If you’re not familiar with school directories, here’s how they work: at the beginning of a school year, some schools publish directories with contact details for each student and his/her parents. That directory is then distributed to each parent. Parents who need to contact one another how have a directory to aid them in doing so. Easy.
Except, perhaps not so easy, as this brings up a few privacy issues. Let’s work through them.
Legally speaking, these directories are in the clear, as long as the schools tell parents that they are going to be in the directory when they collect their personal information.
However, the minimum legal requirement may not be enough to protect the vulnerable, or to maintain good relations in the community. At the very least, we’d recommend that parents be given the opportunity to opt out.
Opt-in or opt-out?
The opt-out approach is telling parents that their information will be published unless they explicitly say they don’t want it to be published. The other approach is to decline to publish information unless parents opt in – that is, they explicitly say that they’d like to have their details published.
We might expect that opt-in approaches would result in very thin directories, not because of heightened privacy awareness, but rather because it’s easy to forget to send the opt-in form back.
Real privacy risks
An opt-out approach is likely to lead to the most comprehensive directory. However, that approach increases the risk of publishing someone’s details against their wishes. This isn’t just a matter of minor annoyance, either. There are real safety issues at play when it comes to some peoples’ contact details. For example, if someone has escaped from a domestic violence situation, publishing their contact details can put them in danger of serious physical harm.
Managing the process
To manage these risks, schools need to examine the process behind their directories. For example, we’ve heard anecdotes about schools sending opt-out forms to parents through their children – a less-than foolproof approach. How heavily should we be relying on children keeping forms in their bags, getting opt-out forms to their parents, then repeating that process in reverse to get the forms back to the teachers?
Imagine that in the above scenario, a half-dozen or so children managed to get opt-out forms back to their teachers. What happens next? Does an administrative staff member make a mental note? Or are they marked more clearly?
These are the questions that schools need to ask because they flush out points in the process where a mistake is most likely. Once you identify these points, you can put in processes to mitigate them. Simply collecting a stack of opt-out forms confident in the knowledge that “it’ll work itself out” is not quite enough.
A few tips
With all this in mind, there are a few practical steps schools can take to publish directories without compromising peoples’ privacy:
1) Consider whether you need a directory in the first place. Are parents able to just get contact details from one another when they need them?
2) If you do choose to publish a directory, have a conversation with the community about whether to use an opt in or opt out approach.
3) If you do use an opt-out approach, don’t solely rely on children as couriers. Contact parents directly as well, in order to ensure that they get the forms and are aware of their ability to opt out.
4) Create a clear, step-by-step process for managing opt-outs.
5) Perform a “mini audit” before you publish the directory. This is someone who hasn’t seen the directory checking the opt-outs against the draft directory, to ensure that none of the opt-outs have snuck in.
Do you have any tips we haven’t thought of?
Image credit: WeCometoLearn via Flickr