Topic Thread


GDPR for US Schools

  • 1.  GDPR for US Schools

    Posted 05-07-2018 09:03

    I am having a hard time finding any definitive answers about how or if GDPR will affect United States School Districts, and I'm hoping this group can shed some light on the matter.


    My understanding is that any business that is in the European Union, or that does business with the EU, will need to ensure its compliance with GDPR.  Although we do not do business with the EU, it is possible that we have students who have EU citizenship, whether they are exchange students or living over here on a visa.  Can somebody please let me know your understanding of what US school districts need to do (if anything) to ensure compliance with GDPR?



    ------------------------------
    James Costello
    Security Specialist
    Cypress-Fairbanks ISD
    ------------------------------


  • 2.  RE: GDPR for US Schools

    Posted 05-08-2018 06:15

    Hi,

    "The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location."  I take this to mean that if my school provides its service to citizens of the EU and we collect data about these citizens we must comply with the rules of GDPR.  EU GDPR Information Portal

    The basic practices listed here are good practices for data security generally. There was a nice summary on Educause:

    Key Takeaways
    • The European Union set an effective date of May 25, 2018, for the General Data Protection Regulation, which replaces its Data Protection Directive of 1995 and significantly expands personal privacy rights for EU residents.

    • Not only is the GDPR more enforceable compared to the DPD, it applies to entities with no physical EU presence if they control or process covered personal information of EU residents.

    • US institutions with EU-based operations or significant numbers of EU residents as students - particularly those delivering distance education programs to such students within the EU - should be in the final stages of implementing GDPR-compliant practices now.

    Also, a good checklist is offered here: https://www.ngdata.com/wp-content/uploads/2018/01/GDPR-Compliance-Checklist.pdf

    I hope you find this helpful,

    Lisa Fusco



    ------------------------------
    Lisa Fusco
    Ms.
    French American School of NY
    Mamaroneck NY
    (914) 250-0500
    ------------------------------



  • 3.  RE: GDPR for US Schools

    Posted 05-08-2018 06:34





  • 4.  RE: GDPR for US Schools

    Posted 05-08-2018 11:36

    All,

    Here are some great resources on GDPR and how it impacts schools:

    http://www.centerdigitaled.com/higher-ed/what-does-the-gdpr-mean-for-education-privacy-in-the-us.html

    https://gdpr.report/news/2017/12/05/can-schools-ensure-gpdr-compliant/

    https://www.ctschoollaw.com/2017/12/is-your-institution-ready-for-gdpr/

    http://dataprotectionschools.ie/Document-Library/GDPR-12-Steps.pdf

    http://dataprotectionschools.ie/Document-Library/GDPR-Action-Plan.pdf

    Please feel free to let me know if you have any questions,

    Warm Regards,

    Ryan Cloutier

    Principal Security Architect / Principal Enterprise Architect, CISSP®

    TIES

    651-999-6006

    Ext 6822

    ryan.cloutier@ties.k12.mn.us

    www.ties.k12.mn.us








  • 6.  RE: GDPR for US Schools

    Posted 05-08-2018 11:49
    Here is an article from the Center for Digital Education on the subject, with an excerpt below.  The following notes are my thoughts and understanding.  If you are concerned about a specific case in your district, you may want to reach out to your legal counsel for their interpretation and case study reference.

    Unless something changes, I interpret the below to mean that K-12 schools are not subject to GDPR, unless you are offering an online class to a student that physically resides in the EU.  

    The concept of data location vs. jurisdiction of law is what causes difficulty with FERPA and data housed outside the US.  GDPR is directed at both the location of the individual and the location of the data.  For GDPR, note that the requirements are for where the data subject resides.  The exchange student (or one on a visa) physically resides in the US, therefore US laws apply (FERPA) and not GDPR.   That said, I could see this becoming an issue if the GDPR expands to citizens instead of just residents.  When/if that happens, we will see the world of data security change a great deal, as EU citizens reside in every country, so all systems in the world would have to be compliant.

