
The App Vetting Program

Educational applications provide content and tools to help students learn. Most educational applications are created and managed by vendors who do their best to protect the identity of the individuals accessing the system and the data that they generate. However, there are many factors that need to be considered to ensure that each application used in schools is appropriate for students. Software vendors often have not considered student privacy, data security or other safety issues when developing educational software, and thus it is the responsibility of the school or district to ensure that some safeguards for student data are in place. Vetting educational applications, to ensure that a minimum standard of privacy and security is met, provides assurance that the information gathered by these educational applications is being used responsibly.

What is App Vetting?

Several organizations vet “free” educational applications for use in the classroom and employ a variety of simple processes and checklists. Few organizations can thoroughly vet and evaluate any educational application, regardless of price. Vetting an application involves:

  • Knowing what questions to ask to gauge the comprehensive security and privacy policies of the application
  • Knowing where to look for answers in a supplier’s Privacy Policy and Terms of Service Agreement
  • Reading a Terms of Service Agreement
  • Reading a Privacy Policy
  • Contacting the vendor to discuss policy concerns
  • Verifying compliance with data transmission security requirements via testing
  • Testing all application functionality to confirm policy and terms of service statements.

There are nuances in evaluating fee versus free educational software. Free applications are used quite often in classrooms at K-12 and higher ed institutions. Paid applications may have legally binding contracts to hold a vendor to its data privacy standards. Vendors who provide free applications do not require legally binding contracts and have no obligation to follow any standards. Understanding what free applications are doing with data and how they are safeguarding student information is important. There may not be a contract, but data is still being produced. IMS Global’s App Vetting Program helps to protect teachers and institutions and ultimately students by allowing the institution to understand how data obtained from an app is being used.

What are the benefits of App Vetting?

The IMS App Vetting Program benefits institutions that do not have the time or the resources to thoroughly vet an application. Organizations vetting free applications may only be scratching the surface of understanding data privacy and security. IMS’s App Vetting Program allows institutions to:

  • Save time and money
  • Safeguard against free apps violating student data privacy standards
  • Quickly build a dashboard of approved apps
  • Communicate with developers to clarify issues found in policies or an application’s security

The IMS Global App Vetting Program uses member-established criteria (rubric) for evaluating apps that encompass data privacy, information security, accessibility and more. While developers of ed tech applications strive to meet the data privacy and security expectations from K12 and higher ed institutions, using the App Vetting Program allows vendors to refine their products with student data safety in mind, increasing the adoption of their product, and ensuring compliance with federal or state privacy laws. The myriad of state and federal guidelines and laws regarding student data can be confusing to navigate. Giving suppliers a standard that explains what criteria to meet simplifies the process.

Thoroughly vetting an application can take several hours. As the App Vetting Program evolves, we are looking to further reduce the time needed to evaluate applications. Future plans include embedding details about the app vetting criteria and translating those results into a machine-readable format (JSON) so that both K-12 and higher ed institutions can thoroughly vet an application quickly and easily.

The App Vetting Rubric

The IMS App Vetting Program has created a rubric that covers the base set of questions that K-12 districts and higher ed institutions need to ask when vetting an application. The program established this base set by aggregating questions from different K-12 districts and higher ed institutions that vet applications for student data privacy. The program also looked at criteria set by other organizations that vet applications for their student data privacy practices. To establish this base set of "must ask" questions, the program compared all of the questions collected from the K-12 districts, higher ed institutions, and other organizations and pulled out the questions that were asked in common across them. There are currently two versions of the rubric. We realize that the rubric is long, but it covers some very important topics, so the program includes a shorter version of the rubric for ease of use. We suggest that you start with the Lite version of the rubric and gradually add pieces of the Extended version as needed.

The Lite version of the rubric is used by IMS in the Certified Product Directory to vet applications and produce reports. These reports are available to IMS Members.

App Vetting Extended Rubric

Information on the rubric and the criteria for the following areas:

  • Availability of Policy
  • Data Collected
  • Third Parties
  • Data Handling
  • Social Interactions
  • Advertising
  • Security
  • Legal
  • Accessibility
  • Mobile
  • Integrations

 

Availability of Policy

This section of the rubric covers the privacy policy. Specifically, whether a link to the policy exists, where the link is located, when it is presented to the user and how it is formatted.

Data Collected

This section of the rubric covers what data the supplier collects. Specifically, what information a user is required to input and how the user can interact with their own data.

Third Parties

This section of the rubric covers all third-party interactions with the supplier and users' data. This section also addresses the selling or sharing of user data.

Data Handling

This section of the rubric deals with how suppliers handle data with regard to data retention and deletion.

Social Interactions

This section of the rubric covers how social media is managed and used within the app.

 

Advertising

This section of the rubric covers how the supplier manages advertisements to its users and whether or not there is ad targeting or tracking.

Security

This section of the rubric covers all of the supplier's back-end security policies and practices. Specifically, it addresses encryption, cookies, and authentication.

Legal

This section of the rubric covers all state and federal regulations on student data including COPPA, FERPA, and HIPAA.

Accessibility

This section of the rubric covers accessibility and accommodation standards compliance.

Mobile

This section of the rubric covers mobile application privacy, safety & security.

Integrations

This section of the rubric covers the privacy, safety, and security of third-party integrations.
 


App Vetting Lite Rubric

Information on the Lite rubric and the criteria for the following areas:

  • Data Collected
  • Security
  • Third Party Data Sharing
  • Advertising

 

Data Collected

This section of the rubric covers what data the supplier collects. Specifically, what information a user is required to input and how the user can interact with their own data.

Security

This section of the rubric covers all of the supplier's back-end security policies & practices. Specifically, it addresses encryption, cookies, and authentication.

Third Parties

This section of the rubric covers all third-party interactions with the supplier and users' data. This section also addresses the selling or sharing of user data.

Advertising

This section of the rubric covers how the supplier manages advertisements to its users and whether or not there is ad targeting or tracking.

 

Contact Us for more information.

 
