Skip Navigation
Weaving a Secure Web Around Education: A Guide to Technology Standards and Security
  Table of Contents and Introductory Material
Chapter 1
  The Role of the World Wide Web in Schools and Education Agencies
Chapter 2
    Web Publishing Guidelines
Chapter 3
    Web-Related Legal Issues and Policies
Chapter 4
    Internal and External Resources for Web Development
Chapter 5
    Procuring Resources
Chapter 6
    Maintaining a Secure Environment
PDF File (1,119 KB)

Ghedam Bairu

(202) 502-7304

Chapter 3: Web-Related Legal Issues and Policies

  • What is an Acceptable Use Policy?
  • How do state "Sunshine Laws" apply to web communication?
  • When should an agency filter its web site?
  • What are some legal issues to be addressed?


There are some aspects of web development necessary to meet federal, state, or local laws and regulations. Many of these regulations are adapted from rules or laws that existed before the advent of the Internet. For example, education agencies have long been required to comply with copyright regulations, Sunshine Laws (see below), and student privacy rights. New technologies mean that new procedures may need to be in place.

An Acceptable Use Policy (AUP) should be developed by an agency that allows students, staff, or community members to use computers or to connect to the Internet through the agency. The intent of an AUP is not to exclude anyone from using a computer, but to be certain that everyone understands that this usage is a privilege that can only be retained with appropriate usage.

This chapter concludes with a discussion of Internet filtering. For example, should an agency or school filter out web sites that may be objectionable? This chapter does not attempt to answer this very difficult question definitively. Rather, it describes various filtering techniques that could be employed.

Internet Usage

At the same time an agency is deciding on content for a prospective web site, agency staff should think about related policy issues and guidelines that will affect the entire organization. Even though the World Wide Web has been around for a relatively short time, the Internet has been in general use long enough that effective practices already exist based on well-known pitfalls. Now is the time, if the organization has not done so recently, to review Internet policies and procedures.

Many of the needed policies, such as "acceptable use" and "right to know," have legal implications and may be required by local, state, or federal regulations. This chapter provides general guidelines for awareness of potential legal issues, but does not purport to give legal advice. Specific legal questions should be discussed with the agency's attorney.

A district is responsible for a web site developed at a school.

While many school districts and state departments of education are attuned to the need for many of the policies and guidelines described below, the school technology coordinator and/or the students creating the school web site may not be aware of the policy issues that arise when a web site is developed. The district is ultimately responsible for its school web sites and must ensure that each school adheres to applicable laws and regulations.

Acceptable Use Policies

Whether an organization provides direct services to students or serves as a support or regulatory body for schools, adoption of an AUP is essential. The purpose of this policy is to inform users of the ground rules, thus protecting them and the education agency from violations of law, practices that would damage the system, or misunderstandings regarding who is responsible for what.

Internet usage for staff and students is a privilege, not a right.

The responsibility of "acceptable use" comes with the privilege of Internet access that is afforded to students, staff, and, sometimes, parents. No one should be using the Internet in a school or district environment until that person has reviewed and signed the agency's AUP. Where students are concerned, parents need to review the AUP and complete the signature page, indicating their understanding.

An AUP should include the following:

  • notice of the rights and responsibilities of computer and network users;
  • notice of legal issues, such as copyright and privacy;
  • notice of acceptable content and conduct on the network;
  • description of behaviors that could result in disciplinary action; and
  • description of the range of disciplinary options, including the removal of access privileges.
The AUP applies to all users accessing the Internet from agency terminals or computers. This includes teachers, students, parents, and other members of the community who might use the Internet at an agency site. For example, members of the community using school computer labs to learn about technology also need to review the agency's AUP.

The AUP should be available in a variety of formats for those who do not speak English or who have a disability that makes reading the policy impractical. Finally, the agency should avoid including provisions in the policy that it is not willing to enforce, or that will create difficult legal situations by their enforcement. All users need to understand the consequences of failure to comply with the AUP.

A student should have specific written approval of a parent or guardian for school-based Internet access.

Each AUP should include a detachable page where the user, or the parent or guardian of a student, can acknowledge that he or she has received, read, and understood the policy. The agency should retain this sign-off sheet. No student should have school-based Internet access without specific written approval of a parent or guardian. Parents need to work with agency personnel to ensure that students understand the components of the AUP.

An example of an AUP along with a parent signature sheet and other policy documents are provided in appendix E of this document.

Open Meeting (Sunshine) Laws and the Freedom of Information Act

Every state has some version of an open meeting law, frequently called the Sunshine Law or Right-to-Know Law. The intent of this type of statute is to ensure that public business is conducted openly and that access to public records is guaranteed to the citizens of the state.

Many of these laws have not been updated to recognize electronic communication; however, this has not stopped courts from applying the laws to such communication. To avoid problems that might arise, if a public agency maintains a web site, an e-mail server, list servers, or electronic bulletin boards, policies should be in place to address the use of these media for communication among the members of a governing body, such as a board of education.

Electronic files are subject to the same legal requirements as paper documents.

