2003 WEMA Conference Privacy in the 21 st

2003 WEMA Conference Privacy in the 21 st Century: Issues for Schools & Libraries Helen Adams Bob Bocher hadams@coredcs. com robert. bocher@dpi. state. wi. us Rosholt School District Dept. of Public Instruction www. dpi. state. wi. us/dltcl/pld/privacy. html Privacy — 2003 WEMA Conf. (Adams, Bocher)

Topics to Cover 1. An overview of privacy issues 2. Federal and state protections and actions 3. Tips on online privacy 4. Privacy issues in schools 5. Privacy resources 2 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy Concerns and PII (Personally Identifiable Information) Ø Privacy concerns are high on consumer polls. Key concerns include “Identity theft is one of the fastest growing crimes in Identity theft and fraud the state. It’s about time law enforcement officials q. Coms selling your PII had the tools to bring down q Government misuse of your PII these high tech con artists. ” –State q Security of your medical and financial data Rep Mark q Ø Privacy concerns increase as Gundrum (R-New Berlin), Chair, Assembly TF on Identity Theft (April 8, 2003) More people are online q Residential broadband access increases (now 20%+) q Use of wireless communication increases q More people shop and conduct business online q 3 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Personally Identifiable Information (PII) Ø Typical PII includes q Name q Address (work, residence) q Email address q Telephone number q Other ID (SSN, etc. ) How much of this data is in your school’s database? Ø Non-PII includes q Demographic • Age, gender, race/ethnicity q 4 Education level, job, income q Preferences, interests, hobbies Privacy — 2003 WEMA Conf. (Adams, Bocher)

Federal Protections and Action Ø 4 th and 5 th amendments Ø Federal Trade Commission (FTC) is lead privacy agency Ø Many federal laws have privacy provisions, including: Gramm-Leach-Bliley Act (GLB, 1999) q Health Insurance Portability and Accountability Act q (HIPAA, 1996) • Rules (93 pages) effective, April 14 USA Patriot Act (2001) q Children’s Online Privacy Protection Act (COPPA, q 5 1998) Privacy — 2003 WEMA Conf. (Adams, Bocher)

FTC’s Fair Information Practice Principles (FIPPs) Any Website that collects PII should provide: 1) Notice Sites must state policy on use of 2) Choic e 3) Acces s 6 4) PII and have the policy in a prominent location on the Website. Consumers decide how their PII is to be used, if at all (opt-in or opt-out). Consumers can access their PII and make any corrections. Companies must secure your PII from any unauthorized use. "The key to privacy protection is enforcement. Now, there's no financial harm for not having or following a privacy policy. " –Andrew Shen, EPIC Privacy — 2003 WEMA Conf. (Adams, Bocher)

USA Patriot Act (PL 107– 56, Sections 214– 216) Ø Quickly passed following Sept 11, 2001 Ø 342 pages that revises more than 15 other laws q Expands Foreign Intelligence Surveillance Act (FISA) “In our Ø Provisions extend beyond terrorism haste to develop legislation q Increases counterfeiting penaltiesto help America, we went too far. ” Ø Russ Feingold was only senator–Sen. Feingold, 9 -02 to 7 vote “no” Ø Patriot II act has been drafted Ø Total Information Awareness (TIA) system, research continues Privacy — 2003 WEMA Conf. (Adams, Bocher)

USA Patriot Act: Some Privacy Issues Ø Expands monitoring laws (beyond phone taps) to include Internet traffic q Email addresses, IP addresses/routing, Web search terms • Monitoring at various levels, from PC to the ISP q Allows nationwide monitoring Ø Expands surveillance with less judicial review q Former “probable cause” was higher legal bar than new “relevant to an ongoing investigation” Ø ALA advises librarians to “avoid creating unnecessary records” 8 q Privacy — 2003 WEMA Conf. (Adams, Bocher) Is this a new “Library Awareness Program”?

