Advocates advise schools to get student privacy protections in writing

In the Parent Toolkit for Student Privacy, advocates advise LEAs and state departments of education to develop student privacy policies and procedures that “reach beyond protections” offered in current state and federal law, including the Family Educational Rights and Privacy Act.

Such advocates believe that federal laws such as FERPA serve only as a baseline for protecting student data.

Created by the Campaign for a Commercial-Free Childhood and the Parent Coalition for Student Privacy, the toolkit offer various recommendations derived from the coalition’s Five Principals to Protect Student Privacy, the U.S. Department of Education’s Privacy Technical Assistance Center, and other organizations concerned with the issue of privacy and data security.

They said one of the best methods schools can help protect student information is to require written agreements, contracts, or memoranda of understanding between states, schools, districts and any third parties accessing or receiving personal information, including companies that offer online instructional programs or free classroom applications.

“Written agreements can limit how student information is collected, used, and shared with others; they can also require the company to adopt strong security and breach notification requirements, include enforceable penalties for noncompliance, and enumerate recourse procedures for parents,” they wrote.

Increasing violations

In a recent webcast the alliance held in partnership with Class Size Matters and NYS Allies for Public Education, experts talked about common practices schools do that may violate student privacy and related federal law.

“We have seen an increasing number of breaches by districts, schools, and for-profit vendors,” said Leonie Haimson, co-chair of the Parent Coalition for Student Privacy.

EdTech Strategies LLC, which tracks adverse cyber incidents across the nation, reports that U.S. public schools have experienced at least 215 separate cyber security-related incidents in the last 21 months.

Recently, Edmodo also experienced a data breach claiming to have stolen credentials, including usernames, passwords, and email addresses of 77 million users that include children, Haimson said.

School systems have also been the target of attacks in which hackers made ransom demands in order to release information back to the schools and districts or in exchange for not releasing personally identifiable information of students and their families to the wider public, she noted.

Rachael Stickland, who also co-chairs the coalition, said the matter of privacy is a “time-sensitive issue” and they plan to release a companion to the parent toolkit just for teachers in 2018.

Best practices for teachers

The toolkit offers the following advice for the education community:

  • Before assigning an online program or classroom app, consider whether its use is necessary — many privacy issues can be avoided by simply not adopting every new online tool marketed to schools, they said.
  • Do not use or ask students to use any online program or app unless it has first been vetted and approved by the state educational agencies or local educational agencies.
  • Be prepared to offer an appropriate alternative (e.g., a textbook or paper and pencil version) to students whose parents choose to opt out of an online program that accesses their personal information.
  • Never sign up for online programs or classroom apps with “click-wrap” agreements — when a user checks a box to accept terms and conditions before using a product or service — unless the terms have been rigorously reviewed by someone with legal and/or technical expertise.
  • Remember that even with review, the terms of service may change over time, putting students’ privacy at risk. See PTAC’s guidance to learn more about click-wrap agreements.
  • Learn the principles of “good digital citizenship” and incorporate “responsible technology practices” in the classroom. They suggested incorporating Fordham University Law School’s Privacy Educators Classroom curriculum into classroom lessons.
  • When creating “data walls” that display students’ test scores or grades in public areas like classrooms or hallways, never include any information that could be used to identify children.

Emily Ann Brown covers education technology and STEM education issues for LRP Publications.

Copyright 2017© LRP Publications, Education Daily®