1

Issue Paper
Rob Richardson
While the integration of technology into the educational setting enables teachers
and students to do things that were previously not possible to improve instruction, it also
brings with it many problematic issues that must be thoughtfully resolved. While many
technology leaders may think to first resolve the issue of internet bullying or of student
privacy, I believe it is more prudent to instead develop an acceptable use police, or
AUP, for the school. A properly constructed AUP will both be complimentary to and
supported by the schools code of conduct to cover most any other issue related to the
integration of technology in the educational setting.
Many educators would look immediately to student safety, justifying prioritizing
cyberbullying as the first issue to resolve. Cyberbullying has been linked to depression,
substance abuse, self-harm, and even suicide. Cyberbullying is capable of more
severely negatively impacting the victims due to the increase in audience size,
persistent re-living of the offense, inability of the victim to stop the attack, and an
increased feeling of helplessness due to the anonymity of the attacker (Von Mares &
Petermann 2012). Because of the anonymous nature of many online communications,
people are more likely to engage in the act of cyberbullying and the bullying itself
becomes more severe. Anonymity disinhibits cyberbullies, facilitating consequence-free
attacks on others.
In addition to it being our moral and professional duty to protect our students, we
are legally bound as professionals to protect our students from cyberbullying through
the Protecting Children in the 21st Century Act. Among other things, this act requires
that teachers educate their students that have access to the internet about appropriate
online behaviors, including social networking and cyberbullying awareness and
response.

Any communicative tool that may be utilized for educational purposes may also
be used as a tool to harass and bully. It is important that educators are aware of the
various forms that cyberbullying comes in. Students may be bullied through e-mail,
instant message, text message, phone calls, internet forum posts, social media posts,
online photo sharing, and more. Regardless of the media used, cyberbullying may take
certain common forms.
One type of cyberbullying is flaming, or engaging in heated arguments online in
which threatening, rude, or offensive messages are posted. Another is harassment, in
which the bully repeatedly sends hurtful or harmful messages to the victim. If
harassment and threats of physical harm occur frequently enough to cause the victim to
fear for his or her safety, then cyberbullying has taken the form of cyberstalking.
Occasionally, the bully will post untrue, mean, or harmful content about the victim in a
form of bullying known as denigration. A victims identity may be assumed by the bully
to post inappropriate content in an attempt to harm their reputation in impersonation.
Outing can be especially harmful, as it is when a bully reveals private information
about the victim that the victim didnt wish to divulge, such as sexual preference. Often
trickery is used to out a victim, although it can also be used to publicly humiliate a
victim. The last form of cyberbullying Ill mention is exclusion, in which a person is
purposely left out of an online group or community. (Willard 2007). These examples of
cyberbullying are not meant to be a comprehensive list, but serve to be examples to
better illustrate the phenomenon of cyberbullying.
In order to prevent cyberbullying, the first step is to provide professional
development for all the adults in the school. This professional development should
cover frequent forms cyberbullying takes, prevalence of cyberbullying in our schools,
causes of cyberbullying, and the effects of cyberbullying. From there, the school
behavior and discipline committees would meet with the technology leader to decide
how to incorporate cyberbullying into the existing student code of conduct.

The discipline committee will integrate cyberbullying language into existing

bullying language within the schools discipline policy and corrective forms. They will
also incorporate cyberbullying into future dissemination of information to the students
about the school discipline policy. Meanwhile, the behavior committee will focus on
evidence-based character education to teach the positive ways to communicate, while
educating students on the negative impacts of cyberbullying on the victim. The ultimate
goal of the behavior committee is to create a culture in which cyberbullying is neither
tolerated, nor a social norm.
Once the behavior committee and discipline committees have both finished
integrating cyberbullying into their existing frameworks, the technology leader will lead a
PD for the staff on the preventative steps teachers should be taking to prevent
cyberbullying. These steps will be a holistic approach, incorporating a clear discipline
policy, character education, instruction on the causes and effects of cyberbullying, and a
community outreach to bring parents onboard with cyberbullying awareness and
prevention.
As we see, cyberbullying is a significant issue facing educators. However it is not
where we should first focus our efforts. Within the plan above, it is shown that there is
existing framework within the student code of conduct to handle many cyberbullying
problems. Those that cant be handled through existing frameworks can easily be
addressed with a thorough AUP.
Another issue that immediately comes to mind when integrating technology into
the educational setting is privacy. In addition to generally looking out for the welfare of
our students, teachers must be sure they are in compliance with federal and state
privacy laws. Examples of such laws are the Childrens Online Privacy Protection Act of
1998 (COPPA), Electronic Communications Privacy Act and the Family Educational
Rights and Privacy Act (FERPA).