State Protections and Action Ø Student privacy protections are in state statutes Ø WI library privacy law Ø DPI approves school district technology plans q Plans often include privacy provisions in relation to NCIPA ALA policy 9 State statutes Local library/school policy Privacy — 2003 WEMA Conf. (Adams, Bocher)

WI Library Privacy Law Library privacy law (43. 30(1)) covers the following: 1. Any library supported by public funds 2. Any information indicating the identity of an individual 3. Any use of a library’s materials or other resources or services may not be disclosed except by court order. (emphasis added) 10 Includes public libraries, public K-12 schools, UW and WTCS libraries. Includes any individual, regardless of age, residence, etc. Includes circulation records, Internet use (email, Web logs, history files, sign-up sheets) meeting room use, etc. Privacy — 2003 WEMA Conf. (Adams, Bocher)

Tips on Personal Privacy Ø Read closely any Website’s privacy policy Ø Keep a “clean” email address Ø Home cable and DSL users are especially vulnerable Ø Never enter sensitive PII without a secure connection Ø Enter only minimal data, look for opt-out check boxes Ø Look for compliance with groups like BBBOnline, TRUSTe and HON 11 Ø Be aware of your surroundings Privacy — 2003 WEMA Conf. (Adams, Bocher)

Schools and Privacy: 12 Issues & Answers Helen Adams hadams@coredcs. com Rosholt School District 12 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #1 Confidentiality of Student Records (federal law) Ø Family Educational Rights and Privacy Act (FERPA, 1974) q q Requires districts to establish written policies and procedures protecting student PII q Defines educational records and who has access q 13 Applies to schools accepting DOE funds Parental permission required to disclose student PII Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #1 Confidentiality of Student Records (state law) Ø Chapter 118. 125 WI State Statutes q All student records in public schools are confidential, including: • Behavioral, directory data, progress records, physical health q Access to records granted • • 14 To parents To staff with “legitimate educational interest” For legal reasons For an audit of state or federal program Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #2 Privacy Language in the AUP Ø Addressing privacy in the AUP q N-CIPA requires schools receiving E-rate discounts to adopt an Internet Safety Policy • Must address “unauthorized disclosure, use, and dissemination of PII regarding minors. ” • Minor defined as someone less than 17 years old • Requires public hearing and formal Board adoption 15 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #3 Privacy Policy on a District’s Website Ø All school sites should post a privacy policy q Present on every major page of site q Examples • Anchorage (Alaska) School District – www. asd. k 12. org/privacy. asp • School District of Greenville County (SC) – www. greenville. k 12. sc. us/district/web/policy/privacy. htm • Valley Elementary School (Utah) – www. weber. k 12. ut. us/Legal. Notice/privacy. html 16 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #4 Identifying Students on the District’s Website Ø FBI recommends districts not publish student photos Increased arrests of pedophiles q Study: 12% of kids meet unknown person q Ø Districts approach the issue in different ways Pictures and names q Pictures with no names q Pictures and names separated q No photos or names q Ø Mankato (MN) S. D. #77 17 q www. isd 77. k 12. mn. us/webguide. php Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #5 Protecting the Confidentiality of Library Records Ø Records kept for library management Ø No federal law protects confidentiality Ø Legislation in 48 states and DC varies Ø Wisconsin Library Privacy Law covers q q Records associated with use of the Internet q Use of in-house databases q 18 Patron information, circulation records Can release only by court order Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #6 Privacy and Security of Electronic Student Records Ø Student management systems allow access to records via LAN and WAN q Include directory, attendance, grade, disciplinary, and other records q Levels of security for data • Confidentiality and privacy policies • LAN/WAN network security procedures – Teacher access q Parents access child’s records via Web – Grades, attendance, discipline, and health records 19 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #7 Conducting Market Research on Students Ø Companies have offered districts incentives for info on student use of the Internet q Equipment, email accounts, host Website Ø Student Privacy Protection Act (Dec. 2001) q Requires schools to develop and adopt policies • Collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling 20 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #8 Students Providing PII About Themselves Ø Students have little concept of privacy q Annenberg “The Internet and the Family 2000” study • Teenagers more likely to give information Ø Teach “Stranger danger” online and off Ø Wisconsin Rapids (WI) School District AUP • No PII transmitted from district computers 21 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #9 Access to Student Information by Military Recruiters Ø NCLB Act 2001 requirement q H. S. ’s must supply military recruiters with students’ names, addresses, and phone numbers (including unlisted #’s) • District policies keep student information confidential under Family Educational Rights and Privacy Act (1974) • Oct. 2002 letter sent to districts by federal officials • Parents can “opt out” 22 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #10 Internet Use Logs as Public Record Ø 2 legal battles over whether Internet logs are public records and available q 1998: Utah Supreme Court granted right to review logs of Utah Educational Network q 2000: New Hampshire judge ruled Internet history logs of 2 school districts are public records and may be reviewed – Student PII must be removed first – Person requesting logs bears the cost for removal Ø Wisc. Net’s policy 23 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #11 Use of Email to Conduct School Business Ø Monitoring of employees q 63% monitor email and Internet use q Personal email and recreational surfing cost money q Employers have the right to monitor without informing employees Ø Court cases q 24 “No legal or factual basis for extending right of privacy to cover business-related communications. ” Ø Employers should establish use policy Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #11 Use of Email to Conduct School Business Ø Email communication by administration and school boards It is the public q email issues discussion may violate open policy of this records and open meetings laws state that all persons are Ø Archiving district email entitled to the greatest possible q Content, not format, determines if documents information require archiving and length of time regarding the q Madison (WI) School District case 2001 affairs of government. q 25 Oshkosh (WI) School District case 2002 –WI Stat. 19. 31 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in Schools: Issue #12 Use of Surveillance Cameras Ø Dept. of Justice “Safe Schools Manual” q Allows use of “surveillance technology to protect health, welfare, and safety of students and staff” q Generally in places students and staff lack reasonable expectation of privacy • Hallways, cafeteria, stairways, parking lot, entrances • School libraries and computer labs q q 26 Installed to prevent vandalism, enforce school rules, provide security Notification of public • Signs on doors, notice in district newsletter, letters to parents, highlighted in orientation meetings Privacy — 2003 WEMA Conf. (Adams, Bocher)

