As session wraps up in many state legislatures, new student data privacy bills have become law. For those of us in the education technology space, protecting student data is a mandate we take seriously.
Two major forces have propelled this trend: California passed the SOPIPA bill two years ago and ACLU recently released a model student data privacy bill. According to EPIC, states recently introduced 36 student data privacy bills during this year alone. Colorado, North Carolina, and Connecticut all passed new student data privacy laws.
These state laws vary but have several key components in common. Below are five tips to help application developers get privacy right early on. Implementing this list won’t ensure a software application is in compliance with the various state laws, but it’s a great place to start.
This shouldn’t feel like some inconvenient box to check – it should embody the philosophy of your company and demonstrate how you follow the federal and state laws. Check out ours if you need help.
2. No selling, renting, or sharing student information without permission or a legal reason.
Yeah, don’t do that. Many states explicitly prohibit targeted advertising for all students. Plus, these are young people; their data is particularly vulnerable, and they cannot protect themselves well.
The good news? Most states allow student data to be used within the product – for personalized learning, to make recommendations based on student performance, or to improve the product itself.
3. Design security, privacy, and confidentiality structures.
Define a clear system for ensuring the security, privacy, and confidentiality of the data you collect – and communicate those decisions clearly. The requirements for what this looks like vary from state to state. Clever accomplishes this through a white paper that details our security measures.
4. Provide an easy way to update and delete student personal information.
You must have an easy method to update and delete the data upon request. Most states, including Washington and Connecticut, require that data be deleted within a “reasonable” timeframe. Clever is committed to deleting within 10 days. It’s a best practice – and a requirement in some states – to notify the person or education entity after the data has been deleted or updated.
5. Notify of a breach in a timely manner.
Be prepared for any scenario. Specifically, have a plan for how and when you will notify your education partners after a breach. Some states set explicit timeframes. For example, Connecticut law says users must be notified within a reasonable time frame, which also cannot exceed 30 days.
Keeping it up
If you follow best practices for student data privacy, you should be in compliance with these new state laws, but it’s always best to double check how your company handles data privacy. To learn more about best practices, take a look at Clever’s lead security engineer’s article on our “privacy by design” process that makes sure privacy is always at the forefront of our product.