Oopsie. This School District Stepped on the ‘Legal Minefield’ NSBA Advised Districts to Avoid.
The privacy breach leaked information about every student in the district and it included medical information, home addresses, nicknames, birthdates, student grades, test scores and parents’ sensitive occupations.
Gabriela Dow told CBS News 8 she received the sensitive information after an open records request. Dow is a parent and a member of the district education technology advisory committee.
According to Dow, after months of being denied information internally, she filed an open records request on behalf of the committee to make recommendations on restructuring the IT department.
In return she received two discs with the sensitive information. “We are dealing with the equivalent of someone leaving the doors open to come in and potentially harm the children. That is when it really hits home and you realize each of these is a child whose information needs to be kept safe,” she said.
Notice to other school boards. Have you followed up on the recommendations made in 2014 by the National School Board Association advising school boards on what to do if/when a privacy breach occurs?
Here’s what the NSBA press release says about the local school board responsibilities in having to guard private student data. From Attention School Board Members. Have you Budgeted in Legal Expenses for Data Privacy Protections?:
Posted: 28 Apr 2014 02:00 PM PDT
As school districts increasingly move to cloud computing instead of on-site data storage, the National School Boards Association (NSBA) and its Council of School Attorneys (COSA) have released a guide for school boards introducing the legal issues associated with protecting student data and suggesting best practices.
The guide, “Data in the Cloud,” seeks to raise awareness of student data privacy concerns, and to provide a framework for comprehensive student data privacy approaches in school districts.
The guide notes that cloud computing applications offer ease of use and accessibility, but come with the potential for loss of privacy and increased liability, as personal information is transferred to the application.
“School boards should consider starting a discussion with school district staff and their communities about building a comprehensive student privacy protection program,” said NSBA Executive Director Thomas J. Gentzel. “This guide is a helpful tool for school boards as they review and potentially rethink policies related to data and student privacy.”
The guide uses a question-and-answer format to explain the relevant terminology, recent academic research, the breadth of software offerings, important legal requirements, and additional resources available to school board members and school lawyers.
“The legal requirements that could potentially govern student data privacy are still evolving,” said Greg Guercio, COSA Chair. “The school law requirements section of this guide is a key asset for school districts and their attorneys. Current laws still leave plenty of room for interpretation on student privacy, making it is essential for district leaders to ask the right questions and understand potential problems.”
Recommendations for school boards include:
• Identify an individual district-wide Chief Privacy Officer (CPO), or a group of individuals with district-wide responsibility for privacy;
• Conduct a district-wide privacy assessment and online services audit;
• Establish a safety committee or data governance team that includes the school or district’s Chief Privacy Officer to work with the school community, recommend policies and best practices, and serves as the liaison between the school district and the community on privacy issues;
• Regularly review and update relevant district policies and incident response plans;
• Consistently, clearly, and regularly communicate with students, parents, and the community about privacy rights and district policies and practices with respect to student data privacy;
• Adopt consistent and clear contracting practices that appropriately address student data; and
• Train staff to ensure consistent implementation of school district’s policies and procedures.
Parents should have little patience with the release of personally identifiable information by school districts. They’ve been warned about the legal minefield and the costly consequences of data breaches:
(Graphic accessed here)