Use of electronic media to inform public officials and the public generally is not contrary to law. However, in many states, when the communication invites, or results in, responses from and discussion among public officials, such communication may constitute an illegal meeting. Some states' laws specifically prohibit electronic meetings. Others, while not prohibiting such a meeting, may require public notice stating that the meeting will occur and identifying a location where the public, in real time, can monitor the electronic communications.

Under the Freedom of Information Act (FOIA), members of the public can request, and must be granted access to, any documents in the possession of a public agency that address public business and are not specifically protected by other statutes establishing classes of confidential records. Over the years, public agencies have developed records retention policies designating how long their paper documents will be retained in the files before disposal or destruction will be permitted. Under FOIA, electronic files are subject to the same legal requirements as paper documents, so it is important for an education agency to maintain an archive or archives of e-mail and other electronic documents as they would paper documents.

Usability Guidelines

Simply stated, usability guidelines ensure that visitors using various software packages are able, optimally, to view a web site. For example, programming requirements for Microsoft's Internet Explorer® are somewhat different from those for Netscape. In order to accommodate users of both applications, a web site has to be programmed accordingly. While there are no legal requirements to accommodate users of different software applications, agencies should consider the issue and establish formal guidelines.

Certain aspects of maintaining a web site, such as accessibility, privacy, and copyright, may require compliance with laws or federal regulations. Whether working with outside sources on the development and/or maintenance of the web site or managing the process in-house, the agency needs to have policies in place to ensure that usability guidelines are followed.

Accessibility Guidelines

Web sites are effective tools to assist people with disabilities.

The World Wide Web Consortium (W3C), an international group seeking to optimize the use of the web, has developed standards to address Section 508 of the Rehabilitation Act [29 U.S.C. 749d] requirements (see appendix F). These standards, known as the Web Access Initiative (WAI), provide practical guidance for web developers in designing accessible web pages. The standards are prioritized and include sample HTML programming code to assist developers.

Web site accessibility measures include the following:

  • Attach alternative text tags to graphics. The tags can be spoken to visually impaired and blind users with programmable screen readers.
  • Avoid the use of red and green in web text. Use of style sheets to set standard color schemes on a web page will permit color-blind users to modify colors easily from within their own browsers.
  • Enable synchronized captioning of audio files and avoid the use of streaming audio for deaf and hearing-impaired users.
A free service for checking web site accessibility according to WAI and Section 508 standards is located at For more detailed information about W3C and WAI guidelines, visit

Student Rights and Privacy

The Family Education Rights and Privacy Act (FERPA) regulates the dissemination of student information. The regulations apply to information posted on the Internet or web. The posting of student work, photos, or other personally identifiable information on a web site is one of the most obvious issues addressed by federal and state privacy laws.

One might ask: If the Internet and World Wide Web are used to access information outside an agency, how can internal privacy issues be a concern? Often web sites are created to inform the community about the activities of a district or school. Under these circumstances, classroom or schoolwide test scores may be displayed. These web pages may be based on student databases that are maintained by the agency.

People should not be able to identify individual students from an agency web site.

Student privacy is an agencywide issue. Even computer programmers need to be trained on the provisions of federal, state, and local laws and regulations that prohibit the display of individual student information, particularly when such information exists in agency databases.

Even if a district does not maintain a database of all students, there is a great probability that databases of special education or Medicaid-eligible students exist. Such databases would be subject not only to the privacy requirements of FERPA [20 U.S.C. 1232g] but also the privacy regulations of the Health Insurance Portability and Accountability Act of 1996 [45 CFR Parts 160 and 164] (HIPAA) and the Individuals with Disabilities Education Act [20 U.S.C. 1400 et seq.] (IDEA). In addition to protecting the privacy of students, agencies maintaining databases must provide security for employee records as well.

Discussing laws and federal regulations about student privacy may seem esoteric, or even unnecessary. However, it is not a difficult task for a person to make contact with students simply by using information obtained on the Internet. While this may be a frightening scenario, a photograph connected to a name displayed on a school web site makes it much easier to identify a student.

Policymakers are urged to provide this guidebook to their district information or technology director or their school site technology coordinator for a review of the information in this chapter and the discussion of security procedures in chapter 6. Additionally, the federal acts named above should be reviewed.

Copyright Compliance

Student reports must cite information gathered from the Internet the same way information from other media is cited.

Many educators have common misconceptions about Fair Use Doctrine for schools and libraries under the United States Copyright Law [17 U.S.C. 107 et seq.]. This misunderstanding, coupled with a general belief that anything found on the Internet is free for the taking, can put the agency at risk of severe legal penalties.

Establishing a link from one web site to other web sites is entirely within legal practice; however, copyright law protects the materials on those web sites. It is imperative that educators have a reasonably good understanding of what constitutes "fair use" and what is prohibited. The education agency's policy and its accompanying procedures should provide guidance to users and should establish, without equivocation, that violation of copyright law is contrary to the policies and practices of the agency.

Copyright compliance applies as well to the use of the Internet by students. For example, it is important for educators to ensure that students understand fair use of citations and quotes obtained online for use in their own class presentations and reports.


Filtering is required if the agency has benefited from discounts for internal school connectivity or Internet access via the Erate discount program. See for up-to-date E-rate information.