    I hope this helps!



    What Does the GDPR Mean for Education?

    Institutions of higher education will likely be more impacted than K-12, but that's not to say that districts couldn't ever engage with the EU and be subject to the newly updated law.

    The GDPR makes clear that residents of the EU should not be denied any privacy protection regardless of where a business is physically located. This is big for anyone who has a website that solicits business globally, and also has implications for research. As higher education institutions look to do global studies, they must ensure that all practices are in compliance with the GDPR.

    According to Educause, "The GDPR will most likely apply to U.S.-based organizations due to the broad language contained in the GDPR that focuses on where the data subject resides rather than where the organization is incorporated."

    The consent piece is also something universities that plan to conduct work on subjects residing in the EU must consider. Often, privacy wrap agreements are a boiler-plate used no matter where the user is engaging with a product. If a product or service is being used or subscribed to in the EU, a university must ensure that all the legalese is changed to common terms the user can easily understand.




    Melissa Tebbenkamp, CETL | Director of Instructional Technology | Raytown Quality Schools

    Raytown Schools Education & Conference Center | 10750 E. 350 Hwy | Raytown, MO 64138

    O: 816-268-7122 | F: 816-268-7129 | melissa.tebbenkamp@raytownschools.org








  • 7.  RE: GDPR for US Schools

    Posted 05-10-2018 23:36
    Hi all,

    One key point of GDPR that I missed initially is that it's applicable to EU "residents", so offering an online course to an EU citizen would be an area where I assume you'd have to comply.  On the other hand, anyone attending your school who is an EU citizen but not actually living in the EU at the time isn't subject to GDPR.

    Here are some grey areas though.  One problem area for me is where we have student exchange programs.  We keep data on EU citizens in this case, but where do they "reside" while they're with us?  In the EU, or not?  You could probably make an argument for either.  We retain their information after they leave and return to the EU.  At this point they're definitely a resident of the EU, but I guess we're no longer providing a service so maybe we're off the hook then?

    Cheers,
    Hal.

    ------------------------------
    Hal Douglas
    IT Manager
    MITIE-Tasmania
    ------------------------------



  • 8.  RE: GDPR for US Schools

    Posted 05-12-2018 15:39

    To add to the mix, here are some helpful resources:

    1. https://www.eugdpr.org/ - Not an official source, but a place where you can find easy access to a copy of the regulation.

    2. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ - The UK Information Commissioner's Office.  One of the first authorities to issue guidance on the GDPR, and still the most comprehensive and, perhaps most importantly, the most accurate. They also have some decent, if high level self-assessment tools.

    As a reminder, GDPR applies to processing of personal data of data subjects (aka people) who are in the EU, regardless of where the processing takes place.  "Personal data" is defined quite broadly, as "information relating to an identified or identifiable natural person ("data subject")."

    If you haven't started your GDPR preparations yet, here are my tips for all organizations at this stage.



    ------------------------------
    Linnette Attai
    Project Director, CoSN Protecting Privacy in Connected Learning Initiative and Trusted Learning Environment Program
    Author, "Student Data Privacy: Building a School Compliance Program"
    President, PlayWell, LLC
    LAttai@cosn.org
    Linnette@PlayWell-LLC.com
    (917) 485-0353
    ------------------------------



  • 9.  RE: GDPR for US Schools

    Posted 05-14-2018 09:57

    For school districts that have nothing to do with GDPR or the EU, are we going to have to worry about it in the future?

    Every now and then individuals DO visit our website or youtube channel, but that is a different item isn't it?


    Glenn Wehe

    Technology Coordinator

    Evergreen School District #50

    Kalispell, Montana 59901

    406.751.1111 district offices

    406.751.1129 direct

    406.752.2307 fax

    Email: gwehe@evergreensd50.com







  • 10.  RE: GDPR for US Schools

    Posted 05-14-2018 15:55
    Correct.  Just because you have a website available to people in the EU doesn't automatically trigger GDPR requirements.  GDPR applies to those outside of the EU when you are processing personal data of data subjects who are in the EU, where the processing is related to offering goods or services (even without payment), or monitoring their behavior (such as online tracking).

