Technical Security in an Educational Environment

Seminar at Columbus State University - Tuesday, April 17, 2007

Summary of notes from Patty Nathan, Steve Wells, Lee Conner and Kathy Bailey.

Seminar Theme – IT and technology staff cannot be isolated but must work with the administration to set policy for educational and legal issues; technology is not just running servers and teaching. Administrators must be involved with decisions dealing with student confidentiality, fair use policies, curriculum, data access and storage, and, in general, procedures followed by the technology department.

AUP – Acceptable Use Policy
  • Law passed that all schools must have an AUP as of January 1, 2007
  • Difficult to prove violations, but can track
  • Should include statement that by reading the AUP and using the school’s technology equipment you are agreeing to the AUP
  • Strongly recommend that teachers and staff sign (if discipline or dismissal becomes necessary)
  • Should explicitly state not to share password and log-in information
  • Specifically states that the school filters
  • Specifically states e-mail is the property of the school and subject to the open records laws
  • Must have a separate Internet Safety Policy including how information is stored, accessed and who can access
  • Include in employee and student handbooks
  • Be careful with restrictions because of the 1st Amendment

Document and Data Retention
  • Most emails are 'transitory' in nature and needn't be retained
  • The content of an item, not its format (i.e., just because it is e-mail), is used to determine which emails are transitory. There are many categories; how long each must be kept is decided on a case-by-case basis.
  • The State of Georgia Retention Schedules
  • Need written Record Retention Policy clearly stating how long documents including e-mail are kept
  • E-mails do not have to be kept electronically but can be printed and saved.

FERPA – Family Education Rights Protection Act
  • Can’t release educational records without parental permission
  • Parents have full access to their child’s records. Written requests recommended.
    • Records include anything about student in print or electronic including gradebooks, e-mails and online data
  • Exceptions:
    • Some information kept by special education teachers
    • Notes kept by counselors and administrators for recall purposes. Notes cannot be viewed by other staff members or they become part of the student’s record.
  • Within strict guidelines, directory information is exempt from records that must be withheld:
    • Name, address, photo, clubs, yearbook OK with parent approval and done in such a way that child cannot be specifically identified.
    • Cannot include any personal or private information that could result in a student being contacted by a third party.
    • Parents must be given this choice to opt out.
    • Directory information policy should be in handbooks.

Open Records
(Public Institutions and Organizations: everything is an open record unless exempt; Private Schools and Businesses: only during court order or legal investigations).
  • Citizens can access open records and have a right to copies
  • Every record received in the course of a business day by a public institution is an open record
  • Emails are property of the institution and are treated as records
  • Exemptions include teacher evaluations, personal information, personal notes by counselors and administrators for recall purposes
  • Exemptions are defined in various different places in Georgia Law and include:
    • Social security numbers
    • Home address, phone number
    • Law enforcement addresses and phone number
    • Teacher evaluations
    • Tax information
    • Student records
  • Directory Information is an open record, which has implications as to what can be posted on the Internet. (See FERPA and CIPA.)
  • Records retention policy needs to be defined

CIPA – Children’s Internet Protection Act
  • Requires monitoring of student access
  • School is responsible for what happens to student or what the student might do to someone else while using school technology
  • Restricts student access to private mail accounts while at school since can’t screen content
  • Video: Each project requires a note to parents with an option for the parent to decline their child being in front of the camera. Should clearly state where the video will be posted and how it will be distributed. Should include the phrase, “As with any electronic media, the possibility exists for a wider, unsanctioned distribution.” (At Paideia, a class video found its way to YouTube.)

  • Discovery process – don’t need all evidence to sue
    • Deposition
    • Documents asked for are required with some limitations; some filtering OK
    • A good attorney will ask for lots of information about a school’s technology network, servers, data format and retention to aid him/her in the discovery process. Will want to know what work documents, e-mail, photos and other items are retained, in what format, how they can be accessed and how they can be searched.
    • Has to be explained at the most simplistic level
  • Search limited to what is reasonably accessible, i.e., don’t have to keep old servers with dated programs so old files can be viewed
  • Set up a search system that makes access easy. (Be able to search all computers on a network from a server instead of having to go to individual stations. One public school set their mail software to download mail to each individual’s computer when mail was accessed instead of retaining mail on the server. It saved server space, but during a lawsuit someone from technology had to physically visit every computer that might have received, or received a response to, each message.)