5 Best Practices for Safeguarding Student Data
In response to ongoing calls for increasing the safety of student data in the hands of technology vendors, the Software & Information Industry Association has issued a set of best practices for education technology vendors to follow.
The purpose of the best practices, according to the SIIA, is to protect student data while also allowing vendors to deliver effective technologies to schools. The recommendations focus specifically on personally identifiable information and do not touch on the use of anonymous or aggregated student data by vendors.
"SIIA and our member companies are committed to safeguarding student information privacy and ensuring data security in schools," said Mark Schneiderman, SIIA's senior director of education policy, in a prepared statement. "Education technology is increasingly vital to making certain our students get a world class education, and our nation can compete in the global economy. We are stepping forward with a series of best practices that will help protect student data and allow technology providers to continue to offer effective, leading-edge education solutions. These best practices are offered as part of our ongoing effort to create a trust framework between families, educational institutions and their service providers."
The best practices include:
- Personally identifiable student data must be used only for "educational and related purposes for which they were engaged or directed by the educational institution, in accordance with applicable state and federal laws."
- Service providers should disclose which pieces of information are collected and for what purpose the data will be used or shared.
- Vendors should "collect, use or share student [personally identifiable information] only in accordance with the provisions of their privacy policies and contracts with the educational institutions they serve, or with the consent of students or parents as authorized by law, or as otherwise directed by the educational institution or required by law."
- Vendors should secure student data with policies and procedures that are "reasonably designed to protect personal student information against risks such as unauthorized access or use, or unintended or inappropriate destruction, modification or disclosure."
- And in the event of a breach, providers should have in place "reasonable policies and procedures" to notify schools "and as appropriate, to coordinate with educational institutions to support their notification of affected individuals, students and families when there is a substantial risk of harm from the breach or a legal duty to provide notification."
Additional details can be found on the SIIA's education policy portal.