Facilitating District-Vendor Relations and Protecting Student Data/Privacy
The following question was posed on an email list:
If a school and/or a teacher wanted to create a website or portal that would allow students to login and take online classes, yet had to host the site through a third party hosting company, would they be in violation of the Children's Online Privacy Protection Act (COPPA) in the US for transferring student personal information?
Why not draft a letter to the website/portal provider that requires them to guarantee that they will maintain the data confidential? That would address the requirements. This is the same kind of agreement entered into by school districts and businesses that have to share data (e.g. student information systems).
As to a teacher doing it, the teacher should still seek District permission before hosting anything outside of the District's control. I would request a district technologist provide oversight to make sure the teacher has considered all the possible problems and developed a plan to address those issues. Below are two sample letters--note that I did not write them but have used them for several projects--that you can use. One is from your district to the vendor, while the second is from the vendor to the superintendent.
Letter to Vendor from Superintendent:
As an authorized agent of the board of trustees for SCHOOL DISTRICT NAME, I authorize release of all current school district data to the VENDOR NAME. VENDORNAME warrants that the confidentiality of data from the school district will be maintained according to all Federal and State laws, and any local policies that are communicated to the responsible parties. VENDORNAME will act as an agent and representative for the school district in the translation, import, and/or use of data. Access to personally identifiable data will not be allowed for anyone other than the staff and sub-contractors directly responsible for the translation, import, and/or use of the data.
Data will be provided only to persons or entities authorized by the school district. The data will be physically stored and backed up on servers located at VENDORNAME'S subcontractor's offices or on servers located at Internet Service provider secured sites. If the agreement between SCHOOL DISTRICT and VENDORNAME is terminated, data will be copied to storage media and returned to the district or destroyed upon the request of the District. No backup or other copies of the data will be maintained by VENDORNAME or its sub-contractors.
Letter from Vendor to Superintendent
VENDORNAME warrants the confidentiality of student data received from the SCHOOL DISTRICT will be maintained according to all federal and Texas laws, and according to any local policies provided that such local policies are communicated to VENDOR NAME Chief Technology Officer by SCHOOL DISTRICT in written or electronic form.
VENDORNAME will act as SCHOOL DISTRICT'S agent and representative in the translation, import, and/or analysis of certain student data. Access to personally identifiable student data will not be granted to anyone other than persons or entities authorized by SCHOOL DISTRICT representatives and VENDORNAME staff and contractors directly responsible for the translation, import, and/or analysis of the data. VENDORNAME will only use student data received from SCHOOL DISTRICT according to the terms of our agreements or addenda.
The student data received from SCHOOL DISTRICT will be physically stored and backed up on servers located at a secure site.
When the project ends, student data received from SCHOOL DISTRICT will be copied to storage media and delivered to SCHOOL DISTRICT or destroyed upon SCHOOL DISTRICT'S request. No backup or other copies will be maintained by VENDORNAME.
Please call either the Chief Technology Officer or I at your convenience with any questions. We look forward to working with SCHOOL DISTRICT.
CHIEF EXECUTIVE OFFICER, VENDORNAME
Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure