To All Families, All Employees of the Delta Vision HCP, and
All Educators:

Any type of record keeping requires vigilance to assure accuracy, security and privacy. After reviewing the legal requirements of FERPA (Family Educational Rights and Privacy Act), the Paperless committee would like to assist everyone in taking advantage of the advanced security features available through electronic record keeping. We would like everyone to carefully review this document to ensure the highest levels of confidence from our learners and their families. We would like to preface this letter with an acknowledgment that we believe everyone at Vision shares the desire to provide privacy and security for our documents. In the days of paper records, there were protocols to ensure the security of student information: Documents had to be filed, cabinets and vaults needed to be locked.  Electronic information also has its own set of protocols to be followed.  We want to take every reasonable step to protect confidential student information. That is the main purpose of this letter; to help each of you to take those important steps. There are hyperlinks throughout this document. Click on them and it will take you the referred page.

Here are the areas we plan to address in this document:

1. (Link) How Google Documents helps us to ensure our compliance with the Family Educational Rights and Privacy Act (FERPA) 
2. (Link) Why using Google's servers is safer than using our own servers
3. (Link) How Google provides our data a safe haven from hacking and data loss. 
4. (Link) Why entrusting our data to a large corporation ensures the longevity of the data.
5. (Link) How Vision employees can be diligent in protecting our data and how we can improve on what is already a high level of security for the data with which we are entrusted

Item One deserves research and explanation so that everyone knows what is expected. Some of you may not know what FERPA requires. The easiest way to think of FERPA, is to compare it to another privacy act that many of us have had more experience with, and that is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Most of us have experienced the inconvenience of needing to stand ten feet back at the pharmacy or not being able to take care of some medical information for a spouse. FERPA is the educational equivalent of HIPAA. For example, learner and family information should only be shared with school personnel who directly work with that student, or who are directly responsible for confidentially managing the storage of this data. This would include test scores, weekly journals, inventories, funding, emails, and any other personal and private information about families and learners. For a detailed explanation, here are several links to websites that will help you with the law. This list includes government sites and sites for universities and school districts. Most of them are only a page or two long and should be fairly clear to those of us in this career.

• http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• http://www.nacada.ksu.edu/Resources/FERPA-Overview.htm
• http://www.nccu.edu/students/Federal%20Law.cfm
• http://www.fetaweb.com/04/ferpa.summary.htm
• http://www.hb-rights.org/5parents/ferpa

Now, to address how we, at Vision, are assisted through Google's compliance with FERPA. Google itself makes their policies regarding the privacy of our data very clear. The easiest place to get and overview of this is at the following Google page, the second link is the full privacy statement at Google: 

• http://www.google.com/intl/en/privacy_highlights.html.
• http://www.google.com/intl/en/privacypolicy.html#information

The previous two links are links regarding Google's general privacy statements, but there are more specific documents from Google which address school data. There is a Google forum page which clarifies Google's contract with its users. A reading of the entire page will provide complete assurance to the users of Google's resources. There are additional links on that page that describe the new terms of service and the description of the SAS Type II  audit performed by independent labs that Google passed.

As a committee, we feel that Google's efforts are in full compliance with the FERPA laws.

Item Two was discussed at the last Paperless Committee meeting. Most of us think in terms of the way things have been done before.  In the past, keeping your own data seemed to be the preferred way to go. In the world of data and technology, the way things were a year ago is like twenty years in the rest of the world. The following quote is from the committee's minutes: "The trend is now leaning toward companies (even large companies) outsourcing their server needs. Tech support, maintenance, and equipment costs become prohibitive. Data security is also weaker for small companies trying to keep out hackers and viruses with their own limited resources and expertise."

If you look in the address bar when you are logged on to Google Docs, you will see the URL (address) preceded by the letters https. This is the SSL or secure socket layers protocol that used by all banks, credit cards and business order sites to protect the privacy and security of data transmitted over the Internet. 

The committee concluded that it is cost prohibitive and probably less secure to maintain our own servers than to outsource our storage. We also believe that RCs should provide additional security by maintaining backup copies of data for our learners. This will be discussed in detail in item five, below.

Item Three is really a follow-up to the previous section. How do the Google servers protect us from hackers, viruses and other threats to our data? It is important to remember that the very existence of Google's company depends on the security of their data storage. If the storage fails, the company fails. They make every possible effort to safeguard and back up the data.  The following quote is from a Google Apps Admin Help page: "Locations of Google data centers are kept private and the buildings themselves are kept discrete for security. Access to data centers is very limited to only select Google employees and is controlled by strict measures at each facility."

Another quote  from a Google Apps Admin Help page explains the backup and redundancy measures taken by Google: "The application and network architecture run by Google is designed for maximum reliability and uptime. Google's computing platform assumes ongoing hardware failure, and robust software fail-over withstands this disruption. All Google systems are inherently redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation. Data is replicated multiple times across Google's clustered active servers, so, in the case of a machine failure, data will still be accessible through another system. We also replicate data to secondary data centers to ensure safety from data center failures."

