Jenner & Block

Educational Privacy

Jenner & Block’s Privacy and Information Governance Practice has the depth of expertise to help education clients develop, implement, and strengthen privacy and cybersecurity programs. Practice members draw on their education sector, in-house, and operational experience to advise clients on navigating the unique challenges facing those who use, access, collect, process, store and share student data and records. We support clients who work in or with K-12 school districts, charter schools, colleges and universities, and research and education networks. We help facilitate discussions and projects among in-house attorneys, regulators, compliance officials, privacy professionals, and technologists.

The education sector faces multiple privacy, information governance, and cybersecurity challenges. Schools are subject to federal and state data privacy and protection laws, due to the personal information required for traditional business functions such as payroll and benefits administration. In addition, many other laws and regulations govern the type of data and information handled by the education sector. The Family Education Rights and Privacy Act (FERPA) places restrictions on the disclosure of education records. Scholarly scientific and medical research is subject to a bevy of federal regulations on data privacy and security, often imposed by the funding source. Institutional counseling centers and services may be under the purview of local mental health data protection laws.

The landscape is constantly shifting. State legislatures are enacting new (often conflicting) laws in an effort to provide greater privacy protections for student and education data. These laws have expanded their scope to not only cover the schools or districts themselves, but also vendors who provide related applications and services.

We partner with a diverse range of stakeholders at education sector client organizations, including technologists, audit, risk and compliance officers to review existing privacy and cybersecurity practices and infrastructure to ensure they are aligned with current laws, regulations, policies, and industry best practices. We design a tailored approach to help clients implement sustainable privacy and data security protective programs and practices, mitigating information-related risk.

We offer a variety of services, including the following:

  • Developing Privacy ProgramsMany organizations do not have the time, resources, or expertise to develop a comprehensive privacy program. We can provide draft policies, templates, and resources to assist in creating and implementing programs of any size. Programs can be high level, focusing just on policies and procedures or provide more detailed assistance into how your organization may address complex privacy and cybersecurity issues including the appropriate selection and use of mobile applications for teaching and learning, adoption of cloud service providers, establishing a vendor review and selection process, implementing a Privacy Impact Assessment procedure, or establishing a BYOD program for employees, faculty, and staff.
  • Incident Response PlansWhen organizational or institutional information has been inappropriately accessed or disclosed due to a cyber incident or data breach of personal information, compliance with the myriad applicable state and federal data privacy and security laws is messy. We have hands-on breach response experience in many industries. We can help determine your legal requirements, as well as industry best practices and how to address the reputational issues that follow in the aftermath.
  • Incident Response Tabletop ExercisesAlthough many organizations have incident response plans and policies, few take the time to test them. We can facilitate a pre-packaged two-hour incident response tabletop exercise. At the conclusion of the event, we will summarize areas identified for improvement.
  • Privacy and IT Policies:  Develop new policies or review and update existing policies, such as external and internal facing privacy policies, acceptable use policies, information security and information classification policies. This work is not limited to just developing the policy content, but also helping to develop a process for approval and enforcement of these policies, whether that involves working with committees, boards of directors, and diverse community populations such as teachers’ unions and faculty senates.
  • Privacy and Cybersecurity Reviews or Audits:  Working with technologists, audit, risk and compliance officers to review existing privacy and cybersecurity practices and infrastructure to ensure they are aligned with current laws, regulations, policies, and industry best practices. This includes, but is not limited to, data protection requirements, FERPA, and COPPA.
  • Information Classification and Records Management Programs:  Information governance extends beyond personal information and data elements like social security numbers. Organizations and institutions must protect the use, storage, processing, access and disclosure of many types of data, such as intellectual property, education records, and trade secrets. A strong information classification program includes: identifying the types and sensitivity of data throughout an organization, determining a realistic classification scheme and policy, developing and implementing associated data handling guidelines, and the selection and implementation of technical solutions such as data loss prevention or identity management and access controls. We have the legal and technical expertise in these areas to support the creation and execution of a robust information classification program.