Information Security in Education/Security Regulations

Introduction
Today's schools face numerous regulations, guidelines and protocols that must be met in order for the students, faculty and staff to safely utilize networked resources. Along with meeting these regulations in order to be in compliance, meeting these same regulations can also directly impact access to state and federal technology monies. Two significant laws and corresponding guidelines that schools must be in full compliance with at all times are the Children’s Internet Protection Act and The Family Educational Rights and Privacy Act. A third law, the Health Insurance Portability Accountability Act can also come into play in certain school settings.

Key Terms
A national and local Record is a compilation of records, files, documents, and other materials that contain information directly related to a student and maintained by educational agencies or institutions, or by individuals acting on behalf of the agencies."

Confidentiality refers to your obligation not to disclose or transmit information to unauthorized persons.

Privacy is a uniquely personal right that reflects an individual’s freedom from intrusion.

Security refers to technical procedures that ensure that only authorized and intended parties have access to data.

Disclosure includes permitting access to, revealing, releasing, transferring, disseminating, or otherwise communicating all or part of any individual record orally, in writing, or by electronic or any other means to any person or entity.

Protection Principle: Information users should use appropriate technical and managerial controls to protect the confidentiality and integrity of personal information. (1997).

CIPA
"The Children’s Internet Protection Act (CIPA) is a federal law enacted by Congress to address concerns about access to offensive content over the Internet on school and library computers. CIPA imposes certain types of requirements on any school or library that receives funding for Internet Access or internal connection from the E-rate program-a program that makes certain communications technology more affordable for eligible schools and libraries"(CIPA, 2001). At the beginning of 2001, the Federal Communications Commission issued a set of rules that would be used by the FCC to implement CIPA in all E-rate funded schools and libraries. These rules required all funded schools and libraries to have an Internet Safety Policy that included technology protection measures that address such issues as the filtering and blocking of content by means of email, chat rooms or other means of electronic communications. The protection measured used must specifically block access to content or pictures that are deemed obscene, child pornography or harmful to minors. All schools must include this Internet safety policy (including these technology protection measures) in their application for funding. Prior to adopting this policy, schools are also required to "provide reasonable notice and hold at least one public hearing" (CIPA, 2001). regarding this policy and plans to adopt it. The CIPA regulations do not affect the E-rate funding received by schools for such things as telecommunications or telephone service.

COPPA
The Children's Online Privacy Protection Act, effective April 21, 2000 regulates the collection of personal information about children under the age of 13 by websites accessed by children through a school Internet connection. According to COPPA, all website hosts must have a clearly stated privacy policy that states the requirement of parental permission before collecting personal information about a student.

"The Children's Online Privacy Protection Act and Rule apply to individually identifiable information about a child that is collected online, such as full name, home address, email address, telephone number or any other information that would allow someone to identify or contact the child. The Act and Rule also cover other types of information -- for example, hobbies, interests and information collected through cookies or other types of tracking mechanisms -- when they are tied to individually identifiable information"(COPPA, 2000).

All website operators must post a notice of their information gathering processes on the home page of their website and a notice containing the same information must be given to parents prior to their signing of a consent form. Parental consent can be obtained by email for internal uses of personal information only. All external uses of this information require a signed consent form.

There are several exceptions to this policy. According to COPPA, "prior parental consent is not required when: an operator collects a child's or parent's email address to provide notice and seek consent; an operator collects an email address to respond to a one-time request from a child and then deletes it; an operator collects an email address to respond more than once to a specific request -- say, for a subscription to a newsletter. In this case, the operator must notify the parent that it is communicating regularly with the child and give the parent the opportunity to stop the communication before sending or delivering a second communication to a child; an operator collects a child's name or online contact information to protect the safety of a child who is participating on the site. In this case, the operator must notify the parent and give him or her the opportunity to prevent further use of the information; an operator collects a child's name or online contact information to protect the security or liability of the site or to respond to law enforcement, if necessary, and does not use it for any other purpose"(COPPA, 2000).

All new requests for personal information require a new signed consent form. Parents may choose to revoke their consent at any time and direct the operator to delete all previously collected information. The Federal Communications Commission may at any time "bring enforcement actions and impose civil penalties for violations of this rule"(COPPA, 2000).