In yet another quote  from the Google Apps Admin Help pages they explain their efforts at fighting viruses and spam: "Google has one of the best spam blockers in the business, and it's integrated into Google Apps. Spam is purged every 30 days. We have built in virus checking, and we enforce checking of documents before allowing a user to download any message. Most computer viruses are contained in executable files, so standard virus detectors scan messages for executable files that appear to be viruses. Google blocks viruses in the most direct possible way: by not allowing users to receive executable files (such as files ending in .exe) that could contain damaging executable code; even if they are sent in a compressed (.zip, .tar, .tgz, .taz, .z, .gz) format"

It has been brought to our attention that many secure sites such those used by banks and credit cards log out automatically after a period of inactivity. Google does not currently provide an option for this level of security. We believe that DVHCP users can provide similar security through a few simple safeguards which are described in item five, below.

The Paperless Committee is confident that these measures are far and above anything that Vision HCP could provide with its own efforts. We, along with many others, believe that Google is providing strong protection for our data.

Item Four How does keeping our data with a large, private, for profit coroporation ensure the longevity of our data? Google is a large and strong company. If the company were to fail, it would most likely be purchased by another company that would maintain their files and services. That might come with increased costs, but there would be time to migrate the data to other locations. We also believe that the ultimate responsibility for backup of data belongs with the RCs who work directly with the learners. As mentioned earlier, this will be covered in more detail in the next section.

Item Five is the most important of the these areas addressed in this document, because it involves everyone who works with student data. Google takes every precaution to protect our data but we could still leave a student's confidential information sitting around on a computer screen for the casual viewing of anyone who passes by our desks or computers. We believe that there is very little chance of our families, learners or anyone else trying to hack into and steal our data.  It is, however, very likely that a curious students who sees the data of a friend might just take a peek to see how they are doing. This would be a violation of the other student's privacy and we must make a strong effort to prevent this type of problem also. Our responsibility in this area is covered in three sections as follows:

Section 1 (Link) Maintaining and protecting your computer.
Section 2 (Link) Reasonable precautions to protect learner data.
Section 3 (Link) Backing up data

Sections one and three contain information that you have probably received before from either Nathan or Jeff, but you should probably review them again. Section 2 contains new information that you may not have seen before, so pay particular attention to it.

Maintaining and Protecting Your Computer
Nathan has set up most of the Vision computers with a set of tools to protect it from outside threats. Some of you might have your own computers or perhaps, your computer was not set up with all of these tools. Please check to see that you have them and then use them regularly.

1. AVG anti-virus software. You should have this or some form of regularly updated anti-virus software running on your machine. You can get a free version of this software  and install it if you do not have anti-virus software running on your machine. If you have another anti-virus program and wish to change to AVG, you should uninstall the other program first. To uninstall a program, go to your Control Panel and choose Programs and Features then select the program you wish to uninstall, then click the Uninstall button. You can also find this area by clicking on the start button and typing "Program" into the search box. You should see Programs and Features as one of the choices at the top.
2. You should regularly run anti-spyware and anti-adware programs. There are two that are regularly recommended, Spybot Search and Destroy and Ad-Aware. Both of these programs are free, but be careful to get the free versions and not something else. Here are links to the download sites for these programs: Ad-Aware  and Spybot. You should know that if you have both of these programs installed, you will get a warning of possible conflicts when Spybot runs. Just ignore that warning and continue on, it seems to work ok anyway.
3. In addition to these two tools, you should regularly clean your hard drive. This is very easy to do. Open your Computer or My Computer by double-clicking on its icon. Right-click on the C: drive and choose Properties. You should see a button called Disk Cleanup, click on this button and let it run. When it finishes, you will be presented with a list of files that you could delete to cleanup your disk. You are probably safe to select all of them. If you view a lot of pictures, you may want to leave the thumbnails (it will speed up thumbnail viewing). You might also wish to leave downloaded programs, but if you delete them and need them later, they will download again.
4. Error checking your hard-drive is also something you should do at least one per month. The option to do that is in the same dialog box, but under the tools tab. When you choose to run it, you will be told that it cannot run because the drive is currently in use and you will be asked if you want to schedule it. If you say yes, then the next time you restart your computer the scan will take place. It might take quite a long time. This is a good thing to start before you go to bed at night.
5. Defragmentation of your hard-drive is also something that should be performed regularly and it is also on the tools tab along with the Error checking. It also might take all night to run.
6. This item is only for your general information.  You are not required to back up your entire computer. Backing up your computer and files is also recommended. Windows does have backup software installed, but it does not seem to work well on all machines and backup drives. There are some free versions available, but they currently seem to be very difficult to use. Even some of the software that comes with backup drives often doesn't work, especially with Windows Vista. ***There are programs that you can buy that are very easy to use and very reliable. You would want to find one that will make a complete image of your computer and also do incremental backups. It should also be able to both restore your entire machine or just one or two files. One favorite is Acronis TrueImage Home 2009, which costs about $50. There are several good programs available, so it is worth the time to review them to see which ones meet your needs. Here is a good website  to look at reviews of several software packages.  

