90% of daily communication in school districts relies on email as the main communication channel, closely followed by unsecured instant messaging.

Email and Social Media Compliance in the Education Sector

Bojana Krstić
Jatheon Technologies Inc
May 7, 2018


Nowadays, organizations are required to adhere to email archiving compliance legislation, and educational institutions are no exception. Educational institutions, just like other organizations, increasingly rely on digital communication technologies for their day-to-day operation. From the compliance perspective, running a school is like running a business. Any breach of regulations can have serious consequences for your educational institution, including fines, penalties and reputation damage.

When it comes to enterprise data archiving and compliance, things seem to get even more complicated for K-12 schools, universities and other educational institutions. That’s largely because the line between using email, social media and instant messaging in and out of the classroom is blurrier than ever. The education industry is different from other regulated industries as there are several relations in the equation. Students are using email and social media to communicate with each other on school grounds. And so are teachers. Both groups are now using instant messaging apps to communicate among themselves and with each other. Teachers contact parents and administrative staff on social media, by texting or even on the phone. It’s messy and it’s compliance-failure heaven.

Research shows that almost 90% of daily communication in school districts relies on email as the main communication channel, closely followed by unsecured instant messages. When we know that only 20% of social media and mobile content ever gets retained (but contains a bunch of evidence and sensitive information), our compliance worries get even more real.

The Complexity of K-12 Email Compliance

Organizations now need to follow various compliance laws and strict regulations which govern how and where they should store their digital information. However, unlike other highly regulated industries, schools can fall under a number of different categories. But the story doesn’t end there. Schools, colleges and universities were the first organizations to fully and enthusiastically embrace the BYOD trend. However, there are numerous concerns regarding the security of these devices.

What follows is a list of the relevant regulations that govern retention, storage and accessibility of all digital communications in the education industry:

1. The Freedom of Information Act (FOIA) and State Sunshine Laws

According to FOIA, public schools, colleges, universities and other government agencies must make available all records, including those in the electronic format (email, IM, social media). Freedom of Information Laws (commonly known as Sunshine Laws) are state laws very similar to FOIA and entail that the school must produce the requested information.

Similar laws have been enacted worldwide. In Canada, for instance, there’s the Freedom of Information and Protection of Privacy Act (FIPPA). As schools inevitably collect a lot of personal and health information, this law makes them responsible for “ensuring compliance with all access to information and protection of privacy requirements”. Schools are required to keep complete student files and grades for 10 and 30 years, respectively.

2. Family Educational Rights and Privacy Act (FERPA)

This federal law governs the access to educational information and records and may apply to electronic communication. FERPA gives parents access to their children’s education records. After the student reaches the age of 18, their consent is mandatory before their education records can be accessed, inspected and reviewed. FERPA is applicable to all public K-12 school districts and all post-secondary institutions.

3. The Health Insurance Portability and Accountability Act (HIPAA)

Although HIPAA regulates the way healthcare workers handle protected health information and medical records, medical care is now provided on school campuses as well. Schools often provide services such as counseling, vaccination or administration of prescription drugs. This means that schools which possess sensitive health information must ensure full compliance with HIPAA.

4. Gramm-Leach-Bliley Act (GLBA)

GLBA is the federal act which regulates the security and privacy of personal financial information, so many educators believe that it is limited solely to financial institutions. However, if a school issues loans to students or personnel or provides financial counseling to donors, it may be considered a financial institution. The process is much more straightforward in higher education, as colleges and universities regularly engage in lending and providing financial advisory services. When it comes to K-12 schools, it is necessary to conduct an assessment to evaluate whether their activities fall under GLBA. Still, all schools are required to make sure that their students’ financial aid records and all other sensitive information are kept secure and confidential.

How to Ensure Compliance with Information Archiving

1. Conduct an Assessment

The first step towards full compliance is to conduct an assessment and check which specific regulations apply to you. This first stage is the most demanding and time-consuming, but it’s worth the effort. Don’t hesitate to hire a legal expert to decipher the laws and regulations for you.

2. Create Policies (and stick to them)

Make sure you have rock-solid policies and procedures. Train and educate your staff to make sure they understand your compliance and information governance program. Make sure they understand the risks and severe consequences of non-compliance. Then have them educate the students. Provide strict guidelines and enforce the policy. Define what’s acceptable on your official social media channels and assign a compliance officer to monitor and control how technology is used on school grounds.

3. Conduct Internal Audits

Regular internal audits will help you identify areas of risk and allow you to take steps to neutralize or minimize this risk before it becomes a real threat. Coordinate your various departments to improve your information governance strategy and learn to always be prepared for litigation.

4. Get a Dedicated Archiving Solution

No compliance program is complete without technology. Managing electronic information can be a demanding task, especially when you deal with somebody’s entire education history and hundreds of student records. Secure storage and easy access to such data is mandatory for all educational institutions.

Information archiving technology (i.e. compliance, governance and eDiscovery solutions) can take the form of on-premise appliances or cloud solutions that capture, store and allow you to search all of your electronic communications from a single interface. Once captured, your email, attachments, social media, text or IM exchanges are indexed, made searchable and stored in a WORM format for however long you need them (typically 7 years in order to be compliant with all relevant regulations). You can also use your archiving solution to detect and prevent cyber bullying or improper employee relationships. This can be done by specifying keywords and then searching conversations for the given keywords or getting an alert if a specific word gets used.

For more information on social media compliance in K-12 schools, read this white paper. To learn how Jatheon can help your school to ensure compliance, contact us or let us show you our solution and its key features by scheduling a personal tour.

Originally published at jatheon.com on May 7, 2018.
