This is increasingly becoming a very important question school officials should ask.
Given that many schools are seeking to save money in their infrastructure by moving to online technology services, administrators and their cloud vendors need to understand their legal obligations to protect the privacy of their students and their data when operating in the cloud. Consumerization of IT has resulted in many consumer oriented tools being deployed into schools, even though some may have data collection and use practices that are not consistent with applicable regulations and historical norms about student privacy. Moreover, with rapidly shrinking budgets, schools often look first at price and may not even have in-house expertise to understand how vendor data privacy practices align or conflict with regulations and norms. But the privacy rights of our students are too important for vendors and schools to continue to overlook these issues.
In appreciation of Data Privacy Day this week, we are providing timely reminders to help students and the education community to protect their privacy and control their digital footprint. For students and teenagers, it is important to talk about how they can protect their privacy and personal information online and on social networks.
School officials also need to ensure the security of their institution’s data and that the cloud-based IT services they deploy meet federal, state and local regulations related to student and teacher privacy. Student privacy issues in particular are increasingly important as schools opt to move increasing amounts of technology to the cloud and embrace the opportunity to reduce barriers to sharing school work, curriculum planning and collaboration. Adoption of cloud services, which are operated and managed by third party vendors, winds up placing large amounts of student, teacher and institution data in the hands of those vendors. Schools must ensure, as required by various regulations, that they place appropriate limits on the data collection and use practices of their cloud vendors.
Two critical pieces of federal legislation that school administrators should be familiar with as they move to the cloud are the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).
While the Health Insurance Portability and Accountability Act (HIPAA) in large part applies to health organizations that need to protect patient data, higher education institutions may also need to adhere to the same regulations if they use, disclose or maintain records that include protected health information (PHI). Medical schools, university hospitals, research departments, and school counseling centers are just a few examples of places on campus that use and store health information. Human resources and benefits departments may also be governed by HIPAA, as they are often privy to information about healthcare claims that employees are filing.
Recently, the U.S. Department of Health and Human Services (HHS) announced it is updating HIPAA to clarify that business associates of HIPAA covered entities can include vendors that host data in the cloud. As such, these cloud vendors must meet the privacy and security rules of HIPAA just as the campus HIPAA covered entities do. For example, both the HIPAA covered entity and their business associate cloud vendor have restrictions on using protected health information for fundraising, marketing or other commercial purposes.
At Microsoft, we respect those restrictions, and do not scan emails, data or documents our customers store in the cloud, nor do we co-mingle that data with consumer services for the purpose of building analytics, data mining or advertising.
Administrators must also keep in mind restrictions imposed by FERPA, which provides students access to their education records and control over the disclosure of that information. It applies to educational agencies and institutions that receive funding under the U.S. Department of Education. FERPA prohibits disclosure of information contained in student education records absent consent from parents (or students age 18 or older, if they are enrolled in any post-secondary educational institution). Even though much of FERPA was written before cloud services existed it does impose some important restrictions on how cloud vendors may handle and use information that may be entered into or transmitted across a cloud service by students, faculty or staff.
Department of Education guidance dictates that schools must ensure their cloud vendors agree to be contractually bound by the same restrictions that FERPA imposes on the schools themselves. That may not square with the data collection and use practices of some cloud vendors, especially where they are using, mining, analyzing or disclosing student data for commercial purposes such as advertising.
Microsoft is a cloud services vendor to many education institutions, we are dedicated to understanding your legal compliance environment and leveraging our cloud solutions to help you comply with and address applicable regulations. Through extensive collaboration with third party compliance experts and academic institutions facing these legal obligations, we are currently the only major cloud provider that contractually addresses both HIPAA and FERPA throughout our cloud service offerings, including Office 365 for education.
Privacy obligations stem not only from the letter of the legal regulations, but also the very spirit of the way that education institutions conduct their business with expectations of privacy. Microsoft understands its role as a trusted data steward. We work with administrators to not only understand their legal requirements, but also their institutional culture, to help enable a smooth, confident and compliant transition to the cloud.