Filtering of Internet content is one of the most controversial issues facing schools and districts using the Internet. Proponents of filtering are concerned about protecting children and teens from inadvertently, or intentionally, visiting sites with pornographic material, hate group rhetoric, or other inappropriate material. Opponents believe that censorship of any kind, even for children, sets a dangerous precedent that is contrary to the free speech provisions of the U.S. Constitution.

For schools and districts participating in the federal E-rate discount program, the question of whether to filter is answered by provisions of the Children's Internet Protection Act (Public Law 106-554). This act, often referred to as CIPA, requires agencies receiving E-rate discounts for school connectivity or Internet access to employ a filter, regardless of their philosophical preferences.

There are many options available for agencies that choose, or are required, to place some type of filtering system on their web site. All methods should be considered carefully to determine what they do, how they operate, and how much time the agency will need to devote to maintaining the filtering system.

Whether to filter is not as straightforward a decision as it might appear.

The earliest filtering programs still in common use contain lists of keywords or phrases likely to be found on objectionable web sites. These lists tend to be static and inflexible. The primary complaint about this type of filter is that it blocks access to a large number of appropriate sites, such as those describing research on breast cancer and government data files listing the data element for gender as "sex."

An alternative to the list filter is a subscription to a service that constantly reviews and screens new sites for objectionable material. Specific sites, rather than words and phrases, are blocked. The main objection to this method of filtering is that access to some objectionable sites is still possible because monitoring every site on the Internet is impracticable. A newly emerging challenge for filtering services is the purchase, by "disreputable" companies, of Uniform Resource Locators (URLs), or web addresses, previously owned by other businesses and organizations. These URLs are used to mask the true nature of a site.

Most subscription lists accommodate manual overrides to permit the local network administrator to define trusted and questionable domains. Reviewing lists to determine what the filter should override is a time-consuming process and, therefore, expensive. Generally, it is impractical for an organization to structure its entire filtering system on this basis.

A larger agency may choose to develop its own process for filtering the Internet. While providing more flexibility for the agency, this effort can be resource intensive. Personnel will need to be assigned to determine which sites should be filtered. The agency will need to establish procedures for monitoring the filter and for responding to requests from staff to modify the filtering protocol.

In addition to filtering content and advertising, the agency may consider filtering unacceptable services. For example, it may block "free" web-based e-mail services, instant messaging services, or chat rooms. The agency may additionally choose to block the downloading of multimedia content, such as music files or movies, because of its heavy use of bandwidth and copyright issues.

In 2001, 96 percent of all public schools with Internet access used some procedure to control student access to inappropriate material on the Internet.

Within the local network, the agency may have the ability to restrict Internet access on specific computers or work groups, while granting broader access to others. Thus, a filter may be active on the firewall for computers used by students but configured to grant greater freedom to faculty or administrative staff computer users.

Many districts deal with filtering and web-based advertising proactively. They filter all sites and then determine which sites would be appropriate for use within the agency. Students are allowed access to approved sites only.

Agencies discussing a software or hardware solution with vendors should ask about the criteria used to determine what is to be filtered. If a vendor has a specific political or moral agenda, for example, sites may be filtered that oppose that agenda.

While there is a great deal of discussion about filtering out inappropriate sites on the Internet, there is no substitute for the vigilance of teachers. Professional development programs should stress that surfing the Internet is an inappropriate activity for students at school. The web, in a classroom, should be treated as an instructional tool, not a plaything. The agency's AUP should contain language that defines the appropriate use of the Internet by students (see appendix E for a sample AUP).

Logging System Usage

Even if an agency does not require filtering, the related issue of access to and maintenance of Internet logs must be considered. The logs are electronic records documenting the sites visited from the agency's network. One New Hampshire parent successfully sued a school district to gain access to its Internet logs in order to determine whether the district, which was not filtering, was providing enough protection to students through its AUP. The judge granted the parent's request for access, but the district had already deleted the logs.

In addition to the question of access, the district found itself having to defend its position related to the deletion of the records. The problem was not just that the records were deleted, but that there was no policy governing a file maintenance schedule or purging procedure. In short, because the district had no standard operating procedure in place, it appeared to the judge that the logs were deleted to prevent their use as evidence in a legal action. The court found the school district to be in contempt of court and ordered it to produce the remaining records and to pay the parent's costs and attorney's fees. The case could set a precedent regarding parent access to logs that will affect schools and districts nationwide.

The bottom line is that a policy must be in place regarding the retention and destruction of files and must address the use of all computer systems within the agency.


  • A district is responsible for a web site that is developed at a school within that district.
  • An Acceptable Use Policy should be available for all users of the Internet within the agency.
  • The Freedom of Information Act and state Sunshine Laws have an impact on the use of the Internet in an education agency.
  • Usability standards can be employed to ensure that the web site has the widest possible audience.
  • Student rights and privacy guidelines that apply to the education community include the use of the Internet and its components, such as the World Wide Web.
  • Usability guidelines must address access for individuals with disabilities and the protection of privacy and confidentiality rights of students.
  • There are many options available for filtering web content.