These acts clearly lay out the ways in which schools may control and
disseminate student information, operators of websites and technology may collect and
use information from children, and what permissions are necessary to share or collect
information from students. This can be as simple as alerting a recipient of an email that
it contains confidential student information, or as complex as securing digital information
behind a password protected firewall.
As an organization, the school system may not ask for personal passwords or
user IDs for personal accounts or services. This may make it troublesome to track
employee use of accounts and services. Therefore, the system requires that all
accounts and services that are used in a professional capacity be linked to a school
system email account. The school system further secures the data held within these
accounts by naming any accounts or services linked to school system email accounts
as school system property. In this way, if a teacher leaves, is terminated, or uses the
account or service inappropriately, the school system maintains ownership of student
data and may remove the teacher from having any access to it.
Student data may also be stolen by malicious individuals through network
vulnerabilities or malware. For these reasons, the school system requires all
professional communications and online activities to occur on their networks, behind
their firewall. By using a secure network with their own servers, the school system
makes data considerably more secure. It also requires that the devices themselves are
properly password protected and physically locked away when not in use to further
protect student data.
So with all the legal mandates and student safety concerns, why arent privacy
and cyberbullying more important issues than a schools AUP? Its because a thorough
and intentionally designed AUP will be an umbrella under which all those other issues
fall. A properly designed AUP will be a holistic approach to technology issues that works
in conjunction with existing framework within the school system. What the AUP does not

specifically cover, another school policy such as the code of conduct, bullying policy,
confidentiality policies, or state and federal laws will cover.
A properly designed AUP will cover the responsible use of technology and social
media for school sanctioned activities. It will also cover the responsible use of
technology and social media to enhance the education process and improve school
wide communications efforts. Finally, AUPs should provide for the safety and privacy of
individuals within the school. While the purpose of integrating new technologies into
education is to enhance it, these benefits come with a set of responsibilities that must
be addressed.
To implement an AUP, the first step is to state the purpose clearly for the AUP.
This is similar to stating a mission in a technology plan in that the purpose should state
clear goals that the AUP will attempt to meet. As noted in the discussion of privacy and
cyberbullying, these goals will attempt to cover a variety of topics and work in
conjunction with existing school framework for discipline, code of conduct, best
pedagogical practices, student safety, and staff responsibilities. The stated purpose for
the AUP should also include language from legal mandates, such as the Protecting
Children in the 21st Century Act.
To meet national and state mandates, language of an AUP should mention the
responsible use of social media for school activities. It should also cover pedagogy, with
language about the responsible use of technology in the classroom. Your stated
purpose should refer to enhanced communication throughout the school system, to
cover the email system, messaging programs, and school newsletters. Finally, the
stated purpose of the AUP should include language about the safety and privacy of
individuals to comply with many different laws, such as COPPA and FERPA.
Next, it is necessary to define vocabulary associated with instructional
technology. Acceptable use policies cover a very broad base of knowledge, so for the
layman to understand what the AUP entails, the policy itself must give the reader base

