Digital Learning Program Development

Policies and Laws


Local Policies

Districts are required, both by law and by good practice, to have a few policies in place that are reviewed yearly: a directory information policy, an applications policy, a photography policy, a social media policy, and an acceptable/responsible use policy. Districts may choose to have other policies and regulations at the discretion of the Board, and there are other policies around purchasing and contracting that we will discuss later in the course that aren’t included in this list. The directory information policy is part of FERPA (below) and the applications policy is part of COPPA (below). Typically a parent and student will be asked to consent to all of these policies at one time, and have the option to opt-out. Increasingly in most district, opt-out requires a conference with the parent to understand the reason behind the request so that reasonable accommodations can be made. On average, less than 1% of students in any given LEA opt out. It is acceptable to disallow opt-outs for state-required functions such as testing.

Photography/Media Policy

The photography policy explains how student photography and names will be used for school media purposes. Some districts, for example, only use the backs of students heads or the first name and last initial. Others do not. In general, you should have a policy and do what the policy says. Your policy should also note that it only applies to official school photographs, and not photographs taken by students or parents in public spaces.

Social Media Policies

Social media policies are still an emerging field of study for legal researchers. There are no “right” answers nor commonly accepted answers and the tolerance for interaction on social media varies greatly between communities and is subject to sensationalism. A policy that is responsive to the community and strictly enforced is always good guidance. As a rule, I always encourage policies that address behaviors and not medium - defining appropriate behavior in any context will promote consistency in all contexts.

Social media policies for employees such as the one linked from New York City and this one address how teachers may interact with students and engage professionally online. Some districts require the creation of a separate social media account and a “fan page” to interact with students and parents while others may forbid it altogether.

Schools also need to consider how they will be involved with student activities outside of school. How will schools handle cyberbullying and threats made outside of school in school. The legal guidance on this is still sketchy, and many school districts are inconsistent. Schools should address this as a part of their digital citizenship curriculum and in their code of conduct.

School CTOs should be especially careful with regard to student “sexting”. In some localities, districts are choosing to prosecute both the sender and receiver of such a message, charging them with making or consuming child pornography. This can place both minors on a sex offender registry for life. Schools need to educate students as to these dangers. In addition, schools should coordinate with their legal counsel and local district attorney to create a response plan. A teacher who knowingly confiscates a phone with such a message may be placing themselves in legal jeopardy as well, so it is critical that all staff are educated as to the appropriate way to respond to such issues.

Acceptable/Responsible Use Policies

An Acceptable Use Policy defines which behaviors are acceptable for the use of school technology. In addition to the federally mandated elements that need to be included from CIPA, schools should include expectations for professional conduct on the network, how personal devices may be connected, and consequences for actions. Here are a few sample Acceptable Use Policies (click each word).

Increasingly, AUPs have been shifting to become “Responsible Use Policies”, or RUPs. An RUP differs from an AUP in that it is framed more positively, less as a legalese “list of things you can’t do” and more as a student-friendly “here’s what we expect from you”. Responsible use policies are still new and tend to be melded with AUPs, but here is a sample of one.

CoSN has put together a guide for responsible use policies.

State Laws

North Carolina Public Records Law

Any “record made or received in the transaction of public business” is considered a public record in North Carolina. This includes all paper and electronic records. LEAs are responsible for making best-effort attempts to store all public records (such as archiving emails), but employees are also responsible for saving any paper records that are applicable. Messages with short-term value (such as “meeting today at 10AM”) are not subject to public records laws once their value has elapsed, and personal communications made via school-owned accounts are also not subject to public records laws (however, the reverse is true - an eligible public record sent via a personal account is still subject to public records laws). Personnel records (except for name, title, and salary) and FERPA protected records are also not eligible to be disclosed, except in certain circumstances. Any person has the right to request public records and are entitled to receive them at minimal cost “in any and all media in which the agency is capable of providing them. No request for copies of public records in a particular medium shall be denied on the grounds that the custodian has made or prefers to make the public records available in another medium.” Public records are also required to be furnished as “promptly as possible”. A requestor does not have the right to ask for an analysis of records (for example, turning over all salary data is an acceptable response to “a list of every employee making over $50,000). Typically in a records request scenario, a records custodian will pull and review all applicable records, redact any data that are ineligible for release, and release the record. Even text messages are subject to public records laws.

Records must be saved, archived, and discarded according to the General Retention Schedule which is administered by the State Archives of North Carolina. This schedule must be adopted by the local school board each time it changes. The Department of Public Instruction also produces a schedule in partnership with the State Archives for programmatic data.

GS 115C-401.2.

NC General Statue 115C-401.2 (also known as “Article 29”) dictates what can be done with student data online. For example, sites cannot use student data to market to them, create student data profiles, or sell student information. The law also has security provisions for how operators may store data.

Federal Laws

There are four federal laws that all technology directors should be very familiar with: FERPA, COPPA, CIPA, PPRA, and IDEA. Much of the content of these policies needs to be considered when using third party apps. The license agreements in most software packages aren’t often read, but can have significant legal implications for school districts. License agreements are contracts, and only the School Board may legally sign a contract on behalf of the District, though they may delegate that authority for certain situations. Therefore, when you as a CTO or a Principal adopt a software package, you are entering in to a legally binding agreement and are subject to all Federal privacy laws.

