TOS TIPS: On February 26, the US Department of Education provided a model for how schools and districts can evaluate the student privacy provisions in edtech companies' terms of service (PDF here). The resources, which cover areas from initial data collection to data transfer in the case of a company sale, include a checklist for evaluating terms of service, warning signs of unsafe data practices, and a training video.
Recommendations include:
- Data De-Identification: “Because it can be difficult to fully de-identify data, as a best practice, the agreement should prohibit re-identification and any future data transfers unless the transferee also agrees not to attempt re-identification.”
- Data Sharing: Terms of service should include, “Data cannot be shared with any additional parties without prior written consent of the User except as required by law.”
- Access: “A good contract will acknowledge the need to share student information with the school in order to satisfy FERPA’s parental access requirements.”