Jan 12, 2021

Student Privacy Communications Toolkit: For Schools & Districts

Student Privacy Communications Toolkit: For Schools & Districts
Illustration of a woman standing in front of a computer monitor with a security lock
Student Privacy Communications Toolkit: For Schools & Districts
Author Jasmine Park, Juliana Cotto, Ann Waller Curtis, Carrie Klein, Anisha Reddy, Jim Siegl, Alexandra Sollberger, Jennifer Triplett, Amelia Vance
Organization Future of Privacy Forum
    Download Report
    Illustration of four different screens with people and a finger reaching out

    Developing a Communications Strategy

    The best communications strategy approach is one that is:
    • Clear: Speak honestly, directly, consistently, and transparently about student data collection, use, sharing, and maintenance.
    • Confident: Demonstrate the value of data in helping students and share successes.
    • Reciprocal: Listen to your stakeholders and create space for their voices.

    Open and frank conversations about student privacy are necessary to ease the school community’s concerns, particularly when children are involved.

     

    Setting Goals

    School and district leaders should be thoughtful and intentional about what they are trying to achieve when communicating about privacy protections and responsible data use to both educators and parents. Setting goals for your communications strategy will keep your message clear and consistent. Some potential goals and supporting tactics to consider include:

    SUPPORTING TACTICS

    • School and district leadership participation in conferences and seminars around student privacy;
    • Involvement of third-party expert consultants;
    • A demonstrated commitment to a consistent and thoughtful approach to protecting student data;
    • Actions taken to appropriately vet edtech tools used by schools and districts; and
    • Regular communications to educators, parents, and students.

    SUPPORTING TACTICS

    Develop and share an overview of:

    • State and federal laws,
    • Peer school or district policies,
    • Background on how the school or district developed its own policies, and
    • How such policies can be put into practice.

    SUPPORTING TACTICS

    • Share examples of state and federal funding shifts;
    • Record and amplify educator and student success stories with specific edtech;
    • Invite and document parent and educator stories highlighting individual student improvement; and
    • Incorporate data and stories into local, state, and federal reporting.

    SUPPORTING TACTICS

    • Share detailed background on how the school or district developed its policies;
    • Share how the school or district interacts with third-party websites and tools to require adherence to policies;
    • Provide presentations by tech experts regarding effective data protection strategies (that the school or district has implemented); and
    • Provide a feedback mechanism for educators, parents, and students.

    SUPPORTING TACTICS

    • Demonstrate the need for evaluating and assessing current edtech;
    • Encourage wider adoption of effective edtech with educators, parents, and students;
    • Promote effective at-home edtech activities with parents and students to garner feedback and support; and
    • Share success stories from peer schools or districts regarding student achievement and funding increases.

    SUPPORTING TACTICS

    • Use existing “captive audience” situations like educator in-service trainings and parent/educator conferences;
    • Incentivize attendance at PTA meetings and back-to-school events;
    • Hold data-specific educational forums for leaders in both groups to disseminate information back to the larger group (consider hosting those events both on- and off-campus);
    • Fund relevant educator professional developments;
    • Communicate the prioritization of privacy by the school and district often; and
    • Remind educators, students, and parents of their roles and responsibilities as members of a learning community building a culture of privacy.

    Creating a Communications Roadmap

    Once you have clearly established your communications goals, it is time to develop a roadmap to achieve them. A confident, positive communications posture is key to building long-term trust with stakeholders.

    When developing an effective communications strategy, school and district leaders should keep the following tenants in mind:

     

    • Be proactive. Establishing open and consistent lines of communication with educators and parents before an issue occurs is key to avoiding preventable frustration later on. Don’t wait to talk about student privacy until something goes wrong — your audience will not only be upset but will also wonder what else you might not have told them. Repairing trust is challenging.
    • Be honest and engaged. Because data collection involves inherent risks and benefits, acknowledge and address concerns upfront. Rather than minimizing educator, parent, and student concerns, proactively describe safeguards in place to diminish and mitigate potential harm. If adequate safeguards are not in place, work with stakeholders to fill the gaps by passing policies, training staff, and/or educating the community. Early reassurance that the school and district have the child’s safety as a top priority can increase parental trust and goodwill, especially as unexpected risks arise.
    • Be specific. Articulate how data collection and use can improve teaching and learning and better support students. Use language that is simple and direct for all stakeholders to understand. Providing specific, concrete examples of how and why data is collected and used to help teachers and students can bring to life an otherwise very technical subject.
    • Be mindful. Keep in mind that the “data” you are talking about has a face – students – about whom educators and parents care deeply. Try to avoid technical jargon about data and processes and instead emphasize the human element of how data can help real students.
    • Be humble. There is often no need to reinvent the wheel. Ask around for help if and when needed; nearby and peer schools and districts have likely faced similar challenges and developed student privacy policies and effective communications materials in response.
    • Be accountable. Provide an overview of existing laws and policies that govern the school’s, district’s, and third-party vendors’ responsible use of data. Communicate how offenses are addressed and disciplined, and how educators and parents can hold the school, district, and third-party vendors accountable. Educate parents on their rights when it comes to opting out and providing consent.
    • Be prepared. Student privacy concerns can be conflated with other political, social, or technological debates. Be ready to respond to these comments by steering conversations back to student privacy and address broader concerns at the next opportunity.

