Topic Thread

Topic: GDPR for US Schools

1.  GDPR for US Schools

Posted 13 days ago

I am having a hard time finding any definitive answers about how or if GDPR will affect United States school districts, and I'm hoping this group can shed some light on the matter.

My understanding is that any business that is in the European Union, or who does business with the EU, will need to ensure their compliance with GDPR. Although we do not do business with the EU, it is possible that we have students who have EU citizenship, whether they are exchange students or living over here with a visa. Can somebody please let me know your understanding of what US school districts need to do (if anything) to ensure compliance with GDPR?



------------------------------
James Costello
Security Specialist
Cypress-Fairbanks ISD
------------------------------


2.  RE: GDPR for US Schools

Posted 12 days ago

Hi,

"The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location."  I take this to mean that if my school provides its service to citizens of the EU and we collect data about these citizens we must comply with the rules of GDPR.  EU GDPR Information Portal

The basic practices listed here are good practices for data security generally. There was a nice summary on Educause:

Key Takeaways
  • The European Union set an effective date of May 25, 2018, for the General Data Protection Regulation, which replaces its Data Protection Directive of 1995 and significantly expands personal privacy rights for EU residents.

  • Not only is the GDPR more enforceable compared to the DPD, it applies to entities with no physical EU presence if they control or process covered personal information of EU residents.

  • US institutions with EU-based operations or significant numbers of EU residents as students - particularly those delivering distance education programs to such students within the EU - should be in the final stages of implementing GDPR-compliant practices now.

Also, a good checklist is offered here: https://www.ngdata.com/wp-content/uploads/2018/01/GDPR-Compliance-Checklist.pdf

I hope you find this helpful,

Lisa Fusco



------------------------------
Lisa Fusco
Ms.
French American School of NY
Mamaroneck NY
(914) 250-0500
------------------------------



3.  RE: GDPR for US Schools

Posted 12 days ago





4.  RE: GDPR for US Schools

Posted 12 days ago

All,

Here are some great resources on GDPR and how it impacts schools:

http://www.centerdigitaled.com/higher-ed/what-does-the-gdpr-mean-for-education-privacy-in-the-us.html

https://gdpr.report/news/2017/12/05/can-schools-ensure-gpdr-compliant/

https://www.ctschoollaw.com/2017/12/is-your-institution-ready-for-gdpr/

http://dataprotectionschools.ie/Document-Library/GDPR-12-Steps.pdf

http://dataprotectionschools.ie/Document-Library/GDPR-Action-Plan.pdf

Please feel free to let me know if you have any questions,

Warm Regards,

Ryan Cloutier
Principal Security Architect / Principal Enterprise Architect, CISSP®
TIES
651-999-6006
Ext 6822
ryan.cloutier@ties.k12.mn.us
www.ties.k12.mn.us






------------------------------
Ryan Cloutier TIES
Principal Security Architect / Principal Enterprise Architect, CISSP®
TIES (MN)
St. Paul MN
(651) 999-6006
------------------------------



6.  RE: GDPR for US Schools

Posted 12 days ago
Here is an article from the Center for Digital Education on the subject, with an excerpt below. The following notes are my thoughts and understanding. If you are concerned about a specific case in your district, you may want to reach out to your legal counsel for their interpretation and case study reference.

Unless something changes, I interpret the below to mean that K-12 schools are not subject to GDPR, unless you are offering an online class to a student that physically resides in the EU.

The concept of data location vs. jurisdiction of law is what causes difficulty with FERPA and data housed outside the US. GDPR is directed at both the location of the individual and the location of the data. For GDPR, note that the requirements are for where the data subject resides. The exchange student (or one on a visa) physically resides in the US, therefore US laws apply (FERPA) and not GDPR. That said, I could see this becoming an issue if the GDPR expands to citizens instead of just residents. When/if that happens, we will see the world of data security change a great deal, as EU citizens reside in every country, so all systems in the world would have to be compliant.

I hope this helps!



What Does the GDPR Mean for Education?

Institutions of higher education will likely be more impacted than K-12, but that's not to say that districts couldn't ever engage with the EU and be subject to the newly updated law.

The GDPR makes clear that residents of the EU should not be denied any privacy protection regardless of where a business is physically located. This is big for anyone who has a website that solicits business globally, and also has implications for research. As higher education institutions look to do global studies, they must ensure that all practices are in compliance with the GDPR.

According to Educause, "The GDPR will most likely apply to U.S.-based organizations due to the broad language contained in the GDPR that focuses on where the data subject resides rather than where the organization is incorporated."

The consent piece is also something universities that plan to conduct work on subjects residing in the EU must consider. Often, privacy wrap agreements are a boiler-plate used no matter where the user is engaging with a product. If a product or service is being used or subscribed to in the EU, a university must ensure that all the legalese is changed to common terms the user can easily understand.




Melissa Tebbenkamp, CETL | Director of Instructional Technology | Raytown Quality Schools

Raytown Schools Education & Conference Center | 10750 E. 350 Hwy | Raytown, MO 64138

O: 816-268-7122 | F: 816-268-7129 | melissa.tebbenkamp@raytownschools.org


Expect the Exceptional







7.  RE: GDPR for US Schools

Posted 10 days ago
Hi all,

One key point of GDPR that I missed initially is that it's applicable to EU "residents", so offering an online course to an EU citizen would be an area where I assume you'd have to comply. On the other hand, anyone attending your school who is an EU citizen but not actually living in the EU at the time isn't subject to GDPR.

