The National School Board Association (NSBA), a federation of state school board associations representing more than 90,000 school board officials across the United States, wrote two of FPF’s favorite legal and policy guides on student data privacy and security, “Data in the Cloud” and “Data Security for Schools.” These resources are designed to help school board members identify the crucial issues associated with student data privacy and security and develop strong data security practices in school districts, primarily through a set of practical questions and answers. While “Data in the Cloud” addresses aspects of student privacy—specifically the collection and use of personal information—“Data Security for Schools” addresses security—the protection of student data from unauthorized access or acquisitions.
On July 22, FPF spoke with Sonja Trainor, NSBA’s Managing Director for Legal Advocacy, about these resources.
FPF: Please tell us about the background for developing the “Data in the Cloud” report.
Sonja: The “Data in the Cloud” report grew out of our efforts in 2013–14, when the issue of student data privacy was really beginning to come into full force in many states. At that time, there were several new state bills on student data privacy, incidents like Edward Snowden’s leak of government surveillance documents coming to national attention, and a general surge in awareness and concern for student data privacy. Around that time, we had significant programming with our school attorneys group, The Council of School Attorneys (COSA), and we developed two resources. The first targeted attorneys. Of 3000 school NSBA-member attorneys across the country, we worked with a group who was familiar with data privacy contracting, to produce a resource that focused on vendor contracts and how to negotiate privacy clauses that would allow school districts to comply with the Family Educational Rights and Privacy Act (FERPA) and state laws, etc.
At the same time, we developed a second resource, “Data in the Cloud.” This resource was developed for school officials. It contains a broad overview of the issues that school districts and school district leaders should consider as they think about student data privacy, policy, training staff, and best practices. It is also a legal guide in the sense that it introduces school officials to laws that affect student data privacy. If, say, a new principal at a high school that has never had a formal policy on that issue is looking for a resource, this report would be something he or she could pick up to quickly get familiar with the issues and plan next steps. Luckily, federal law has not changed much since this guide was published in 2014. State laws, of course, have evolved dramatically since then, but it is still a relevant overview for districts that are either getting started with student data privacy policies or looking for a fresh perspective on policies they may already have in place.
The “Data Security for Schools” guide, published in 2017, was developed with and written primarily by an attorney with expertise in data security, Christine Czuprynski. At that time, our members were asking questions about legal requirements to protect against data breaches and what to do in case of a breach. That resource provides an overview of best practices in the area of data security, including steps like developing a data governance plan.
FPF: Along those lines, what have you specifically included or not included in these resources?
Sonja: One thing we did not include in the “Data in the Cloud” guide is a summary or analysis of state laws, which were simply moving too quickly when we wrote it. For that reason, we emphasize the need for any school official reading this to consult with a member of the NSBA Council of School Attorneys and with their state school boards association regarding their own state laws.
However, in the “Data Security for Schools” guide we did include, as a reference, a chart on the narrow issue of data security breach notification laws that covers different state laws. Both guides outline the relevant federal law and best practices. For example, while most people might know FERPA, they would not necessarily know exactly what FERPA says about digital records, which is relatively little. For this reason, there is a lot of extrapolating that has to be done. So we try to at least outline those main items and issues.
FPF: Are there any significant changes or gaps in the laws since these resources came out that may be included in a “version 2.0” update?
Sonja: As a matter of fact, we have been thinking about an update. One area of student privacy that we know is subject to possible change relates to the FTC seeking comments on the Children’s Online Privacy Protection Act (COPPA) regarding its provision for schools granting parental consent. We may incorporate any of these potential changes as well as provide additional analysis of whether and how school districts should be thinking about liability concerns for granting consent for kids under the age of 13 to use various platforms and websites. We may include current language and the way we discuss data today and may mention the European General Data Protection Regulation (GDPR). The GDPR is something of which any entity in the US that manages data should at least be aware, to get an idea of how one portion of the world is regulating data privacy and what kind of individual rights they’re looking at.
As for the “Data Security for Schools” guide, we are currently working on an update to cover the changes we have been seeing in legislation. That update should be released in late summer 2019.
FPF: You mentioned that these resources are intended for school boards and school officials. Could they be of use to other stakeholders as well, such as parents or teachers?
Sonja: The target audience is certainly school leaders at all building and district levels, the latter especially. I think that community members and parents might benefit from being able to see the kinds of issues schools need to think about when it comes to student data. It would certainly help them to understand the mindset of schools and how they are thinking about certain issues. Student data is more than a mere compliance, liability, or regulatory issue, and school districts have to be responsive to the needs of a broad group of people, a whole community of students. This perspective may lead schools to have a different approach than that of parents, for example, who are understandably looking at things from the perspective of their own individual child. So I think it would be helpful for parents to take a look at these and get a sense of school districts’ concerns as they form policy.
FPF: The question-and-answer structure of these resources is helpful. Can you tell us about how you drafted these and decided which issues to address?
Sonja: Our drafting process is very connected to practice and what people are experiencing on the ground. We collect this “intelligence” through COSA, the NSBA Council of School Attorneys, which, as I mentioned, includes more than 3000 attorneys across the country who are employed in firms or are employed directly by school districts or as staff of state school board associations. This group of attorneys, encompassing a wide variety of roles, was already responding to questions from their clients on various data-related issues at the time.
For example, for “Data in the Cloud,” we had the benefit of being able to receive the input of attorneys who were already interested in and experienced with student data privacy, despite the fact that not many professionals had that kind of practical experience back in 2014. We were able to rely on these attorneys, who informed us of the advice they had been giving on different topics and gave us a broad range of perspectives on any given issue. This process allowed us to identify the legal issues that people were concerned and grappling with on a day-to-day basis.
For the “Data Security in Schools” guide, we also made use of boots-on-the-ground input from our attorney members to determine the questions school officials were asking and what they needed to know to develop data security plans. We were fortunate to work with an attorney with specialized expertise to develop helpful answers.
This interview was conducted by Ahuva Goldstand on July 22, 2019. It has been edited and condensed for clarity.