Cybersecurity

California AG issues recommendations to edtech vendors, cites student privacy as top priority

Attorney General Kamala D. Harris issued comprehensive recommendations to edtech vendors on how to protect student privacy.

By Corinne Lestch

November 11, 2016

California’s attorney general has released recommendations to edtech companies to protect student privacy and minimize data breaches in a new report obtained by EdScoop.

Attorney General Kamala D. Harris said that student privacy is one of her top priorities, as well as ensuring that kids are safe from third-party vendors that may inappropriately collect or use personally identifiable information. The recommendations were contained in a just-released report, “Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data.”

“Organizations that make use of student data must take every
step possible to be transparent with parents and schools and
to protect student privacy,” she wrote in a letter. “As the devices we use each day
become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.”

Harris said the recommendations build upon two major California laws enacted in 2014. The first, known as the Education Agency Contracts, applies to local school districts and charter schools and requires that certain terms be included in vendor contracts for services and software that store or collect student data. Student records must be the property of the local education agency, not the vendor, and parents can review their children’s information to ensure it is correct.

The second state law is the Student Online Personal Information Privacy Act (SOPIPA), a law that has garnered nationwide attention for its strict procedures and obligations for edtech companies. This law is geared towards online operators and other services, rather than schools, that create apps and other digital tools are designed and used for K-12 school purposes.

While the report, and the recommendations, are not legally binding, Harris said they are a marker of how seriously the state takes this issue and part of an effort to encourage best practices among edtech vendors.

“These recommendations are intended to encourage companies whose Ed
Tech products enter the physical or virtual classroom to model the good digital citizenship
that our students are being taught by protecting their personal information and using it only
for school purposes,” according to the report.

Among the recommendations listed in the report:

Describe the data that is being collected from schools, districts, teachers, parents and students, and how it is being collected, whether from a student’s technology; content provided by a student; or content provided by a district, school, teacher or other educator. Unique identifiers include, but are not limited to, cookies, device IDs, IP addresses and others.
Collect only student information necessary to accomplish school purposes.
Directing students to any links to external non-edtech or school-related sites or services should be disclosed in the vendor’s privacy policy.
Retain student information only for as long as allowed or required by the school or district.
If vendors use student information to improve their product, aggregate or de-identify the data first.
Describe the types of third parties that may be privy to student data that is disclosed through a site.
Develop a systematic process for notifying schools, districts, parents, students and government agencies about any breach of student information.
Implement a training program to ensure that employees understand the privacy policies and procedures, including ones on data breach notifications.
Consider engaging with users to test the privacy policy’s terms, and how comprehensive they are. Modify the policy to reflect feedback from various stakeholders, including parents, educators and eligible students.