Technology Use Guidelines for Staff

1. Children’s Internet Protection Act of 2000 (CIPA) with subsequent FCC rule changes such as Protecting Children in the 21st Century Amendment 2012
2. Children’s Online Privacy Protection Act of 1998 and subsequent FTC rule changes (COPPA)
3. Family Educational Rights and Privacy Act of 1974 (FERPA)
4. Federal Rules of Civil Evidence
5. Pennsylvania Right to Know Law

• Use of Personal Technology/Electronic Devices (Students)
• Acceptable Use for Students (AUP)
• Acceptable Use for Staff (AUP)
• Copyright
• Social Media
• Electronic Communication with Students
• Use of Personal Technology/Electronic Devices (Employees)
• Use of Livestream Video on District Property
• Breach of Computerized Personal Information CIPA

Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an Internet safety policy that includes technology protection measures. The protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors). Before adopting this Internet safety policy, schools and libraries must provide reasonable notice and hold at least one public hearing or meeting to address the proposal.

Schools subject to CIPA have two additional certification requirements:

1. The school’s Internet safety policies must include monitoring the online activities of minors.
2. As required by the Protecting Children in the 21st Century Act, schools must educate minors about Internet safety and appropriate online behavior.

Schools and libraries subject to CIPA are required to adopt and implement an Internet safety policy addressing:

1. Access by minors to inappropriate matter on the Internet;
2. The safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications;
3. Unauthorized access, including so-called “hacking,” and other unlawful activities by minors online;
4. Unauthorized disclosure, use, and dissemination of personal information regarding minors; and
5. Measures restricting minors' access to materials harmful to them.

Schools and libraries must certify they are in compliance with CIPA before they can receive E-rate funding.

Source – Federal Communications Commission

Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998. COPPA required the Federal Trade Commission to issue and enforce regulations concerning children’s online privacy. The Commission’s original COPPA rule became effective on April 21, 2000. The Commission issued an amended rule on December 19, 2012.  The amended rule took effect on July 1, 2013.

The primary goal of COPPA is to control what information is collected from young children online. The rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet.

The rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.

All Web 2.0 websites that collect personally identifiable student information must be approved by the Coordinator of Instructional Technology and parental consent obtained for students under the age of 13.  Here is a list of providers who agree to be COPPA compliant - https://studentprivacypledge.org/signatories/

Website operators covered by the rule must:

1. Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
2. Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
3. Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
4. Provide parents access to their child's personal information to review and/or have the information deleted;
5. Give parents the opportunity to prevent further use or online collection of a child's personal information;
6. Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
7. Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.

Source – Federal Trade Commission

FERPA affords student (or parent if a student is a minor) access to educational records and to challenge the contents of that record. Under FERPA, a school may not disclose personally identifiable information from an eligible student's education records including discipline records to a third party unless the student or parent, if student is a minor, has provided written consent. However, there are some exceptions to FERPA's prohibition. Under these exceptions, schools are permitted to disclose personally identifiable information from education records without parental or student consent, though they are not required to do so. There are many exceptions.

Here are some:

• Certain legitimate research purposes
• Compliance with a court order or other judicial matters
• Directory information including name address, phone, activities, photo, etc. (parent/student may opt out)
• School officials including teachers, but not defined in law, with a legitimate need to know to perform their official function
• Certain third parties service providers authorized to perform specific tasks on behalf of the school district

According to the National Center for Educational Statistics (NCES), education records include a range of information about a student that is maintained in schools in any recorded way, such as handwriting, print, computer media, video or audio tape, etc. Examples are:

• Date and place of birth, parent(s) and/or guardian addresses, and where parents can be contacted in emergencies
• Grades, test scores, courses taken, academic specializations and activities, and official letters regarding a student's status in school
• Special education records
• Disciplinary records
• Medical and health records that the school creates or collects and maintains
• Documentation of attendance, schools attended, courses taken, awards conferred, and degrees earned
• Personal information such as a student's identification code, social security number, picture, or other information that would make it easy to identify or locate a student

Personal notes made by teachers and other school officials that are not shared with others are not considered education records. Additionally, law enforcement records created and maintained by a school or district's law enforcement unit are not education records.

