by mguhlin

FERPA This, GoogleApps!

EdTech

Doug Johnson (Blue Skunk Blog) wrote a wonderful article—Computing in the Clouds—using GoogleApps in Education, then followed up with a blog post about a reader comment in Learning and Leading with Technology magazine.

In that blog post, he makes the following point after responding specifically to some assertions in the reader’s comment:

Unreasonable fears should not be an impediment to any technology adoption. Some risk, considered and acceptable, is a part of any change.

Deal with it.

But that’s the problem, isn’t it? These are not fears but the due diligence of a school district tasked with caring for children, as if they were the parent, during the time they have them available. As such, school districts have to ask questions that—to the best of my knowledge—GoogleApps for Education has FAILED to definitively answer in public.

You see, it doesn’t matter that GoogleApps for Education says to those who ARE using it. We don’t have access to that. Public school districts who are not shirking their duty—as perhaps those who run to embrace the elusive mist of the cloud without giving due diligence to these issues—will ask questions like this one. What am I referring to? The FERPA question I raised in an earlier blog entry on behalf of Robert Alford.

Robert Alford (blog) recently asked presented a fascinating question that gets at implementation issues that I suspect districts that just “jumped” into GoogleApps for Education haven’t really thought through:

Question regarding staff members/school districts use of Google docs. What is your district’s stance regarding teachers/schools use of Google docs? Would signing up for a Google Apps for Education account and activating the SSL capabilities meet with FERPA laws?

An example: A teacher using Google forms/spreadsheet to keep track of parent contacts made and items discussed. Using Google docs the school’s administrative staff could have access to the information as the teacher complies the data. BUT because we are not in a contractual agreement with Google (as opposed to Fitness Gram or TMSDS) would this violate FERPA law?

So…until GoogleApps for Education comes out with an official policy statement for K-12 schools, a District’s response should be, “What’s out there just isn’t substantial enough.”

On a related note, some Googling of FERPA and GoogleApps for Education yielded the following inconclusive results:

IMPORTANT DISCLAIMER: By subscribing to a Gmail (SouthSeattle.edu Google Apps) account, you acknowledge that Google is not acting on behalf of South Seattle Community College and any e-mail transmission between you and College employees or others is subject to Google’s Gmail privacy statement on the use and disclosure of e-mail.

Source: http://www.google.com/support/forum/p/Google+Apps/thread?tid=758d3885214aecee&hl=en

Excluding students due to FERPA - Not possible

http://www.google.com/support/forum/p/Google+Apps/thread?tid=4ce5d893154c3047&hl=en

Does Gmail meet FERPA guidelines?

Google is contractually and legally responsible to protect information. Google will not share e-mail contents or personal information to outside parties.
Source: http://www.csuchico.edu/google/facultystaff.shtml#ferpa

Discussion in Mark Wagner’s blog about GoogleAPps and FERPA is mentioned in comments:
http://edtechlife.com/?p=2236

Fascinating reading…

The question of Family Educational Rights and Privacy Act (FERPA) compliance was raised during

most sessions. Session attendees appeared to be comfortable with the typical subsequent discussion

pointing out that FERPA compliance is more a task of user behavior rather than infrastructure, and that

the features within Google Apps allow FERPA compliance.

The most significant issue may be with the ability of Google Apps to allow compliance with The Health

Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Sessions were held at

Arizona Health Sciences Center (AHSC) as well as at the remote Phoenix Biomedical Campus (PBC).

The question of HIPAA compliance arose at both locations, although the most pointed comments were

made here in Tucson. Steven Wormsley, the head of college IT for the College of Medicine, was explicit

in expressing his doubts that Google would be HIPAA compliant, although without noting specific

issues. An attorney from the UA Office of General Counsel’s (OGC) Comstock satellite office was

present at one of the AHSC sessions. She appeared less worried about present compliance, but

informed us that the HIPAA rules would be updated as of February 2010, and might contain certain

aspects of required encryption that is not presently mandated. GIT anticipates that we would purchase

an optional but standard add-on for Google Apps, if we were to move faculty and staff into the Google

structure, that allows much more control over staff and faculty email. This add on, the Postini service,

would allow encryption of email data, as well as requirements such as ediscovery, mail rollback,

archiving, record retention, etc.

There is some precedence in regards to education and healthcare institutions determining that Google

Apps does allow HIPAA compliance. St. Louis University (SLU), a private school of approximately

13,000 students, has moved their faculty and staff to Google Apps. SLU has a comprehensive

healthcare program, including a College granting medical degrees, and running a 365-bed academic

teaching hospital. Their Compliance Office has determined that Google Apps meets HIPAA

requirements. See more at http://www.slu.edu/x22574.xml .

FERPA Issues

Google is contractually and legally responsible to protect information. A note is made that they are not obligated to be FERPA compliant — since Google itself is not required to be — but that they work with the institution to ensure their privacy needs are met. Northwestern feels that Google security is a contractual requirement that the institution must agree to (so should support their needs) and is better than what many institutions can provide.
Source: http://blog.vibrantjourney.com/2008/05/27/google-apps-for-education/


Subscribe to Around the Corner-MGuhlin.org


Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure