Administrative Requirements

BackgroundThe Purpose of the DocumentSchool District SystemsAdministrative RequirementsAppendix

Background
The School District of Philadelphia Policy No. 216 STUDENT RECORDS defines the legal parameters by which student data can be collected, shared and utilized. In addition, the District must further adhere to Policy No. 815 ACCEPTABLE USE OF INTERNET, COMPUTERS AND NETWORK RESOURCES, and Policy No. 815.1 INTERNET AND MEDIA PRESENCE, that further defines the rights and responsibilities of employees, associates, students and parents, when using technology resources, systems, services and data.

The Purpose of the Document
1) To provide clarity between a District-wide sanctioned foundational online system and the growing world of third party websites, applications, services and programs; and

2) To provide administrative requirements that ensure each employee is compliant with the District’s SRC polices noted above and ensure that student data is secure and private when used within third party online systems.

The District understands that there is a growing list of terms that reference the world of online access. For example, online tools can be referred to as websites, computer applications, downloadable apps, online services and programs. While each term can have a distinct meaning, for the purpose of this document, we will use ‘websites, computer applications, and online services’ to cover everything.

School District Systems

The School District provides access to District-wide sanctioned online systems, which must be used to perform key business or educational functions in all District schools and offices. An example would be the Student Information System (SIS), which is used to collect enrollment data, or the EasyIEP System, which is used to collect Special Education Data on our students. All sanctioned online systems have a formal contract to guarantee the privacy and security of student data. The School District has published an official list of District sanctioned foundational systems at:

http://www/philasd.org/studentdataprivacy

Guidance for selecting third party websites, computer applications, and online services
The District does understand that schools want to utilize the growing world of third party websites, computer applications, and online services as part of classroom instruction. While many of these online services enhance classroom learning, schools MUST be aware of the risks and responsibilities associated with using these tools with your students. The purpose of these administrative requirements is to ensure student data privacy and security when using any third-party website, online service or computer application.

Any system or service not vetted and sanctioned by the administration of the School District must be evaluated at the school level for its adherence to student data privacy and security and relevance to meet instructional goals.

Below represents the key administrative requirements to guide the selection of websites, computer applications and online resources: 

1) The School District’s Internet content filtering system blocks thousands of websites containing obscene, inappropriate or harmful material. However, filtering systems do not ensure student data privacy and security. Users who decide to utilize websites must first consider the safety and privacy of student data collected by the web site, online service or computer application.

2) Users considering the use of a web site, online service or computer application must first review and become familiar with the requirements of applicable state and federal Laws, such as FERPA, COPPA and HIPAA.

A. FERPA, The Family Educational Rights and Privacy Act mandates that all student records are to be kept private and information gleaned from such records can only be used by authorized staff to engage in activities to benefit the student. FERPA defines “education record” as essentially, any document maintained by the School District, which includes personally identifiable information about a student, including but not limited to: contact information, grades or evaluations, disciplinary records or health information. The School District must keep education records private. Parents and guardians always have the right to inspect and request changes to education records. Under FERPA the following documents are not considered education records: sole possession (i.e., the teacher’s own) documents; law enforcement unit records; student employee records; and certain health-related records of post-secondary students.

A1. FERPA authorizes the release of certain student information defined as directory information, see below. Everything else regarding a student is, by law, private. School District Policy No. 216 states:

Directory information includes, but is not limited to, the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status; dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received; and the most recent educational agency or institution attended.

A2. When Directory Information can be used:

You may release directory information to create accounts in web sites, online services or computer applications to be used for academic enrichment, practice or remediation. However, educators must ensure all data privacy laws are followed.

Please note that parents can opt-out of the release of directory information. In these situations, the teacher cannot create an account for instructional activities in any web site, online service or computer application. Schools can record the parental opt-out of directory information in the Student Information System (SIS). Schools then must ensure that teachers are aware of students who have opted-out of the release of directory information.

Parents cannot opt-out of the use of sanctioned foundational systems listed on http://philasd.org/privacy.

B. COPPA, The Children’s Online Privacy Protection Act, defines the rules around which websites and service providers may collect information from children under the age of 13. This includes explicit parental consent, how to verify such consent, and what must be included in a website’s privacy policy.

