Given the continuing increase in the use of electronic communications (e.g., texting, email, instant messaging, video chatting, Instagram, Facebook, Twitter), it is not surprising that families and Part C and Part B 619 providers use these technologies to communicate and share program information. However, use of these forms of communication introduces the risk of unintended disclosure of personally identifiable information (PII). State data governance policies can minimize this risk by addressing the use of electronic communications. State policies can require implementation statewide, require local programs/agencies to develop and implement consistent policies and procedures, or require a combination of these two options.
The Privacy and Technical Assistance Center (PTAC) of the U.S. Department of Education lists use of mobile devices as one of the top threats to data protection.
Use of mobile devices, such as laptops or handheld devices, including smartphones, is exploding. However, the ability to secure them is lagging behind. The situation is complicated by the fact that these devices are often used to conduct work outside the organization’s regular network security boundaries. Data breaches can occur in a number of ways: devices can be lost, stolen, or their security can be compromised by malicious code and/or downloaded applications invading the operating system and other applications. — Privacy Technical Assistance Center, Data Security: Top Threats to Data Protection (2011)
Some federal policy clarification already exists about the use of electronic mail (email). The Individuals with Disabilities Education Act (IDEA) Part B regulations at 34 CFR 300.505 permit the use of email to provide procedural safeguard notices to parents under certain circumstances as long as the parent and the agency agree. The use of email is further clarified in the policy guidance from the Office of Special Education Programs (OSEP) related to Part B of IDEA, which indicates that parents may elect to receive written notices, procedural safeguards notices, and due process complaint notices by email if a school district makes that option available. This guidance is located in the “Frequently Asked Questions on Confidentiality Requirements” issued in October 2016.
Additionally, according to this OSEP guidance,
email communications are permitted for providing parents copies of their child’s IEP and progress reports if a public agency has implemented the following security procedures when delivering such information via electronic mail: the district obtains prior signed permission from the parents; the parents provide the address of their confidential email account; a secure password is used to access documents; and the parents may request hard copies at any time and/or refuse the electronic mail option.
The OSEP guidance above specifically relates to Part B of IDEA. A reasonable best practice would be to apply these principles to Part C because the relevant procedural safeguards and confidentiality requirements are consistent across Part B and Part C of IDEA.
PTAC recommends additional security processes to protect all electronic PII. It recommends that PII be encrypted on all mobile devices storing sensitive information. Further, PTAC states the best protection is to implement a strict mobile device usage policy and monitor networks for malicious activity. Encryption, usage policy, and network monitoring should be included in data governance policies on electronic communications. In addition, it is important to remember that the use of personal devices increases risk, as policies and monitoring may not apply to personally owned devices or will be difficult to enforce. Note that the most substantial risk to mobile devices occurs with downloaded applications. Many of those applications have terms that you must agree to that “allow the application to read, share, or modify any contents of your mobile device without your knowledge.”
“Authentication of identity” means ensuring that the recipient of education records or the party who receives or transmits students’ records is in fact the authorized or intended recipient or sender. Authentication is the process by which an educational agency or institution establishes the appropriate level of identity authentication assurance or confidence in the identity of the person or entity requesting access to the records. This assurance is established through the use of a variety of vetting methodologies, which employ so-called “authentication factors,” individually or in concert, to raise the level of confidence that the party being granted access is the person or entity it claims to be.
A key consideration in developing policies related to electronic communication is to be sure parent identity is authenticated. The Family Educational Rights and Privacy Act (FERPA) regulations require Part C and Part B 619 programs to use reasonable methods to identify and authenticate the identity of parents, children, school officials, providers, and other parties before disclosing or permitting access to PII (34 CFR 99.31(c)). These requirements must be addressed in data governance policies. As technology and data security standards change, policies and procedures should be reviewed and updated to ensure reasonable governance for and methods to authenticate the identity of all parties before disclosing PII.