    Communications Best Practices

    Privacy, while seemingly straightforward, is a broad term that is frequently used without being properly defined. While some think of privacy as secrecy, others interpret it as confidentiality, security, or safety. Online privacy brings up a host of unique considerations and concerns, and in the digital context, many conflate student privacy with data security. Individual feelings about privacy are often intensely personal and linked to a lack of trust, a power discrepancy, or concerns around fairness. When communicating about privacy, and particularly student privacy, it is important to consider the multiple perspectives that different audiences bring to the conversation and work to mitigate any concerns clearly and confidently. Below are some recommendations for communicating about student privacy.

    Use Clear Language

    Conversations about privacy are nuanced and tend to be full of jargon. These complex technical terms, if not defined, can be interpreted differently by different people. Be aware of the terms you use, reduce jargon to improve clarity, and provide context and meaning to increase audience understanding.

    Below are a few commonly used terms in district and vendor privacy policies that all stakeholders handling student data should understand:

     

    • EdTech: This term refers to a diverse set of online educational programs, websites, and applications used by schools, educators, and students. As this term is broad, it is important to name and define the specific type of technology collecting and using student data; explain the purpose of the technology, the benefits of use, and any potential concerns of that use; share information about mechanisms being taken to address those concerns; and highlight ways to opt in to systems, when appropriate.
    • Data, Data Use, and Data Sharing: Schools and districts can mitigate some privacy concerns by devising effective strategies to explain the lifecycle of student data, including collection, use, sharing, and maintenance.
      • Avoid terms with negative connotations like “exploit” or “manipulate” to describe how data is used. General terms like “studying” or “evaluating” are preferred.
      • The term “data sharing” also often negatively connotes that data is given to a third-party or made public without adequate protections. When discussing data sharing, be very specific on the purpose, limitations, and parameters set around the shared data, and the safeguards in place that protect student privacy.
    • Data Governance: An organizational approach to data and information management that is formalized as a set of policies and procedures encompassing the full lifecycle of data, from acquisition to use to disposal. It includes establishing policies, procedures, and standards regarding data security and privacy protection, data access, and data sharing.
    • Consent: An agreement to the terms for permission to move forward with data collection, whether that be related to the use of a student’s picture in the school newspaper or the use of a new edtech tool in the classroom. Parental consent is required for the educator, school, district, or vendor to collect personally identifiable information from the student. Sometimes, consent is described as “informed,” which means parents and students understand the potential consequences of student data collection and use. “Voluntary” or “freely given” consent means parents and students were not coerced into giving consent. In seeking consent, it is important to be clear about the type of consent, the level of confidentiality involved in participation, and specific information given to the individual to gain consent.
    • School Purpose: A purpose that is directed by or customarily takes place at the direction of the school, assists in the administration of school activities, or is otherwise for the use and benefit of the school. This includes instruction in the classroom or at home, administrative activities, and collaboration between students, school staff, or parents.
    • Anonymous: This term can have different connotations depending on the audience’s level of privacy knowledge. Generally, when speaking with the public, “anonymized data” is data that has been completely stripped of any identifying personal information. “De-identified data” has enough information removed so that an individual student cannot be identified and “aggregate data” combines data from individual students at a summary level.
    • Profiling: Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance in school, at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

    Consider Your Audience

    When speaking about student privacy, it is important to be specific and tailor your message to your audience. Consider the background and experiences of your audience as you prepare for conversations about student privacy. For example, districts that have many parents who work in technology may approach a conversation differently than those with many parents who are government officials. Further, messaging to educators should look different from messaging to students. Your audience may also raise new considerations and questions, so you should encourage their active participation and keep in mind the value their individual perspectives will bring to the table.

