Student Privacy Best Practices for Use of Online Educational Services
The US Department of Education’s Privacy Technical Assistance Center (PTAC) was established to serve as a “one-stop” resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data. Earlier this month, the PTAC released an important document, Protecting Student Privacy While Using Online Educational Services, which included within it the US Department of Education’s own recommendations to schools and districts with respect to privacy, security, and transparency best practices for the use of online educational services.
The US Department of Education recommends that schools and districts take 7 steps in acting in loco parentis to safeguard student data:
- Maintain awareness of relevant federal, state, tribal and local laws that protect student information. Federal laws include FERPA, PPRA, and COPPA, but many states have also already enacted or are considering pertinent legislation. Unfortunately, the patchwork of laws may be difficult for districts to interpret without assistance.
- Be aware of which online educational services are currently being used in your district to assess the scope and range of student information being shared with providers.
- Have policies and procedures to evaluate and approve proposed online educational services prior to implementation. Schools and districts should be clear with both teachers and administrators about how proposed online educational services can be approved, and who has the authority to enter into agreements with providers.
- When possible, use a written contract or legal agreement that includes (a) security and data stewardship provisions, (b) collection provisions, (c) data use, retention, disclosure, and destruction provisions, (d) data access provisions, (e) modification, duration, and termination provisions, and (f) indemnification and warranty provisions.
- Extra steps are necessary when accepting clickwrap agreements for consumer apps, including (a) checking amendment provisions, (b) printing or saving the Terms of Service (TOS) agreement, and (c) given that school employees may accept TOS agreements without going through normal district or school approval channels, limiting authority on who may download and/or use clickwrap software.
- Be transparent with parents and students. Schools and districts should clearly explain on their Web sites how and with whom they share student data, and should post any school and district policies on outsourcing of school functions, including online educational services.
- Consider that parental consent may be appropriate even in instances where federal law does not require parental consent.
More detail on these 7 steps can be found within the PTAC guidance and recommendations. This seems sound advice from the federal government, but it does raise the question of school districts' awareness of these best practices and their capacity to implement them.