Districts have a duty to protect the students physically as well as electronically. Implementing a student data privacy program protects the student, teacher, and district.
Districts that receive federal funding are required to abide by FERPA. Documentation such as a data privacy agreement (DPA) ensures the district and vendor understand their responsibilities and are compliant with federal and state regulations. If the district is sharing student personally identifiable information (PII) with a vendor, they can state the vendor is a school official utilizing the “School Official Exception” per FERPA. This statement is usually included in a DPA.
A child’s Social Security number is 35 times more likely to be compromised than an adult’s Social Security number. Potentially, this will not be discovered for several years until they purchase their first car, apply for student loans, etc. Districts have an obligation to protect this student PII and by allowing only vendors that agree to handle the data per the DPA ensures due diligence.
Knowing the applications/extensions in use at the district is the first step in the vetting process. Districts can’t protect what they don’t know. This often requires a cooperative alignment between teachers and technology to compile a complete list.
Districts are to be transparent with legal guardians about who they share the student data with and how it is used. To provide this information in a timely manner, processes and procedures should be documented with a list of approved applications per subject/grade.
Following district procedures protects the teacher from using or approving unvetted applications. All applications and extensions, free and/or paid, should follow the district’s vetting process. Supporting and protecting the teacher is a priority for districts.
If a vendor does have a data breach, responsibilities are outlined in the DPA along with reporting timelines. This ensures the district is informed in a timely manner and can answer questions from the community.
Deleting the data from district and vendor databases is an important but often overlooked element of student data privacy. Including data governance best practices ensures data no longer required is permanently deleted.
The main district goals are:
- Protect the student from:
- Identity theft
- Discrimination
- Predatory activity
- Protect the district by:
- Maintaining Community Trust
- Due Diligence
- Ensuring FERPA and Regulation Compliancy
To assist districts with this task, consider joining the Missouri Student Privacy Alliance (MOSPA) and MOSPA+TEC.