Student data privacy is a top priority for inBloom, and protections for student privacy have been addressed throughout the design and ongoing operations of our solution, in compliance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g, and its associated regulations, and other data privacy and security laws. Click here for details about how the inBloom technology (formerly known as the “Shared Learning Infrastructure”) complies with FERPA.
inBloom worked with its pilot states and districts and a panel of student privacy and security experts to create the policy that governs our handling of sensitive data. States and districts using inBloom retain ownership and control of their data, and how that data is collected, retained and made available to the right users and applications. inBloom’s role-based access management design enables states and districts to set and control levels of data access at the individual user and application level to protect student information from unauthorized access.
Each participating state and district has its own protected space in the inBloom Data Store. Personally identifiable student data will not be disclosed across states or districts. While the inBloom Data Store provides the privacy and security functionality required by FERPA, it remains the responsibility of each adopting state and local agency to ensure that their use of the technology is compliant with FERPA and other applicable data privacy and security laws and regulations.
Vendors have no access to student records through inBloom unless authorized by a state or district with legal authority over those student records. inBloom has no ownership of student records. Neither inBloom nor any other participating agency or vendor may sell, assign, lease or commercially exploit confidential student data. inBloom philanthropic supporters such as the Gates Foundation and Carnegie Corporation have no access to student data via inBloom.
View the complete inBloom Privacy & Information Security Policy.
Since its inception, inBloom has been continuously advised by a Privacy Advisory Board that includes some of the leading privacy and security experts in the country, in order to ensure that we utilize the best possible practices. They play a critical mandated role in ensuring that inBloom complies with its Data Privacy and Security Policy, as well as approving any changes to it. These experts include:
- Shawn Henry, President of Services for CrowdStrike, an information security firm, who previously served as Executive Assistant Director for Cyber Investigations at the Federal Bureau of Investigation;
- Jay Pfeiffer, currently an independent consultant with RTI and MGT of America, who was the Deputy Commissioner for Accountability, Research and Measurement at the Florida Department of Education; and
- Christopher Wolf, the Director of Hogan Lovells LLP’s Privacy and Information Management Practice, who is also the founder and co-chair of the Future of Privacy Forum.
Lastly, J. Michael Gibbons is a certified information security professional who worked with the inBloom development team to build a comprehensive security program. Mr. Gibbons spent ten years with a “Big-4” accounting firm and 15 years as a Special Agent with the Federal Bureau of Investigation, focusing on cyber security.
In-House Privacy and Security Team
inBloom also has an experienced in-house privacy and security team with decades of experience. The team includes:
Virginia Bartlett, inBloom’s Chief Privacy Officer, who leads inBloom’s data privacy efforts. Ms. Bartlett, a New York State resident, is one of the nation’s first chief privacy officers, with more than 15 years of experience in building, operationalizing and continuously improving privacy protections for large, complex, multi-jurisdictional organizations, including Fortune 50 financial services, healthcare and technology companies with government contracts.
Garrett Suhm, inBloom’s Chief Technology Officer, has managed the implementation of many large information systems and products in a career spanning 25 years. Many of the systems he managed required sophisticated protections and control regimes for sensitive and private information. He was also instrumental in implementing the Fair and Accurate Credit Transactions (“FACT”) Act at a major commercial provider. The FACT Act provided for free credit information and helped reduce identity theft for consumers across the nation.
Eric Browning, acting Chief Information Security Officer, is inBloom’s Director of Security and Compliance, has been working in the information security field for 11 years with key experience as an information security consultant and engineer, performing hundreds of various security assessments including: penetration testing, web application assessments, risk assessments, social engineering attacks, vendor assessments, and gap analyses against many various standards. Mr. Browning also has significant experience in information security program development and designing network security architecture.