Guide to data regulation compliance for distance learning in K-12

Greg Shine

I’m sure you are aware of the worldwide pandemic that is gripping our lives and changing how children learn. It is an incredibly difficult time for educators who are being asked to offer new and improved ways of learning remotely. Securing the new distance learning environment and the privacy of students has become a catch-up game for many. But there is no alternative. Schools must ensure full compliance with data regulation to protect students and educators.

Understanding the Legal or Regulatory Landscape

There are many legal and regulatory compliance elements to consider when we think of Data Privacy and Data Security. Voluntary certification standards may or may not have been selected by your agency or business, but legal obligations are not voluntary.

In this blog post, I’ll hopefully shine a light on some areas that you will need to consider if you are operating a business or service that handles data belonging to minors in the USA.

Data Security Vs Data Privacy

What I want to make clear here is the distinction (and overlap) between Data Privacy and Data Security.

Data Privacy in general is concerned with why the data is being processed – the legal basis, the fairness, the transparency, the purpose, minimization, accuracy, retention limits and finally the integrity and confidentiality elements “baked in” to the solution that protects the data. The Children’s Online Privacy Protection Act (COPPA) establishes a legal framework that addresses your requirement to adhere to these Data Privacy principles.

Data Security, alluded to in the above list, is concerned with ensuring appropriate technical or administrative controls are in place to safeguard the data being processed.

To put it another way, Data Privacy obligations make sure you process data whilst respecting the rights of the data owner. Data Security obligations make sure you process this data with the right level of technical and administrative rigor. To be compliant with these legal requirements we must consider, document, and deploy solutions that help us meet these compliance goals. CIPA elaborates legal requirements addressing these Data Security controls.

Applicable Law

In the USA, CIPA and COPPA are two standout Federal Acts we must look at when dealing with special category data, specifically data belonging to minors.

COPPA

The Children’s Online Privacy Protection Act (COPPA) governs the collection, use, and disclosure of personal information collected from children under age 13.

Anyone, including teachers, school superintendents and district officers who select and evaluate online resources, websites, and apps that will be used by students under age 13, must be aware of their requirements under COPPA.

The law covers two types of Data Collection:

Active Data Collection where an operator directly solicits information from children or enables children to make their personal information available.

Passive Data Collection where online activities can be tracked using “identifiers” across sites and platforms (think cookies).

Obligations for service operators

COPPA requires online service providers (Operators) to do several things including the provision of direct notices to parents and the maintenance of an online privacy policy. COPPA establishes different requirements depending on the type of processing. In general, COPPA mandates the direct notice to:

  • Identify the personal information that the operator has already collected or intends to collect
  • Explain the purpose of the notification
  • Identify the actions that the parent must or may take
  • Explain how the operator intends to use the personal information collected
  • Provide a link to the operator’s clearly located online privacy policy

The online Privacy Policy must include:

  • The Operator’s contact details
  • The contact details of all third-party Operators
  • Details of how parents can review their children’s personal information, request its deletion, and refuse consent to further data collection

The regulation clearly calls out the need to take “reasonable steps” to limit and release data only as stated and as necessary, to limit the amount of time data is retained, and to protect the data from unauthorized access, including at data disposal. In a general sense, COPPA legally establishes the Data Privacy principles mentioned earlier.

CIPA

Congress enacted the Children’s Internet Protection Act (CIPA) in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. Schools and libraries subject to CIPA must certify that they have an Internet safety policy that includes technology protection measures.

The Internet Safety Policies must include monitoring the online activities of minors, and, as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior (digital citizenship), including the use of social networking websites and chat rooms, and cyberbullying awareness and response. It is important to note that CIPA defines a minor as any person under the age of 17. Finally, the Internet Safety Policy must also address the technical threat of unauthorized online access and prevent the use of technology for illegal purposes, as well as protect against the unauthorized disclosure of Personal Information.

In a general sense, CIPA establishes a required standard of Data Security controls.

Your data regulation compliance checklist

If you are under legal obligation to provide a safe, secure environment to minors accessing the internet, you should:

  • Have a clear, reasonable, fair reason for processing
  • Understand the data you are processing, be transparent with users in how you use the data
  • Make someone in your organization accountable for the service or solution
  • Educate your Staff about Data Privacy and Data Security matters and the service or solution
  • Educate your Students about Digital Citizenship and their online behavior
  • Have a clear, accessible Privacy Policy
  • Have authorized consent or consent mechanisms in place
  • Deploy appropriate technical controls to ensure the safeguarding of children when online
  • Be able to show evidence of good decision making and processes when considering controls
  • Choose appropriate technology and technology providers for your business or educational needs
  • Demonstrate diligence when considering your suppliers
  • Document your efforts and keep records of all Security or Privacy related activities

Start with the basics

Planning how you are going to meet your compliance objectives regarding your processing activities can seem daunting. I am not going to lie, it takes thought, effort and diligence. Start with the basics, the list above, and work from there. Choose suppliers that offer transparency. Choose suppliers that are well established and offer security comfort through their compliance and certifications. Use those services, products, and processes as appropriate, where they fit into your compliance journey.

Learn more about how Asavie helps K-12 schools create a safe distance learning experience for teachers and students.

Recommended reading

More information about FCC CIPA legislation is available here

More information about FTC COPPA legislation is available here

As head of security and compliance, Greg Shine manages the information security function in Asavie with the sole mission of keeping Asavie and our customers’ data safe.