What is PII? What Districts and Families Need to Know

December 19, 2019
By Katie Onstad
Student Privacy Laws, PII

New student data privacy laws are changing the landscape for school districts, educators, and parents. For themselves and for their students’ families, districts face growing concerns about data privacy, leading to the question: what is PII, otherwise known as personally identifiable information? Once it is defined, districts need to know how to protect it.

PII is any data point that can be used to identify a specific individual. In K–12 schools, the most common pieces of student PII include:

- Student’s full name
- Date of birth
- Social security number
- Home address
- Home telephone number

This information is usually stored in a school’s student information system (SIS). In many districts, the SIS is now linked to other programs in a network ecosystem where information is accessible through a single sign-on (SSO), eliminating the need for countless user names and passwords to log in. SSO vendors, such as Classlink, act as a connector between the school’s SIS and other digital programs. Not only does the SSO allow users to log in with just one user name and password to access approved programs on the network, but it also means that teachers’ class rosters are automatically populated, or “rostered,” by the SIS [1]. With all digital programs linked together, network security becomes paramount, in addition to ensuring that PII is protected.

Unless applications or digital resources have been developed by the district itself, these digital programs are provided by third party vendors. These vendors are collecting user data, or student PII. There are federal and state privacy laws that limit what information vendors can collect, how long they can keep it, and what they can use it for. However, it falls to the school district to understand vendors’ privacy policies, negotiate terms, and monitor the vendors for continued compliance.

District data breaches are more and more common, and student PII is being sold on the dark web. If this happens, it could take years for a student or her family to become aware that the information has been compromised and sold. In the meantime, debt and false records accrue in that student’s name or are tied to the student’s social security number.

COPPA and FERPA Use Different Definitions of PII

The Children’s Online Privacy Protection Rule (COPPA) protects children under 13 and spells out exactly what online operators and third party vendors must do to protect children. Each of the following is considered personal information (PII) under COPPA:

- Full name
- Home or other physical address, including street name and city/town
- Online contact information like an email address or other identifier that permits someone to contact a person directly (a screen name, or a user name where it functions as online contact information)
- Telephone number
- Social security number
- A persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier
- A photo, video, or audio file containing a child’s image or voice
- Geolocation information sufficient to identify a street name and city/town
- Other information about the child or parent that is collected from the child and is combined with one of these identifiers [2]

The Family Educational Rights and Privacy Act (FERPA) considers PII to be any information that can be used to distinguish or trace an individual’s identity, either directly or indirectly through linkages with other information. Direct identifiers include a student’s or other family member’s name, and indirect identifiers can be a student’s date of birth, place of birth, or mother’s maiden name [3].

One thing that causes confusion is that persistent unique identifiers are considered PII under COPPA but not under FERPA.

Schools are required to comply with both of these federal privacy laws, in addition to any state or local laws, but as a practical matter, school districts often adopt the more comprehensive COPPA definition of PII to ensure compliance.

As you can see, compliance with state and federal student data privacy laws is complicated. However, it is now a driving concern of school district administrators, and not just those in charge of technology. Understanding how to protect student privacy requires reading each vendor’s privacy policy and vetting the technologies for their level of security. Then, as privacy policies change frequently, districts need to monitor the policies over time to ensure they stay informed of any changes.

How EdPrivacy Provides Data Privacy Peace of Mind

EdPrivacy from Education Framework provides a K–12 privacy management solution that vets the security and safety of all online applications based on their compliance with FERPA, COPPA, and state privacy laws. EdPrivacy’s proprietary rating system provides student data privacy peace of mind, as it allows users to see at a glance whether or not the apps they are using are in compliance with state and federal data privacy laws. If there are changes in the law, districts receive notification from EdPrivacy.

EdPrivacy has a searchable database of more than 10,000 vetted online applications, and expertise districts can rely on when it comes to FERPA, COPPA, and state data privacy requirements. With EdPrivacy, districts can review a privacy scorecard for any vendor and quickly determine the safety of the application. Further, they can understand whether or not the district can grant consent on behalf of the parents for each individual online resource.

For a free trial, visit here.

____________________

[1] EdPrivacy works with SSO programs, such as Classlink, G-Suite for Education, and Microsoft Office 365 for Education.
[2] Retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance#step1
[3] Retrieved from https://studentprivacy.ed.gov/content/personally-identifiable-information-pii#glossary-node-210