The Friday Institute for Educational Innovation’s Digital Learning Plan for North Carolina—to be presented to the North Carolina General Assembly in Fall 2015, with the start of implementation planned for the 2017-18 school year—will chart a course for the state’s conversion to statewide digital learning.

An important part of the planning process is careful consideration of data privacy as the state transitions to a learning environment that will increase the amount of data maintained and transmitted digitally. For example, a critical component of the Digital Learning Plan will be personalization of instruction for students, which will require ongoing access to comprehensive student data to inform that instruction. In order for these data to be readily available for teachers in an online Learning Management System (LMS), the state must provide teachers with a means of access that ensures data privacy and security.

Many current digital platforms in use in North Carolina are based in the state’s Education Cloud, which gives teachers secure access to data. However, expansion of the digital learning landscape will increase the number of applications and LMSs in which student Personally Identifiable Information (PII) may be stored—not all of which will be hosted in the Education Cloud. In order to maximize data security, North Carolina will need to review the training it provides educators on data handling and security to ensure that it promotes best practices, and the state also will need to review its technical controls and contract language requirements.

This document highlights existing North Carolina legislation and policy related to the security of PII and identifies areas for potential additional data security action. As North Carolina continues to expand its digital learning environments, the state will need to balance measures for securely storing PII with measures to ensure that such data remain accessible to those who need this information.

Refinements to Legal Definitions

Recommendation: No additional changes to statute or policy necessary.

Personally Identifiable Information (PII): Information that can be used alone or combined with other information to identify and/or locate individual people. Many discrete types of student and personnel data, as well as some combinations of otherwise non-identifying student and personnel data, are PII data.

As defined by North Carolina legislation (Session Law 2014-50, Ensuring Privacy of Student Records), PII includes:

  • Student name;
  • Name of the student’s parent or other family members;
  • Address of the student or student’s family;
  • Personal identifier, such as the student’s social security number or unique student identifier;
  • Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
  • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and
  • Information requested by a person who the Department of Public Instruction or local school administrative unit reasonably believes knows the identity of the student to whom the education record relates.

Uniform Education Reporting System (UERS): North Carolina’s term for a set of statewide policies and procedures that govern Local Education Agency (LEA) transmission of education data (including student and personnel PII) to the State in a standardized form.

SL 2014-50 identifies the system used to manage student data as a discrete component of the UERS.1

More specifically, North Carolina General Statutes Chapter 115C Section 12 outlines a “Duty to Develop and Implement a Uniform Education Reporting System, Which Shall Include Standards and Procedures for Collecting Fiscal and Personnel Information. –

  • The State Board of Education shall adopt standards and procedures for local school administrative units to provide timely, accurate, and complete fiscal and personnel information, including payroll information, on all school personnel.
  • The State Board of Education shall develop and implement a Uniform Education Reporting System that shall include requirements for collecting, processing, and reporting fiscal, personnel, and student data, by means of electronic transfer of data files from local computers to the State Computer Center through the State Communications Network.
  • The State Board of Education shall comply with the provisions of G.S. 116-11(10a) to plan and implement an exchange of information between the public schools and the institutions of higher education in the State. The State Board of Education shall require local boards of education to provide to the parents of children at a school all information except for confidential information received about that school from institutions of higher education pursuant to G.S. 116-11(10a) and to make that information available to the general public.
  • The State Board of Education shall modify the Uniform Education Reporting System to provide clear, accurate, and standard information on the use of funds at the unit and school level. The plan shall provide information that will enable the General Assembly to determine State local, and federal expenditures for personnel at the unit and school level. The plan also shall allow the tracking of expenditures for textbooks, educational supplies and equipment, capital outlay, at-risk students, and other purposes.
  • When practicable, reporting requirements developed by the State Board of Education as part of the Uniform Education Reporting System under this subdivision shall be incorporated into the PowerSchool application or any other component of the Instructional Improvement System to minimize duplicative reporting by local school administrative units.”

