Education Committee on Data Practices and Security
Linda Bell Testimony – February 25th, 2016 @ 1PM
Yesterday I shared my concerns over data security. While many of us are indeed concerned and interested in how these behemoth data systems are protected against hackers, I wanted to point out that teachers, staffs and administrators are not being annually training in best practices concerning data security.
When you see two organizations like the ACLU and the Tenth Amendment Center coming forward with model legislation, it’s clear that this is an important issues for constituents across the U.S. as well as in Minnesota. We hope a data bill would add protection for our state’s children and families! However, until schools are training staffs how to use data, it will not matter if our data systems are protected, for the people closest to the children may be the ones unknowingly leaking student data.
Good afternoon Madam Chair and Committee Members. My name is Linda Bell and I am a career public school teacher and parent.
As a former public school teacher, the issue of data security is very important to me and my family. I am thrilled that such a hearing is occurring and I thank you for allowing my testimony.
Long gone are the days when I kept my little red grade book in my desk at school. I closed the desk drawer without even a lock. Those grades were seen by no one except my students who received paper report cards, the school office and myself. Today, student grades and other sensitive information are held in student databases within districts, outside districts as well as parent and student portals by organizations like TIES, Infinite Campus, and JMC. Technology is a great benefit. However all of this information is now at high risk. Schools and their data are a target!
Districts such as Wayzata and Minnetonka have had data breaches within the last ten years. Some breaches are suppressed within districts, with notification only to specific parents. Rarely are these breaches reported in local or state media. The public is generally unaware.
Each week we hear from parents who have received no notice regarding surveys, questionnaires, screeners, and testing. Many of these are violations of the PPRA law. Do the school districts understand their duty to protect student data? Do they truly understand FERPA and PPRA? Our members wonder.
Discussing data issues with my teaching colleagues, I find they know very little about the two big laws that cover student data, namely FERPA and PPRA. How and when will they learn how to keep their student’s data protected? Many teachers from multiple districts tell me they have not received such training.
The 40 year old law, FERPA (Family Education Rights and Privacy Act), was initially focused on paper records. Now that schools use multiple resources online, times have changed. PPRA (Pupil Privacy and Protection Amendment) protects students from invasive data collection including political and religious beliefs, invasive questions about familial status, sexual attitudes and mental health.
Our own Minnesota Department of Education and US Department of Education have many wonderful resources to help train school staff and administrators. I want to bring up three items of Best Practice.
I. Best Practices stated for FERPA:
- Annual IT training on security
- FERPA training for entire staff (some states already do this)
- Statewide secure transcripts in encrypted format
- Training is crucial, ongoing staff in-service
- Information should NOT be on laptop; free wifi outlets are a no-no
- Continually manage, assess risk
- Understanding the difference with mobile apps
**Often staff training only occurs when something BAD happens.**
II. Best Practices for the PPRA:
- Are school’s aware of what teachers are using for online resources?
- Have online resources been vetted by IT/Technology Department?
- ASK: “DOES THIS SERVICE PROTECT MY STUDENTS’ PRIVACY?”
III. Best practices for data notification by a school district include:
- Annual notification of FERPA
- Annual notification of PPRA
- Directory Information notice on opt out
This notification should be prominently featured on each school website.
Do all of our districts have this notification readily available for parents? No!
Comparing federal and state law, there are several differences governing access to student records, according to Legislative Analyst, Lisa Larson, in 12.2015 document, Federal and State Government Access to Student Records. http://www.house.leg.state.mn.us/hrd/pubs/studrec.pdf
“A school must give notice when asking students for information about themselves. Minnesota law, unlike federal law, contains a notice requirement that is often called the Tennessen warning after the author of the legislation. A school must give students a Tennessen warning any time it collects private or confidential data about students. When a school asks students for such data, it must tell them how and for what purpose it intends to use the data, whether the students may refuse to supply the data and the consequences of providing or not providing the data, and identify those who are allowed to receive the data under federal or state law.”
There are federal and state sanctions for violating data practices law. Under federal law, a school that fails to comply with FERPA can lose all federal education funding. A harmed individual may file a civil lawsuit alleging tortious wrongdoing, including invasion of privacy, defamation, or libel, or may file a section 1983 (civil rights) action.
So, it would seem that we have state laws, like the Tennessen warning, as well as federal and/or state laws, regarding FERPA and PPRA, that would protect a student’s data. What we do not have is the training occurring at the local level!
How do we make this happen? How do we make sure that student data is protected when teachers and administrators have never been trained? The FERPA Training bill would go far in helping teachers and administrators to safeguard student data by requiring annual training in FERPA and PPRA.
A teacher’s job now requires managing online resources. Teachers and schools must have best practices in place to manage risks and liabilities of the students and families they serve.