The Software & Information Industry Association (SIIA) has announced a series of industry best practices for providers of school services.
With the goal of supplementing existing efforts, SIIA released the following Best Practices for the Safeguarding of Student Information Privacy and Security for Providers of School Services. These privacy and security best practices are intended as guidance for providers of educational services to educational institutions to the extent that they collect, disseminate, use or maintain personally identifiable information about students (student PII). These best practices can be used to inform the contracts that govern the relationship between providers of educational services and the educational institutions – school districts and schools – for which they work.
• Educational Purpose: School service providers collect, use, or share student PII only for educational and related purposes for which they were engaged or directed by the educational institution, in accordance with applicable state and federal laws.
• Transparency: School service providers disclose in contracts and/or privacy policies what types of student PII are collected directly from students, and for what purposes this information is used or shared with third parties.
• Authorization: School service providers collect, use, or share student PII only in accordance with the provisions of their privacy policies and contracts with the educational institutions they serve, or with the consent of students or parents as authorized by law, or as otherwise directed by the educational institution or required by law.
• Security: School service providers have in place security policies and procedures reasonably designed to protect personal student information against risks such as unauthorized access or use, or unintended or inappropriate destruction, modification, or disclosure.
• Data Breach Notification: School service providers have in place reasonable policies and procedures in the case of actual data breaches, including procedures both to notify educational institutions and, as appropriate, to coordinate with educational institutions to support their notification of affected individuals, students and families when there is a substantial risk of harm from the breach or a legal duty to provide notification.
Source: The Software & Information Industry Association (SIIA), www.siia.net/education