New guidelines have been issued by the U.S. Department of Education to better protect student privacy online. The Department's Technical Assistance Center is aiming to help schools and teachers protect student privacy while the students are using online educational tools, according to a statement by the Department.
The services for the students include computer software, mobile apps, and website-based programs. These services are provided by a third party to a school or district that students and their parents can use for school activities via the Internet, according the guidance. Under Family Educational Rights and Privacy Act (FERPA) and Protection of Pupil Rights Amendment (PPRA), guidelines have been set for the best practices.
"As an education community, we have to do a far better job of helping teachers and administrators understand technology and data issues so that they can appropriately protect privacy while ensuring teachers and students have access to effective and safe tools," Secretary of Education Arne Duncan said in the statement.
FERPA protects personally identifiable information (PII) in education records from being disclosed without authorization, according to the decree.
"Subject to exceptions, the general rule under FERPA is that a school or district cannot disclose PII from education records to a provider unless the school or district has first obtained written consent from the parents," students 18 years of age or older and postsecondary students, the Department said.
However, there are some of the parts that FERPA doesn't protect. Generally, the PPRA requires school districts to notify parents of students whose personal information may be collected, used or disclosed for marketing purposes and to give those parents the opportunity to opt out of such activities.
The Department said it recommends schools and districts to maintain awareness of other applicable laws, such as the Children's Online Privacy Protection Act, remain aware of which online educational services the district is currently using and establish policies and procedures to both evaluate and approve new online educational services.
In addition the schools and districts are recommended by the Department to use a written contract or a legal agreement with providers, take extra steps when accepting "click-wrap" licenses for consumer applications and be transparent with both parents and students about how student information is collected, shared, protected and used.
Moreover, the Department recommends that contracts with providers include provisions on security and data stewardship, information collection, data use, retention, disclosure and destruction, data access, contract modification, duration and termination, and indemnification and warranty.
In the meantime, the Software & Information Industry Association (SIIA) on February 24th issued a set of industry best practices for providers of school services to protect student privacy and secure student data.
The best practices include: collecting, using and sharing student personally identifiable information for educational purposes; being transparent about what information is collected, used and shared; collecting, using and sharing student information with authorization from the educational institution or with student or parental consent; maintaining security policies and procedures to protect students' personal data; and informing educational institutions about data breaches.