PSBA 2022 January/February Bulletin - Page 48

it’s the law
School districts must remain ever vigilant in maintaining and securing student information.

“Student Information” or “Personally Identifiable Information” should be defined at least as broadly as stated in FERPA.
• The agreement should expressly prohibit the use of any data for marketing or advertising to students and parents, or conversely state that the data may not be used for any purpose other than the specific purposes outlined in the agreement.
• The agreement should indicate that the provider will only access or collect data necessary to fulfill its duties under the agreement.
• The agreement should state that the provider will only use data necessary to fulfill its duties and provide services under the agreement.
• The agreement should prohibit data mining for any purpose other than as agreed to.
• The agreement should outline whether or not such information may be shared with others. Either the agreement should state that data cannot be shared with any additional parties without prior written consent or should state with whom such information can be shared (i.e., subcontractors) and what must be done to do so (i.e., that such third persons will be identified and that they shall be subject to the terms of the agreement).
• The agreement should provide that when the data is no longer needed for the stated contractual purpose, the contractor will ensure that the data in its possession (or that of its agents or subcontractors) is properly returned or destroyed under the school district’s direction.
• The agreement should indicate that the agreement does not provide the contractor with any rights to the data, except as expressly stated. The agreement should state that all rights (including intellectual property rights) to the data shall remain the sole property of the school district and that the provider has a limited, nonexclusive license solely for the purpose of performing its obligations outlined in the agreement.
• The agreement should grant the school district access to any data in the possession of the provider upon request.
• The agreement should indicate that the provider will store and process the data in accordance with industry best practices, including safeguards to secure data from unauthorized access, disclosure and use.
• The agreement should require the provider to self-audit periodically and have a written incident response plan that includes prompt notification of the school district in the event of a security incident and best practices for responding to a breach.
See https://studentprivacy.ed.gov/resources/protecting-student-privacy-while-using-online-educational-services-model-terms-service
Notably, industry sources (Software & Information Industry Association and Future of Privacy Forum) have created a “Student Privacy Pledge” which has been updated and circulated for several years now and has been adopted by companies providing educational technology to schools. See https://studentprivacypledge.org/privacy-pledge-2-0. In addition to noting a concern for safeguarding student privacy, the document expresses industry best practices compliant with the legal standards discussed above. In particular, the pledge invokes several positive commitments and commitments not to engage in certain conduct. In a nutshell, the vendor agrees not to:
• Collect, maintain, use or share student information beyond that needed for the authorized educational/school purposes, or as authorized by the school entity or the parent/student.