How would you even know?
The goal is to protect student information, student records and student-generated content from unauthorized access, destruction, use, modification or disclosure based on the sensitivity of the data and the risk from unauthorized access. The implementation is a moving target, as the technologies and methodologies often refer to meeting or exceeding
- industry standards,
- the HIPPA Security Rule as amended from time to time, and
- the current guidance and recommendation from Health IT Policy Committee.
Student security applies to any entity that knows that their service is designed, marketed, and used for school purposes. If a student or school is using a product that does not meet these criteria, the privacy laws may not be applicable for that company or that product.
Student information, student records, or student-generated content cannot be used for any purposes that have not been spelled out in a contract, and specifically cannot be used for targeted advertising, and the information cannot be sold, rented, shared, or traded. While a company can advertise, the advertisement cannot be based on any information acquired or access through school purposes.
Student identifiable information cannot be stored for longer than is required based on the educational purposes, and all student generated content is owned by the student and parents.
A supplier can use student identifiable information in order to improve their service.
A suppler can de-identify student information, and use it to improve their product and to demonstrate effectiveness, and it may share de-identified student information to improve their services.
Generally, in case of a breach, the supplier is required to notify the local or regional board of education (and sometimes students and parents) within a specified amount of time, sometimes within 30 days.
Generally, any use of school data or systems must be under contract, and all contracts should include at least the following provisions:
- A statement that student information, student records and student-generated content are not the property of or under the control of a contractor;
- A description of the means by which the local/ regional board of education may request the deletion of student information, records or generated content in the possession of the contractor;
- A statement that the contractor shall not use student information, records and generated content for any purposes other than those authorized pursuant to the contract;
- A description of the procedures by which a student, parent or legal guardian of a student may review personally identifiable information contained in student information, records or generated content and correct erroneous information, if any, in such student record;
- A statement that the contractor shall take actions designed to ensure the security and confidentiality of student information, records and generated content;
- A description of the procedures that a contractor will follow to notify the local/ regional board of education, in accordance with the provisions of section 4 of this act, when there has been an unauthorized release, disclosure or acquisition of student information, records or generated content;
- A statement that student information, records or generated content shall not be retained or available to the contractor upon completion of the contracted services unless a student, parent or legal guardian of a student chooses to establish or maintain an electronic account with the contractor for the purpose of storing student-generated content;
- A statement that the contractor and the local/regional board of education shall ensure compliance with the FERPA of 1974, 20 USC 1232g, as amended from time to time;
- A statement that the laws of the state of Connecticut shall govern the rights and duties of the contractor and the local/regional board of education and
- A statement that if any provision of the contract or the application of the contract is held invalid by a court of competent jurisdiction, the invalidity does not affect other provisions/applications of the contract which can be given effect without the invalid provision or application.
If the contract is missing one or more provision, the entire contract might be void.
What should be your take-away?
If you are going to use an applicable product or service, or if you are intending to provide a product or service into schools, you need documentation that
- There are security measures that meet industry standards for use of student data.
- There are security breach notification procedures.
- Uses of any data is limited to approved purposes, especially regarding advertising and marketing strategies.
- Agreements exist with any and all third parties cover the security and privacy requirements of the state.
I want to note that some of the descriptions and language come from the Connecticut Act surrounding student data and privacy.