Under Key (Digital): Best Practices for Protecting Data and Information in Independent Schools | Venable LLP
Independent schools hold a significant amount of data. Information routinely collected by schools includes social security numbers, financial aid information, student medical information, and donor information. To exercise due diligence in protecting all this information, schools should understand whether, and to what extent, legal obligations apply to them and take practical steps to protect it.
Understand what legal obligations may apply
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. It is important to note that the law only applies to schools that receive funds under an applicable US Department of Education program. In other words, unless an independent school receives federal financial assistance from a Department of Education program, it is not covered by FERPA.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information. HIPAA rules apply to “covered entities,” which are limited to healthcare providers that electronically transmit health information as part of certain transactions; health plans, including employer-provided group health plans that provide or pay for medical care; and healthcare clearinghouses that convert healthcare information from a standard HIPAA format to a non-standard format, or vice versa. Most HIPAA rules also apply to “business associates,” which include contractors or suppliers of a covered entity who use or disclose individually identifiable health information in the course of providing services to the covered entity.
Notably, most independent schools are not considered covered entities. Maintaining records containing employee or student health information, such as documentation regarding an employee’s need for sick leave or a student’s immunization status, does not make an independent school a covered entity. Offering health insurance or any other type of group health plan does not make an independent school a covered entity either, as the school is considered a separate legal entity from the health plan itself. Nevertheless, health information is considered private information and should be treated confidentially.
Consumer Data Privacy Laws
Generally speaking, consumer data privacy laws govern how personal data may be collected and shared and give individuals the right to control their data. While there is no single, comprehensive data privacy law in the United States, some states have enacted their own consumer data privacy laws, and others are seeking to implement such laws. In addition, the European Union has a comprehensive data protection law – the General Data Protection Regulation (GDPR) – which protects data belonging to EU citizens and residents. Independent schools can be covered by the GDPR, depending on the extent to which they “offer goods and services” to EU citizens and residents (i.e., solicit students who live in the EU).
Independent schools would do well to ensure that they understand whether their operations are governed by these laws and, if so, what policies and procedures they will need to implement.
In addition to understanding what legal obligations may apply, schools can consider doing the following to ensure they are protecting student privacy and data:
Perform a privacy assessment
A privacy assessment can be used to determine what types of data the school keeps, where it is stored, and where there may be risks that this data could be breached or misused. Importantly, the assessment can also be used to identify areas where data privacy and security can be improved.
Implement (and periodically review) privacy policies
Schools may want to implement privacy policies that explain how school community data is collected and used, as well as how schools will respond to a privacy or data breach.
Organize training
Conduct periodic training, not only on the school’s own privacy policies, but also on general best practices, to ensure that sensitive and/or confidential school information, including information about students and employees, is protected. For example, make sure teachers understand how to identify suspicious emails and that students understand the importance of protecting any passwords they have for educational apps.