaluate the use of online educational services ___________________________________________________________ to determine if FERPA-protected information (i.e., PII from education records) is implicated. If so, schools and districts must ensure that ___________ ___________ are met (as well as ________________________________________________________________________________________)
on a case-by-case basis; FERPA requirements; the requirements of any other applicable federal, state, tribal, or local laws
Student information collected or maintained as part of an online educational service may be protected under FERPA, under PPRA, under both statutes, or not protected by either. Which statute applies depends...
on the content of the information, how it is collected or disclosed, and the purposes for which it is used
PPRA also requires schools and districts to provide: (3)
parents and students with effective notice of their PPRA rights, to provide notice to parents of district policies (developed and adopted in consultation with parents) regarding specific activities, and to notify them of the dates of specific events and the opportunity to opt out of participating in those events.
Further, the FERPA regulations require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of _______________________________________________________ before disclosing or permitting access to PII
parents, students, school officials, and other parties
The primary goal of COPPA is to...
place parents in control over what information is collected from their young children online.
The Rule of COPPA was designed to ________________________ while ______________________
protect children under age 13, accounting for the dynamic nature of the Internet.
Under CIPA, before adopting this Internet safety policy, schools and libraries must...
provide reasonable notice and hold at least one public hearing or meeting to address the proposal.
FERPA requires the use of _____________________________________ to __________________________________________________________
reasonable methods to authenticate the identity of parties to whom educational agencies and institutions disclose education records, help educational agencies and institutions improve the transparency and availability of education data while protecting the privacy and security of education records by increasing the effectiveness of access controls.
The Federal Trade Commission (FTC) has interpreted COPPA to allow...
schools to exercise consent on behalf of parents in certain, limited circumstances
The use of online educational services may give rise to...
situations where the school or district provides FERPA-protected data to open accounts for students, and subsequent information gathered through the student's interaction with the online educational service which involves PPRA.
Complaints under PPRA must contain...
specific allegations of fact giving reasonable cause to believe that a violation of PPRA occurred.
PPRA is also concerned with what 3 other areas?
student privacy, parental access to information, and the administration of certain physical examinations to minors.
What is single-factor authentication?
Single-factor authentication requires a user to confirm identity with a single factor, such as a PIN; an answer to a security question; or a fingerprint.
Which exception is more likely to apply to schools' and districts' use of online educational services?
The FERPA school official exception
What are Online Educational Services?
computer software, mobile applications (apps), and web-based tools provided by a third-party to a school or district that students and/or their parents access via the Internet and use as part of a school activity.
What is Identity Authentication?
"Authentication of identity" means ensuring that the recipient of education records or the party who receives or transmits students' records is, in fact, the authorized or intended recipient or sender.
FERPA defines education records as "records that are:
(1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution"
Under CIPA, the protection measures must block or filter Internet access to pictures that are: (3)
(a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors)
Congress enacted the Children's Online Privacy Protection Act (COPPA) in
1998
What are examples of Online Educational Services?
Examples include online services that students use to access class readings, to view their learning progression, to watch video demonstrations, to comment on class activities, or to complete their homework.
Is Student Information Used in Online Educational Services Protected by FERPA?
It depends. Because of the diversity and variety of online educational services, there is no universal answer to this question. The Family Educational Rights and Privacy Act (FERPA) (see 20 U.S.C. § 1232g and 34 CFR Part 99) protects personally identifiable information (PII) from students' education records from unauthorized disclosure.
Do FERPA and the Protection of Pupil Rights Amendment (PPRA) Limit What Providers Can Do with the Student Information They Collect or Receive?
On occasion, providers may seek to use the student information they receive or collect through online educational services for other purposes than that for which they received the information, like marketing new products or services to the student, targeting individual students with directed advertisements, or selling the information to a third party. If the school or district has shared information under FERPA's school official exception, however, the provider cannot use the FERPAprotected information for any other purpose than the purpose for which it was disclosed.
Who does PPRA apply to?
Only to k-12 institutions that receive funding from the U.S. Department of Education, the programs and activities of a State educational agency (SEA), and the programs and activities of a local educational agency (LEA),
While FERPA protects _______________________________________, ________________, PPRA is invoked
PII from education records maintained by a school or district, when personal information is collected from the student.
What happens when a student starts college and turns 18?
