Jun 27 2018

ISTE 2018: 5 Best Practices for Adhering to Federal Privacy Laws

Transparency with parents is key, says director of federal Student Privacy Policy and Assistance Division Michael Hawes.

With connected technology now being used in the majority of U.S. classrooms, it’s critical to keep student data safe. In fact, it’s federal law.

Michael Hawes, the director of the Student Privacy Policy and Assistance Division at the U.S. Department of Education, gave district technology leaders and educators frank advice Tuesday at ISTE’s 2018 Conference & Expo in Chicago on how to protect students’ personally identifiable information and stay compliant with those laws.

“You have a responsibility to protect and safeguard the information that is provided to you,” Hawes said during a packed session. 


Current Federal Laws Guiding Student Data Protection

The Family Educational Rights and Privacy Act (FERPA) requires that school districts keep personally identifiable information safe and get parental consent to share it with technology vendors. The Protection of Pupil Rights Amendment (PPRA) was established in 2001 with the No Child Left Behind Act and is known for its provisions dealing with surveys and assessments.

It includes limitations on using personal information collected from students for marketing and may require districts to notify parents to allow them an opportunity to opt out, Hawes said. The Children’s Online Privacy Protection Act (COPPA) requires makers of websites, online services and apps to notify parents and get consent before collecting information on children under the age of 13.

“COPPA applies to commercial website providers,” Hawes explained. “Schools adhere to FERPA and PPRA.”

Hawes added that there are a number of state, local and tribal data privacy laws for districts to consider as well.

“At last count there were 119 state privacy laws passed in 39 states since 2013,” he said. “While many of those state laws mirror FERPA, many of them also introduced additional requirements above and beyond federal law. Definitely check with your legal counsel on what your state requirements are there.”

Hawes offered these tips for preserving student privacy:

1. Maintain Awareness of All Relevant Laws

“Work with legal counsel or other districts,” Hawes said. “Piggyback on the work that they’ve already done.”

2. Know What is Being Used In Your District

“How can you protect information when you don’t know all the places the information is going?” Hawes asked. Though it might be tedious to compile, he said, an inventory of apps and software throughout the district is helpful.

3. Have Policies to Evaluate Proposed Services

“This isn’t just about privacy. This is also about security,” Hawes said. “You don’t want to be using unvetted technologies on your school network. This is also about educational content. Make sure the app is consistent with the district’s curriculum.

“Have policies and procedures that govern who can review and approve these. Some centralize that. Some choose to decentralize it. In all cases, there should be a guiding principle about who has that authority.”

4. Negotiate Written Contracts When Possible

This will give the district an opportunity to tailor what it wants to get out of the app or service, Hawes said. 

5. Be Honest With Parents and Students on Data Use

Adults often give their information away — social media sites, frequent shopper cards, etc. — but they’re rewarded with discounts and services. Hawes said parents often complain because they see the risks of their child’s information being used, but not the benefits.

“We’re not having an effective conversation with parents, students and the community about the value that we’re getting to improve students’ educational experiences by using these technologies. And we’re also not being forthcoming in many cases about the risks entailed in using those apps and services. In many cases we’re not even properly evaluating those risks.”

The key, Hawes said, is to remain transparent. “Tell parents what information you’re collecting from students,” he said. “Tell parents how you’re protecting it. Tell parents how that information is being used, who’s accessing it and what return for that they can expect to see.”