    Communicate to Establish Trust

    Providing your audience with proactive, regular, and predictable updates will build trust within your school community. Open communication shows that the school or district is actively seeking to engage educators, parents, and students as partners in its efforts to better protect student privacy. Depending on the culture of your district, certain mediums may be more effective than others. For example, email, in-person meetings, phone calls, or the use of a (pre-vetted) app could be the best way to keep your community in the loop. Schools and districts should employ more than one of these approaches as it can be assumed that the community is diverse with different communication preferences. Through this outreach, invite feedback and encourage participation from your audience to establish a respectful dialogue. Ultimately, parents, educators, and school and district leaders have the students’ best interests in mind. Open and constructive dialogue is key to engaging audiences, maintaining trust, and supporting positive outcomes.

    Prioritize Equity and Engage Inclusively

    Be mindful that some of your students and their families may face significant barriers when accessing communications about student privacy. Students from marginalized groups who have experienced discrimination are less likely to trust that schools, districts, and edtech companies have their best interests at heart when using student data. Therefore, it should be a priority for school and district leaders to ensure parents and students from marginalized groups are proactively engaged in conversations about student privacy and that schools and districts are employing different strategies to broaden the reach of their communication efforts, such as:

    • Providing communications across multiple channels to ensure accessibility by all parents, educators, and students. Families who use assistive technologies or with limited access to the internet and devices may face difficulties accessing communications issues solely through digital formats, particularly channels that require high bandwidth.
    • Translating communications into other languages for non-native English speakers. If you are planning convenings, consider including bilingual facilitators or providing translators.

    Fairfax County Public Schools (VA) is an example of this practice. Web pages, including the list of approved tools that require parental consent follow a consistent format and the language is consistent for every school, only the list of applications is different. Automated translation is used on the website, but important documents such as permission forms for consent for certain tools are professionally translated into the official district communication languages.

    Find more general advice on effective communication strategies tailored by audience and ways to build trust in our Nothing to Hide Toolkit, developed by the Future of Privacy Forum (FPF) and Actionable Intelligence for Social Policy (AISP) in order to help Integrated Data Systems (IDS) and government leaders engage stakeholders and increase communities’ trust in the value of IDS.

    Check out the resources below to find out more about effective communication strategies and tools:

    Creating a Student Privacy Website

    An easy to navigate website is an essential tool for effectively communicating to your school community — from school principals and administrators to parents, educators, and potential third-party vendors — about your student privacy practices. The school or district, as well as educators, will often point to the website when communicating with various stakeholders, so a well-made central resource should serve all of these audiences.

    A website that communicates student privacy well should contain the following information:

    • A link to student privacy or data practices webpage available on the home page
    • A link to student privacy or data practices webpage available in the home page primary navigation menu
    • A copy of or link to the school or district’s annual FERPA notice and/or the rights of parents and students under FERPA
    • A copy of or link to the school or district’s policy regarding student data collection, use, retention, sharing, and protection
    • A copy of or link to the school or district’s policy regarding directory information
    • A copy of or link to the school or district’s policy under the Protection of Pupil Rights Amendment (PPRA)
    • Information about any applicable state student privacy laws or district policies
    • A list of educational technology tools being used in the school or district, and any information about the process to check those tools for privacy and security protection
    • A contact page or email address if anyone has questions about the school or district’s student privacy policies or practices
    • Resources or trainings for educators and school staff on student privacy
    • Clear, transparent language, including words like “will” and not hedging words like “may” or “might”
    Screenshot of Cambridge Public Schools Student Data Privacy landing page
    Cambridge Public Schools (MA) Student Data Privacy

    While that may sound like a lot, a good student privacy website doesn’t have to be complicated (and shouldn’t be). For example, Cambridge Public School District (MA) has created this effective and user-friendly landing page.

    Click the image to explore the site.

    For additional inspiration and guidance, here are other great examples of state and district websites for student privacy that are particularly effective:

    Illustration of a bearded man with a megaphone coming out of a computer monitor

    Talking to Parents

    To build and maintain trust, schools and districts, in coordination with educators, should communicate openly and often with parents about their student privacy policies and practices. Parents may still be overwhelmed or skeptical about edtech tools after running into technical problems in the wake of COVID-19-related closures in Spring 2020. School and district leaders should be sympathetic to the concerns of parents and be willing to engage and over-communicate, when needed, to problem solve and dispel confusion.

    The transition to online learning has reaffirmed that parents are essential partners in students’ educational journeys. As such, schools and districts should seek to inform parents of their rights; effectively communicate school and district student privacy policies, procedures, and practices; and engage parents in the development, implementation, and review of student privacy strategies.