The parents' FERPA rights are transferred to the student
Authentication factors like PINs, passwords, and security tokens are only effective if the user is the only party who knows this information or possesses the token but why may this be a problem?
This sometimes makes it difficult to recover a user's ability to access the data from a system if the user has forgotten the password or misplaced his or her token.
How can an educational agency or institution determine the appropriate level of identity authentication assurance?
To address this question, an organization should conduct a risk assessment to determine the threats to its data and evaluate the likelihood of inappropriate data disclosure based on its specific situation. This assessment should include a review of a potential impact of unauthorized disclosure or, conversely, of inappropriate denial of access to education data (e.g., when an authorized staff member is unable to perform his or her duties due to limited access to data).
Are there exceptions to this written consent rule?
Yes
PPRA governs the administration to students of a survey, analysis, or evaluation that concerns one or more of the following eight protected areas:
• political affiliations or beliefs of the student or the student's parent; • mental or psychological problems of the student or the student's family; • sex behavior or attitudes; • illegal, anti-social, self-incriminating, or demeaning behavior; • critical appraisals of other individuals with whom respondents have close family relationships; • legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; • religious practices, affiliations, or beliefs of the student or student's parent; or, • income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program).
Schools and libraries subject to CIPA are required to adopt and implement an Internet safety policy addressing: (5)
1. Access by minors to inappropriate matter on the Internet; 2. The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications; 3. Unauthorized access, including so-called "hacking," and other unlawful activities by minors online; 4. Unauthorized disclosure, use, and dissemination of personal information regarding minors; and 5. Measures restricting minors' access to materials harmful to them.
Schools and libraries must certify they are in compliance with CIPA before they can receive E-rate funding with what three exceptions?
1. CIPA does not apply to schools and libraries receiving discounts only for telecommunications service only; 2. An authorized person may disable the blocking or filtering measure during use by an adult to enable access for bona fide research or other lawful purposes. 3. CIPA does not require the tracking of Internet use by minors or adults.
What are five questions, according to Arne Duncan, that schools and school districts should be asking themselves?
1. Do you know what online services your schools and teachers use? 2. Are you offering teachers timely approval of technologies that they want to use in the classroom? 3. Do your contracts explicitly lay out the ownership and appropriately limit the use of any data collected? 4. Are you transparent with parents about how your district uses that data? 5. Do your schools allow students to bring their own devices as tools for learning and do your policies protect them?
What are some benefits Arne Duncan gave for how technology improves teaching? (4)
1. It can enable teachers to focus their time on the things they do best like teaching critical thinking skills. 2. helping the children who are struggling the most by providing up to the minute information about where students are doing well and where they need the most help 3. It can help them reinvent the most traditional (some would say boring) school experiences. 4. empower parents giving them a stronger connection to what their kids are actually doing
PPRA is intended to protect the rights of parents and students in two ways:
1. It seeks to ensure that schools and contractors make instructional materials available for inspection by parents if those materials will be used in connection with an ED-funded survey, analysis, or evaluation in which their children participate; and 2. It seeks to ensure that schools and contractors obtain written parental consent before minor students are required to participate in any ED-funded survey, analysis, or evaluation that reveals certain information.
Under the school official exception, schools and districts may disclose PII from students' education records to a provider as long as the provider: (4)
1. Performs an institutional service or function for which the school or district would otherwise use its own employees; 2. Has been determined to meet the criteria set forth in in the school's or district's annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records; 3. Is under the direct control of the school or district with regard to the use and maintenance of education records; and 4. Uses education records only for authorized purposes and may not re-disclose PII from education records to other parties (unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA).
The Commission's original COPPA Rule became effective on ________________. The Commission issued an amended Rule on ____________________. The amended Rule took effect on ____________.
April 21, 2000, December 19, 2012, July 1, 2013
What is authentication?
Authentication is the process by which an educational agency or institution establishes the appropriate level of identity authentication assurance, or confidence in the identity of the person or entity requesting access to the records.
Extra caution and extra steps are warranted before employing Click-Wrap consumer apps: (3)
Check Amendment Provisions. In addition to reviewing for the above terms, you should review the TOS to determine if the provider has retained the right to amend the TOS without notice Print or Save the TOS Limit Authority to Accept TOS.
