Are there Security and Compliance Regulations for K-12 School Districts?
My goal for this blog post is to raise awareness of the various regulatory and compliance requirements that a K-12 school district in California may need to consider when planning the implementation of its information systems.
I would first like to emphasize that determining which requirements a school district must comply with is always the responsibility of the lawyers who support the school district.
As you can see from my background (http://blogs.technet.com/ttalley/about.aspx), my past experience has been focused on security requirements mandated by various agencies of the Department of Defense (DoD). To guide an agency in its information systems implementation, there were always specific rules and regulations to follow (e.g., DITSCAP, Common Criteria).
Now that I am in the K-12 education environment, I wondered whether there were similar "rules and regulations". The following are some of the regulatory and compliance items I have found that would affect a K-12 implementation of information systems.
Compliance typically requires the enterprise to maintain its systems and networks in a known and approved state, and to be able to demonstrate that state to an auditor. All too often enterprises face competing and conflicting requirements, leading to confusion, uncertainty, and ultimately non-compliance.
Federal Regulatory Requirements
Family Educational Rights and Privacy Act (FERPA)
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
http://edocket.access.gpo.gov/2004/pdf/04-9054.pdf
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA affords parents the right to access their children's education records, the right to seek to have the records amended, and the right to some control over the disclosure of personally identifiable information from the records. When a student turns eighteen years old or attends a school beyond the high school level, the rights under FERPA transfer to the student. For an information systems project, this means that any system holding student records (student information systems, learning management systems, hosted services) needs access controls and disclosure logging that can enforce and document who may see a given student's records.
TITLE XVII - Children's Internet Protection Act (CIPA)
http://www.fcc.gov/cgb/consumerfacts/cipa.html
•Schools and libraries subject to CIPA may not receive the discounts offered by the E-Rate program unless they certify that they have an Internet safety policy and technology protection measures in place. The Internet safety policy must include a technology protection measure (a filter) that blocks or filters Internet access to pictures that: (a) are obscene, (b) are child pornography, or (c) are harmful to minors, on computers that are accessed by minors;
•Schools subject to CIPA are required to adopt and enforce a policy to monitor the online activities of minors; and
•Schools and libraries subject to CIPA are required to adopt and implement a policy addressing: (a) access by minors to inappropriate matter on the Internet; (b) the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications; (c) unauthorized access, including so-called "hacking," and other unlawful activities by minors online; (d) unauthorized disclosure, use, and dissemination of personal information regarding minors; and (e) measures restricting minors' access to materials harmful to them.
Note that CIPA is a condition of E-Rate funding rather than a general mandate: the district certifies compliance as part of the E-Rate process, so the filtering and monitoring controls should be documented in a form that supports that certification.
Health Insurance Portability and Accountability Act (HIPAA)
http://www.hhs.gov/ocr/hipaa/
In December 2000, the U.S. Department of Health and Human Services released the HIPAA Privacy Rule, which restricts the use and disclosure of individually identifiable health information by covered entities (health plans, health care clearinghouses, and health care providers that conduct certain transactions electronically). Whether a school district is a covered entity depends on whether it provides health care services and bills for them electronically, and student health information that is part of an education record covered by FERPA is excluded from HIPAA's definition of protected health information (45 CFR 160.103). Where HIPAA does apply, a covered entity that allows protected health information to be disclosed improperly, whether intentionally or unintentionally, is subject to civil penalties, and individuals (including parents acting for their children) have the right to review the health information and request correction of erroneous data. The HIPAA Security Rule additionally requires covered entities to implement policies and procedures to prevent, detect, contain, and correct security violations, including the regular review of records of information system activity such as audit logs, access reports, and security incident tracking reports (45 CFR 164.308(a)(1)). Which of these rules, if any, applies to a district's health records is exactly the kind of determination the district's lawyers must make.
Children's Online Privacy Protection Act (COPPA)
http://www.ftc.gov/bcp/conline/edcams/coppa/index.html
The Children's Online Privacy Protection Act, enforced by the Federal Trade Commission (FTC), applies to operators of commercial websites and online services that are directed to children under the age of thirteen, or that have actual knowledge that they are collecting personal information from children under thirteen. Such operators must post a privacy policy, obtain verifiable parental consent before collecting personal information from a child, and give parents the ability to review and delete that information. For a school district, COPPA matters mainly when selecting third-party online services for students under thirteen: the district should confirm how the vendor meets its COPPA obligations before students are given accounts.
California Local/State Compliance Regulations
California Security Breach Information Act (California SB 1386)
http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
Requires a business or agency that owns or licenses computerized data containing personal information about California residents to notify those residents when their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Under the 2002 statute, personal information means an individual's name combined with a Social Security number, driver's license or California identification card number, or a financial account or card number together with any required access code or password. Because the notification duty attaches only to unencrypted data, encrypting personal information at rest on laptops, backup media, and databases is the single most effective way to keep a lost device or stolen file from becoming a reportable breach. Whether a school district falls under the "agency" or "business" provisions of the statute is, again, a question for the district's counsel.
Federal Compliance Requirements
Data Retention Compliance Requirements (E-discovery)
http://www.uscourts.gov/rules/EDiscovery_w_Notes.pdf
http://www.law.cornell.edu/rules/frcp/Rule34.htm
Federal Rule of Civil Procedure, Rule 34 provides for requests for "documents" and, as amended effective December 1, 2006, explicitly for "electronically stored information" (earlier versions of the rule spoke only of "electronic data compilations"). E-mail, file shares, databases, and backup tapes are therefore all discoverable in litigation, and the 2006 amendments also added a safe harbor (Rule 37(f)) for information lost through the routine, good-faith operation of an electronic information system. For a district's IT department, the practical consequences are: maintain a written retention schedule for e-mail and other electronic records, apply it consistently rather than ad hoc, and be able to suspend routine deletion (a "litigation hold") and produce the retained data when counsel requests it.
For $20 you can also download the following document published by the National School Boards Association:
"School Law Practice: E-Discovery" (Volume 1, No. 1, June 2007):
http://www.nsba.org/storefront/detail.aspx?ID=1154