FERPA: Federal Education Rights Privacy Act

The Federal Education Rights Privacy Act (FERPA) protects the privacy and ensures parental access to student records. Under FERPA, a school may not disclose records to any third party except those meeting a specific list of qualifications, detailed in the link above (see also FERPA policy guidance) without parental consent (or student consent if they are over 18). Parents and eligible students (those over 18) also have rights to inspect any records maintained by a school and to request changes and corrections as appropriate. Schools are required to adopt policies specifying which information is considered “directory information” under FERPA and to advise families of this policy yearly. Directory information for a student may be released without consent unless they opt out (for example, the NC State directory will list your name, address, major, and phone number unless you add a Privacy Block - these items are considered directory information under NC State policy).

When selecting educational tools, school personnel need to ask vendors what data they are collecting from students and how it intends to be used. Vendors do not violate FERPA, schools do by providing vendors with data to use in a way that is a FERPA violation. The provisions are usually in the contract or a data processing amendment. For example, Google enters the following text into their license agreement for GSuite for Education:

The parties acknowledge that (a) Customer Data may include personally identifiable information from education records that are subject to FERPA (“FERPA Records”); and (b) to the extent that Customer Data includes FERPA Records, Google will be considered a “School Official” (as that term is used in FERPA and its implementing regulations) and will comply with FERPA.

This text means that the school delegates legal authority to Google to host and maintain student records (i.e. homework assignments and grades in Google Classroom) and Google has an extra data processing agreement limiting the use of this data. Because this is part of the GSuite for Education license agreement, it only applies for GSuite for Education accounts. Therefore, a school or teacher using a personal Google account or requiring students to do so would be in violation of FERPA privacy laws if they transmitted or stored any student information via that account.

Many people are, for example, looking at using tools such as Amazon Alexa in the classroom. Because there is no FERPA clause in the Alexa license agreement, the prevailing thinking currently is that using Alexa in the classroom is illegal.

COPPA: Children’s Online Privacy Protection Act

COPPA guidance exists primary as public rules within the Federal Trade Commission. COPPA requires sites that collect and store personal data for children under age 13 to disclose the data they collect and to require consent from parents before signing up (hence why sites like Facebook have a blanket “prohibition” against children under 13). COPPA does allow schools to act as an agent of the parent and provide consent on the student’s behalf. However, schools are required to obtain parental consent and publish notice that they will be allowing use of websites (this can be blanket opt-in consent). School are also responsible for ensuring that applications delete data when it is no longer needed and that they are in compliance with FERPA.

CIPA: Children’s Internet Protection Act

The Children’s Internet Protection Act (CIPA) requires compliance by any school receiving E-Rate funding (will be discussed later in the course, but just about every public school does). To comply with CIPA, all schools must include in their Internet safety policies that student activities will be monitored and schools must teach digital citizenship. Schools are also required to “block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors)”.

The “harmful to minors” component is a very delicate line that schools must walk. As public entities, public schools are not allowed to filter information in a way that violates a student’s first amendment right or would otherwise be considered government censorship. The American Civil Liberties Union successfully sued to North Carolina school districts in the mid-2000s over their filtering policies. One district was filtering information about Islam but not about Christianity. The other was restricting a student from accessing information about LGBTQ+-friendly mental health resources. The ACLU published a report in 2012 on other efforts and software companies in the intervening time have made efforts to allow more granular filtering. A general rule of thumb is “don’t filter more than necessary” and where possible use role-based filters that can filter more conservatively for younger students.

CIPA also requires schools to adopt a policy containing the following. The content of the policy isn’t mandated Federally, just that the policy exists and is followed:

  • “Access by minors to inappropriate matter on the Internet;
  • The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications;
  • Unauthorized access, including so-called “hacking,” and other unlawful activities by minors online;
  • Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
  • Measures restricting minors’ access to materials harmful to them.”

PPRA: Protection of Pupil Rights Amendment

The PPRA protects the privacy of student data and requires parental consent prior to the administration of any Department of Education funded survey. Parents may provide blanket consent as a part of a policy manual signature page, but this is not always a good practice depending on the survey.

IDEA: Individuals with Disabilities Education Act

IDEA provides the legal background for all Federally-funded special education services and sets guidelines for state-funded services. IDEA rules include and reference FERPA, but contain additional restrictions to data sharing to protect the nature of a student’s disability and because students outside of the traditional public schools will receive services under IDEA.

HIPAA: Health Insurance Portability and Accountability Act

The HIPPA act, passed in 1996, contains numerous provisions about medical records and patient privacy. Even in nursing and special education contexts, HIPAA’s privacy regulations do not apply in schools. This is largely because special education services such as psychology, speech, occupational and physical therapy are provided to promote student access to the educational environment. Therefore, these records are educational records and not medical records. Privacy for these records is ensured under FERPA as a result. The same thinking applies to student medications - that it is part of the student’s educational record.

COVID-19 and Digital Policy

In the wake of COVID-19, and the significant increase in both the frequency and variety of educational technology tools used, schools are struggling to protect student data and to enact policies to vet digital resources prior to use (which we will cover in greater detail in future units). This will likely lead to additional policy levers in the future to protect student data.

New Data Sharing policy

In response to Article 29, FERPA, the increases in tools in use from COVID, and the fact that nearly 80% of cybersecurity breaches start with third party providers the Department of Public Instruction has released new data sharing guidelines for K-12 schools. Schools have had to increase vetting of digital resources for cybersecurity. We will discuss this more in later units.