Heads in the Cloud: FERPA, Online Education, and Social Media

38
Heads in the Cloud: FERPA, Online Education, and Social Media Steven J. McDonald General Counsel Rhode Island School of Design

description

Heads in the Cloud: FERPA, Online Education, and Social Media. Steven J. McDonald General Counsel Rhode Island School of Design. Examples. [student Twitter account] [student blog] [student LinkedIn account] [student portfolio] [student YouTube channel] [school class Facebook page] - PowerPoint PPT Presentation

Transcript of Heads in the Cloud: FERPA, Online Education, and Social Media

Page 1: Heads in the Cloud: FERPA, Online Education, and Social Media

Heads in the Cloud:FERPA, Online Education, and Social Media

Steven J. McDonaldGeneral Counsel

Rhode Island School of Design

Page 2: Heads in the Cloud: FERPA, Online Education, and Social Media

2

Examples• [student Twitter account]• [student blog]• [student LinkedIn

account]• [student portfolio]• [student YouTube

channel]• [school class Facebook

page]• [school portfolio page]

• [school YouTube channel]• [school departmental grad

student page]• [school Twitter account]• [school news release

page]• [school mandatory online

alcohol education service]• [school course page]• [MOOC]

Page 3: Heads in the Cloud: FERPA, Online Education, and Social Media

3

FERPA

• The Family Educational Rights and Privacy Act of 1974

• A.K.A. the Buckley Amendment

Page 4: Heads in the Cloud: FERPA, Online Education, and Social Media

4

FERPA's Big Three

• College students have the right, in general, to:– Control the disclosure of their "education

records" to others– Inspect and review their own "education

records"– Seek amendment of their "education records"

Page 5: Heads in the Cloud: FERPA, Online Education, and Social Media

5

So, What's an "Education Record"?

• "'Education records' . . . means those records that are:(1) Directly related to a student; and(2) Maintained by an educational agency

or institution or by a party acting for the agency or institution"

Page 6: Heads in the Cloud: FERPA, Online Education, and Social Media

6

So, What's an "Education Record"?

• "'Record' means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche"– The medium is not the message

Page 7: Heads in the Cloud: FERPA, Online Education, and Social Media

7

So, What's an "Education Record"?

• In general, a record is "directly related" to a student if it contains "personally identifiable information" about that student

Page 8: Heads in the Cloud: FERPA, Online Education, and Social Media

8

So, What's an "Education Record"?

• "'Personally identifiable information' includes, but is not limited to"

– The name of the student or of the student's parent or other family member

– The address of the student or student's family

– Personal identifiers such as SSNs, student numbers, or biometric records

• Cookies and assigned IP addresses?– Other indirect identifiers such as date or

place of birth or mother's maiden name

Page 9: Heads in the Cloud: FERPA, Online Education, and Social Media

9

So, What's an "Education Record"?

– "Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty"• Metadata?

Page 10: Heads in the Cloud: FERPA, Online Education, and Social Media

10

So, What's an "Education Record"?

• "Maintain" is not defined!• Owasso Independent School District v.

Falvo, 534 U.S. 426 (2002):– "FERPA implies that education records are

institutional records kept by a single central custodian, such as a registrar."

– "The ordinary meaning of the word 'maintain' is 'to keep in existence or continuance; preserve; retain.'"

• Requires conscious decision on the part of the institution?

Page 11: Heads in the Cloud: FERPA, Online Education, and Social Media

11

E-mail?• Record?

– "'Record' means any information recorded in any way, including, but not limited to, . . . computer media"

• Directly related?– E-mail address in the "to" or "from" line– Student name, address, ID number, or other identifying

information (broadly defined) within the body of a message

– Not every message will be personally identifiable, but do you really want to sort it out?

• Maintained?– Messages residing in student mailboxes– Messages residing in faculty and staff mailboxes

Page 12: Heads in the Cloud: FERPA, Online Education, and Social Media

12

We Don't Need No "Education"

• "Education records" certainly includes transcripts, exams, papers, and the like

• But it also includes:– Most of what's in your SIS– Photographs– SSNs, campus ID numbers, and e-mail addresses– Faculty and staff e-mail messages to, from, or

about a student– Log files for an assigned IP address– Virtually everything!

Page 13: Heads in the Cloud: FERPA, Online Education, and Social Media

13

Questions(and maybe answers)

Page 14: Heads in the Cloud: FERPA, Online Education, and Social Media

14

Disclosure

• Before disclosing education records – or information from education records – an institution must obtain a signed and dated written consent from all relevant students, specifying:– The records that may be disclosed– The purpose for which they may be disclosed– The persons or classes to whom they may be

disclosed

Page 15: Heads in the Cloud: FERPA, Online Education, and Social Media

15

Except for Disclosures:• Of "directory information"

– Can include name; address; e-mail address; telephone number; photograph; date and place of birth; major; grade level; enrollment status (undergraduate or graduate, full- or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of athletes; degrees, honors, and awards received; most recent educational institution attended, and other information "that would not generally be considered harmful or an invasion of privacy if disclosed"

Page 16: Heads in the Cloud: FERPA, Online Education, and Social Media

16

Except for Disclosures:

– Cannot include SSN– Can include student ID number, user

ID, or other unique personal identifier used by student to access or communicate in electronic systems, but only if the identifier cannot be used to gain access to education records without further authentication

Page 17: Heads in the Cloud: FERPA, Online Education, and Social Media

17

Except for Disclosures:

– Must give students notice of your definition and an opportunity to opt out

– Students cannot use opt out to prevent disclosure of name, institutional e-mail address, or other identifier in classes (physical or virtual) in which they are enrolled

Page 18: Heads in the Cloud: FERPA, Online Education, and Social Media

18

Except for Disclosures:

• To "school officials . . . whom the . . . institution has determined to have legitimate educational interests"– "School officials" can include students

serving on committees and outside contractors

Page 19: Heads in the Cloud: FERPA, Online Education, and Social Media

19

Except for Disclosures:

– "A contractor, consultant, volunteer, or other party to whom an . . . institution has outsourced institutional services or functions may be considered a school official . . . provided that the outside party –

• Performs an institutional service or function for which the agency or institution would otherwise use employees;

• Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and

• Is subject to the requirements . . . governing the use and redisclosure of personally identifiable information from education records."

Page 20: Heads in the Cloud: FERPA, Online Education, and Social Media

20

Except for Disclosures:

– Institutions must "ensur[e] that outside parties that provide institutional services or functions as 'school officials' . . . do not maintain, use, or redisclose education records except as directed by the agency or institution that disclosed the information. . . . [O]ne way in which schools can ensure that parties understand their responsibilities under FERPA with respect to education records is to clearly describe those responsibilities in a written agreement or contract."

Page 21: Heads in the Cloud: FERPA, Online Education, and Social Media

21

Except for Disclosures:

• "An educational agency or institution, or a party that has received education records or information from education records under this part, may release the records or information . . . after the removal of all personally identifiable information provided that the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information."– Is there any such thing as true, permanent de-identification?

Page 22: Heads in the Cloud: FERPA, Online Education, and Social Media

22

Questions(and maybe answers)

Page 23: Heads in the Cloud: FERPA, Online Education, and Social Media

23

U-Tube?• May schools:

– Outsource e-mail?– Establish campus-usable social media?– Post student information to social media?

• May faculty require:– Participation on listservs?– Blog posts?– Use of online portfolios?– Creation and posting of videos?– Use of other social media?

Page 24: Heads in the Cloud: FERPA, Online Education, and Social Media

24

First Things First• FERPA applies to educational institutions and their agents,

not to students and not to external social media and other services– Including (most) MOOCs

• At least as far as FERPA is concerned, students are free to post whatever they want wherever they want whenever they want

• Schools may establish internal and external "bulletin boards"• Schools may post directory information anywhere they want

(for non-opt-outs)• Schools may outsource services and provide education

records to cloud providers that agree to act as "school officials"

Page 25: Heads in the Cloud: FERPA, Online Education, and Social Media

25

Hmm?

• Faculty probably may require students to use independent, external social media and other services– Including (most) MOOCs

• But may they require students to use internal social media, and/or may they post student work themselves to either internal or external social media?

Page 26: Heads in the Cloud: FERPA, Online Education, and Social Media

26

Steve McDonald's "Implied Pedagogical Exception" Theory™

Page 27: Heads in the Cloud: FERPA, Online Education, and Social Media

27

Steve McDonald's "Implied Pedagogical Exception" Theory™

• FPCO: "Neither the statute, the legislative history, nor the FERPA regulations require institutions to depart from established practices regarding the placement or disclosure of student theses so long as students have been advised in advance that a particular undergraduate or graduate thesis will be made publicly available as part of the curriculum requirements."

Page 28: Heads in the Cloud: FERPA, Online Education, and Social Media

28

Steve McDonald's "Implied Pedagogical Exception" Theory™

• FPCO: "The final regulations . . . ensure that . . . students [may] not use the right to opt out of directory information disclosures to remain anonymous in the classroom, by clarifying that opting out does not prevent disclosure of the student's name, institutional e-mail address, or electronic identifier in the student's physical or electronic classroom."

Page 29: Heads in the Cloud: FERPA, Online Education, and Social Media

29

Steve McDonald's "Implied Pedagogical Exception" Theory™

• Owasso: "We doubt Congress meant to intervene in this drastic fashion with traditional state functions. Under the Court of Appeals' interpretation of FERPA, the federal power would exercise minute control over specific teaching methods and instructional dynamics in classrooms throughout the country. The Congress is not likely to have mandated this result, and we do not interpret the statute to require it."

Page 30: Heads in the Cloud: FERPA, Online Education, and Social Media

30http://ptac.ed.gov/document/protecting-student-privacy-while-using-online-educational-services

Page 31: Heads in the Cloud: FERPA, Online Education, and Social Media

31

Is Student Information Used in Online Educational Services Protected by FERPA?

• "It depends."• Yes: "For example, a district may decide to use an online

system to allow students . . . to log in and access class materials."

• No: "For example, a teacher may have students watch video tutorials or complete interactive exercises offered by a provider that does not require individual students to log in. In these cases, no PII form the students' education records would be disclosed to (or maintained by) the provider."

• What about providers that do require individual log-ins but that don't have a relationship with the school?

Page 32: Heads in the Cloud: FERPA, Online Education, and Social Media

32

What Does FERPA Require if PII from Students' Education Records is Disclosed to a Provider?

• "It depends."• Directory Information: Only that, and no opt-outs• School Official: "[T]he framework under which the school or

district uses the service must satisfy the 'direct control' requirement by restricting the provider from using the PII for unauthorized purposes. . . . If the school or district has shared information under FERPA's school official exception, . . . the provider cannot use the FERPA-protected information for any other purpose than the purpose for which it was disclosed. . . . [T]he provider may not share (or sell) FERPA-protected information, or re-use it for any other purpose, excepted as directed by the school or district and as permitted by FERPA."

Page 33: Heads in the Cloud: FERPA, Online Education, and Social Media

33

http://chronicle.com/blogs/wiredcampus/google-disables-scanning-of-student-email-for-advertising-purposes/52261

Page 34: Heads in the Cloud: FERPA, Online Education, and Social Media

34

What Does FERPA Require if PII from Students' Education Records is Disclosed to a Provider?

• "A provider that has been granted access to PII from education records under the school official exception may use any metadata that are not linked to FERPA-protected information for other purposes, unless otherwise prohibited by the terms of their agreement with the school or district."– Is there anything that isn't really linked?

Page 35: Heads in the Cloud: FERPA, Online Education, and Social Media

35

What Does FERPA Require if PII from Students' Education Records is Disclosed to a Provider?

• "Schools and districts are encouraged to remember that FERPA represents a minimum set of requirements to follow. Thus, even when sharing PII from education records under an exception to FERPA's consent requirement, it is considered a best practice to adopt a comprehensive approach to protecting student privacy when using online educational services."

Page 36: Heads in the Cloud: FERPA, Online Education, and Social Media

36

Can vs. May vs. Should

• What is the pedagogical reason for requiring the posting to be public?

• If there is one, is it really important that the posting be attributed?

• What are the implications for the student's privacy?

• What are the implications for the student's intellectual property?

• Who's reading the contracts and terms of service?

Page 37: Heads in the Cloud: FERPA, Online Education, and Social Media

37

Page 38: Heads in the Cloud: FERPA, Online Education, and Social Media

38

Questions(and maybe answers)