Digital Privacy in FCPS
Fairfax County Public Schools is committed to providing access to digital resources in a manner that respects and protects student privacy while maximizing learning opportunities for our students.
"We must provide our schools, teachers, and students cutting-edge learning tools. And we must protect our children’s privacy. We can and must accomplish both goals..." - Arne Duncan, Former Secretary of Education
Digital Citizenship Strategies and Practices
FCPS is taking a multifaceted approach to digital privacy. This approach includes:
- Preparing instructional staff and students to practice good digital citizenship
- Implementing Privacy Information Security Strategies and Practices
- Using a process for Instructional Technology Identification, Evaluation, and Approval
Preparing FCPS Teachers
Starting with the 2016-17 school year, there is a new digital citizenship online course available for school staff. The course develops conceptual understanding of the topics of digital citizenship and provides authentic tips and strategies for integrating digital citizenship instruction in meaningful ways as students use technology at school. The new training includes the topics of:
- Privacy and Security
- Relationships and Communication
- Self-Image and Identity
- Digital Footprint
- Social Networking
- Internet Safety
- Creative Credit and Copyright
- Information Literacy
- Creating a Culture for Online Learning
From 2008 - 2016 Fairfax County Public Schools partnered with i-SAFE to provide Internet safety teacher training and curriculum materials to all K-12 schools. All instructional personnel were required to complete the i-SAFE Internet Safety Professional Development Training program.
Digital Citizenship Curriculum
All Fairfax County Public School staff have access to the K-12 Common Sense Media Digital Citizenship Student Curriculum and many additional resources through eCART. In addition, FCPS has developed K-6 Internet Safety Pacing Guides that include resources from a variety of reputable organizations. These pacing guides outline ways to include Internet Safety by aligning it to the Program of Studies (POS) and to the Virginia Standards of Learning.
Instructional Technology Identification, Evaluation, and Approval
FCPS Regulation 3008 outlines the procedures for the identification, evaluation, and approval of program and supplemental instructional technology products. This regulation describes the actions required by schools and central offices to request approval of instructional technology products and outlines the responsibility of the Instructional Services Department to conduct instructional reviews, the Department of Special Services to conduct assistive technology reviews, and the Department of Information Technology to conduct technical reviews.
Findings from instructional reviews of software, websites, and apps are accessible to FCPS staff through the FCPS Instructional Software Database which is managed by Instructional Services. In addition, Assistive Technology Services provides a repository of approved instructional resources for students with disabilities. The Department of Information Technology - Technology Architecture and Assessment group conducts formal technical evaluations based on FCPS environments, support standards, and policies. The resulting assessment reports are housed in the Techlab Reporting and Tracking repository, which is accessible to all FCPS staff.
Privacy Information Security Strategies and Practices
FCPS provides extensive systems resources that manage student information in direct support of the learning process and the administration of instruction. Some major systems that maintain student information include FCPS 24-7 Learning (Blackboard), the student information systems (SIS, SASI, and SEA-STARS), the data warehouse (EDSL), and eCART. We believe in protecting the confidentiality, integrity, and availability of the student information in accordance with the value and risk of the data.
There is a trade-off between access to student information and the risk of unauthorized use—the more accessible student information is to more users, the greater the risk of unauthorized disclosure. To mitigate this risk, FCPS implements a comprehensive information security program to protect student information encompassing physical, network, systems, procedural, and user security (FCPS Information Security Policy—Regulation 6225):
a. Physical Security
The Network Operations Center (NOC) provides a secure, environmentally-controlled, and fire-protected facility that houses the servers, storage, and network communications systems that support the systems with student information. The NOC staff control, log, and audit access to the facility. The NOC staff monitor and staff the facility 24-7-365. System sponsors complete disaster recovery and business continuity plans for all systems. NOC staff execute backup and recovery procedures.
b. Network Security
FCPS implements a “defense-in-depth” network security model at core, distribution, and access layers of the FCPS network not only to prevent and detect intrusions, but also to ensure that network bandwidth is available for mission-critical educational applications. System administrators maintain and monitor enterprise firewall, perimeter access, intrusion prevention and detection devices, wireless authentication and encryption, and virus detection software. FCPS also implements and maintains the Internet access filter to comply with federal and state laws.