Part of the education record, known as directory information, includes personal information about a student that can be made public according to a school system's student records policy. Directory information may include a student's name, address, and telephone number, and other information typically found in school yearbooks or athletic programs. Other examples are names and pictures of participants in various extracurricular activities or recipients of awards, pictures of students, and height and weight of athletes.

Each year schools must give parents public notice of the types of information designated as directory information. By a specified time after parents are notified of their review rights, parents may ask to remove all or part of the information on their child that they do not wish to be available to the public without their consent (from https://nces.ed.gov/pubs97/web/97859.asp - consult for additional details).

FERPA Best Practice & Points to Remember:

1. FERPA gives parents/guardians and eligible students the right to request that certain information not be made public. Therefore, some may elect not to have student contact information (such as e-mail addresses) published in District public directories or communicated beyond the District’s network, e-mail system or course management systems.
2. No specific personal or personally identifiable information shall be released to any individual over the telephone, by e-mail or voice mail message without verifiable parental consent. Directory information may be released, if it does not invade the privacy of the student, however, if the parent/guardian has indicated on the annual Directory Information Notice that no information may be released for their child no such information may be disclosed. Directory information may include the student’s name, degrees and awards received, participation in officially recognized activities or sports.
3. E-mail, chat rooms, electronic bulletin boards, text messaging and other electronic communications are not appropriate for transmitting sensitive or confidential information. Confidentiality for such messages is protected by FERPA and other privacy laws such as HIPAA and PPRA (Protection of Pupil Rights Amendment limiting the Federal Department of Eduction's right to survey students on certain topics considered sensitive without full disclosure and permission from parents. It also requires districts to establish policies regarding the administration of surveys).
4. All use of e-mail must be consistent with the District’s Student Record’s Policy and Plan. Remember that the recipient has the right to redirect (forward) or share your message with others. You are responsible for ensuring that the message is accurately sent and the message is sent at your own risk.
5. When you find that it is necessary to provide information in an e-mail that has personally identifiable information, you should speak in general terms, i.e., explain policies and/or procedures for situations without confirming or denying personal information. You should also include in the e-mail subject line and leading lines of the body of the e-mail text “CONFIDENTIAL – (Insert Student’s Name - DO NOT DISCLOSE OR REDISCLOSE).” A general statement of confidentiality is automatically affixed to all outgoing email, and cannot be altered by the user.

One other note: The practice of using student initials instead of a student name in an email has no practical value. The email may still be deemed an educational record (think FERPA), may still be held in the case of potential litigation in accordance with Rules of Civil Evidence, and may only serve to make the District’s search process more difficult.

Users must immediately notify the Director of Technology and/or designee if they have identified a possible security problem. Students, employees, and guests must read, understand and comply with this policy that includes network, Internet usage, electronic communications, telecommunications, non-disclosure and physical information security policies. The following activities related to access to and use of the District’s computer information systems and information are prohibited:

1. Misrepresentation (including forgery) of the identity of a sender or source of an electronic message.
2. Acquiring or attempting to acquire passwords of others or giving your password to another. Users will be held responsible for the result of any misuse of the users’ user name or password while the users’ systems access were left unattended and accessible to others, whether intentional or through negligence.
3. Using or attempting to use computer accounts of others, these actions are a violation of policy, even with consent, or if only for “browsing.”
4. Altering a communication originally received from another person or computer with the intent to deceive.
5. Using District resources to engage in any illegal act, which may threaten the health, safety or welfare of any person or persons, such as arranging for a drug sale or the purchase of alcohol, engaging in criminal activity of any kind, or being involved in a terroristic threat against any person or property including cyberbullying.
6. Disabling or circumventing any District security, program or device, for example, but not limited to, anti-spyware, anti-spam software, and virus protection software or web filtering.
7. Transmitting electronic communications anonymously or under an alias unless authorized by the district.