What is CIPA, when was it enacted, and who does it apply to?
Children's Internet Protection Act; CIPA was enacted by Congress in 2000 to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program - a program that makes certain communications services and products more affordable for eligible schools and libraries.
What is COPPA?
Children's Online Privacy Protection Act; The primary goal of COPPA is to place parents in control over what information is collected from their young children online. COPPA was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.
What is FERPA?
Family Educational Rights and Privacy Act: This federal law applies to all schools that receive funds from the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records.
What does FERPA protect and give you the right to do what three things?
It protects identifiable information about students in records kept by schools and gives you the right to access these records, to seek to correct it, and to generally consent to its disclosure.
What are the three types of authentication factors?
Knowledge Factors (something the user knows): The requesting party demonstrates that it has knowledge of some unique data associated with the party whose identity is being authenticated, such as a password, security questions, or a PIN. Ownership Factors (something the user has): The requesting party demonstrates that it has possession of something uniquely associated with the party whose identity is being authenticated, such as a security token (see Glossary for definition), email account, ID card, or a mobile device (in the case of a mobile device, ownership can be confirmed by sending a one-time password to the device that has been pre-registered with the organization). Inherence Factors (something the user is or does): The requesting party demonstrates that it has a feature inherent to the party whose identity is being authenticated, such as a matching fingerprint, iris pattern, or facial features (these techniques are commonly referred to as "biometrics").
PPRA has an important exception which is
Neither parental notice and the opportunity to opt-out nor the development and adoption of policies are required for school districts to use students' personal information that they collect from students for the exclusive purpose of developing, evaluating, or providing educational products or services for students or schools.
Are Metadata that have been stripped of all direct and indirect identifiers considered protected information under FERPA?
No because they are not PII.
Does FERPA require a written agreement for use in disclosures under the school official exception?
No but in practice, schools and districts wishing to outsource services will usually be able to establish direct control through a contract signed by both the school or district and the provider. In some cases, the "Terms of Service" (TOS) agreed to by the school or district, prior to using the online educational services, may contain all of the necessary legal provisions governing access, use, and protection of the data, and thus may be sufficient to legally bind the provider to terms that are consistent with these direct control requirements.
If a school is going to publish directory information under the "directory information exception" it must what?
To disclose student information under this exception, individual school districts must establish the specific elements or categories of directory information that they intend to disclose and publish those elements or categories in a public notice giving parents and eligible students the opportunity to "opt out" in a reasonable amount of time.
What is two-factor or multifactor authentication?
Two-factor and multifactor approaches require the use of two or more methods to authenticate an individual's identity. For example, in addition to the PIN, a user has to provide an ID card and/or have a matching iris pattern.
What are Authentication Factors?
Typically, an individual's identity is authenticated through the use of one or more factors, such as a Personal Identification Number (PIN), password, or some other factor known or possessed only by the authorized user.
Schools and districts are encouraged to remember that FERPA represents a ______ __ of requirements to follow.
minimum set, Thus, even when sharing PII from education records under an exception to FERPA's consent requirement, it is considered a best practice to adopt a comprehensive approach to protecting student privacy when using online educational services.
True or false: No agency officials should be able to recover passwords or security tokens for any reason.
With that in mind, full, unencrypted passwords in plain text should never be stored within electronic systems. We recommended that you work with your Information Technology (IT) Administrator or Security Officer to ensure that stored passwords are encrypted using a strong cryptographic algorithm. This approach reduces the risk of password data leakage and prevents administrators or school officials from being able to access actual passwords, increasing the assurance level of the system
What is the Privacy Technical Assistance Center (PTAC)?
a "one-stop" resource for answering questions and addressing concerns related to privacy, confidentiality, and security practices
Some types of online educational services do use FERPA-protected information. For example,
a district may decide to use an online system to allow students (and their parents) to log in and access class materials. In order to create student accounts, the district or school will likely need to give the provider the students' names and contact information from the students' education records, which are protected by FERPA
A Statement of Basis and Purpose is...
a document an agency issues when it promulgates or amends a rule, explaining the rule's provisions and addressing comments received in the rulemaking process.
other types of online educational services may not implicate FERPA-protected information. For example...
a teacher may have students watch video tutorials or complete interactive exercises offered by a provider that does not require individual students to log in. In these cases, no PII from the students' education records would be disclosed to (or maintained by) the provider.