B1. Some websites, online services or computer applications have age restrictions. If students are too young, use of the service would violate the provider’s terms of use, and therefore also violate the School District’s Acceptable Use Policy.

B2. Many websites, online services or computer applications stipulate in their terms of use or license agreement that users under a specific age must have parental consent before using them. The District or individual schools may consent on the behalf of students under 13 years of age for educational purposes only, if the resource satisfies all other data security and privacy requirements.

C. HIPPA, The Health Insurance Portability and Accountability Act, among other purposes, protects the confidentiality and security of healthcare information.

C1. Schools may not enter student health information or records into a non-sanctioned District System.

3) Web sites, online services and computer applications sometimes engage in an activity known as “data mining” – the act of collecting usage and demographic information from users. Schools must never use websites, online services and computer applications that collect personally identifiable information to aggregate for any purpose (i.e. research, sales or advertising).

4) In some cases, service providers will require that all users accept the terms of an End-User License Agreement (“EULA”) in order to use the web site, online service, or computer application. When the service provider requires this, teachers and administrators must carefully review these terms and consider whether or not these EULA terms conflict with applicable laws, including FERPA, or School District policies. When in doubt, educators must consult with administrators. If needed, administrators can consult with the Office of General Counsel before accepting the EULA terms in question, by sending an email to studentdataprivacy@philasd.org.

5) When used by public school districts, some application publishers require the signing of a Memorandum of Understanding (MOU) or service agreement or contract between the publisher and the School District. If a web site, online service, or computer application states that the provider requires a MOU, then teachers and administrators must not use that service or application until an MOU has been executed. The Office of General Counsel (email: studentdataprivacy@philasd.org) can provide necessary information about existing contracts, MOUs or other agreements executed by the School District, and if needed, create an MOU.

6) If a web site, online service or computer application collects achievement or behavioral data that contributes to a student’s permanent academic record, then a Memorandum of Understanding, Service Agreement or contract is required and teachers and administrators must not use that service or application until an MOU has been executed. The Office of General Counsel (email: studentdataprivacy@philasd.org) can provide necessary information about existing contracts, MOUs or other agreements executed by the School District, and if needed, create an MOU.

The School District has provided a rubric to assist educators in the evaluation of websites, online services or computer applications, which compiles all of the needed evaluation criteria to guide educators through the vetting process. The completion of this rubric is mandatory to ensure proper vetting before using websites, online services and computer applications that require an account with students.

The District understands the complexity associated with the evaluation of websites, online services and computer applications. In the interest of providing schools with the ability to be innovative and bring engaging tools into the classroom the above requirements are designed to empower educators and keep student data secure and private. Administrative or disciplinary action will be considered for failure to follow these Requirements.

Appendix
The U.S. Department of Education’s Privacy Technical Assistance Center (http://ptac.ed.gov) provides guidelines to teachers and administrators about the use of websites and online resources that require the acceptance of license agreements to begin using them (often called “Click-Wrap” or “Click-Through” agreements). To learn more, please review the following website: http://ptac.ed.gov/sites/default/files/Student%20Privacy%20and%20Online%20Educational%20Services%20%28February%202014%29.pdf

The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA) provide a “Student Data Privacy Pledge” to hold school service providers accountable to student data privacy in the collection, maintenance and use of student personal information. To learn more about the “Student Data Privacy Pledge,” please review the following website: http://studentprivacypledge.org

The Consortium for School Networking (CoSN) provides “The Protecting Privacy in Connected Learning toolkit” to help educators and families navigate federal student privacy laws, including FERPA, COPPA, HIPPA and other privacy issues, when selecting appropriate educational websites, computer applications, and online services. To learn more about CoSN and their work around protecting privacy, please review the following website: http://www.cosn.org/focus-areas/leadership-vision/protecting-privacy

The Data Quality Campaign, CoSN and a diverse coalition of national education organizations provide 10 Student Data Principles to help educators and families make decisions when choosing learning solutions. To learn more about the Student Data Principles, please review the following website: http://studentdataprinciples.org

Common Sense Media’s Privacy and Internet Safety Parent Concern page provides answers to parents’ most popular questions relating to their children’s privacy and safety online. To learn more about Common Sense Media and their work privacy, safety and digital citizenship, please review the following website: https://www.commonsensemedia.org