As schools introduce new technology and rely more on data analytics to inform academic decisions, concerns about protecting privacy and keeping students secure online tend to rise.
The federal government — along with some states and individual school districts — has instituted regulations like the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA) and the Children’s Internet Protection Act (CIPA) to ensure privacy and security for K–12 students. But sometimes it’s difficult to figure out what it all means.
“The tough part is that the alphabet soup gets intimidating,” says Jim Flanagan, the chief learning services officer of ISTE. “I encourage folks to understand the regulations at the most basic level.”
Add to this some best practices and a lesson on digital citizenship, says Flanagan, and creating an environment where privacy and security are protected should become easier.
When introducing a new education technology tool, such as a cloud platform, Flanagan says the first thing a school should do is make sure that the vendor complies with the Student Privacy Pledge.
The pledge — which was introduced early in 2015 — has been signed by 316 educational technology providers that vow to “carry out responsible stewardship and appropriate use of student personal information.”
Flanagan also suggests that school administrators have a targeted Q&A with vendors and ask the following:
Beyond that, it’s important for school administrators, IT professionals and teachers to know the basics of the federal regulations.
FERPA requires that schools have written permission from a parent to release education records unless the records are going to a school official, state or local authority or accrediting organization, among others, the U.S. Department of Education reports.
The Education Department also notes that while schools can release “directory information” — name, address, telephone number, date and place of birth, honors and dates of attendance — they must give parents notice that they will be disclosing this information and give them ample time to request that it remain private.
According to the Federal Trade Commission, COPPA seeks to protect what information mobile apps, websites, online gaming platforms and the like can collect from kids under the age of 13. The FTC reports protected information as full name, home address, telephone number, social security number and other personally identifiable information.
CIPA, set in place by the Federal Communications Commission, states the schools and libraries that are eligible for E-Rate funding may not receive discounts unless they have an internet safety policy in place that protects minors from access to inappropriate material, protects their safety when using email or other online communications, and protects against unauthorized hacking.
Though education technology is constantly changing, the regulations of FERPA, CIPA and COPPA have been in place for more than a decade, so there’s abundant advice from both districts and outside experts to help schools maintain compliance.
“Privacy compliance is not a new thing,” Flanagan says. “People have been working on this for a long time.”
One such district is Cambridge Public Schools in Massachusetts which was awarded the Trusted Learning Environment Seal from CoSN in August.
“Technology is a critical part of the 21st century classroom, and data is vital to efforts to provide a more personalized education for all students,” the district’s website states. “The TLE Seal is a mark of distinction, signaling CPS has taken measurable steps to assure the digital privacy of student data.”
Part of CPS’s plan for protecting student data, which is outlined on their website, is thorough vetting of vendors that provide education technology. Also, in an effort to keep information to parents and teachers widely available and transparent, CPS maintains a list of approved applications and the contract and privacy protections associated with each one.
In June, Common Sense Education partnered with 70 schools and districts to launch the K–12 Edtech Privacy Evaluation Platform to help administrators and educators choose trustworthy software.
“Evaluating the privacy and security practices of the educational software is a daunting task for most schools and districts, but doesn’t have to be,” says Common Sense founder James P. Steyer in the press release.
“By working together with educators, Common Sense has developed a comprehensive, centralized, and free resource to help an education community that is spread out across the country learn from each other and make more informed decisions about protected student privacy.”
Even with software and policies in place, sometimes mistakes happen, and a violation of privacy or security might occur.
“If something happens, be open, clear and transparent,” says Flanagan. “Start by contacting the superintendent and legal department simultaneously.”
Just as a school might do a fire drill, Flanagan says a school should run through scenarios of what to do in the event of a security breach.
In 2012, the Education Department released a data breach response checklist designed to help schools establish a response policy, create an action plan, and develop widely followed procedures:
“Establishing a robust response capability well in advance decreases the pressure on the responders and reduces errors as a result of having to ‘make it up as you go.’ As a best practice, consider conducting recurring tests, drills, and incident response exercises.”
At ISTE, Flanagan says there has been a huge push to focus on the human factor in incidents like data breaches.
His suggestion is to start by educating students on where privacy concerns fit into their digital citizenship. ISTE’s Standards for Students for 2016 includes instructing students on how to manage their digital identities and be aware of what data collection is happening, and how to maintain privacy.
“This is key, not only for them to be protected at school, but for the rest of their lives,” says Flanagan.