Actions Schools Can Take Ø Add privacy language to Internet AUP Ø Add privacy statement to district Website Ø Review how Internet logs are archived Ø Maintain minimal library records Ø Provide staff training on privacy issues Ø Teach students about privacy issues q q 27 Students should know their rights They should learn to protect their own privacy Ø Inform parents of district policies related to privacy Privacy — 2003 WEMA Conf. (Adams, Bocher)

Privacy in the 21 st Century: Issues for Schools & Libraries ? Questions ? Helen Adams Bob Bocher hadams@coredcs. com robert. bocher@dpi. state. wi. us Rosholt School District Dept. of Public Instruction www. dpi. state. wi. us/dltcl/pld/privacy. html Privacy — 2003 WEMA Conf. (Adams, Bocher)

Map showing over 120 security cameras in Times Square area. Most predate Sept 11. –As Security Cameras Sprout, Someone’s Always Watching, NYT Sept. 29, 2002 return 29 Privacy — 2003 WEMA Conf. (Adams, Bocher)

Monday, Feb. 10, 2003 FRANKFORT, Kentucky (AP) – Over 2, 000 state PCs sold as surplus still had confidential files on them naming thousands of people with AIDS and other STDs. "It's a lot of information with lots of names and things like the sexual partners of those diagnosed with AIDS. It's a terrible security breach. " – KY State Auditor Ed Hatchett KY Health Services Secretary Marcia Morgan has ordered an investigation. B. J. Bellamy from the Kentucky Auditor's Dept. checks a hard drive on a PC owned by the state. return 30 Privacy — 2003 WEMA Conf. (Adams, Bocher)