Independent schools hold a significant amount of data. Information regularly collected by schools includes Social Security numbers, financial aid information, student medical information, and donor information. To ensure that they are doing their due diligence to protect all such information, schools should determine whether, and to what extent, any legal obligations apply to them, and take practical measures to protect that information.
Understand What Legal Obligations May Apply
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Importantly, the law applies only to schools that receive funds under an applicable program of the U.S. Department of Education. In other words, unless an independent school receives federal financial assistance from a Department of Education program, it is not covered by FERPA.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information. HIPAA's rules apply to "Covered Entities," which are limited to healthcare providers that electronically transmit health information in connection with certain transactions; health plans, including employer-provided group health plans that provide for or pay for medical care; and healthcare clearinghouses that convert health information from a standard HIPAA format to a nonstandard format, or vice versa. Most of HIPAA's rules also apply to "Business Associates," which encompass a Covered Entity's contractors or vendors that use or disclose individually identifiable health information in the course of providing services to the Covered Entity.
Notably, most independent schools are not considered to be Covered Entities. Maintaining records with employee or student health information, such as documentation regarding an employee's need for medical leave or a student's vaccination status, does not make an independent school a Covered Entity. Offering health insurance or any other type of group health plan does not make an independent school a Covered Entity either, because the school is considered a legal entity separate from the health plan itself. Still, health information is considered private information and should be treated with confidentiality.
Consumer Data Privacy Laws
Generally speaking, consumer data privacy laws govern the permissions under which organizations collect and share personal data and give individuals rights to control their data. While there is no singular, comprehensive data privacy law in the United States, certain states have enacted their own consumer data privacy laws, with others seeking to implement such laws. In addition, the European Union has a comprehensive data privacy law, the General Data Protection Regulation (GDPR), which protects data belonging to EU citizens and residents. Independent schools may be covered by the GDPR, depending on the extent to which they "offer goods and services" to EU citizens and residents (i.e., solicit students who live in the EU).
Independent schools would be wise to ensure that they understand whether their operations are governed by such laws and, if so, the policies and procedures they will need to implement.
In addition to understanding what legal obligations may apply, schools may want to consider doing the following to ensure they are protecting student privacy and data:
Conduct a Privacy Assessment
A privacy assessment can be used to determine what kinds of data the school maintains, where it is stored, and where there may be risks that such data could be subject to breach or misuse. Importantly, the assessment can also be used to identify areas where privacy and data security can be improved.
Implement (and Periodically Revisit) Privacy Policies
Schools may want to implement privacy policies that explain how school community data is collected and used, as well as the manner in which schools will respond to a privacy or data breach.
Periodically conduct training, not only on the school's privacy policies themselves, but also on general best practices for protecting the school's sensitive and confidential information, including student and employee information. For example, ensure that faculty understand how to identify suspicious emails and that students understand the importance of protecting any passwords they have for educational applications.