1 SL 2014-50: “Student data system. – The student information management system used by the State Board of Education and Department of Public Instruction as part of the Uniform Education Reporting Systems for collection and reporting of student data from local boards of education.”


 

Authorization of Use of Student Data

Recommendation: No additional changes to statute or policy necessary.

Several federal privacy laws—the Family Education Rights and Privacy Act (FERPA), the Children’s Online Privacy and Protection Act (COPPA), the Children’s Internet Protection Act (CIPA), and The Protection of Pupil Rights Amendment (PPRA)—outline rules and regulations for handling and authorizing use of PII data:

  • FERPA (1974) requires consent for the release of student data, by parents or guardians, before a student turns 18 and by students aged 18 and older. FERPA applies to schools that receive funding from the Department of Education, though exceptions are allowed for accrediting agencies, school officials, and organizations conducting research, juvenile courts, and more.
  • COPPA (1998) is administered by the Federal Trade Commission and defines the sections of the privacy policy, when to seek consent, and what an operator needs to do to protect children’s privacy and safety online.
  • CIPA is administered by the Federal Communications Commission and applies to schools and libraries that receive E-rate discounts. It requires these organizations to develop an online safety policy, filter unsavory and harmful content, educate students on safe internet behavior, and monitor online activity by minors.
  • PPRA protects the rights of parents and students by ensuring that (1) schools and contractors make relevant instructional materials available for review by parents, and (2) schools and contractors secure written parental consent before minor students are required to participate in surveys or analyses concerning sensitive topics such as politics, sex, and income. These rights extend to parents and students who are part of programs that receive funding from the United States Department of Education.

In North Carolina, SL 2014-50 requires compliance with these federal policies. It outlines parent rights, personnel authorization requirements, and third party permissions. SL 2014-50 also requires that local boards of education provide parents with notice of and an opportunity to opt out of disclosure of that information. It also limits access to:

  1. Authorized staff of the State Board of Education and Department of Public Instruction and the contractors working on behalf of the Department who require such access to perform their assigned duties.
  2. Authorized North Carolina public school administrators, teachers, and other school personnel and contractors working on behalf of the board of the North Carolina public school who require such access to perform their assigned duties.
  3. Students and their parents or legal guardians, or any individual that a parent or legal guardian has authorized to receive personally identifiable student data.
  4. Authorized staff of other State agencies and contractors working on behalf of those State agencies as required by law and governed by interagency data-sharing agreements.

As of November 6th, 2014 the State Board of Education requires employees to sign a statement indicating that they agree to ensure legal and ethical uses of the data before they are authorized to access student data.

SL 2014-50 addresses authorization of access to student data for third-party contractors, stating that “any contracts for the student data system that include de-identified student data or personally identifiable student data and are outsourced to private contractors include express provisions that safeguard privacy and security and include penalties for noncompliance.”


Use of State-Sourced Data in Non-State-Managed Software Systems and Services

Recommendation: The North Carolina Department of Public Instruction and all other state and local agencies with access to student data should use contract language modeled after the examples in Appendix B in partnerships with third-party software management systems. No additional changes in policy are required.

Contracts involving access to and distribution of PII data should address the following security issues:

  1. Care of information and data
  2. Confidentiality of data and FERPA
  3. Limitation of use and dissemination of data within US only
  4. Assurances that State can verify security and compliance any time
  5. Indication that all subcontractors are bound by laws of the contract
  6. Destruction of all data after contract expiration/termination
  7. Data breaches
  8. Encrypted transfer of data

 

Data Integration, Import, and Export Standards and Services

Recommendation: No additional changes to statute or policy necessary.

S.L. 2014-50 requires the State Board of Education to create a plan for data integration, data import, and data export standards and services. As of November 6th, 2014, the Board authorized NC DPI to release student data to researchers working on their behalf with legitimate educational interests to:

  1. Develop, validate, or administer predictive tests;
  2. Administer student aid programs; or
  3. Improve instruction

Transfers must be overseen by the appointed Data Manager after a memorandum of agreement has been signed by both parties. See contract language in Appendix B for recommended language for data-sharing and usage agreements.


