Home‎ > ‎Departments‎ > ‎Technology‎ > ‎Info-Security Blog‎ > ‎

Protecting the PII of students

posted Apr 29, 2013, 8:06 AM by jtozer@rsu20.org   [ updated Apr 29, 2013, 8:06 AM ]

In the last installment, I discussed personally identifiable information (PII), how it relates to you, and how you can protect your PII.  This time, I want to explore securing the PII of our students.  One of the fastest growing exploits is identity theft of student information; specifically, high school and college students (Student Identity Theft).  This theft is primarily occurring from social networking sites.  Securing the PII of students requires the same diligence you would use to secure your own PII.  The same pitfalls that can trip up adults trip up our students.  While they may be more tech savvy than many adults, they are still children and are often too trusting.  That is where we can help.

The Family Education Rights and Privacy Act (FERPA) was signed into law in 1974.  There is much written on FERPA, but in a nutshell it requires schools that receive federal funding to obtain written permission from a parent or eligible student in order to release student records.  This is one reason we have a section on the annual RSU #20 emergency form that allows parents to accept or decline having student information posted on the web.  In 1974, the concern was not for student PII being placed on the web:  The intent was to protect paper documentation associated with a student. Today, FERPA regulations have increased importance given the use of blogs and websites by staff and students.  School districts and staff can be held liable for not following FERPA guidelines.  For more on FERPA violations, take a look a these links:

Wisconsin middle school posts list of failing students

Teacher resigns after posting blog with personal student info

School District found in violation of privacy law

The Title XIII-Children's Online Privacy Protection Act of 1998, also known as COPPA, concerns the collection of personal information from children under the age of 13.  COPPA is directed toward commercial sites such as Facebook, Myspace, or Twitter. COPPA details what a website must have in its privacy policy, what information can be gathered, and how the site must display its privacy policy.  If you read the privacy policy for Facebook, you will see a disclaimer that one must be 13 years of age or older to register. That's COPPA. 

From Facebook's privacy policy:

No information from children under age 13. If you are under age 13, please do not attempt to register for Facebook or provide any personal information about yourself to us. If we learn that we have collected personal information from a child under age 13, we will delete that information as quickly as possible. If you believe that we might have any information from a child under age 13, please contact us through this help page.

Know of any students under 13 that have a Facebook account? 

Information security education is not designed to scare you into no longer using the Internet.  It is designed to raise your awareness of infosec issues.  What can we do to help our students?  First, become familiar with FERPA, if you aren't already.  Understand what guidelines we are required to follow to protect student information.  Second, practice keeping your PII safe from unnecessary exposure.  Make that part of your daily routine.  This practice will help you in your daily routines with students.  Third, reinforce with our students the dangers of sharing personal information, regardless of medium.  Use our wonderful Digital Citizenship resources developed in-house by Barb Rehmeyer and Tracy Hayslip.  Class links are located in the lower left of the side bar.  Take a few minutes, when you have an opportunity, and check it out.

Here are some additional sites:





Always Use Protection: A Teen's Guide to Safe Computing.  Dan Appleman.  Apress.  ISBN: 978-1-59059-326-4

Next time: the importance of password protection