    Elevator Speech for Talking with Parents

    To kickstart a proactive, positive conversation with parents about the collection and use of their student’s personal information, school and district leaders may find the following “elevator speech” useful:

    Our school/district cares deeply about our students and seeks to help them succeed in school and in life. To better understand our students, we collect different types of information, including their demographics, attendance, and grades. Student data can help us monitor performance and appropriately and equitably allocate limited resources. It also informs state and federal policymakers’ decisions that affect our schools and students. We commit to protecting student information according to the Student Data Principles and have developed/are actively working towards developing a comprehensive data governance policy addressing how student data is collected, accessed, used, and maintained, available for review on our district website (if applicable). We also prioritize building trust and practicing transparency with the school community. As partners in your child’s educational journey, we hope you will continue to engage with us, asking questions, sharing concerns, and keeping us accountable.

    Talking Points to Use with Parents

    School and district leaders must communicate clearly with parents to alleviate any system-level concerns regarding student data collection and protection. Below are some frequently asked questions followed by corresponding talking points to help guide a conversation with parents, focused on the ways that schools and districts use and protect student data.

     

    • Student data provides important information to support our role in your student’s educational journey, so they are prepared to succeed in college, career, and life.
    • Data help school and district leaders make informed decisions on how to allocate resources and best serve each student.
    • Our school/district can observe and monitor the performance of students/educators/schools and make positive adjustments to address identified needs.

    • Our school/district commits to safeguarding student data according to federal and state law and with ethical and equitable privacy practices in mind.
    • Our school/district has/is developing a comprehensive student privacy policy that outlines who has access to data, how data can be used, and the security mechanisms in place to protect student data.
    • Our school/district complies with all existing federal and state student privacy laws, and we train our staff, faculty, and service providers to ensure they also comply.

    • Educators, staff members, and third-party service providers are only given access to the specific pieces of data required to do their jobs.
    • If a third-party service provider needs access to limited student data to successfully perform its role with our school/district, our contract includes strict controls and consequences to ensure the protection of student data.

    • Our school/district may use online tools, websites, or applications that collect student data. We carefully vet all tools used in classrooms and ensure compliance with federal and state laws regarding data protection and privacy.

    • At the beginning of each school year, we provide parents with information about their rights related to their child’s data and the ability to opt out of sharing directory information, or sharing information with military recruiters.
    • Additionally, our school/district has a number of tools that collect data and are required for delivering instruction and other services to your child. When we share data with these third-parties, we maintain control through data protection agreements. Sometimes, our school/district will ask for your approval for certain tools that require consent because the tool has met our vetting process, but the vendor does not have the ability to sign a data protection agreement (e.g., students sign up for an account directly), and a list of these specific tools will be provided at the beginning of each school year or as new tools are added.

    Parental Rights

    Under federal and state student privacy laws, parents have the right to access, review, and amend student data.

    The beginning of the school year is a critical time to set clear expectations with parents around ethical and equitable practices for student privacy and online learning for the year ahead. Ideally, parents will hear a coordinated message from both their child’s classroom educators and the school or district.

    Note: The following letter is designed to be adapted according to your school and/or district policies and practices. Click the image below to download.

    Screenshot of back-to-school letter to parents

    Educational Technology Consent Form

    Each year, schools and districts should provide notice to parents and guardians regarding student use of various edtech tools and platforms. Take this opportunity to clearly communicate the platforms students will be using, their educational value, and the precautions that the school is taking to safeguard student information against the privacy risks that may come with the use of any app or online tool. The consent must be for specific tools, and cannot be a broad permission to share data with any approved third-party.

    Note: The following form is designed to be adapted according to your school and/or district policies and practices. Click the image below to download.

    Screenshot of educational technology consent form for parents

    Online Learning: Monitoring Attendance and Student Engagement

    Online classrooms complicate the once simple process of marking attendance and assessing student engagement. In a physical classroom, a student’s presence is clearly visible and serves as a noncontroversial measure of attendance while in an online classroom, attendance is much more nuanced and difficult to calculate. Teachers may require students to have their video on to determine presence in class or may check if the student has logged in to a particular website that day. Student engagement and participation also become more difficult to capture in an online setting. Some schools and districts plan to rely on learning analytics, such as tracking the minutes spent logged into a particular website, to assess engagement and participation. Schools should have a solid technical understanding of how they are measuring logins before proceeding down this path, as this can differ between applications and between web and mobile versions of the same tool.

    In an online setting, it is justifiable that teachers and schools are turning to new tools and types of measurements, but this also means schools and teachers must set baseline expectations for parents and students. This communication should provide students and families with the details of how students will be assessed, including the types of information collected and how it will be used, particularly any effects on grades or student records, and provide them with opportunities to request accommodations or alternatives.

    Note: The following notice is designed to be adapted according to your school and/or district policies and practices. Click the image below to download.