Does FERPA require colleges and universities to release records to student's parents?
no but it does allow colleges and universities to do this if the parents claim their kid on their federal tax return
The same degree of certainty in the requester's identity should be required for _________________________________________________________________. This means that although educational agencies and institutions most commonly provide access to education records by computer or telephone, they must have procedures in place to be able to establish ____________________________________________________________________ regardless of whether the data are accessed via electronic systems, mail, fax, telephone, or in person.
access to data of the same sensitivity level, the same level of identity authentication assurance
While FERPA and PPRA provide important protections for student information...
additional use or disclosure restrictions may be advisable depending on the situation and the sensitivity of the information. Any additional protections that a school or district would like to require should be documented in the written agreement (the contract or TOS) with the provider.
FERPA requires that schools and districts issue ...
an annual notification to parents and eligible students explaining their rights under FERPA
What is directory information?
basic information about students like name, picture, address, grade level telephone number, date and place of birth, honors and awards, and dates of attendance. "Directory information" is information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed
Why would the "directory information exception" not be feasible for disclosing PII from education records to providers to create student accounts or profiles?
because of the number of parents (and eligible students) who elect to opt out of directory information
What are some best reasonable authentication practices? (5)
conducting privacy risk assessments to determine potential threats to the data; selecting authentication levels based on the risk to the data (the higher the risk, the more stringent the authentication); developing a process to securely manage any secret authenticating information, or, "authenticators" (e.g., passwords) throughout their creation, use, and disposal; enforcing policies to reduce the possibility of authenticator misuse (e.g., encrypting stored passwords, locking out accounts with suspicious activity, etc.); and managing user identities through creation, provisioning, use, and disposal (with periodic account recertification, to confirm that a user account has been properly authorized and is still required by the user).
Online educational services increasingly collect a large amount of ____________ or _____________ data as part of their operations, often referred to as
contextual, transactional, "metadata."
FERPA also defines the term PII, which includes
direct identifiers (such as a student's or other family member's name) and indirect identifiers (such as a student's date of birth, place of birth, or mother's maiden name)
A provider that has been granted access to PII from education records under the school official exception may not use any metadata that are not linked to FERPA-protected information for other purposes, unless otherwise prohibited by the terms of their agreement with the school or district: true or false?
false
If a student or their parents (if under 18) and a school disagree about the student's records, FERPA does what?
gives the student or their parents the right to request a hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.
What are examples of some kinds of records FERPA protect?
grades, special needs information, disciplinary actions
Examples of metadata are?
information about how long a particular student took to perform an online task has more meaning if the user knows the date and time when the student completed the activity, how many attempts the student made, and how long the student's mouse hovered over an item (potentially indicating indecision).
Metadata refer to...
information that provides meaning and context to other data being collected
For online systems, organizations should implement basic authentication controls to reduce the ability of an attacker to guess at authentication credentials until the correct combination is achieved (known as "brute force password guessing") by...
introducing mechanisms to lockout or prevent repetitive failed authentication attempts (the account can then be unlocked only by a system administrator or help desk). This approach can help to reduce the threat of brute-force attacks.
The rights under PPRA transfer from the parents to a student who...
is 18 years old or an emancipated minor under State law.
COPPA required the Federal Trade Commission to...
issue and enforce regulations concerning children's online privacy
PPRA requires...
that a school district must, with exceptions, directly notify parents of students who are scheduled to participate in activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes, or to sell or otherwise provide that information to others for marketing purposes, and to give parents the opportunity to opt-out of these activities. PPRA also requires districts to develop and adopt policies, in consultation with parents, about these activities.
What are the three keystone federal laws that protect student's privacy?
the Family Educational Rights and Privacy Act (FERPA), the Protection of Pupils Rights Amendment (PPRA), and the Children's Online Privacy Protection Act (COPPA)
In order to ensure that only appropriate individuals and entities have access to education records, organizations must implement various forms of authentication to establish ____________________________________________________________. This process involves ____________________________________________________________.
the identity of the requester of the information with a level of certainty that is commensurate with the sensitivity of the data, identifying and validating the identity of the requesting entity with the required degree of confidence that he or she is who that person claims to be
The choice of the specific authentication method often varies depending on ....
the level of sensitivity of the data that are being disclosed. For example, an organization may determine that a single-factor identity authentication, such as using a standard format username combined with a secret PIN or password, is reasonable for protecting access to student attendance records. Single-factor authentication may not be reasonable, however, for protecting access to highly sensitive information, including health records and information that could be used for identity theft and financial fraud, such as social security numbers (SSNs) and credit card numbers
The analysis of the risks of a potential authentication failure and associated impact should then be used to determine...
the necessary levels of identity authentication assurance the organization needs to establish.