knowledge to work with. Examples of things that must be defined are: account
credentials, network, online resource, personal social media account vs. professional
social media account, social media, software, technology, and third-party social media.
Once these topics are defined, the reader will be able to better understand standards
and policies involving them.
With a defined vocabulary, the AUP can go on to list the standards which will
comprise the main body of the document. As these policy standards are based on
existing school framework and legal mandates, it is important that the existing policies
and/or laws be referenced in each standard.
The first place to start with standards is a statement tying technology use within
the school system to existing policies. This is where it becomes clear that an AUP is a
more important place to focus energy when compared to other issues as you see them
covered one by one under the umbrella of the AUP. In the Howard County Public
School System (HCPSS), policies 1000, 1040, 1060, 3040, 7010, 7030, 8040, 9050,
9200, and 9260 are immediately applicable to technological use. Policies 1000, 1040,
and 1060 all deal with student safety, including language about bullying that covers the
various forms of cyberbullying. Policies 3040, 7010, 9030, and 9050 all cover privacy
and how to maintain student record confidentiality. Instructional use of technology by
the educator can be largely covered by policies 2070, 7030, and 8040. By stating in the
AUP that these policies all apply to the use of technology with the school, it immediately
allows this AUP to cover the majority of issues that a technology leader faces.
Once the AUP ties existing policies in to educational use of technology, it can
begin to address the legal mandates as priorities. One such legal mandate to consider
is the Childrens Internet Protection Act, or CIPA. The Protecting Children in the 21st
Century Act is covered as a necessary part of CIPA compliance. Standards the AUP
must contain to be in compliance with CIPA are: 1) A filter to block obscene content,
child pornography, and content that is harmful to minors; 2) Monitoring of online

activities of minors; 3) Educating minors about appropriate online behavior, including

interacting with other individuals on social networking websites and in chat rooms, and
cyberbullying awareness and response.
Along with policies 1000, 1040, and 1060, the standards covered by CIPA
compliance will cover the issue of student safety very well. The required education
about cyberbullying awareness and response will be a proactive measure that can later
be incorporated in a behavior policy and discipline policy specific to technological
cyberbullying as described earlier in this paper. Another measure of proactive
prevention of cyberbullying is the inclusion of information about the Annotated Code of
Maryland, Criminal Law Article, 3-805, or Graces Law. Under Graces Law, a person
guilty of bullying someone through electronic media can be fined up to $500 or
imprisoned for up to a year. The inclusion of this language in cyberbullying education
serves as a preventative tool to stop potential cyberbullies from acting. Instruction on
appropriate online behavior will also comply with the Office of Instructional Technologys
Standard 5, Digital citizenship. This standard states:

The next legal mandates to address relate to privacy. Because the AUP also
contains language about privacy to be in compliance with the law, it again proves to
show a prioritization of completing a holistic AUP first rather than focus on any one
individual issue while missing the big picture. FERPA is one law that an AUP needs to
consider. Under FERPA, student educational records are protected and are only
allowed to be given without consent by the parent to school officials with legitimate
educational interest, other schools to which a student is transferring, specified officials
for audit or evaluation purposes, appropriate parties in connection with financial aid to a
student, organizations conducting certain studies for or on behalf of the school,
accrediting organizations, appropriate officials in cases of health and safety
emergencies, and state and local authorities, within a juvenile justice system, pursuant
to specific State law. Under FERPA, directory information may be shared without
consent after parents are notified and given an opportunity to opt out.
Occasionally the teachers use third party social media. The Childrens Online
Privacy and Protection Act, or COPPA, plays a role in how the school is able to use this
third party social media. Lets get to the COPPA! Under this legislation, an operator of a
site may not collect information from children under 13 without parental consent, or at
least a reasonable effort to gain parental consent. They must also publish their online
privacy policy for all to see and establish and maintain reasonable procedures to protect
the confidentiality, security, and integrity of the personal information collected from
children under age 13.
In order to comply with COPPA and similar legislation, third party social media
and software use needs to have its own set of standards within the AUP. The first clear
standard is that the third party software or social media must publish its terms of
service, including the privacy policy. If parents opt their child out of the use of the third
party media, the school should provide an alternate activity so as to not discriminate

