Student Data Privacy

The National Education Technology Plan discusses how the use of student data iscrucial for personalized learning and continuous improvement (see Section 4: Assessment). Acting as the stewards of student data presents educators with several responsibilities. School officials, families, and software developers have to be mindful of how data privacy, confidentiality, and security practices affect students. Schools and other educational institutions should be certain that policies are in place regarding who has access to student data and that students and families understand their rights and responsibilities concerning data collection.  Districts should have a policy or procedure for reviewing third party agreements in the terms of service or contract for compliance around use, protection (data security) and destruction of student personally identifiable data.
The U.S. Department of Education Protecting Student Privacy provides technical assistance to help schools and school districts use best practices in their use and management of information about students.


Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. New regulatory changes for FERPA became effective on January 3, 2012. Within the National Center for Education Statistics, the Department established a Privacy Technical Assistance Center (PTAC), which serves as a “one-stop resource” for the P-20 education community on privacy, confidentiality, and data security. Since its launch, the center has developed a PTAC Toolkit that provides resources on data sharing, security best practices, and other relevant topics. Among other things, the 2012 changes to FERPA expanded the requirements for written agreements and enforcement mechanisms to help ensure program effectiveness, promote effectiveness research, and increase accountability. In February 2014, additional guidance summarized the major requirements of the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) that relate to educational services, and urges schools and districts to go beyond compliance to follow best practices for outsourcing school functions using online educational services, including computer software, mobile applications and web-based tools.

Children’s Online Privacy Protection Act (COPPA)

Congress enacted COPPA in 1998. Most recently, it was amended in December 2012 to take effect on July 1, 2013. The goal of COPPA is to put parents in charge of what information may be collected online about their children under the age of 13. The rule applies to operators of commercial websites and online services (including mobile apps). COPPA allows schools to act as “intermediaries” between website operators and parents in providing consent for the collection of personal information in the school context. For example, when a district contracts with a vendor for homework help, individualized education modules, online research and organizational tools, or web-based testing services, the vendor doesn’t have to obtain consent directly from the parent; the school is authorized to speak on behalf of the student. However, the Bureau of Consumer Protection Business Center also advises schools to inform parents of its practices in their acceptable use policy. When student use of a web service extends beyond school activities, the center adds, the school “should carefully consider whether it has effectively notified parents of its intent to allow children to participate in such online activities.

Children's Internet Protection Act (CIPA)

Schools with E-Rate funding must enforce a policy of internet safety and certify that they are enforcing a policy of internet safety that includes measures to block or filter internet access for both minors and adults to certain visual depictions. CIPA requirements include maintaining an internet Safety Policy, a Technology Protection Measure and a public notice or hearing. A technology protection measure is a specific technology that blocks or filters internet access. The school or library must enforce the operation of the technology protection measure during the use of its computers with internet access, although an administrator, supervisor, or other person authorized by the authority with responsibility for administration of the school or library may disable the technology protection measure during use by an adult to enable access for bona fide research or other lawful purpose.

Acceptable Use Policies

Acceptable Use Policies

Schools and districts typically implement acceptable use policies (AUP) for students, parents and faculty members that have access to school devices and/or the school- based software or broadband services to help ensure student safety and security and to help protect the school’s equipment and servers. AUPs vary based on school and district implementation programs, and should be customized based on the user groups. Each school or district should review current policies, templates and supporting documents related to device usage and management, broadband access and permissions and contact forms. These policies should be reviewed at least annually. Below, are sample documents that may help to manage user expectations by establishing policies for responsible device use. Examples:


Facilitator Guide

The Faciliator Guide – Student Data Privacy provides education leaders with the information and resources they need to conduct a professional learning session. Participants will:
  • Learn more about data privacy
  • Collaborate with colleagues to learn the current status of privacy programs
  • Assess the strengths and challenges of your school’s privacy program
  • Explore ways to engage parents
  • Acquire resources supporting student data privacy
  • Develop and maintain relationships with other district and state leaders

About This Project

©2024 SETDA, All Rights Reserved Privacy Policy