Here are some grey areas though.  One problem area for me is where we have student exchange programs.  We keep data on EU citizens in this case, but where do they "reside" while they're with us?  In the EU, or not?  You could probably make an argument for either.  We retain their information after they leave and return to the EU.  At this point they're definitely a resident of the EU, but I guess we're no longer providing a service so maybe we're off the hook then?

Cheers,
Hal.

------------------------------
Hal Douglas
IT Manager
MITIE-Tasmania
------------------------------



8.  RE: GDPR for US Schools

Posted 8 days ago

To add to the mix, here are some helpful resources:

1. https://www.eugdpr.org/ - Not an official source, but a place where you can find easy access to a copy of the regulation.

2. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ - The UK Information Commissioner's Office.  One of the first authorities to issue guidance on the GDPR, and still the most comprehensive and, perhaps most importantly, the most accurate. They also have some decent, if high level self-assessment tools.

As a reminder, GDPR applies to processing of personal data of data subjects (aka people) who are in the EU, regardless of where the processing takes place.  "Personal data" is defined quite broadly, as "information relating to an identified or identifiable natural person ("data subject")."

If you haven't started your GDPR preparations yet, here are my tips for all organizations at this stage.



------------------------------
Linnette Attai
Project Director, CoSN Protecting Privacy in Connected Learning Initiative and Trusted Learning Environment Program
Author, "Student Data Privacy: Building a School Compliance Program"
President, PlayWell, LLC
LAttai@cosn.org
Linnette@PlayWell-LLC.com
(917) 485-0353
------------------------------



9.  RE: GDPR for US Schools

Posted 6 days ago

For school districts that have nothing to do with GDPR or the EU, are we going to have to worry about it in the future?

Every now and then individuals DO visit our website or YouTube channel, but that is a different item, isn't it?


Glenn Wehe

Technology Coordinator

Evergreen School District #50

Kalispell, Montana 59901

406.751.1111 district offices

406.751.1129 direct

406.752.2307 fax

Email: gwehe@evergreensd50.com







10.  RE: GDPR for US Schools

Posted 6 days ago
Correct.  Just because you have a website available to people in the EU doesn't automatically trigger GDPR requirements.  GDPR applies to those outside of the EU when you are processing personal data of data subjects who are in the EU, where the processing is related to offering goods or services (even without payment), or monitoring their behavior (such as online tracking).

------------------------------
Linnette Attai
Project Director, CoSN Protecting Privacy in Connected Learning Initiative and Trusted Learning Environment Program
Author, "Student Data Privacy: Building a School Compliance Program"
President, PlayWell, LLC
LAttai@cosn.org
Linnette@PlayWell-LLC.com
(917) 485-0353
------------------------------



11.  RE: GDPR for US Schools

Posted 5 days ago
I'm curious about jurisdiction of GDPR. I can understand the EU's ability to fine organizations that are either headquartered or have a physical presence there. How will a foreign government have the ability to levy fines for non-compliance outside of its jurisdiction? If there are any legal precedents for this, please share.




------------------------------
Josh Hale
Director of Infrastructure Technology
Center Grove Community School Corporation
------------------------------



12.  RE: GDPR for US Schools

Posted 4 days ago
At the core, EU regulators are concerned with ensuring that data subjects in the EU have strong protections around their personal data, and that rules are in place to ensure that the data remains protected in accordance with those requirements wherever the data goes.  To boil it down simply:  EU provides certain protections to data subjects in the EU.  EU regulators are now ensuring that if you want to take personal data out of the EU, it remains subject to EU law.  Otherwise, the data must stay in the EU.  They are putting requirements on your collection and use of their individuals' data.


------------------------------
Linnette Attai
Project Director, CoSN Protecting Privacy in Connected Learning Initiative and Trusted Learning Environment Program
Author, "Student Data Privacy: Building a School Compliance Program"
President, PlayWell, LLC
LAttai@cosn.org
Linnette@PlayWell-LLC.com
(917) 485-0353
------------------------------



13.  RE: GDPR for US Schools

Posted 4 days ago

Hi Josh,

The bad news is yes, it looks like US K-12 schools would be in scope; the good news is no one is completely clear on how it would be enforced.

But for all intents and purposes it is a global law, so it could be enforced under international law precedent (the article I included speaks to that in some depth).

This may help to clarify: I have included an excerpt from the article; the link to the full article is below.

Hopefully this information is helpful in answering your question.

(Think exchange students, dual-citizen employees and contractors when thinking about the scope for K-12.)

Applicability: Does the GDPR Apply to You?

Under the GDPR, jurisdiction is less related to the location where a business is incorporated or headquartered and more to the scope and location of business activity. The GDPR will apply to the processing of personal data by businesses "established" within the EU. More controversially, it also will apply to businesses outside the EU if their data processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals' behavior. This latter provision expands the territorial scope of the GDPR well beyond the EU, essentially making it global law.

1. Article 3(1): "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

https://www.wileyrein.com/newsroom-newsletters-item-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3.html

Thanks,

Ryan Cloutier
Principal Security Architect / Principal Enterprise Architect, CISSP®
TIES
651-999-6006
Ext 6822
ryan.cloutier@ties.k12.mn.us
www.ties.k12.mn.us






14.  RE: GDPR for US Schools

Posted 3 days ago
Josh,
Here's another article that, while addressing a specific requirement of GDPR, also touches on the question of enforcement in the US: https://iapp.org/news/a/is-article-27-the-gdprs-hidden-obligation/

Linnette

------------------------------
Linnette Attai
Project Director, CoSN Protecting Privacy in Connected Learning Initiative and Trusted Learning Environment Program
Author, "Student Data Privacy: Building a School Compliance Program"
President, PlayWell, LLC
LAttai@cosn.org
Linnette@PlayWell-LLC.com
(917) 485-0353
------------------------------