    Screenshot of a monitoring attendance and student engagement parent notice for parents

    Online Learning: Behavioral, Social, and Emotional Learning Surveys

    As some schools and districts consider administering social, emotional, and behavioral screening surveys, it is important to consider the privacy and equity concerns and requirements. Under the Protection of Pupil Rights Amendment (PPRA), whether schools must obtain opt-in or opt-out parental consent prior to administering screeners depends on a number of factors shown below.

     

    Student Participation Required Covers eight protected categories Opt in/Opt out
    Yes Yes Provide notice and parents must opt in for the student to take the survey.
    Yes No Provide notice and parents have the right to opt out.
    No Yes Provide notice and parents have the right to opt out (but check your specific state law first).
    No No Provide notice only if the survey was created by a third party. In that case, parents have the right to opt out.

     

    For more information on PPRA, see FAQs: The Protection of Pupil Rights Amendment.

    If your school or district determines that administering social, emotional, and behavioral screeners are necessary in order to assess the impact of the COVID-19 pandemic and national events related to systemic racism on student wellbeing, be sure to notify parents and guardians of their rights, explain the purpose of the survey, describe what student data will be collected, and detail potential follow-up measures based on the results.

    Note: The following form is designed to be adapted according to your school and/or district policies and practices. Click the image below to download.

    Screenshot of a social, emotional, and behavioral survey consent form for parents

    Parents as Partners in Protecting Student Privacy

    Parents, especially those new to educational settings, may be unaware of what data is collected about their child and how that data is used and protected by educators, staff, and school and district administrators. Further, in an effort to assist their child in learning, parents may unwittingly use online tools that put their child’s privacy at risk. To help parents understand the importance of protecting student privacy and encourage their participation in cultivating a culture of privacy, schools and districts may wish to consider sharing a tailored version of the following letter with parents:

    Note: The following letter is designed to be adapted according to your school and/or district policies and practices. Click the image below to download.

    Screenshot of sample edtech tools parent letter

    Sample Text Messages to Parents

    Back-to-School Text: From the school/district: [School/District Name] Families, Remember to sign the educational technology consent form and review our student privacy policy - together, we can protect student privacy: [add link to privacy information here].
    General Follow-Up Text: From the school/district: [School/District Name] Families, Read how we are working together to protect student privacy: [add link to privacy information here].
    Illustration of a woman speaking on a laptop screen and a woman sitting on a couch listening

    Talking to Educators

    From selecting privacy-protective edtech tools to teaching students about digital citizenship, educators play an essential role in protecting student privacy. They are also critical in building parent trust in and understanding of the role of technology in the classroom to create a culture of privacy in school communities.

    While educators may have the best intentions, without proper training and support from schools and districts on student privacy, student data may be unwittingly put at risk. Schools and districts should recognize educators as the first line of defense in safeguarding student privacy and provide clear and easily accessible guidance describing the educator’s role and responsibilities, the school or district student privacy policies and procedures, legal requirements, and ethical and equitable practices.

    Elevator Speech for Talking with Educators

    The following “elevator speech” is designed to help school and district leaders start a dialogue with classroom educators about the importance of protecting student privacy and using only school- and district-vetted edtech tools in their classrooms.

    As educators, you are constantly seeking the best tools to help your students learn and thrive. Useful websites, apps, and other tools are readily available to assist you in monitoring student progress and improving student learning. While these tools are easily accessible and tempting to download, I’d ask that you pause and check with [the school IT department/privacy officer] first. We don’t want to prevent you from finding new tools to better support your students, but to protect student privacy we must ensure that anything you use in your classroom complies with state and federal student privacy laws, as well as our district’s student privacy policy. (If applicable: The good news is that we have already vetted several great apps that do meet all of those requirements, which you can access here [link to list].) If there is an app that you would like to use that has not yet been vetted by our IT department, let us know so that we can consider it in future evaluations for use in classes. You are also on the frontlines of communicating with students and parents about the importance of student privacy and our school/district policies and practices. Familiarize yourself with the Student Data Principles and the ways our school/district works to protect student privacy to build trust with parents and students, allowing us to use student data and edtech tools to better serve our students.

    Talking Points to Use with Educators

    Educators are typically the first point of contact for parents with questions or frustrations concerning educational technologies. It is extremely important that educators feel prepared to address any privacy-related issues with parents and are well-informed regarding student data collection, use, and protection. Additionally, educators must be aware of the school’s/district’s approval process to vet and confirm use of online tools for their classrooms; otherwise, they may download and use something that is not privacy-protective. Below are some frequently asked questions followed by talking points to adapt and use with educators to ensure they have a high-level of comfort regarding student data policies.