Reasonable Precautions to Protect Learner Data

1. Have a password to log on to your computer. When you start up your computer, you should be asked for a password. It should be an easy password for you to remember, but not an easy one for others to remember or guess. There are many websites for guidelines on setting up passwords, here is a good one from Microsoft. It is also informational to see how hackers try to guess passwords so that you can avoid doing things to help them. Here is a link on guessing passwords. Here is a fun little application, a password strength checker. If you do not have this password set up, you can do it by going doing the following:
   1. Click on Start and then Control Panel.
   2. Click on the User Accounts and Family Safety link.
   3. Note: If you're viewing the Classic View of Control Panel, you won't see this link. Simply double-click on the User Accounts icon and proceed to Step F.
   4. Click on the User Accounts link.
   5. In the Make changes to your user account area of the User Accounts window, click the Change your password link.
   6. In the first text box, enter your current password (if you don't have a password yet, leave it blank)
   7. In the next two text boxes, enter the password you would like to start using if you have no password yet.
   8. Entering the password twice helps to make sure that you typed your new password correctly.
   9. Click the Change password button to confirm your changes.
   10. You can now close the User Accounts window.
   11. Now that your Windows Vista log-on password has been changed, you must use your new password to log on to Windows Vista from this point forward.
   12. It is also considered at good idea to change your passwords regularly using this same procedure.
2. Do not save your passwords for Google Docs in your browser. You should always have to type your user name and password to access your mail and documents. Saving your passwords might make it faster and easier to access your documents, but it is not secure. It depends which browser you are using how this happens. If you have already saved your passwords, you can get a fresh start by clearing your private information. Here is how to clear the passwords in each of the four major Windows browsers and also Safari.

Internet Explorer 6

• Open Internet Explorer
• Click on Tools on the menu bar
• Click on Internet Options
• Click on the Autocomplete button
• Click on the Clear Passwords button
• Click OK

Internet Explorer 7

• Open Internet Explorer
• Click on Tools on the menu bar
• Click on Internet Options
• Click on the Delete button
• Click on the Delete Password button
• Click on Yes

Firefox
(actually this also disables the ability for Firefox to store passwords)

• Select "Tools" then "Options".
• Select the "Security" tab (or button).
• Remove the check mark from the "Remember passwords".
• Click OK.

Google Chrome
(this also disables the ability for Chrome to store passwords)

• Click on the wrench in the upper right-hand corner
• Click on Options 
• Click on the Minor Tweeks tab
• Click on the Never Save Passwords button
• Click on the Close button

Safari

• Select Preferences.
• Click on Autofill
• Uncheck the box next to "User names and passwords"
• Close the Autofill window

3. Set up your screensaver to require a password when you come back to your computer. Since Google Docs doesn't have a time-out feature when you are logged in, you could walk away from your computer with a learner's confidential data showing on your screen. You might mean to be away for only a minute or two and you might even think you will have your computer in sight all the time. Invariably, something will come up and you will be away for longer than you had planned. If you have your screen saver set to come on after a few minutes of inactivity and then require a password to get back in, you will have an approximation of the security a website's timeout feature would provide. It will not log you off the website, but it will prevent some casual observer from seeing private information. This is just a safety net, the best method is to log out from the website when you are away. You can also easily lock your computer as  you are getting up to leave by pressing the windows button and the letter L (caps not necessary).

 

Changing your screen saver and putting a password on it.

• From your main desktop right-click on the desktop.
• On the pop-up menu, click on Personalize
• Next, click on Screen Saver
• From the drop down list of screen savers choose one you like.
• Make sure it blanks your screen by clicking on the Preview button
• NOTE: The Bubbles screen saver looks fun, but your data remains visible.
• Select a short Wait time. It should not be longer than ten minutes, five is better, three minutes is even better, but it might be irritating.
• Click on the box next to On resume, display logon screen so that it displays a check mark in the box.
• Click OK
• Close the window.

Backing up Google Documents

Jeff has covered this issue in at least two other emails, but it probably bears repeating. In order to be as sure as possible that our learner's data is secure, we should have a local backup of the data. This will also give a point-in-time copy in case someone makes unauthorized, accidental or unapproved changes to documents. The following is a copy of the information that has been presented in earlier emails.

To export the Weekly Journal, Funding Summary, and Inventory:
Export these documents as an .xls file (under "File > Export > .xls"). Then just decide where you want to save it and then click "Save".

To export the Learning Plan:
Export the LP as a Word file (under "File > Download file as... > Word"). Then just decide where you want to save it and then click "Save".
Of course, anyone could potentially log into your computer and view these files if they knew your password. If you want to add an extra level of security to these backup files, you can create an encrypted folder with a really cool (and free) utility called TrueCrypt. You can read about it here and you can download it here. However, this is not a requirement for you to do.

If you have any questions about the above information, please don't hesitate to contact anyone on the Paperless/Tech Committee (Dan, Dolly, and Jeff). Nathan Bryant is also our Tech Coordinator for the program, and he is also very knowledgeable and helpful regarding these issues.
Keep that data safe, secure and private. That's all folks!