Considerations for Ensuring Data Privacy in Cloud Computing and Non-Cloud Environments in Public Schools

Recommendation: No additional changes to statute or policy necessary at this time, but the state is advised to consider whether current governance and contract practices in this area should be modified.2

Cloud Computing Environments

The Center on Law and Information Policy (CLIP)3 has made recommendations for ensuring data privacy in cloud computing environments in public schools. The standards outlined in SL 2014-50 meet CLIP recommendations for transparency and contract terms, but not recommendations for governance and contract practices:

Governance

“Districts must establish policies and implementation plans for the adoption of cloud services by teachers and staff including in-service training and easy mechanisms for teachers to adopt, and propose technologies for instructional use. Districts must address directly and publicly any policies on the use of student data for advertiser supported services. Districts should create data governance advisory councils for advice and industry should develop mechanisms to help districts vet privacy-safe services and technologies. Finally, larger districts and state departments of education must designate a Chief Privacy Officer to provide advice and assistance.”

Contract Practices

“Districts, as stewards of children’s information, must properly document all cloud service agreements including maintaining fully executed contracts complete with all appendices and incorporated documents.”

Non-Cloud-Based Environments

Cloud-stored data accounts for only some of the student data stored electronically in North Carolina. In addition to ensuring data security on cloud-based servers, the state also should conduct periodic audits of data security standards in other environments, such as LEA- and school-level servers and applications installed on personal devices for individual classroom use. Though not enacted as originally filed, H632/S534 would have required the first of these audits by 2016; in future sessions, the General Assembly should continue to consider the language in this proposed legislation.

2 For example, though not passed in this form during the 2015 long session, earlier versions of H632/S534 (http://www.ncleg.net/Sessions/2015/Bills/Senate/HTML/S534v2.html) would have required the Joint Legislative Education Oversight Committee to “study issues related to protecting elementary and secondary student data and personal information online, in cloud-based services, and in other electronic applications which collect student data. The study shall include, but is not limited to, the use of elementary and secondary student data and personal information by third parties, sale of elementary and secondary student data and personal information, and transparency in disclosure of privacy policies in online, cloud-based, or electronic application services targeted at students in elementary and secondary schools.”
3 For original documentation of CLIP recommendations, see pages 6-7 of http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1001&context=clip


 

Considerations for Transparency in the Use of Student Data

Recommendation: No additional changes to statute or policy necessary, but the state is advised to consider whether current practices in this area should be expanded.

A final major concern for parents and students is transparency about the use and dissemination of collected student data. S.L. 2014-50 requires NCDPI to provide parents an opportunity to review student educational records and exercise limited control over their use:

“The notice shall include information on parental rights under State and federal law to:

  1. Inspect and review education records.
  2. Seek to amend inaccurate education records.
  3. Provide written consent prior to disclosure of personally identifiable information from education records, except as otherwise provided by law. Information shall be included on disclosure of directory information and parental rights to opt out of disclosure of directory information.
  4. File a complaint with the U.S. Department of Education concerning alleged failures to comply with the Family Educational Rights and Privacy Act.
  5. Receive notice and the opportunity to opt out prior to the participation of the student in a protected information survey under 20 U.S.C. § 1232h”

This language aligns sufficiently with related CLIP recommendations:

“The existence and identity of cloud service providers and the privacy protections for student data should be available on district websites, and districts must provide notice to parents of these services and the types of student information that is transferred to third parties”

As noted above, as originally written, H632/S43 would have required the state to review “transparency in disclosure of privacy policies in online, cloud-based, or electronic application services targeted at students in elementary and secondary schools.” As recommended above, the General Assembly should continue to consider the language of this proposed legislation in future sessions.