Whenever a provider maintains a student's education records...
the school and district must be able to provide the requesting parent (or eligible student) with access to those records. Schools and districts should ensure that their agreements with providers include provisions to allow for direct or indirect parental access.
Identity authentication relies on....
the secrecy of authentication factors. Consequently, it is advisable that all exchanges of passwords or other authenticating information be sent through encrypted channels using a secure transfer protocol, such as Transport Layer Security.
Requirements for specific authentication factors or their combination may vary depending on...(2)
the type of education records being accessed (e.g., more or less sensitive) and the way in which they are accessed (e.g., in person or electronically).
In addition to using multiple authentication factors, higher levels of assurance can be achieved through...
the use of authentication factors that are harder to guess or falsify and by implementing stricter mechanisms to protect their secrecy. Stronger factors (e.g., more complex passwords) and better protection from being compromised through malicious activity (e.g., encrypting passwords with a strong algorithm) offer a greater level of confidence in a user's identity authentication.
Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless...
they certify that they have an Internet safety policy that includes technology protection measures.
With Click-Wrap agreements, the act of clicking a button to accept the TOS serves...
to enter the provider and the end-user (in this case, the school or district) into a contractual relationship akin to signing a contract.
Schools and districts should be aware that neither FERPA nor the PPRA absolutely prohibits them from allowing providers...
to serve generalized, non-targeted advertisements.
under FERPA's school official exception, the provider may not share (or sell) FERPA-protected information, or re-use it for any other purposes, except as directed by the school or district and as permitted by FERPA.: true or false
true
True of false: For electronic systems, well designed account recovery mechanisms and cryptographic protection of the authentication process are of great importance and should be incorporated into the system development process. One unwavering fact of electronic data systems is that users will, at some point,lose or forget their account password, PIN, or other authenticating information.
true It is important that these systems include the ability to safely recover or reset the authenticating information without negatively impacting the integrity of the authentication system. The method might be as simple as an email-based recovery option that asks alternate security questions created during user registration. This type of recovery procedure relies on the knowledge of the security questions, which the user created upon registration, and requires the party being authenticated to have access to the email account utilized for the registration. These two factors together increase the security of the transaction and allow a user to recover information without delay.
While the use of any single factor provides a minimal level of identity authentication assurance, that level is increased greatly by...
using multiple authentication factors of different types. For example, for "in person" transactions, in the case of a parent or student accessing education records from a school office, the school official might request a photo ID to validate the identity of the person requesting the records. This approach utilizes two factors to validate the identity of the requester—an ownership factor in the form of a valid photo ID and an inherence factor, which is the physical resemblance of the person to the one pictured in the photo ID. Often, this type of visual authentication is not possible for electronic and phone transactions (although video cameras can be used for identifying individuals in some cases, such as for granting physical access to a secure facility).
Care should be taken when developing and implementing authentication systems within web applications to ensure that the applications are built... (using what 2 things along with what to prevent attacks like what 3 things)
using secure coding and session management techniques along with thorough validation of user input to prevent attacks like SQL injection, Cross Site Scripting, and Cross Site Request Forgery, among others
Under FERPA, what is necessary for a school to release records generally?
written consent
What are Some Other Best Practices for Protecting Student Privacy When Using Online Educational Services? (7)
•Maintain awareness of other relevant federal, state, tribal, or local laws. FERPA and PPRA are not the only laws that protect student information. Like COPPA • Be aware of which online educational services are currently being used in your district. • Have policies and procedures to evaluate and approve proposed online educational services. • When possible, use a written contract or legal agreement. • Extra steps are necessary when accepting Click-Wrap licenses for consumer apps • Be transparent with parents and students. • Consider that parental consent may be appropriate. Even in instances where FERPA does not require parental consent, schools and districts should consider whether consent is appropriate.