As school districts continue to rely on online curriculum during the pandemic, they can take steps to ensure that educators can use these critical tools while maintaining student confidentiality and security.

When online educational technology tools came into the mainstream, it took educational institutions (and their lawyers) time to find the right balance between allowing educators to use these tools while also making sure that security and privacy concerns were addressed. Districts needed to ensure that the best technological resources were being used, that data was being collected and shared for meaningful purposes, and that the information was being kept safe, secure, and private.

Further, schools needed to develop clear lines of communication with students, parents, and the public about the use of data and technology. The key was to ensure that educators had the ability and flexibility to use technology and information-sharing to improve educational experiences and outcomes while also ensuring that student privacy was safeguarded.

Attaining this balance was, in some instances, impeded by the fact that student confidentiality laws were all written prior to the development of online educational curriculum tools.

When the pandemic hit, and educational institutions were forced to close and move students to remote learning programs, there was once again the scramble to access technology resources with limited time to address the real privacy and security concerns that arose.

Districts need to know which online curriculum vendors are collecting personal student information at the outset and in which applications or programs students are generating student records. This is important for several reasons:

• Many state data privacy laws require that districts track and, in some cases, post all the vendors with which the district shares personal student information.
•  The federal Family Educational Rights and Privacy Act (FERPA) and many state student records laws require districts to exert direct control over a vendor with respect to the sharing of educational records.
• A district has legal obligations to allow parents to review educational records.

An important note is that determining when and with whom a district is sharing data and which vendor relationships implicate both federal and state privacy and data sharing laws may be easier said than done.

However, determining all the online resources being used by teachers in the classroom can be more of a challenge. Once you compile a list, it gets further complicated by the need to assess which of these online programs implicate student data and privacy issues. Consider these two examples:

Program A provides videos for kindergarten students about the alphabet, which the teacher signs up for using her district email account.

Program B is a third-grade math program, and each student has an individual account that the teacher set up by providing a student’s name, grade level, and past math scores.

As is clear, a district does not share any personal information with the vendor for Program A whereas student data is both shared and generated through Program B. The data implications of Program A and B are clear, but determining which category each program falls requires administrators to know which programs are being used and understand the nature of each of them.

Here are some steps to take to ensure a district knows how and when it is sharing data with online curriculum vendors and to remain legally compliant:

1. Make sure the curriculum and instruction administrators are working with the technology director.

When administrators who oversee the development of curriculum and instruction are reviewing online curriculum programs and determining which to purchase for use, it is essential that their efforts include a review by the technology director to assess whether the vendor has proper security protocols in place to ensure the safety of student data being shared or generated, and to develop a data privacy agreement (DPA) with the vendor.

2. Use DPAs to ensure legal compliance with data security and privacy laws.

Many state laws require that—any time student data is shared with an online curriculum vendor—the district enter into a DPA that sets forth what data is being shared, how the vendor can use the data, restrictions on the disclosure of data, security and breach protocols, and return or destruction of student data when the contract is completed.

3. Make sure you have a policy or practice on who can enter into a contract with an online curriculum vendor and a process for getting online applications approved.

Many of us are familiar with clickwrap agreements—agreements we sign online to use an online service by clicking a button confirming that we understand the terms and hitting “Agree.” Many online educational curriculum vendors use clickwrap agreements, and teachers enter into these contracts in order to gain access to applications to use in the classroom.

Educational institutions should have a clear policy on who has the authority to sign a contract with an online vendor and train its educators on this policy.

Further, districts should set up a clear process by which an educator can get an online curriculum application or program approved.

Within each of these steps are nuances and complications. Even in this unprecedented time, we cannot lose sight of the importance of long-term security and privacy for our students and their data.

Nicki Bazer (nbb@franczek.com) is the co-chair of the Education Law Practice Group at Franczek P.C.