To help school districts and educators better protect student data when using online educational resources, the Privacy Technical Assistance Center (PTAC) of the Department of Education, released new guidelines with information and best practices for meeting the major requirements of the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).
The guidance document is for individual school districts and education vendors with cloud-services. It outlines:
- How student data can and should be used
- What steps are necessary to protect student privacy
- How to prevent the misuse, abuse, and commercialization of student information.
It includes school data privacy best practices by encouraging schools to do the following:
- Maintain awareness of relevant federal, state, tribal, and/or local laws.
- Be aware of which online educational services are being used within your district.
- Have policies and procedures to evaluate and approve proposed online educational services.
- When possible, use a written contract or legal agreement specifically outlining data use and protection.
The Security and Information Industry Association (SIIA) also just released guidelines on best practices for vendors that work with student data. Their guidelines include:
- Collecting data only for educational purpose
- Showing transparency in what type of data is collected and how this will be used
- Ensuring appropriate authorization from the school and/or parents
- Creating a data breach notification in the event of a data breach
- Ensuring security policies and procedures are in place and effective to protect personal student information against risks such as unauthorized access or use, or unintended or inappropriate destruction, modification, or disclosure.
As classrooms continue to increase use of technology, new questions about protecting student data are raised, including effective contracting procedures. In December, Fordham University professor Joel Reidenberg published a scathing study of the shortcoming and vulnerabilities of most districts’ contracts with cloud-service providers.
Administrators should keep their feet firmly planted on solid ground, outlining concerns for student data use and safeguarding, so they are not caught with their heads in the cloud from a misuse or breach of data. Simple measures and proactive discussion with your district technology experts and technology vendors upfront will go a long way to protecting personal information and other data.