     

    • Our school and district collect various amounts of student data and has a comprehensive privacy policy in place to help keep data safe. You – along with any parents that may have questions – can access that policy at any time by page25image53846464. If you have questions or need clarification regarding this policy, please contact page25image53846464.
    • Ensuring student safety and privacy is the right thing to do and part of our obligation as educators/school staff. There are serious consequences if these policies are not followed — the entire district/school could lose public trust and face other repercussions, such as costly lawsuits.

    • As an educator, you have access to some student data necessary for monitoring student progress and creating individualized learning plans. This means you are responsible for ensuring that it is not lost, accessed, or shared without proper authorization. If you have any questions about how data can or should be best used and protected, let us know and we’re happy to help. Additional resources are available at page25image53846464.

    • Our district has developed a vetting process for you to get applications approved prior to bringing them into the classroom. Find our policy here page25image53846464. These policies are not meant to limit creativity or infringe on your professional perspective, rather they are in place to help ensure the safety and privacy of you and your students.
    • In addition to our vetting and assessments, you may choose to refer to a resource like the Common Sense Privacy Program, which provides expert evaluations of edtech tools’ privacy policies, to assess our school/district’s pre-approved websites and online tools as well as any others you may be considering using in your classroom.

    • Be careful posting any information about your students online. While posting a picture on Facebook, Instagram, Twitter, TikTok, or another social media platform may seem harmless, this may inadvertently subject students to cyberbullying or reveal sensitive information, such as their whereabouts, to unwanted parties.

    Evaluating Edtech Tools

    Even before the transition to online learning, edtech tools had become indispensable to our K-12 education system. Schools and districts rely on dozens, if not hundreds, of third-party partners to enhance teaching and learning. Data gathered by LearnPlatform indicated that “1,327 ed-tech tools were accessed on average each month after the coronavirus-related closures. That’s a nearly 90 percent increase over the previous monthly average for the 2018-2019 academic year, when just 703, were accessed.” As part of a robust data governance program, schools and districts should have a process in place to vet edtech tools, regularly inventory all of the tools used within their school/district, and practice transparency by making a list of pre-vetted tools and tools currently in use available to educators, parents, and students.

    The US Department of Education recommends that “schools and districts should be clear with both teachers and administrators about how proposed online educational services can be approved, and who has the authority to enter into agreements with providers;” this includes free services. If your school or district has not yet established a vetting and review process for edtech tools, school and district leaders should ensure that educators are equipped to evaluate the new educational technologies they bring into the classroom for legal compliance and other important student privacy protections. Educators should receive training on federal and state legal obligations and the school’s or district’s student privacy protection commitments, summarized below:

    Federal Legal Requirements

    Schools and districts should inform educators of the legal requirements under the Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Rule (COPPA).

    • FERPA, which applies to all schools receiving funding from the US Department of Education, guarantees parents access to their children’s education records and restricts the parties to whom schools can disclose students’ education records without consent. Educators should know that under FERPA, schools are required to obtain parental consent to share information in a student’s education records, which is the case for most edtech tools, or qualify for an exception. Most edtech providers receive student information under the “school official” exception, which requires schools to ensure the edtech company is doing something for which the school would otherwise use internal staff; has a legitimate interest; is under direct control of the school; and any data is only collected, used, and shared for the original purpose it was collected for.
    • COPPA, which applies to operators of commercial websites and online services, regulates the collection of information from children under the age of 13. Educators and other school officials, such as district administrators, are authorized to provide consent on behalf of parents for the use of online tools in the context of educational programs. Educators need to know that for this age group, COPPA requires that student information is used solely for a specific educational purpose and not for commercial purposes.

    Commitments

    It is also important for educators to consider key questions that are vital in upholding certain student privacy protections. For example, educators should check to see if the vendor creates a profile of students for non-educational purposes or if any advertisements are shown to students while using the product. The list of questions below should be provided to educators to aid in their vetting process.

