Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. New regulatory changes for FERPA became effective on January 3, 2012. Within the National Center for Education Statistics, the Department established a Privacy Technical Assistance Center (PTAC), which serves as a “one-stop resource” for the P-20 education community on privacy, confidentiality, and data security. Since its launch, the center has developed a PTAC Toolkit that provides resources on data sharing, security best practices, and other relevant topics. Among other things, the 2012 changes to FERPA expanded the requirements for written agreements and enforcement mechanisms to help ensure program effectiveness, promote effectiveness research, and increase accountability. In February 2014, additional guidance summarized the major requirements of the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) that relate to educational services, and urges schools and districts to go beyond compliance to follow best practices for outsourcing school functions using online educational services, including computer software, mobile applications and web-based tools.
Children’s Online Privacy Protection Act (COPPA)
Congress enacted COPPA in 1998. Most recently, it was amended in December 2012 to take effect on July 1, 2013. The goal of COPPA is to put parents in charge of what information may be collected online about their children under the age of 13. The rule applies to operators of commercial websites and online services (including mobile apps). COPPA allows schools to act as “intermediaries” between website operators and parents in providing consent for the collection of personal information in the school context. For example, when a district contracts with a vendor for homework help, individualized education modules, online research and organizational tools, or web-based testing services, the vendor doesn’t have to obtain consent directly from the parent; the school is authorized to speak on behalf of the student. However, the Bureau of Consumer Protection Business Center also advises schools to inform parents of its practices in their acceptable use policy. When student use of a web service extends beyond school activities, the center adds, the school “should carefully consider whether it has effectively notified parents of its intent to allow children to participate in such online activities.
Children's Internet Protection Act (CIPA)
Schools with E-Rate funding must enforce a policy of internet safety and certify that they are enforcing a policy of internet safety that includes measures to block or filter internet access for both minors and adults to certain visual depictions. CIPA requirements include maintaining an internet Safety Policy, a Technology Protection Measure and a public notice or hearing. A technology protection measure is a specific technology that blocks or filters internet access. The school or library must enforce the operation of the technology protection measure during the use of its computers with internet access, although an administrator, supervisor, or other person authorized by the authority with responsibility for administration of the school or library may disable the technology protection measure during use by an adult to enable access for bona fide research or other lawful purpose.
Acceptable Use Policies
Acceptable Use PoliciesSchools and districts typically implement acceptable use policies (AUP) for students, parents and faculty members that have access to school devices and/or the school- based software or broadband services to help ensure student safety and security and to help protect the school’s equipment and servers. AUPs vary based on school and district implementation programs, and should be customized based on the user groups. Each school or district should review current policies, templates and supporting documents related to device usage and management, broadband access and permissions and contact forms. These policies should be reviewed at least annually. Below, are sample documents that may help to manage user expectations by establishing policies for responsible device use. Examples:
- Greene Central High School in North Carolina sample acceptable use policy, signature page, and laptop consent form
- Fairfax County Virginia acceptable use policy.
- iPad Procedures: Lamoille UHS, Hyde Park, Vermont. Fall 2013.
- Student-Centered Universal BYOT Policy Template For Schools.
Facilitator GuideThe Faciliator Guide – Student Data Privacy provides education leaders with the information and resources they need to conduct a professional learning session. Participants will:
- Learn more about data privacy
- Collaborate with colleagues to learn the current status of privacy programs
- Assess the strengths and challenges of your school’s privacy program
- Explore ways to engage parents
- Acquire resources supporting student data privacy
- Develop and maintain relationships with other district and state leaders