1. User’s violations of this policy, any other District policy, or the law may be discovered by routine maintenance and monitoring of the District system, or any method stated in this policy, or pursuant to any legal action.
2. The District reserves the right to monitor, track, log, decrypt, and access any electronic communications, including but not limited to, Internet access and e-mails at any time for any reason. Users should not have the expectation of privacy in their use of the District CIS systems, and other District technology, even when used for personal reasons. Further, the District reserves the right, but not the obligation, to access any personal technology device of users brought onto the District’s premises or at District events, or connected to the District network, containing District programs or District or student data (including images, files, and other information) to ensure compliance with this policy and other District policies, to protect the District’s resources, and to comply with the law.

1. Federal laws, cases, and guidelines pertaining to copyright will govern the use of material accessed through the District resources. Users will make a standard practice of requesting permission from the holder of the work and complying with license Employees will instruct students to respect copyrights, request permission when appropriate, and comply with license agreements and employees will respect and comply as well.
2. Violations of copyright law can be a felony, and the law allows a court to hold individuals personally responsible for infringing the law. The District does not permit illegal acts pertaining to the copyright law. Therefore, any user violating the copyright law does so at their own risk and assumes all liability.
3. Violations of copyright law include, but are not limited to, the making of unauthorized copies of any copyrighted material (such as commercial software, text, graphic images, audio and video recording), distributing copyrighted materials over computer networks, and deep-linking and framing into the content of others’ web sites. Further, the illegal installation of copyrighted software or files for use on the District’s computers is expressly prohibited. This includes all forms of licensed software – shrink wrap, click wrap, browse wrap, and electronic software downloaded from the Internet.
4. District guidelines on plagiarism will govern use of material accessed through the District’s CIS systems. Users will not plagiarize works that they find. Teachers will instruct students in appropriate research and citation practices. Consult your school librarian for assistance, if needed.

Copyright is assumed unless there is a disclosure of public domain. Avoid using registered trademarks on your web pages, newsletters, etc. without the written permission of the trademark owner.

https://creativecommons.org/licenses/ is an alternative to “All Right Reserved” traditional copyright and used to maintain ownership of digital content but to allow certain kinds of sharing in non-commercial settings with attribution.

Fair use of videos in classrooms must meet the following criteria:

1. Content must advance learning of the established curriculum.
2. The video must be legally obtained.
3. It must be shown in the classroom with the rostered students and instructor of record.

Videos streamed from personally subscribed commercial sources such as Netflix have home use of streaming technology licensing restrictions in place. It is a violation of the licensing agreement to use these streaming services in the classroom.

Fair use is NOT intended to deny the owner of content revenue from his/her work. Fair use does NOT apply to works being “broadcast” over Internet or other media. Board Policy 815.1 & 2 (Social Media/Electronic Communication with Students)

Examples of electronic communications in which staff members are prohibited to engage include, but are not limited to:

1. Sending communications to students that are not related to the overall mission of the District.
2. Providing a staff member’s personal cell phone number to students, except under limited circumstances, as part of a District-sponsored activity, and with prior approval from the staff member’s supervisor.
3. Placing a phone call to a student’s personal cell phone, except under limited circumstances, as part of a District-sponsored activity, and with prior approval from the staff member’s supervisor.
4. Sending SMS/text messages to students, except under limited circumstances, as part of a District-sponsored activity, and with prior approval from the staff member’s supervisor.
5. E-mailing students from a staff member’s personal email.
6. Providing students with a staff member’s personal email (non-district provided) account/address.
7. “Friending” or otherwise adding students to their circle of contacts on an online social networking site whose function does not involve enhancing the educational goals of the District.
8. Publicly displaying or posting online material that would be disruptive to the educational process, including, but not limited to provocative statements, provocative photographs, and/or other public or online activities that would jeopardize the professional nature of the staff-student relationship.
9. Discussing situations involving employee or student discipline in electronic forums or use of social media in a manner that interferes with the employee’s work obligations or impacts upon another staff member's effectiveness within the school environment.
10. Using any District device or network to send or attempt to send a communication anonymously or in any manner so as to disguise the identity of the actual sender.
11. Representing personal opinions as those of the District.
12. Using any District device or network to upload, download or otherwise transmit commercial software or any copyrighted materials belonging to parties outside of the district or the District.
13. Revealing or publicizing confidential or proprietary information.
14. Disclosing personally identifiable information related to a student, except in strict accordance with Board Policy and the Family Educational Rights and Privacy Act and the regulations promulgated thereunder.
15. Using any District device or network to facilitate or participate in blogging, unless used for a clear educational purpose and otherwise consistent with law and Board policy.
16. Using any District device or network to participate in or facilitate chat rooms unless used for a clear educational purpose and otherwise consistent with law and Board policy.
17. Using any District device or network to download files, games, music or video unless for a clear educational purpose, or under the limitations of employee personal use as outlined in Policy 815.1, and always in accordance with copyright law and fair use guidelines.
18. Sharing passwords to District operated systems.

Staff members are encouraged to use District provided means of communication (e.g., District email, District phone) when contacting students. However, emergency circumstances may arise that require a staff member to communicate with a student via a non-district provided method of communication. In such an instance, it is the responsibility of the staff member to report such situations to their supervisor at the first opportunity.

1. Never put anything in an email you don’t want revealed in a Right to Know request or to answer for under oath.
2. Most computer hacks are low tech. Passcodes are supposed to be inconvenient. Don’t leave them where others can see them.
3. Good passcodes should be alphanumeric with capital and lowercase letters, as well as special symbols. Make it meaningful, however, to help you remember it.
4. Don’t have one passcode for all systems.
5. Never allow students or others not authorized to access District and student data to use your district-issued devices.
6. Know the privacy settings on social media and keep them tight.
7. Never reveal personal information via email or social media.
8. Use an alternative email address for commerce and social media.
9. Select a security question that is difficult for someone to look up. For example, your mother’s maiden name or your high school mascot are probably NOT good choices. Alternatively, you can populate these security questions with incorrect answers, so long as you remember those answers when necessary. This way the service provider doesn't have access to this information about you.
10. Try to keep work files off of personal computers and vice versa (this does not preclude incidental personal use of your District device).
11. Never put an unknown flash drive (also referred to as a thumb drive) in your computer.
12. Never open an unexpected email attachment (better to confirm authenticity with the known sender) or an email attachment from an unknown sender.
13. Know and abide by our District's social media policy, as it is designed to protect you, the students, and the District.
14. Look at privacy policies, customer loyalty cards, etc., and you decide how much you are willing to reveal about yourself for the "free" service or discounts. However, what you reveal about students is restricted under law and District policy.

Finally, despite our best efforts technologically, it is impossible to filter out all scam attempts from our network’s e-mail server. Most hacks that compromise network functionality and data/information security are low tech and are classified as social engineering. Social engineering manipulates people into performing actions or divulging confidential information. The term applies to the use of deception to gain information, commit fraud, or access computer systems. Social engineering is a low tech/low-cost attack we often see in a school district setting. Here is a resource to help prevent you from being a victim of phishing, one of the most common examples of social engineering attacks, and other Internet scams that can be costly to both you and the school district:

https://www.consumer.ftc.gov/articles/0003-phishing

If you should lose control of your District passcodes by accidentally revealing them in any manner, you must notify the Director of Information Technology or designee immediately so that the District can take the appropriate measures to minimize loss.