STRATEGY: Develop and refine privacy policies and protocols that ensure student data protection and privacy.
The Family Educational Rights and Privacy Act (FERPA) is the most widely recognized federal law that protects the privacy of student education records. This law was written largely before the data revolution yet still applies to all schools that receive funds under an applicable program of the US Department of Education. Many education stakeholders worry that FERPA does not clearly spell out whether significant portions of the digital data collected now in schools, such as academic work habits and performance, count as part of a student’s formal education record. Schools must stay current; parents expect online access to information about their children; and data security, privacy concerns, and data management are areas that modern school systems must budget for and develop systems to manage.
As schools and/or districts employ more and more technology-based systems, the need to develop secure, safe, and evidence-based policies and protocols to ensure student data is protected and remains private is paramount. Schools and/or districts should consider the following when designing and implementing privacy policies and protocols for student data protection:
1. Involve, or at the very least inform, parents of the design and reasons behind student data policies and procedures.
Most parents, while overwhelmingly in support of technology as a deep and integral part of their child’s learning experiences, are also concerned with the security and privacy of their child’s data. Parents should be kept informed of how the school, and/or district, ensures student data is secure and private.
2. Develop strong relationships with vendors who manage student data.
With more complex demands for schools to meet the needs of all students, implement effective education strategies and practices, differentiate instruction, and make learning happen anytime and anywhere, there is a high potential for third-party vendors to take advantage of these challenges by offering free, online solutions. The cost, however, is measured in student data. These vendors and applications will offer free access and solutions and will use the data (often from students) to improve their product. While this is not by itself negative or troubling, it does raise questions about the use and protection of individualized student data. Districts and schools must be careful about the organizations and vendors with which they contract, and they must build strong relationships with those vendors to establish trust, value, and security.
3. Find examples of data privacy policies to help ensure local policies and protocols align with national and regional laws.
4. The National Association of Secondary School Principals issues the following recommendations for school districts and schools:
- Develop clear policies about what student information is collected, how that data is used, to whom the data is disclosed, and each party’s responsibilities in the event of a data breach.
- Ensure that data security practices include proper data deletion and disposal, including purging electronic data, shredding physical documents, and destroying all data stored on old electronic equipment.
- Identify a district privacy officer who will be responsible for monitoring and complying with federal, state, and district policies on data privacy and for guiding school leaders and teachers in their use and protection of data.
- Provide training for all district staff to ensure they understand basic legal requirements, their responsibilities, and specific district policies concerning student data.
- Ensure principals receive training on policies and procedures that prevent a data breach and specify steps to be taken in the event that a breach occurs. This should include procedures to notify authorities, parents, and other community members.
- Educate district staff about online educational services (paid and free) and how to determine whether they comply with FERPA and state and district regulations.
- Coordinate annual privacy training for all school and district employees who have access to personally identifiable student data, adopt online educational services or apps, and/or procure and contract with service providers.
- Ensure all third-party vendors that collect, or have access to, student data have written contracts that specifically address privacy and the allowable uses of personally identifiable information and prohibit further redisclosure of personally identifiable information without parental consent.
- Communicate directly with parents about the collection and use of student data and the privacy measures and protections that are in place to preempt confusion and misunderstanding.
- Prior to using online educational services, ensure that the contract or ‘terms of service’ contain all necessary legal provisions governing access, use, protection, and destruction of student data.
- Ensure that agreements with outside providers include provisions to allow direct parental access to personally identifiable student information and assistance to schools for indirect parental access to other student data.
- Ensure greater transparency by posting, on district and school websites, all policies governing the outsourcing of school functions and contracts with outside providers.
- Make available a list of online educational services, or apps, that are used within the district.
First Steps to Consider
Identify districtwide and schoolwide systems currently in place that collect student data and report on how that data currently is used (e.g., transcripts, report cards, attendance reports, discipline reports, assessment results, etc.).
2. Meet with current system vendor(s) to obtain explicit information and details on how the vendor(s) use student data.
4. Collect information that details the current school-based procedures and protocols for monitoring and securing data security and privacy, as well as information on the fidelity of the implementation of those procedures and protocols.
5. Talk with neighboring districts and obtain samples of their privacy policies.
6. Establish a quick and easy procedure for teachers to access and use third-party programs to support classroom instruction and assessment, while also ensuring that school and/or district technology administrators are aware of what is being used in the building/district. This can be done by using a simple online format (i.e., Survey Monkey, Google forms, etc.).
Complexities & Pitfalls
Privacy policies, procedures, and protocols need to align with state and federal statutes, best practices for technology and data use, and effective strategies for monitoring and implementation. With the wealth of online access now available for educators, it can be easy for teachers, schools, and districts to be inundated with accounts for, connections to, and data from, programs, applications, and vendors. The information technology department needs to be aware of these connections, accounts, and data use so they can effectively ensure that student data is kept private and secure.
- Procedures and protocols that are complicated to use do not help staff implement the policy. Keep things simple.
- To what extent are the school district’s data privacy policies current and up to date?
- To what extent are data protocols and/or procedures implemented with fidelity?
- How might the school or school district understand what vendors (including third party) are in active use across the school and/or district?
- To what extent do policies, practices, and procedures align with state and federal statutes, best practices, and effective implementation strategies?