    ------------------------------
    Linnette Attai
    Project Director, CoSN Protecting Privacy in Connected Learning Initiative and Trusted Learning Environment Program
    Author, "Student Data Privacy: Building a School Compliance Program"
    President, PlayWell, LLC
    LAttai@cosn.org
    Linnette@PlayWell-LLC.com
    (917) 485-0353
    ------------------------------



  • 11.  RE: GDPR for US Schools

    Posted 05-15-2018 16:39
    I'm curious about jurisdiction of GDPR.  I can understand the EU's ability to fine organizations that are either headquartered or have a physical presence there.  How will a foreign government have the ability to levy fines for non-compliance outside of its jurisdiction?  If there are any legal precedents for this, please share.




    ------------------------------
    Josh Hale
    Director of Infrastructure Technology
    Center Grove Community School Corporation
    ------------------------------



  • 12.  RE: GDPR for US Schools

    Posted 05-16-2018 09:40
    At the core, EU regulators are concerned with ensuring that data subjects in the EU have strong protections around their personal data, and that rules are in place to ensure that the data remains protected in accordance with those requirements wherever the data goes.  To boil it down simply:  EU provides certain protections to data subjects in the EU.  EU regulators are now ensuring that if you want to take personal data out of the EU, it remains subject to EU law.  Otherwise, the data must stay in the EU.  They are putting requirements on your collection and use of their individuals' data.


    ------------------------------
    Linnette Attai
    Project Director, CoSN Protecting Privacy in Connected Learning Initiative and Trusted Learning Environment Program
    Author, "Student Data Privacy: Building a School Compliance Program"
    President, PlayWell, LLC
    LAttai@cosn.org
    Linnette@PlayWell-LLC.com
    (917) 485-0353
    ------------------------------



  • 13.  RE: GDPR for US Schools

    Posted 05-16-2018 16:43

    Hi Josh,

    The bad news is yes, it looks like US K-12 schools would be in scope; the good news is no one is completely clear on how it would be enforced.

    But for all intents and purposes it's a global law, so it could be enforced under international law precedent (the article I included speaks to that in some depth).

    This may help to clarify. I have included an excerpt from the article and the link to the full article below.

    Hopefully this information is helpful in answering your question,

    (Think exchange students, dual citizen employees and contractors when thinking about the scope for K-12)

    Applicability: Does the GDPR Apply to You?

    Under the GDPR, jurisdiction is less related to the location where a business is incorporated or headquartered and more to the scope and location of business activity.  The GDPR will apply to the processing of personal data by businesses "established" within the EU. More controversially, it also will apply to businesses outside the EU if their data processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals' behavior. This latter provision expands the territorial scope of the GDPR well beyond the EU, essentially making it global law.

    1. Article 3(1): "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."

    https://www.wileyrein.com/newsroom-newsletters-item-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3.html

    Thanks,

    Ryan Cloutier

    Principal Security Architect / Principal Enterprise Architect, CISSP®

    TIES

    651-999-6006

    Ext 6822

    ryan.cloutier@ties.k12.mn.us

    www.ties.k12.mn.us






  • 14.  RE: GDPR for US Schools

    Posted 05-17-2018 10:10
    Josh,
    Here's another article that - while addressing a specific requirement of GDPR - also touches on the question of enforcement in the US:  https://iapp.org/news/a/is-article-27-the-gdprs-hidden-obligation/

    Linnette

    ------------------------------
    Linnette Attai
    Project Director, CoSN Protecting Privacy in Connected Learning Initiative and Trusted Learning Environment Program
    Author, "Student Data Privacy: Building a School Compliance Program"
    President, PlayWell, LLC
    LAttai@cosn.org
    Linnette@PlayWell-LLC.com
    (917) 485-0353
    ------------------------------