For many years pretty much the only student privacy laws that schools had to be concerned with were the big two: FERPA (Family Education Rights & Privacy Act) and COPPA (Children’s Online Privacy Protection Act). Two others, PPRA (Protecting Pupil Rights Amendment) and certain provisions of HIPAA (Health Insurance Portability & Accountability Act), while applicable, are narrower in their application.
In 2014 more than 120 laws intended to regulate a broad range of student data collection and use practices were proposed in state legislatures. As a result, a number of states are now implementing new laws, with California’s SOPIPA (Student Online Personal Information Privacy Protection Act) the most significant and perhaps most influential. Already in 2015 more than 130 student privacy laws have been proposed in states, with proposals similar to California’s SOPIPA common. Then of course the really big news in privacy legislation is President Obama’s Student Digital Privacy & Innovation Act.
A common refrain by many of those outspoken on privacy is that we need to go beyond compliance, yet with little or no specifics as to what that means. The problem with this is that it can imply that compliance is really easy or not that important in the grand scheme of things. Of course, neither is true. FERPA and COPPA alone can be quite confusing when it comes to implementation. So when I say we need to “go beyond compliance,” I mean this: let’s not focus so narrowly on compliance that we lose sight of some key issues that privacy laws are often intended to address.
There are 4 key issues that many student privacy laws address:
- Schools need to maintain control over student data, wherever the data is located. This includes having explicit agreements with 3rd party service providers about how student data is to be secured, managed, shared and retained.
- Parents of K12 students have a right to access data contained in the educational records of their students. In addition to access rights, parents have the right to seek corrections when inaccuracies are found.
- Online service providers must be explicit about what data they will collect, how they will use it and, if applicable, whether the data will be shared with others and for what purposes. Commercial use of data is of particular concern.
- Service providers have an obligation to obtain consent from parents for collecting personal information about their students when using their services/applications. In some cases school officials may provide consent on behalf of parents.
By focusing on these four issues, you will not necessarily ensure compliance, but you will be going a long way towards addressing some of the more significant privacy concerns. It’s true that good intentions alone are not enough, but failing to do anything because you are mystified by privacy laws is also not the answer.
The key takeaway here is to not let the confusing privacy laws and changing legal landscape get in the way of implementing practical steps to protect student data. There are many outstanding resources that you can refer to for compliance guidance. I mentioned these in my previous post, but they bear repeating. CoSN’s (Consortium for School Networking) Protecting Privacy in Connected Learning toolkit, the US Department of Education’s Privacy Technical Assistance Center, and K12 Blueprint’s privacy toolkit are all great resources. And just as you do for other technical services, consider turning to service providers who have expertise in privacy compliance. There is no reason that you have to go it alone on this difficult issue.
My next post will be Service Providers: The Legal View (What School Leaders Need to Know).
About the author:
Bob Moore is a veteran of nearly 27 years in education technology. He served in the district CIO role for many years, before leading global education strategy for a large technology business. Bob has been long considered a thought leader on issues important to K12 school system technology leaders. In recent years he has emerged as a thoughtful, practical voice on student data privacy issues and leads the Protecting Privacy in Connected Learning initiative for CoSN. In his role of Founder & Chief Consultant for RJM Strategies LLC, Bob works with schools across the US and globally on a wide range of technology leadership and operations issues. He can be contacted at BobMoore@RJMStrategies.com.