c. Systems Security
Sponsors of FCPS information systems ensure that proper controls are in place to address the integrity, confidentiality, and availability of systems and information. FCPS staff adheres to the “need-to-know” principle and implements a wide-range of security safeguards to control the access to student information, such as role-based security, unique user account, strong password requirement, and account management process.
d. Procedural Security
All students and parents must review the Acceptable Use Policy (Regulation 6410). FCPS conducts technical evaluations for all products using student information (Regulation 6710) and conducts information security audits periodically. FCPS also establishes processes and procedures for student information retention, disclosure, and destruction practices (Regulation 2701).
e. User Security
All FCPS staff annually review Acceptable Use Policies and view the Computer Security Basics video on best practices. All users of the student information systems receive training (including security training) on the use of these systems. All Information Technology staff sign an additional confidentiality statement for the protection of personally identifiable information.
f. Contracted and Non-Contracted Cloud-based Application Security
In cases where FCPS contracts with a vendor to host student information externally, FCPS requires that the vendor adhere to the security requirements specified in a confidentiality addendum (included in their contracts). This addendum identifies their responsibilities as a "school official" as defined by FERPA, includes requirements to safeguard FCPS information and obligations to remediate security breaches.
Many popular and valuable instructional tools are available not through contracts, but rather though Terms of Service (TOS) and include both free and paid tools. FCPS conducts the same technical evaluations for all products using student information (Regulation 6710). For these TOS tools, FCPS follows best practices identified by the Department of Education and the Federal Trade Commission by having a process for reviewing and approving technology at the District level. In 2014, FCPS was commended by U.S. Secretary of Education Arne Duncan for its application review process.
Rights and Responsibilities
All FCPS stakeholders have the responsibility to use FCPS digital resources in accordance with the law, FCPS regulations, and FCPS best practices guidelines and have rights and responsibilities as follows:
- Privacy (P)
- Safety (SA)
- Security (SE)
- Use and access to information (U)
I have the right to:
- Be educated about the risks of sharing my personal information and images with others. (P, SA, SE)
- Expect that my personal information is used for appropriate educational purposes. (P)
- Expect that my personal information will be kept safe. (SE)
- Correct any personal information that is inaccurate. (P, SE)
- To be safe and treated respectfully. (SA)
- Be protected from being hurt or mistreated. (SA)
- Be provided a safe, secure, and reliable learning environment. (SA, SE)
- Learn and communicate my knowledge. (U)
- Create new works.
- Have an opinion and to express myself according to the SR&R. (U)
- Access and use district resources for educational purposes. (U)
- Locate and share information when appropriate. (U)
I have the responsibility to:
- Learn about and always be aware of the risks of sharing my personal information and images with others. (P, SA, SE)
- Collect or provide the minimum amount of personally identifiable information necessary. (P, SE)
- Safeguard information that violates the privacy of others. (P)
- Report inaccuracies in my personal information. (P)
- Be respectful of others. (SE)
- Not hurt or mistreat others by what I create and share, treat others fairly and not harass, stalk, threaten, insult or attack others. (SA)
- Report unsafe and inappropriate behavior. (SA)
- Use only my own username and password and not take someone else’s identity. (P, SE)
- Safeguard my own identity and not share my passwords; logoff or lock the computer when I leave it. (P, SA, SE)
- Not disrupt the system. (SE)
- Seek out quality information/content that will help me learn and/or perform my duties. (U)
- Use district resources for educational, school, and district related purposes. (U)
- Not knowingly access inappropriate content and report inappropriate materials. (U)
Federal and local laws, policies and regulations including:
FCPS Regulations and Policies:
- Appropriate Use of Resources R6410
- Privacy P1503, R2701, P2730, R6225
- Copyright R1425
- Selection and Use of Digital Tools R3007, R3008, R6710
- FCPS Information Security Policy