against that student. Of course, as stated earlier, all third party media should be
required to comply with every aspect of COPPA.
Sometimes school workers create technology in the form of social media
accounts, websites, or other that they use professionally. If they are representing the
school through this technology, and especially if students are submitting data to them, it
is important that the school system have the rights, access, and control to this
technology. Under the Annotated Code of Maryland, Labor and Employment Article, 3712, an employer shall not ask an employee for a username and/or password for a
private account. Because of this, its possible for an employee to control the access to a
technology they are using while representing the school system or collecting student
data.
For these reasons, standards within the AUP should state that technology used
professionally should be linked to a school email account. Technology linked to
personal accounts should not be used professionally and the worker should not
represent the school system in personal technology. The technology used
professionally is school property, under school control, and the school system should
have access to it. This allows the school to retain the technology, and the student
information it may contain, should the employee leave for any reason.
Once the legal and policy issues are addressed, the AUP can move on to more
administrative issues, such as who is responsible for the schools tech and for private
tech when used in an educational setting. The later is very important, as Bring Your
Own Device (BYOD) policies are becoming more common in education. Without a
clearly outlined AUP, the school system may find itself responsible for replacing
personal devices that are used instructionally.
Individuals using school system technology must not use it to engage in any
unlawful activity or any activity that violates the school policies outlined earlier (1000,
1040, & 1060). When using technology in the educational setting, it must be for

10

instructional use. Any personal use of technology in the educational setting must not
interfere with learning.
Individuals must take reasonable precautions to safeguard school technology. If
they are found to be negligent in its care and it leads to the technology being lost,
stolen, or damaged; the individual assigned to the school technology is financially
responsible for it.
School employees may not require the instructional use of personal devices.
Individuals that choose to use personal devices do so knowing that the school system is
not responsible for maintenance, technological support, or damage to the technology. If
this language is not in the AUP, the school system may find itself liable for fixing or
replacing personal technology used instructionally.
Now an AUP does no good if people do not know about it or if it is outdated, so
language should be included within the AUP to detail who gives training, who receives
training, and how often the training should happen. Who gives it is going to be
hierarchical in nature. The admin will be responsible for notifying the staff and the
community of the AUP. The staff will be responsible for notifying the students. The AUP
notification should be given at least once annually, at the beginning of the year.
Technology is continually evolving, and as such the AUP should continue to grow
and evolve. The AUP should be revisited a minimum of every two years to update it,
expand it, or to streamline it as fitting.
As it is shown, designing a comprehensive and thorough AUP should be the
priority for any technology leader. An AUP is a holistic approach to educational
technological integration that works in conjunction with existing policies and laws to
address any expected issue that may arise. With a narrow focus on an issue such as
cyberbullying or student privacy, the technology leader may miss complying fully with
existing laws, or may not fully resolve the issue as it forms in the school ecology.
Because a comprehensive AUP is such an important piece to resolving the many issues

11

associated with incorporating educational technologies in the classroom, it is important

to not just create one and forget about it, but to continually revisit it and improve it
through a reflective cycle. With a current and comprehensive AUP, staff, students and
the community can all better handle the responsibilities that come along with the
opportunities emerging technologies provide to us.

12

AUP Memo
To: Principal Martin
From: Rob Richardson
Date: June 26, 2015
Subject: Importance of implementing an Acceptable Use Policy for educational
technology
As our school moves forward in utilizing educational technology, a thorough and
comprehensive Acceptable Use Policy (AUP) will be integral in managing the
associated issues that arise. I would like to share the AUP I have developed with you in
the hopes that it will be adopted by the school and community. The attached AUP
proposal is comprehensive and will take care of issues with legal mandates for the
educational technology use, connecting technological use to the existing school
policies, student privacy, student safety (including cyberbullying awareness, prevention
and response), administrative issues, and the use of third party media.
If a comprehensive AUP is not implemented in our school, many separate issues
will arise and need to be dealt with individually. Often times these issues may put the
school or individuals in jeopardy, as the absence of an AUP may place liability for
student harm, device damage or loss, and noncompliance with state and federal
mandates on the school or individuals working for the school. The policies Ive designed
were designed by prioritizing issues and attempting to resolve them in the order of
decreasing severity.
I started with legal mandates from laws like the Protecting Children in the 21st
Century Act , Childrens Internet Protection Act (CIPA), Childrens Online Privacy and
Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA),
Annotated Code of Maryland, Criminal Law Article 3-805 (Graces Law), Annotated
Code of Maryland, Labor and Employment Article 3-712, and others. Each law
mandates steps that we must take to protect our students.
To comply with CIPA, the AUP contains language about using a content filter to
protect children from obscene, sexual, or otherwise harmful content. It also contains
language about online student activities being monitored by the staff.
To be in compliance with the Protecting Children in the 21st Century Act, the AUP
contains language about teaching responsible online behavior. It also deals with
cyberbullying in that it requires teaching cyberbullying awareness, prevention, and
response to staff, the community and the students.

