Given the continuing increase in the use of electronic communications (e.g., texting, email, instant messaging, video chatting, Instagram, Facebook, Twitter), it is not surprising that families and Part C and Part B 619 providers are also using these technologies to communicate and share program information. State data governance policies can minimize the risks introduced by electronic communications by addressing their use. State policies can require implementation statewide, require local programs or agencies to develop and implement consistent policies and procedures, or require a combination of these two options. This section contains topical information, a packet with a considerations worksheet and a policy template, and an option to request technical assistance.
The Privacy and Technical Assistance Center (PTAC) of the U.S. Department of Education lists use of mobile devices as one of the top threats to data protection because it introduces the risk of unintended disclosure of personally identifiable information (PII). Use of mobile devices, such as laptops or handheld devices, including smartphones, is commonplace. However, the ability to secure them is lagging behind. The situation is complicated by the fact that these devices are often used to conduct work outside the organization’s regular network security boundaries. Data breaches can occur in a number of ways: devices may be lost or stolen, or their security may be compromised by malicious code and/or downloaded applications invading the operating system and other applications (Privacy Technical Assistance Center, Data Security: Top Threats to Data Protection, 2015). Security measures should be addressed through the development and implementation of data governance policies.
Some federal policy clarification already exists about the use of electronic mail (email). (PTAC developed a helpful video about sharing PII via email.) The Individuals with Disabilities Education Act (IDEA) Part B regulations at 34 CFR 300.505 permit the use of email to provide procedural safeguard notices to parents under certain circumstances as long as the parent and the agency agree. The use of email is further clarified in the policy guidance from the Office of Special Education Programs (OSEP) related to Part B of IDEA, which indicates that parents may elect to receive written notices, procedural safeguards notices, and due process complaint notices by email if a school district makes that option available. This guidance is located in the Frequently Asked Questions on Confidentiality Requirements issued in October 2016.
The OSEP guidance above specifically relates to Part B of IDEA. A reasonable best practice would be to apply these principles to Part C because the relevant procedural safeguards and confidentiality requirements are consistent across Part B and Part C of IDEA.
PTAC recommends additional security processes to protect all electronic PII. It recommends that PII be encrypted on all mobile devices storing sensitive information. Further, PTAC states the best protection is to implement a strict mobile device usage policy and monitor networks for malicious activity. Encryption, usage policy, and network monitoring should be included in data governance policies on electronic communications. In addition, the use of personal devices increases risk, as policies and monitoring of personally owned devices may not apply or will be difficult to enforce. Note that the most substantial risk to mobile devices occurs with downloaded applications. Many of those applications have terms and conditions that “allow the application to read, share, or modify any contents of your mobile device without your knowledge.”
A key consideration in developing policies related to electronic communication is to be sure parent identity is authenticated. The Family Educational Rights and Privacy Act (FERPA) regulations require Part C and Part B 619 programs to use reasonable methods to identify and authenticate the identity of parents, children, school officials, providers, and other parties before disclosing or permitting access to PII (34 CFR 99.31(c)). These requirements must be addressed in data governance policies. As technology and data security standards change, policies and procedures should be reviewed and updated to ensure reasonable governance for and methods to authenticate the identity of all parties before disclosing PII.
In general, electronic PII on an individual child and family that is collected, maintained, or used to meet requirements under Part C or Part B of IDEA would be considered part of an education or EI record. Although Part C and Part B regulations do not specifically reference electronic files, the FERPA regulations at 34 CFR 99.3 that apply to IDEA define a “record” as “any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.” This definition would also include digital photos, videos, text messages, and emails that meet the definition of an education record.