    Evaluating Edtech Tools for Privacy Checklist

    • Does the app collect personally identifiable information (PII)?
    • What other types of data (de-identified data, aggregate data, metadata) are being collected?
    • Does the vendor commit to not further share student information other than as needed to provide the educational product or service (such as third-party cloud storage, or a subcontractor the vendor works with under contract)?
      Tip: The vendor should clearly promise never to sell student data.
    • Does the vendor create a profile of students, other than for the educational purposes specified?
      Tip: When schools share student data under FERPA’s “school official” exception, vendors are not allowed to create a student profile for any reason outside of the authorized educational purpose.
    • When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?
    • Does the product show advertisements to student users?
      Tip: Many states ban ads targeted based on data about students or behavioral ads that are based on tracking a student across the web. Look for a blue triangle i symbol, an industry label indicating that a site allows behaviorally targeted advertising. These are never acceptable for school use. This is particularly important when evaluating non-education-specific sites or services.
    • Does the vendor allow parents to access data it holds about students or enable schools to access data so the school can provide the data to parents in compliance with FERPA?
      Tip: This is one of the criteria the FTC lists as required for a school to be able to provide consent on behalf of a parent.
    • Does the vendor promise that it provides appropriate security for the data it collects?
      Tip: A particularly secure product will specify that it uses encryption when it stores and transmits student information. Encrypting the data adds a critical layer of protection for student information and indicates a higher level of security.
    • Does the vendor claim that it can change its privacy policy without notice at any time?
      Tip: This is a red flag — current FTC rules require that companies provide notice to users when their privacy policies change in a significant or “material” way and companies must obtain new consent from users for collection and use of their data.
    • Does the vendor state that the school is responsible for complying with the Children’s Online Privacy Protection Act (COPPA)?
      Tip: the FTC prohibits vendors from pushing COPPA compliance onto schools.
    • Does the vendor say that if the company is sold, the service to the school or district is terminated?
      Tip: The policy or contract should state that any sale or merger will require the new company to adhere to the same protections.
    • Does the vendor provide notice and indemnify the school or district to take responsibility in the event it or one of its subcontractors experiences a data breach?
      Tip: Some states have laws that require schools to notify parents when student data is breached.

    The information provided here is only a starting point for training teachers to vet any edtech tools they would like to use in the classroom. Educators will need thorough training to learn these terms and concepts, which are most likely new to them, and learn the nuances of the applicable federal legislation.

    Here are more resources for providing edtech privacy vetting training to teachers:

    Note: The following email is designed to be adapted according to your school and/or district policies and practices. Click the image below to download.

    Screenshot of vetting edtech tools email template for educators

    Practice Privacy when Using Edtech with Students

    Selecting safe and approved tools is an important part of protecting student privacy. Teachers also protect student privacy in the choices they make when using these tools.

    Recording Video Classes

    Schools and districts should train educators so they are equipped to protect student privacy before recording video classes. It is permissible for a lesson to be recorded so long as no FERPA-protected student information is disclosed in the recording. Schools and districts should consider creating a process for obtaining parental consent to record video classes if a student’s personal information, including their name, likeness, or voice, is part of the recording, and consider developing guidelines for teachers that specify processes for creating, storing, sharing, and deleting classroom recordings in a secure, privacy-protective manner.

    When an educator reaches out about recording a video classroom, encourage them to:

    • Only record the educator’s portion of the presentation or lesson, without showing students or recording student participants.
    • Be transparent with students and their parents about classroom recordings. Students should be aware that their lessons are recorded, how long these recordings are stored, who has access to the recordings, and what rights students have to opt-out of attending a live recording.
    • Develop rules of engagement for their online classroom and set standards for how students are expected to participate when a class is recorded.

    To find out more about protecting student privacy with video classrooms, see the resources below:

    Talking to Students

    As students increasingly live and learn in digital environments, they must be empowered to recognize the opportunities and risks of being online, as well as their rights and responsibilities in that space. In addition to educators and parents, schools and districts have an important role to play in developing students’ digital citizenship skills and privacy knowledge.

    While school and district leaders work less directly with students on a day-to-day basis, they still have meaningful opportunities to communicate with students. Whether through policy development, presentations at school events, or during one-on-one conversations, leaders should actively engage students in talking about and practicing appropriate online behaviors that protect their privacy and the privacy of their learning communities.

    To include students as active participants in building a culture of privacy, schools and districts should be transparent about data governance and student privacy policies and procedures. This includes transparent communication about any monitoring, filtering, or blocking of online content and activities by the school or district, as well as expectations of appropriate use of technologies by students. In this way, transparent privacy policies and standards that outline when, why, and how students are monitored and how their data and school technologies are used to support student learning bolsters trust. This trust extends to the technologies used by schools and districts; the policies and practices that govern the use of these technologies; and the intent of teachers, schools, and districts in using technologies that keep students safe online and do not leave them feeling under constant surveillance.

    Too often students are excluded from conversations about student privacy. At a minimum, schools and districts should include information about privacy in student rights and responsibilities handbooks or paperwork that may be sent home at the beginning of the year as a way to begin conversations about privacy among educators, parents, and students. However, communications with students should also be designed in a manner that is suitable for each age group. For example, schools and districts may choose to share responsible use of technology policies with elementary school-aged students through animated videos as opposed to a written form. You can find more information on tailoring messaging to the age of a child under the transparency standard of the UK’s Age Appropriate Design Code.

