Educators and Privacy

As a teacher, children’s librarian or school administrator, you are faced with providing a new level of guardianship to the children whom you educate. Now that the internet is so fully integrated into the educational process, it is your responsibility to protect the personal information of your minor students from being shared (either by the school administration or by the students themselves).

Federal privacy regulations with acronyms like FERPA and CIPA might make your school district’s attorneys edgy, but compliance with these regulations can be achieved in a very straightforward way, through the combination of Google Apps for Education and an integrated cloud-based security platform. Here’s an overview of how today’s schools and libraries can keep student information safe:

Understanding FERPA

The letters in FERPA stand for Family Educational Rights and Privacy Act. This law, also known as the “Buckley Act,” has been on the books since 1974, long before anyone imagined the internet. It was enacted in order to give students and their parents the right to inspect and correct a student’s educational records. The law also governs who else (besides the student and parents) is legally allowed to see the student’s record.

SysCloud - ferpa compliance and google apps - image

FERPA governs the privacy of students’ academic records

Since FERPA was enacted before the internet sprayed information in all directions, the law was less focused on HOW records might be shared or released, and more focused on WHO might have access to them. FERPA includes a list of nine different entities who are allowed access to student records without student or family consent. By establishing this list of permitted recipients, FERPA effectively makes student records off-limits to everyone else (unless the student or family requests in writing that the records be released.)

Who is allowed access to student records under FERPA?

Under FERPA, the permitted recipients of student records and information are officials of the school itself or other schools to which a student might transfers; researchers or auditors who might be examining records in the course of their work; financial aid or accreditation officials; and various representatives of the government or the justice system. This is just a descriptive overview – any institution that’s in the process of setting up their compliance system will want to have your lawyer review the fine print and make sure that access is granted only to people who are entitled to it by law.

Additional FERPA regulations about student information

FERPA has a few additional minor clauses that further define those who are allowed to see student information. For example, it allows schools to produce student directories, which list names and addresses and phone numbers. These directories are also allowed to list dates of attendance, birth dates, and awards or honors received. However, parents and adult students do have the right to control the release of this information, which means that schools must give them a way to “opt out” of such directories. Schools are also required to inform student’s families about their rights to privacy under FERPA every year.

Of course, a student may actually want their academic records released — to an employer, perhaps, or some other private party. This is always possible; it simply requires that the adult student or the parent or guardian of a minor student must give consent in writing for this disclosure.

What is CIPA?

CIPA is also concerned with protecting student information, although it has other purposes as well. The letters in CIPA stand for Children’s Internet Protection Act, and this law was passed by Congress in 2000 and updated in 2011.

CIPA prevents children from sharing their own personal information

To comply with CIPA, schools and libraries are required to develop a way to keep minor children from disclosing personal information when using email and other direct online communication. CIPA also requires teachers and librarians to monitor the online activity of minors, preventing them from accessing harmful or obscene material and blocking them from engaging in “hacking” or other illegal activities.

CIPA compliance is tied to federal funding — specifically, the E-rate program. This program provides affordable internet services to schools and libraries.

So, those are the basics of FERPA and CIPA; both laws center around a new form of protection and supervision which schools are expected to provide for children.

Both acts govern the circulation of PII

PII, or Personally Identifiable Information, is at the heart of both CIPA and FERPA. PII is a term coined by the U.S. government that refers to “information that can be used to distinguish or trace an individual’s identity.” This is exactly the information that can put people of any age at risk when it is shared with unauthorized recipients.

Before the internet age, protecting student information was fairly straightforward: it was simply a matter of declaring who should be allowed to receive certain types of information. Once schools and libraries went online, all of a sudden it was an information free-for-all: Teachers, librarians, school administrators and district offices hadn’t initially organized themselves to handle the new flow of information, and student data was spilling in every direction. Teachers began to have email accounts and many of them used this new communication channel to share student records directly with parents (or with whoever might happen to read the email that they sent). Meanwhile, various online student directories were created and published with abandon. A teacher might bring student records home and store them all on a home computer, or a child at a library computer might email her home address to someone without thinking twice about it. Everyone was just beginning to figure out how privacy should work as education and academic records went online.

Information in the cloud is easier to govern

Without recapping the history of how online security developed, let’s just take a shortcut and jump to where the technology has brought us in 2015: cloud-based information systems. This is where Google Apps for Education comes into the story.

Google Apps for Education is an entire suite of tools used by schools around the world. You’re probably already familiar with it; if not, we won’t define it here because Google has already done a splendid job of describing it. Google offers deployment guides for schools to learn how to migrate their entire informational universe into this constantly expanding online suite. Teacher academies, webinars, lesson plans and user groups are all available from Google to help educators realize the incredible potential of Apps for Education.

With great potential comes great responsibility, however. What we want to tell you about is how a separate software suite can integrate with Google Apps to protect student data and ensure that all federal privacy regulations are effortlessly enforced. Here’s how it works:

Full integration with Google Apps

In a marketplace collaboration with Google, SysCloud’s software suite provides customized safeguards for all our clients’ Google Apps data. Every bit of student-related information that travels through a school district’s Google Apps for Education system can be backed up and securely protected through a single software application.

The nuts and bolts

SysCloud locks its security features into Google Drive to automatically enforce security policies that comply with FERPA and CIPA requirements, protecting PII in real-time from accidental exposure.

You’re protected against data loss

When you add SysCloud backup to your school system’s domain through the Google Apps Marketplace, you can back up every bit of data, including PII, on your premises as well as in the cloud. Archiving is continuously managed by SysCloud, and access to sensitive student information is strictly limited by access policies that we help you set.

Continuous scanning provides unbroken security

Every user’s documents in the entire domain are scanned when any sharing is initiated. The school’s administrator or admin team can set customized security controls for authorized sharing, so that no PII is ever accidentally leaked. Anytime a document is shared by more than one single individual, an alert is triggered and the sharing is controlled by the policy your district has set.

A complete audit trail is created

Compliance with federal regulations such as FERPA and CIPA must be proven to regulators through an unbroken audit trail. SysCloud’s record-keeping function establishes auditable proof anytime a special information sharing request is made and granted. Furthermore, our Compliance Library lets you choose which policies you want to implement, and then customize those policies for the configuration of your particular educational system.

Enforcement is available at your fingertips

As a system administrator, you can customize enforcement policies at whatever level you prefer: PII sharing that might violate FERPA or CIPA can be automatically eliminated, or it can activate a real-time alert that allows you to manually control access.

On your SysCloud dashboard, you can see exactly what information is shared and who has access to it, no matter how many people are using your Google App. You can run reports on users at the most detailed level you want, tracking all information exchange and exposure.

As more and more educational systems recognize the unmatched benefits offered by Google Apps for Education, protecting students’ personal information has been greatly simplified. SysCloud’s Domain Security app streamlines compliance with federal regulations, and allows your educational system to step confidently into the new information era.