This post is part three of a four-part Speaker Series focused on sharing learnings from presenters at FETC 2017. If you’re attending FETC, be sure to stop by the Startup Pavilion and say hello to your Permission Click family. Attending in spirit? Send us a message on Twitter @PermissionClick and let us know what you thought of our FETC Speaker Series!
“It’s a lot easier knowing that you’re not alone. Together we can figure it out.”
Linnette Attai
Linette Attai has over 20 years of experience in the compliance industry. Starting in the entertainment world, Linette served time with both Nickelodeon and CBS before forming her compliance consulting firm PlayWell LLC.
Often presenting to developers, marketers, researchers and attorneys about privacy, safety, and advertising, Linette switched gears this week to share her learnings with FETC attendees.
PC: What exactly are FERPA and COPPA?
COPPA ensures that companies are minimizing the amount of information we are collecting from children under 13. Really, it’s about giving parents control and authority over what is collected from their children and enables certain security diligence around third parties.
FERPA (Family Educational Rights and Privacy Act) is actually not a new law. It was passed back in the 1970’s and has been updated in 2008 and 2011 to keep up with technology. FERPA was designed to ensure that parents and students 18 and older have the right to access information retained by schools about their education. It provides individuals with the ability to monitor, collect, and even amend their data.
”In the past three years alone, we’ve seen over 480 new bills passed and 82 new laws.
PC: Within any district we have three main stakeholders: teachers, district administrators, and risk managers. With new laws and bills popping up almost daily, how can each stakeholder ensure they have correct and timely information?
To say that the rate of change in student data policy is high would be a gross understatement. In the past three years alone, we’ve seen over 480 new bills passed and 82 new laws. Some are regional by state, but there’s no shortage of new information that needs to be consumed by districts.
A big challenge for the education sector is that these laws aren’t written with a set of instructions, and they’re written for the legal community. This leaves a lot of room for interpretation – and possibly missing the mark on what the law is trying to accomplish. We can’t expect educators to be part-time lawyers. When it really comes down to it, they need support, and they should be actively seeking that support. I do a great deal of training with school systems and educators in this very area. Sometimes that means guidance and education while a district builds their own compliance program. Other times we go ahead and build it for them.
PC: Resources at a district level are sometimes conflicting – other times they’re non-existent. What should a teacher do when they feel they lack required resources or aren’t properly supported?
I am lucky enough to be working with COSN (Consortium of School Networking) where we provide a lot of free resources for schools. In fact, we’ll be running an online training program called “Protecting Student Privacy in Connected Learning” starting in March. This is an excellent first step. The Privacy Technology Assistance Center also has great free online resources available to educators.
With all these resources and often conflicting online information, it’s common for districts and educators to feel overwhelmed and confused. The question becomes “what do I do with all this information?”. Even after we’ve read the law and used the resources above, we’re sometimes still missing that vital set of instructions. How do I turn the law into policy? How do I then disseminate that policy to my schools, to my staff? How do I train them? These are tough questions and there’s no one easy answer. This is why many districts contact a firm such as PlayWell LLC for guidance.
PC: If a new law comes out tomorrow, how quickly is a district expected to respond?
Implementation is usually six months to a year. They do give districts time to learn, understand, and develop policy. The challenge is the lack of guidance for schools on what the law means. When you sit down with schools who are really in the trenches, you can see the fear come up and it’s very strong. That is where I try to do a lot of my work with PlayWell, helping to explain these new laws or policies to the schools and give them support.
”The government isn’t in the business of putting schools out of business. They will work with you.
PC: A Risk Manager at a district learns that for some reason, they are no longer compliant. What happens next? How serious is this issue?
Firstly, don’t panic. When we look at FERPA or other state laws, you’re looking at a law that is designed based on limiting federal funding. This is a huge risk, absolutely. But we have to remember that the government is not in the business of putting schools out of business. That wouldn’t be good for anyone!
Second, understand the scope of your problem and put a resolution plan together. Maybe you have to pull back some data, amp up your security, hire a Chief Privacy Officer. The resolution will be unique to the situation.
Third, keep it in perspective. No one – not any district – is perfect on their compliance. 100% compliance just simply does not exist. When you have an issue, understand how it happened, and plan to fix it. Most importantly – make sure it doesn’t happen again. Having a breach in compliance doesn’t mean you’re over. It simply means you need to pay attention to it quickly and seriously. If you’re really stuck on a serious issue, call PTAC’s hotline, call me, or call COSN. These resources are here to support you.
PC: So much support for educators! What about vendors? We see many new EdTech companies every year. One has to wonder, with so many changes happening so frequently, what can we do to ensure we’re on the right side of the line?
For a vendor I see the risks being much greater. The laws treat companies differently – instead of the threat of losing federal funding, they lose the ability to work with schools. If a company isn’t compliant, they risk a restriction to student data. Essentially, schools can’t share student data with that company for five years.
“There needs to be a trusted partnership between companies and educators.”
There really is no one silver bullet. Laws and regulations change depending on the state, the age of the student, and other factors. For an EdTech company, it’s vital to stay on top of the legislation and on top of your industry. Knowing the stakeholders and the entire ecosystem is critically important. It’s not enough to be great at technology, or to have an amazing idea that’s going to improve the education of students. You have to understand how schools work, the concerns of parents, and what is happening on a broader scale. Things are moving at a pace that we really have not seen in other industries. We have a fairly mature legislature in the financial sector, in medicine, and in the entertainment sector. But when it comes to technology and education, this is the start of determining the boundaries. 21st century classrooms are growing so quickly. We really need to understand the laws and the concepts behind them.
What I would encourage for everyone: understand that their are laws and rules to protect student privacy. Schools and vendors are both working hard to ensure the privacy of student data. There really needs to be a trusted partnership between companies and educators. Laws are changing, being written very quickly, and are really focused now on vendor control. So work together to really make sure that vendors are compliant with the data they get from schools.
PC: What do you predict we should be planning for in the next 5 to 10 years?
This generation of children are very different than millennials, they are going to be much more self-directed in their learning. I see personalized learning becoming much more important to them. Strong privacy around this self-directed learning, especially in the K-12 space will be key. I also see the empowerment of students and parents to use their data to direct their own higher education. Balancing protecting the data without limiting the student’s and parent’s use of the data for their own benefit will become a key trend.