FERPA
"The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C 123g: 34 CFR Part 99) is a Federal Law that protects the privacy of student educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children's educational records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom rights have transferred are eligible students"(FERPA, 1974). Under this law, parents and students have the right to: inspect and review the students educational records maintained by the school; request that the school correct records which they believe are incorrect or misleading; decide when and to whom their educational records are released.

Under the FERPA regulations, schools must have written permission from a parent or eligible student to release any information pertaining to the students academic records. Schools do however have the right to release these records without written consent to: school officials with a valid educational interest; schools to which a student is transferring; school officials for purposes of audits or evaluations; appropriate parties regarding financial aid to the student; accrediting organizations; organizations conducting studies on behalf of the school; to comply with judicial orders; state and local authorities or the juvenile justice system according the state law (FERPA, 1974). Schools may also disclose, without the consent of the parent or eligible student, directory information related to students: name; address; telephone number; date and place of birth; honors and awards; dates of attendance (FERPA, 1974).

Schools must inform a parent or eligible student of the plan to release this information prior to doing so in order to allow the parent or student a "reasonable amount of time to request that the school not disclose directory information about them" (FERPA, 1974).



HIPAA
The Health Insurance Portability and Accountability Act governs how school health services may share student health information with other parts of the school community. In October, 2004, the acting regional director of the U.S. Department of Health and Human Services noted in a letter to his staff that these health records are actually considered part of a student’s educational records and therefore should be covered by the FERPA laws. As a result of this letter, there was confusion on the part of schools and school health services staff. In November 2008, a joint guide published by the United States Department of Health and Human Services and the United States Department of Education helped to clarify these apparent dual regulations and where they were to be applied. According to this guide entitled, "Joint Guide on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to Student Records," These two departments joined forces in an attempt to clarify once and for all where each of these laws could be rightly applied in a K-12 school setting. What this guide stated was that, because student medical records are part of a student’s educational records, a school is not required to follow the guidelines identified under the HIPAA laws. They are mandated however; to follow all rules and regulations of the FERPA laws because these records are student educational records. Some exceptions to this approach would be adolescent mental health facilities that also provide an educational component and, private schools who do not directly receive educational technology funds.

The common denominator in all of these laws and corresponding regulations is the importance of a comprehensive Information Security Plan. This plan must address all potential threats that could keep the school from being in full compliance with these regulations; especially if they wish to seek federal technology monies such as those available through the E-rate program. All schools receiving federal funds through programs such as the E-rate program must provide an Information Security Plan (including an Acceptable Use Policy) as part of the application process.

Protecting Student Records
The protection of student data is a significant responsibility of a school or district administrator, as well as school medical staff. Access to a student’s educational records (including health information) should only be granted to the administrator, nurse, parent and student. Access by other parties is not permitted unless specific disclosure permission is granted by the minor students’ parents or student who is over 18 years of age and identified as the eligible student. While the restriction of access can be managed by keeping student records in a locked file cabinet and file room in the school administrative and medical offices, this same level of security can be more difficult to manage when these records are kept in an electronic format. As stated previously, there is confusion regarding which regulations apply when the student records in question are medical records. This lack of clarity can be further muddied when the school nursing staff comes from a contracted outside medical agency. In this and all situations pertaining to student medical records, it is advisable to comply with both the HIPAA and FERPA regulations.

Along with the need for strict security measures to protect student data transmitted over a school or district wired Ethernet network (through such means as encryption of data, network firewalls etc),there is also the need to protect information that may be transmitted over wireless devices as well. Any wireless device used by medical personnel in a school setting would fall under the standards identified by Lehtinen(2006)as TEMPEST. Lehtinen defines TEMPEST as Telecommunications Electronics Material Protected from Emanating Spurious Transmissions and these standards apply to the electronic transmission devices utilized by those staff members who are transmitting HIPAA protected data. All electronic transmission equipment used in a HIPAA compliant setting must meet and be approved by these standards. Because of the level of suppression in these devices, they are often larger, heavier and more costly than those available to general consumers. In order for school and medical facilities to be HIPAA compliant, these devices must be used when transmitting student medical data.

As educational technology leaders in a school or district, it is our responsibility, in concert with school and district administrators and medical staff, to make sure that all technology utilized within the school network is CIPA, FERPA and HIPAA compliant. This level of compliance should be stated in the Information Security Plan and, appropriate repercussions for non-compliance on the part of school personnel should be clearly spelled out in the district or school policies and faculty and staff handbook. All school personnel must indicate that they have read and clearly understand these policies before they sign their Acceptable Use Policy contracts.