Privacy in the 21st Century: Issues for Schools

1
Privacy in the 21st Century Issues for Schools
Libraries
2003 WEMA Conference
Bob Bocher robert.bocher_at_dpi.state.wi.us Dept.
of Public Instruction

• Helen Adams
• hadams_at_coredcs.com
• Rosholt School District

www.dpi.state.wi.us/dltcl/pld/privacy.html
2
Topics to Cover

• An overview of privacy issues
• Federal and state protections and actions
• Tips on online privacy
• Privacy issues in schools
• Privacy resources

3
Privacy Concerns and PII(Personally Identifiable
Information)

• Privacy concerns are high on consumer polls.
  Key concerns include
• Identity theft and fraud
• .Coms selling your PII
• Government misuse of your PII
• Security of your medical and financial data
• Privacy concerns increase as
• More people are online
• Residential broadband access increases (now 20)
• Use of wireless communication increases
• More people shop and conduct business online

Identity theft is one of the fastest growing
crimes in the state. Its about time law
enforcement officials had the tools to bring down
these high tech con artists. State Rep Mark
Gundrum (R-New Berlin), Chair, Assembly TF on
Identity Theft (April 8, 2003)
4
Personally Identifiable Information (PII)

• Typical PII includes
• Name
• Address (work, residence)
• Email address
• Telephone number
• Other ID (SSN, etc.)
• Non-PII includes
• Demographic
• Age, gender, race/ethnicity
• Education level, job, income
• Preferences, interests, hobbies

How much of this data is in your schools
database?
5
Federal Protections and Action

• 4th and 5th amendments
• Federal Trade Commission (FTC) is lead privacy
  agency
• Many federal laws have privacy provisions,
  including
• Gramm-Leach-Bliley Act (GLB, 1999)
• Health Insurance Portability and Accountability
  Act (HIPAA, 1996)
• Rules (93 pages) effective, April 14
• USA Patriot Act (2001)
• Childrens Online Privacy Protection Act (COPPA,
  1998)
• Family Educational Rights and Privacy Act
  (FERPA, 1974)
• 34 privacy-related bills are pending in Congress

6
FTCs Fair Information Practice Principles (FIPPs)
"The key to privacy protection is enforcement.
Now, there's no financial harm for not having or
following a privacy policy." Andrew Shen, EPIC
7
USA Patriot Act (PL10756, Sections 214216)

• Quickly passed following Sept 11, 2001
• 342 pages that revises more than 15 other laws
• Expands Foreign Intelligence Surveillance Act
  (FISA)
• Provisions extend beyond terrorism
• Increases counterfeiting penalties
• Russ Feingold was only senator to vote no
• Patriot II act has been drafted
• Total Information Awareness (TIA) system,
  research continues

In our haste to develop legislation to help
America, we went too far. Sen. Feingold, 9-02
8
USA Patriot Act Some Privacy Issues

• Expands monitoring laws (beyond phone taps) to
  include Internet traffic
• Email addresses, IP addresses/routing, Web search
  terms
• Monitoring at various levels, from PC to the ISP
• Allows nationwide monitoring
• Expands surveillance with less judicial review
• Former probable cause was higher legal bar than
  new relevant to an ongoing investigation
• ALA advises librarians to avoid creating
  unnecessary records
• Is this a new Library Awareness Program?

9
State Protections and Action

• Student privacy protections are in state statutes
  
• WI library privacy law
• DPI approves school district technology plans
• Plans often include privacy provisions in
  relation to NCIPA

10
WI Library Privacy Law

• Library privacy law (43.30(1)) covers the
  following
• Any library supported by public funds
• Any information indicating the identity of an
  individual
• Any use of a librarys materials or other
  resources or services may not be disclosed except
  by court order. (emphasis added)

Includes public libraries, public K-12 schools,
UW and WTCS libraries.
Includes any individual, regardless of age,
residence, etc.
Includes circulation records, Internet use
(email, Web logs, history files, sign-up sheets)
meeting room use, etc.
11
Tips on Personal Privacy

• Read closely any Websites privacy policy
• Keep a clean email address
• Home cable and DSL users are especially
  vulnerable
• Never enter sensitive PII without a secure
  connection
• Enter only minimal data, look for opt-out check
  boxes
• Look for compliance with groups like BBBOnline,
  TRUSTe and HON
• Be aware of your surroundings
• Security cameras in Times Square

12
Schools and Privacy 12 Issues Answers
Helen Adams hadams_at_coredcs.com Rosholt School
District
13
Privacy in Schools Issue 1Confidentiality of
Student Records (federal law)

• Family Educational Rights and Privacy Act (FERPA,
  1974)
• Applies to schools accepting DOE funds
• Requires districts to establish written policies
  and procedures protecting student PII
• Defines educational records and who has access
• Parental permission required to disclose student
  PII

14
Privacy in Schools Issue 1Confidentiality of
Student Records (state law)

• Chapter 118.125 WI State Statutes
• All student records in public schools are
  confidential, including
• Behavioral, directory data, progress records,
  physical health
• Access to records granted
• To parents
• To staff with legitimate educational interest
• For legal reasons
• For an audit of state or federal program

15
Privacy in Schools Issue 2Privacy Language in
the AUP

• Addressing privacy in the AUP
• N-CIPA requires schools receiving E-rate
  discounts to adopt an Internet Safety Policy
• Must address unauthorized disclosure, use, and
  dissemination of PII regarding minors.
• Minor defined as someone less than 17 years old
• Requires public hearing and formal Board adoption

