U.S. Department of Education
The federal Education Department and several education and industry groups are among the organizations that have outlined guidelines to help protect the privacy of student data.
“Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices,” from the department’s Privacy Technical Assistance Center, defines student privacy rights under the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA) and explains how schools and the companies and organizations they work with can meet compliance requirements. It recommends that schools follow these best practices:
• Maintain awareness of other relevant federal, state, tribal, or local laws;
• Be aware of which online educational services are currently being used in a district;
• Have policies and procedures to evaluate and approve proposed online educational services;
• When possible, use a written contract or legal agreement;
• Take extra precautions when accepting “click-wrap” licenses for consumer apps;
• Be transparent with parents and students; and
• Consider that parental consent may be appropriate.
National School Boards Association
“Data in the Cloud” is a legal and policy guide for school boards on student-data privacy in the cloud-computing era. It recommends that school districts:
• Identify an individual districtwide chief privacy officer;
• Conduct a privacy assessment and online-services audit, preferably by an independent third party;
• Establish a data-safety committee or data-governance team;
• Review and update district privacy policies regularly;
• Communicate consistently, clearly, and regularly with students, parents, and the community about privacy issues;
• Adopt consistent and clear contracting practices that address student data appropriately, and discourage take-it-or-leave-it terms; and
• Train staff members about data-privacy issues and tactics for protecting data.
Consortium for School Networking
The “Protecting Privacy in Connected Learning Toolkit for School Leaders” gives advice to help school systems navigate some of the privacy issues that can arise when selecting an online service provider. It offers:
• Guidance about evaluating and contracting with online-service providers;
• Advice on requirements about notification and obtaining parental consent for the use of student data;
• Suggested contract terms;
• Security questions to ask online-service providers; and
• Advice on how to analyze “click-wrap” terms-of-service agreements in software.
Houston Independent School District
The district’s “Software Ratings for Parents” microsite displays a matrix to help parents learn more about the types of information that are collected about their children on websites commonly used in the district. Ratings are based on:
• How personally identifiable information is shared;
• How users are allowed to share information;
• Whether an email is required to use a product or service;
• Whether Internet “cookies” are used to collect data on individuals; and
• Whether third-party ads are part of the package.
Software & Information Industry Association
The association’s “Best Practices to Safeguard Student Information Privacy and Data Security and Advance the Effective Use of Technology in Education” is intended for education service providers to inform the contracts that govern their relationships with districts and schools. To the extent that students’ personally identifiable information (PII) is collected, used, or shared by school service providers, the practices recommend that such actions be done:
• Only for educational or related purposes;
• Transparently, disclosing in contracts and/or privacy policies what’s being collected from students, how it’s being used, and when it would be shared;
• Only when authorized by privacy policy or contract, or other specified circumstances;
• After following reasonably designed security policies and procedures to protect the information; and
• Only if companies have reasonable policies and procedures for notification in case a data breach occurs.
Association for Competitive Technology (ACT) and Moms With Apps
ACT, representing app developers, and Moms With Apps, a community of app developers founded to create educational apps they would approve for their own children, released the “Know What’s Inside” digital badge. To earn that designation, which notifies parents and educators about an app’s compliance with certain criteria, an app maker must confirm that its app is:
• Specifically for children;
• Accompanied by a clearly written and displayed privacy policy;
• Supported by an explanation of the app features;
• Developed with an understanding of, and support for, the latest privacy regulations and industry best practices; and
• Created by a member of the ACT organization.
Internet Keep Safe Coalition (iKeepSafe)
An application before the Federal Trade Commission proposes to create an iKeepSafe “safe harbor” designation for companies regarding compliance with the Children’s Online Privacy Protection Act (COPPA). This provision is designed to encourage better industry self-regulation. Companies that comply with FTC-approved guidelines would receive “safe harbor” from agency enforcement action. Under the iKeepSafe proposal, companies would agree, in part, to:
• Practice transparency, with clearly written policies explaining what data are collected, how the information is used and stored, and to whom it may be disclosed;
• Engage in minimal data collection, gathering only what is reasonably required to deliver a promised product, feature, or service to a child;
• Ensure parental, or school, control of data collected from the child;
• Take reasonable measures to secure and maintain the confidentiality and integrity of data; and
• Educate themselves about privacy requirements and best practices.