Best Practices

Assess the lay of the land prior to passing laws or policies. 

Conduct a district-wide privacy assessment and online services audit, preferably by an independent third party. By determining what services are currently in use, and to what extent student data is used and protected within those services, your district will have the basis for determining what policy or practice changes are necessary – Data in the Cloud: A Legal and Policy Guide for School Boards on Student Data Privacy in the Cloud Computing Era (NSBA)

Include all stakeholders in the conversation. 

Parents should be involved in the development of privacy norms and should provide policy input. Just as schools provide significant information about online safety and appropriate use, they should put significant effort into making sure that parents understand the measures that educators are taking to protect student privacy. – 10 Steps that Protect the Privacy of Student Data (CoSN)

Many state bills introduced over the past two years did not give district stakeholders—from classroom teachers to chief technology officers to superintendents—an opportunity to weigh in on how the bills would affect educational work. This oversight created problems in a few states. – Policymaking on Education Data Privacy: Lessons Learned (NASBE)

Student personal information should be used only for educational purposes. 

Students have the right to expect that companies and schools will collect, use, and disclose student information solely in ways that are compatible with the context in which students provide data. – Student Bill of Rights (EPIC)

School service providers [should] collect, use, or share student PII only for educational and related purposes for which they were engaged or directed by the educational institution, in accordance with applicable state and federal laws. – Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services (SIIA)

Put someone in charge.

Decide who in the district is responsible for privacy. A senior administrator should be designated as the person responsible for coordinating efforts to ensure compliance with privacy laws and policies. – 10 Steps that Protect the Privacy of Student Data (CoSN)

Identify a state-level official who is responsible for privacy, data security, and compliance with all federal and state privacy laws and regulations… Identify a district privacy officer who is responsible for monitoring and complying with federal, state, and district policies on data privacy and for guiding school leaders and teachers in their use and protection of data. – Recommendations on Student Data Privacy (NASSP)

A data governance plan at the state and district levels is essential.

Develop clear policies about what student information is collected, how that data is used, to whom the data is disclosed, and each party’s responsibilities in the event of a data breach. – Recommendations on Student Data Privacy (NASSP)

Districts must establish policies and implementation plans for the adoption of cloud services by teachers and staff including in-service training and easy mechanisms for teachers to adopt, and propose technologies for instructional use. – Privacy and Cloud Computing in Public Schools (CLIP)

States, districts, and third parties with student data must be more transparent.

Schools and companies should publish the types of information they collect, the purposes for which the information will be used, and the security practices in place. Schools and companies should also publish algorithms behind their decision-making. – Student Bill of Rights (EPIC)

Communicate directly with parents about the collection and use of student data and the privacy measures and protections that are in place to preempt confusion and misunderstanding. – Recommendations on Student Data Privacy (NASSP)

School service providers [should] disclose in contracts and/or privacy policies what types of student PII are collected directly from students, and for what purposes this information is used or shared with third parties. – Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services (SIIA)

[State Education Agencies] are obligated and find it imperative to proactively disseminate data use and privacy policies in clear and transparent ways. We ensure the public has access to privacy policies and information about the use of personally identifiable data and can provide feedback regarding those policies. – Data Privacy & Security Policy Statement (CCSSO)

Have policies and procedures to evaluate and approve proposed online educational services.

Schools and districts should be clear with both teachers and administrators about how proposed online educational services can be approved, and who has the authority to enter into agreements with providers…. To ensure that privacy and security concerns relating to these free services are adequately considered, the Department recommends that free online educational services go through the same (or a similar) approval process as paid educational services. – Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices (PTAC)

Ensure that all third-party vendors that collect or have access to student data have written contracts that specifically address privacy and the allowable uses of personally identifiable information, and prohibit further redisclosure of personally identifiable information without parental consent. – Recommendations on Student Data Privacy (NASSP)

School service providers collect, use, or share student PII only in accordance with the provisions of their privacy policies and contracts with the educational institutions they serve, or with the consent of students or parents as authorized by law, or as otherwise directed by the educational institution or required by law. – Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services (SIIA)
Legislators should be careful of unintended consequences from student privacy legislation. 

Analyzing the effects of laws and policies in other states can help policymakers craft good data protection plans in their own. Other states’ laws sometimes offer cautionary tales of language that proves to be imprecise or implementation issues that were not fully thought through. Frequently, these issues arise when key stakeholders do not get a chance to weigh in on the legislation’s potential impact before its drafting. – Policymaking on Education Data Privacy: Lessons Learned (NASBE)

Training is essential in ensuring student privacy laws are properly implemented and followed. 

Unless you train your staff, they will not know what to do or why it is important. Annual privacy training should be required for any school employee who is handling student data, adopting online education apps or procuring and contracting with service providers. Privacy laws represent legal requirements that need to be taken seriously. – 10 Steps that Protect the Privacy of Student Data (CoSN)

“Even though the odds of an earthquake are low, teachers in California are trained how to keep students safe,” said [Paige] Kowalski [of the Data Quality Campaign]. “Why do we continue to risk student safety by not also training teachers how to deal with the far more regular occurrences of privacy and confidentiality breaches?” – Policymaking on Education Data Privacy: Lessons Learned (NASBE)

Coordinate an annual privacy training for all school and district employees who have access to personally identifiable student data, adopt online educational services or apps, or procure and contract with service providers. – Recommendations on Student Data Privacy (NASSP)

To ensure consistent implementation of your school district’s policies and procedures regarding student privacy, extensive staff training may be necessary. Individual classroom teachers should not make unilateral decisions regarding implementation of online services. School district staff need to be informed not only of the basic legal requirements and the specific policies and procedures that must be followed in your district, but also of privacy “norms” that fuel public sentiment and understanding of what privacy means. – Data in the Cloud: A Legal and Policy Guide for School Boards on Student Data Privacy in the Cloud Computing Era (NSBA)

Review and adjust passed policies and laws.

Interpretations of privacy laws are changing, and new laws may be added. School policies and practices will need updating and adjustment so that they reflect legal requirements. Processes can become burdensome and when that happens, some people may want to skirt the process. Seek input from those involved to ensure that the processes are not hindering teaching and learning. – 10 Steps that Protect the Privacy of Student Data (CoSN)

Recommended Resources