New York State Law passed in 2014 focusing on the privacy and security of Personally Identifiable Information (PII)
Find the law at: https://www.nysenate.gov/legislation/laws/EDN/2-D
Effective January 2020, Commissioner of Education's rules to implement Ed Law 2-d
Find at: http://www.nysed.gov/common/nysed/files/programs/data-privacy-security/part-121.pdf
Chief Privacy Officer's clarification that schools are prohibited "from using biometric identifying technology for any purpose other than" fingerprinting prospective employees or if staff has agreed.
For many districts, this clarified that facial-recognition technology is prohibited, especially facial recognition within embedded security camera systems.
"The granddaddy of student data privacy laws. Passed in 1974, but updated via guidelines issued in 2008 and 2011, FERPA is enforced by the United States Department of Education (ED) Family Policy Compliance Office (FPCO) and applies to all education institutions that receive federal funding." (Attai, 2018, 16-17)
Simply put, FERPA is "a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records." See https://studentprivacy.ed.gov/faq/what-ferpa
FERPA is known for defining PII, Directory Information, Direct Control and De-identified Data.
"PPRA requires that, in the event that there will be a survey, analysis, evaluation or similar measure asking students about sensitive topics, the school system must provide advance notice to parents and obtain their prior consent when that survey is funded in whole or in part by ED..."
"While FERPA requires that school systems provide parents and eligible students with access to the student's education record, PPRA requires that school systems ask for permission before collecting certain information" from students. (Attai, 2018, p. 24)
Find more at: https://studentprivacy.ed.gov/training/what-protection-pupil-rights-amendment
"COPPA does not apply to, and is not enforced against, school systems. It does apply to technology providers operating commercial websites and online services directed in whole or in part to children, defined as individuals under age thirteen, that collect, use, or disclose personal information from children."
"COPPA requires that technology providers obtain verifiable parental consent before collecting personal information from a child under the age of thirteen." (Attai, 2018, 31).
COPPA was enacted in 1998.
Find more at: https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa and https://www.ftc.gov/business-guidance/privacy-security/childrens-privacy
"CIPA is enforced by the FCC. It applies to schools and libraries that receive discounts for Internet access or internal connections through the E-rate program. In order to qualify for the E-rate discounts, school systems and libraries must implement an Internet safety policy ... (and) also ensure that they educate their minor students about appropriate online behavior" (Attai, 2018, 35).
Find more at: https://www.fcc.gov/consumers/guides/childrens-internet-protection-act
"For elementary and secondary schools, the student health information maintained by the school system is commonly subject to FERPA" (Attai, 2018, 36).
Find more at: https://www.hhs.gov/hipaa/for-professionals/faq/513/does-hipaa-apply-to-an-elementary-school/index.html
The federal "anti-hacking statute" passed in 1984, notoriously prompted by President Reagan's response to the movie WarGames.
Find more at: https://www.justice.gov/jm/jm-9-48000-computer-fraud
"The Electronic Communications Privacy Act and the Stored Wire Electronic Communications Act are commonly referred together as the Electronic Communications Privacy Act (ECPA) of 1986. The ECPA updated the Federal Wiretap Act of 1968, which addressed interception of conversations using "hard" telephone lines, but did not apply to interception of computer and other digital and electronic communications. Several subsequent pieces of legislation, including The USA PATRIOT Act, clarify and update the ECPA to keep pace with the evolution of new communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases."
Read more at: https://bja.ojp.gov/program/it/privacy-civil-liberties/authorities/statutes/1285
A law that aims to protect freedom of expression by protecting the intermediaries of content, i.e., online providers.
"No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." (47 U.S.C. § 230(c)(1)).
Read more at: https://www.eff.org/issues/cda230
"The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros."
Read more at: https://gdpr.eu/what-is-gdpr/