16
Privacy in Schools Issue 3Privacy Policy on a
Districts Website

• All school sites should post a privacy policy
• Present on every major page of site
• Examples
• Anchorage (Alaska) School District
• www.asd.k12.org/privacy.asp
• School District of Greenville County (SC)
• www.greenville.k12.sc.us/district/web/policy/priva
  cy.htm
• Valley Elementary School (Utah)
• www.weber.k12.ut.us/LegalNotice/privacy.html

17
Privacy in Schools Issue 4Identifying Students
on the Districts Website

• FBI recommends districts not publish student
  photos
• Increased arrests of pedophiles
• Study 12 of kids meet unknown person
• Districts approach the issue in different ways
• Pictures and names
• Pictures with no names
• Pictures and names separated
• No photos or names
• Mankato (MN) S.D. 77
• www.isd77.k12.mn.us/webguide.php

18
Privacy in Schools Issue 5Protecting the
Confidentiality of Library Records

• Records kept for library management
• No federal law protects confidentiality
• Legislation in 48 states and DC varies
• Wisconsin Library Privacy Law covers
• Patron information, circulation records
• Records associated with use of the Internet
• Use of in-house databases
• Can release only by court order

19
Privacy in Schools Issue 6Privacy and Security
of Electronic Student Records

• Student management systems allow access to
  records via LAN and WAN
• Include directory, attendance, grade,
  disciplinary, and other records
• Levels of security for data
• Confidentiality and privacy policies
• LAN/WAN network security procedures
• Teacher access
• Parents access childs records via Web
• Grades, attendance, discipline, and health records

20
Privacy in Schools Issue 7Conducting Market
Research on Students

• Companies have offered districts incentives for
  info on student use of the Internet
• Equipment, email accounts, host Website
• Student Privacy Protection Act (Dec. 2001)
• Requires schools to develop and adopt policies
• Collection, disclosure, or use of personal
  information collected from students for the
  purpose of marketing or selling

21
Privacy in Schools Issue 8Students Providing
PII About Themselves

• Students have little concept of privacy
• Annenberg The Internet and the Family 2000
  study
• Teenagers more likely to give information
• Teach Stranger danger online and off
• Wisconsin Rapids (WI) School District AUP
• No PII transmitted from district computers

22
Privacy in Schools Issue 9Access to Student
Information by Military Recruiters

• NCLB Act 2001 requirement
• H.S.s must supply military recruiters with
  students names, addresses, and phone numbers
  (including unlisted s)
• District policies keep student information
  confidential under Family Educational Rights and
  Privacy Act (1974)
• Oct. 2002 letter sent to districts by federal
  officials
• Parents can opt out

23
Privacy in Schools Issue 10Internet Use Logs
as Public Record

• 2 legal battles over whether Internet logs are
  public records and available
• 1998 Utah Supreme Court granted right to review
  logs of Utah Educational Network
• 2000 New Hampshire judge ruled Internet
  history logs of 2 school districts are public
  records and may be reviewed
• Student PII must be removed first
• Person requesting logs bears the cost for removal
• WiscNets policy

24
Privacy in Schools Issue 11Use of Email to
Conduct School Business

• Monitoring of employees
• 63 monitor email and Internet use
• Personal email and recreational surfing cost
  money
• Employers have the right to monitor without
  informing employees
• Court cases
• No legal or factual basis for extending right of
  privacy to cover business-related
  communications.
• Employers should establish use policy
• Reasonable use vs. abuse

25
Privacy in Schools Issue 11Use of Email to
Conduct School Business

• Email communication by administration and school
  boards
• email issues discussion may violate open records
  and open meetings laws
• Archiving district email
• Content, not format, determines if
  documentsrequire archiving and length of time
• Madison (WI) School District case 2001
• Oshkosh (WI) School District case 2002

It is the public policy of this state that all
persons are entitled to the greatest possible
information regarding the affairs of government.
WI Stat. 19.31
26
Privacy in Schools Issue 12Use of Surveillance
Cameras

• Dept. of Justice Safe Schools Manual
• Allows use of surveillance technology to protect
  health, welfare, and safety of students and
  staff
• Generally in places students and staff lack
  reasonable expectation of privacy
• Hallways, cafeteria, stairways, parking lot,
  entrances
• School libraries and computer labs
• Installed to prevent vandalism, enforce school
  rules, provide security
• Notification of public
• Signs on doors, notice in district newsletter,
  letters to parents, highlighted in orientation
  meetings

27
Actions Schools Can Take

• Add privacy language to Internet AUP
• Add privacy statement to district Website
• Review how Internet logs are archived
• Maintain minimal library records
• Provide staff training on privacy issues
• Teach students about privacy issues
• Students should know their rights
• They should learn to protect their own privacy
• Inform parents of district policies related to
  privacy

28
Privacy in the 21st Century Issues for Schools
Libraries
? Questions ?
Bob Bocher robert.bocher_at_dpi.state.wi.us Dept. of
Public Instruction

• Helen Adams
• hadams_at_coredcs.com
• Rosholt School District

www.dpi.state.wi.us/dltcl/pld/privacy.html
29
Map showing over 120 security cameras in Times
Square area. Most predate Sept 11. As
Security Cameras Sprout, Someones Always
Watching, NYT Sept. 29, 2002
return
30
Monday, Feb. 10, 2003 FRANKFORT, Kentucky (AP)
Over 2,000 state PCs sold as surplus still
had confidential files on them naming thousands
of people with AIDS and other STDs. "It's a lot
of information with lots of names and things like
the sexual partners of those diagnosed with AIDS.
It's a terrible security breach."
KY State Auditor Ed Hatchett KY Health
Services Secretary Marcia Morgan has ordered an
investigation.
B.J. Bellamy from the Kentucky Auditor's Dept.
checks a hard drive on a PC owned by the state.
return