13

COPPA deals mostly with the use of third party social media and technology. In
specific, it deals with the collection and use of student data. To comply with COPPA, the
AUP contains language requiring third party social media to publish their terms of
service and privacy policy, to take reasonable steps to try to obtain parent permission to
collect or use data from children under 13, and to provide alternate activities for
students that opted out of a technology due to a lack of comfort with the privacy policy.
One last law to consider is the Annotated Code of Maryland, Labor and
Employment Article 3-712. This requires that no employer may ask an employee for
his or her username or password for personal accounts. This language was included in
the AUP, as well as leading to specific language to cover the schools responsibilities to
safeguard student data. Because the school may not ask for information to have access
to personal accounts, Ive included language in the AUP requiring teachers to link all
professionally used technology to a school email account. Ive also included language
stating that professionally used technology is the property of the school, that the school
must have access to it, and that the technology stays with the school should the
employee leave for any reason. This is to better safeguard any student data that may be
stored in the technology.
Although the above laws cover a majority of the potential issues, Ive also
included language to tie any technology use to the existing school policies. In specific,
Ive included language to link policies: 1000, 1040, 1060, 3040, 7010, 7030, 8040, 9030,
9050, and 9200 to any technological use. In addition to the explicit language in the AUP,
this provides a mechanism to manage issues that have not been addressed specifically
here, but are covered in policies elsewhere.
The administrative issues of integrating technology became the last section of
standards within this AUP. Currently, many classrooms are using a Bring Your Own
Device (BYOD) policy. Because students are using their personal devices for
instructional uses, without language assigning liability, the school system may find itself
responsible to fix, support, or replace private devices and technologies. I included
language in the AUP that explicitly states that personal devices should be used at the
risk and liability of the owner. Ive also included language that prevents any school
representative from mandating the use of personal technology to prevent any liability
from falling on the school.
Conversely, Ive included language to protect the school system from negligent
use of school technology. The AUP states that if an individuals negligence results in
school technology being damaged, lost, or stolen; then that individual is financially
responsible for that technology. In this way the school is shielded from having to pay for
private technology, and for having to pay to repair or replace technology damaged, lost
or stolen due to someones negligence.
Finally, Ive included language making it clear that personal use of technology
shall not interfere with educational responsibilities, and that the expectation is for
technology to be for instructional use only.
As you see, the implementation of my proposals for an AUP at our school will
have the ability to handle most any issue related to educational technological

14

integration. Without this comprehensive list of standards, our school is at risk of legal
punishments, financial liability for technology, cyberbullying, harmful online activities,
and the unlawful release of confidential student information. I implore you to consider
these proposals and forward them immediately to be approved and implemented at our
school to facilitate safe learning and good digital citizenship for our students.

15

Bibliography
1. Nandoli von Mares and Franz Petermann
Cyberbullying: An increasing challenge for schools School Psychology
International October 2012 33: 467-476, doi:10.1177/0143034312445241
2. Willard, N. E. (2007). Cyberbullying and Cyberthreats: Responding to the
challenge of online social aggression, threats, and distress. Champaign, IL:
Research Press.
3. Howard County Board of Education. Policy 8080 Responsible Use of Technology
and Social Media. Available at http://www.hcpss.org/f/board/policies/8080.pdf.
Accessed on June 26, 2015.
4. Federal Trade Commission. Children's Online Privacy Protection Rule
("COPPA"). Available at https://www.ftc.gov/enforcement/rules/rulemakingregulatory-reform-proceedings/childrens-online-privacy-protection-rule. Accessed
on June 26, 2015.