    Elevator Speech for Talking with Students

    You may choose to adapt this short “elevator speech” when talking to your students about how their data may be collected, used, shared, and maintained. Student buy-in is essential in creating a culture of privacy, and schools and districts can empower students by helping them develop skills to effectively manage their own privacy and security.

    Our school/district cares deeply about protecting your privacy. Some of your personal information like your name, age, and grades are needed by the school or district for basic administrative purposes and to help you on your educational journey. We work closely with your parents and teachers to make sure our policies and procedures prioritize safeguarding your personal information. However, you can also play an active role in protecting your own privacy and security by developing your digital citizenship skills and taking proper cybersecurity precautions. This includes learning how to manage your digital identity and reputation; engaging in positive, safe, legal, and ethical behavior online; and being aware of how your data is collected and used.

    To learn more about digital citizenship and cybersecurity for students, refer to the resources below:

    Guiding Questions for Use with Students

    Students may engage in behaviors that place their own privacy or the privacy of others at risk. For instance, students may share screenshots or recordings from online classes on social media without the permission of their teachers and peers. When responding to such incidents, school and district leaders can use the following questions to guide a conversation about the need to respect and protect privacy and security. These questions should be adapted as appropriate based on the student’s age and stage of development.

    • What does privacy mean to you? What about security?
    • Why should you care about privacy and security?
    • How might you or others be put at risk when privacy and security are not respected and protected?
    • What are some steps you can take to protect your own privacy and the privacy of others?

    Responsible Use of Technology Policy

    One way to reduce the likelihood of students engaging in activities that compromise privacy and security is to set common expectations for online activities and behaviors through a responsible or acceptable use of technology policy. Your school or district should solicit input from educators, parents, and students when shaping a responsible use policy to identify shared values and address potential violations.

    The example below was adapted from Montgomery County Public Schools’ Responsible Use of Technology Student Expectations.

    Note: The following form is designed to be adapted according to your school and/or district policies and practices, as well as student age and grade level. Click the image below to download.

    Screenshot of sample responsible use of technology policy for students

    Online Learning: Monitoring Attendance and Student Engagement

    Monitoring student attendance and engagement in person was relatively straightforward through physical observations in traditional classrooms. However, with online or hybrid learning environments where such constant physical observation is not possible, schools, districts, and educators have been seeking innovative solutions to ensure students are present, engaged, and learning. With the adoption of new methods for tracking attendance and engagement, students should be informed of the school’s or district’s policies and be provided an opportunity to ask questions and request alternative strategies.

    Note: The following notice is designed to be adapted according to your school and/or district policies and practices, as well as student age and grade level. Click the image below to download.

    Screenshot of monitoring attendance and engagement online sample notice for students

    Conclusion

    The shift to online learning due to the COVID-19 pandemic has spotlighted the prevalence of student data collection, use, sharing, and maintenance, and the need to adopt ethical and equitable practices to properly safeguard student privacy.

     

    Schools and districts are critical to the establishment of robust data governance programs and policies that protect student privacy. For those programs and policies to be most effective, schools and districts must also clearly and effectively communicate to their stakeholders – educators, parents, and students – the value of student data to better support students. Communicating that value and the associated policies and procedures to protect student data encourages prioritization of student privacy, better protection of student data, and the creation of a community-based culture of privacy.

    We hope this toolkit provides a useful starting point as your school or district seeks to actively engage your school community to build trust and establish a culture of privacy in which each stakeholder is trained and motivated to protect student privacy in their particular role.

    We encourage you to regularly visit our site (www.StudentPrivacyCompass.org) for additional updates, resources, analyses, and professional development materials. You can also follow us on Twitter (@SPrivacyCompass) for real-time updates on our work and reach out to us with questions at this link: https://studentprivacycompass.org/contact-us/.

    Additional Resources

    FPF thanks the following individuals and their respective organizations for contributing their time, insight, and work in providing feedback on the information in this toolkit:

    • Fagen Friedman & Fulfrost, LLP
    • Data Quality Campaign
    • Student Data Privacy Consortium
    • Susan Bearden, Chief Innovation Officer, Consortium for School Networking (CoSN)
    • Andrea Tejedor, Assistant Superintendent for Curriculum, Instruction & Technology, Highland Falls-Fort Montgomery Central School District (NY)
    • Sharon Thomas, Associate General Counsel I, Los Angeles Unified School District (CA)
    • Julie Tonsing-Meyer, Associate Professor of Education, McKendree University (IL)