Data governance policies must also support procedures that address what information is included as part of the child’s early intervention or education record. Such information will then be subject to other data governance policies. In general, electronic PII on an individual child and their family collected, maintained, or used to meet requirements under Part C or Part B of IDEA would be considered part of an education or early intervention record. Although Part C and Part B regulations do not specifically reference electronic files, the FERPA regulations at 34 CFR 99.3 that apply to IDEA define a “record” as “any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.” This definition would include digital photos, videos, text messages, and emails as long as they meet the definition of a record under FERPA.
Further, Part C and Part B 619 programs do not operate independently of the state agency in which they are housed. Thus, the structure of any data governance already within an agency is of particular importance. After first taking into consideration all relevant federal requirements, Part C and Part B 619 programs should review any policies regarding electronic communications developed by the agency in which their program resides. Existing policies might need to be updated with specific references or provisions related to Part C or Part B 619, in which case the considerations and the template below may be helpful in proposing language for this purpose.
Where no policy on electronic communications exists or a separate policy related to Part C or Part B 619 is needed, the template following the Considerations section is fully editable and prepopulated with language to expedite writing new electronic communication policies.
Considerations for an Electronic Communication Policy
Use the questions below to discuss the components of a comprehensive electronic communications policy. Where appropriate, procedures and operational guidance that detail specific actions for implementing this policy should be created.
1. Electronic Communications: General Provisions
- What federal laws/regulations related to electronic communications apply to the Part C or Part B 619 program?
- Are there additional state agency policies related to electronic communication that apply to your Part C or Part B 619 program? If yes, what are they?
- What specific Part C or Part B 619 electronic communication policies or procedures, if any, exist in your state agency’s data governance policies?
- What communication methods will be covered by the term “electronic communications” (e.g., text, email, video chatting, Facebook, Instagram, Twitter)?
- How will parents elect or choose these forms of communication?
- What participating agencies will be required to follow this policy and under what mechanisms (e.g., contracts, subgrants, or interagency agreements)?
- Will the policy be specified at the state level or will local programs/agencies be required to develop and implement their own policies and procedures?
- Which role within what agency/program should be contacted with questions about this policy?
- Which role within what agency/program is responsible for ensuring adherence to this policy?
- Which role within what agency/program is responsible for monitoring adherence to this policy, and how will the monitoring be conducted?
- Which role within what agency/program is responsible for managing the implementation of this policy, including provision of training and technical assistance?
- What consequences, if any, will apply when this policy is not followed? If the policy is not followed, what procedures are in place to report this occurrence within the agency?
- How often will this policy be reviewed for necessary revisions?
- How will the public be informed about this policy? How is this policy included in your agency’s privacy statement? Where will it be posted on the state’s website?
2. Electronic Communications: Specific Provisions
- Under what circumstances can PII be communicated electronically by agency/program/vendor staff?
- What procedures are required to authenticate the recipient’s identity?
- What policies govern the use of personally owned devices (e.g., mobile, computers) for electronic communication and transference of PII?
- What policies govern the use of personally owned devices (e.g., mobile, computers) for electronic communication when PII is not being transmitted?
- What policies govern virus protection?
- Under what circumstances is encryption of electronic communication required?
- What procedures are required when a device is lost or damaged?
- Under what circumstances is the information that is communicated electronically included in the child’s early intervention or educational record?
When analyzing the privacy and confidentiality requirements for children with disabilities, it is critical to begin by examining the IDEA requirements. If you or members of your staff have questions, please contact your State Lead in the OSERS Office of Special Education Programs’ (OSEP) Monitoring and State Improvement Planning Division.
- Privacy Technical Assistance Center, Data Security: Top Threats to Data Protection (Updated June 2015)
- Identity Authentication Best Practices (Updated July 2015)
- Understanding the Confidentiality Requirements Applicable to IDEA Early Childhood Programs Frequently Asked Questions (2016)
Electronic Communication Policy Template
Use, and modify as needed, the template linked below for developing an electronic communications policy. Select the highlighted text and replace with your state/program information. We recommend that you consult with relevant staff and stakeholders when developing these policies. Upon completing the template, be sure to follow your state’s processes for finalizing and enacting policy.
Download Template for Electronic Communications