SIIA and its member companies are committed to advancing the effective use of technology in education and to safeguarding student information privacy and ensuring data security. As part of this effort, SIIA today offered a series of industry best practices for providers of school services.
SIIA and our member companies are committed to safeguarding student information privacy and ensuring data security in schools. Education technology is increasingly vital to making certain our students get a world class education, and our nation can compete in the global economy.
We are stepping forward with a series of best practices that will help protect student data and allow technology providers to continue to offer effective, leading-edge education solutions. These best practices are offered as part of our ongoing effort to create a trust framework between families, educational institutions and their service providers.
Schools use technologies to collect and manage student information in ways increasingly important to a school’s enterprise management and to student learning, and do so in partnership with school service providers with expertise in data management and security, learning analytics and instructional design. A significant network of laws and business practices now govern the use and sharing of student information.
With the goal of supplementing existing efforts, SIIA released the following Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services. These privacy and security best practices are intended as guidance for providers of educational services to educational institutions to the extent that they collect, disseminate, use or maintain personally identifiable information about students (student PII). These best practices can be used to inform the contracts that govern the relationship between providers of educational services and the educational institutions – school districts and schools – for which they work.
- Educational Purpose: School service providers collect, use, or share student PII only for educational and related purposes for which they were engaged or directed by the educational institution, in accordance with applicable state and federal laws.
- Transparency: School service providers disclose in contracts and/or privacy policies what types of student PII are collected directly from students, and for what purposes this information is used or shared with third parties.
- Authorization: School service providers collect, use, or share student PII only in accordance with the provisions of their privacy policies and contracts with the educational institutions they serve, or with the consent of students or parents as authorized by law, or as otherwise directed by the educational institution or required by law.
- Security: School service providers have in place security policies and procedures reasonably designed to protect personal student information against risks such as unauthorized access or use, or unintended or inappropriate destruction, modification, or disclosure.
- Data Breach Notification: School service providers have in place reasonable policies and procedures in the case of actual data breaches, including procedures to both notify educational institutions, and as appropriate, to coordinate with educational institutions to support their notification of affected individuals, students and families when there is a substantial risk of harm from the breach or a legal duty to provide notification.
Mark Schneiderman is Senior Director of Education Policy at SIIA.