About

The Education Privacy Resource Center

FERPA|Sherpa – named after the core federal law that governs education privacy – is the education privacy resource center website. This site is your tool for finding information, news and opinions on maintaining student data privacy. FERPA|Sherpa is an initiative of the Future of Privacy Forum.

COMMON QUESTIONS

Why does student privacy matter?

Schools have always had to find the tricky balance between ensuring student autonomy and dignity (both of which are necessary for learning) and surveilling and monitoring students (both of which are necessary to keep students safe and assess what they’ve learned). New technology and cheap data storage have certainly altered the educational landscape, but the underlying tension between privacy and monitoring in schools has not changed. Student and child privacy laws at the federal level work to address this tension by ensuring that

  • information about a student is used fairly
  • information about a student is used only for its intended purpose and not for unwanted or unanticipated purposes
  • students are not coerced into divulging personal information
  • students are not exposed to deceptive messages

In recent years, as more and more information is created and shared digitally, and data breaches and identity theft have become a bigger concern, state laws have been passed to regulate what information schools can collect and share online and what website and online application operators can do with it.

Student Privacy Laws

What federal laws govern student privacy?

FERPA: The primary federal law that protects student privacy is the Family Educational Rights and Privacy Act (FERPA), which was passed in 1974. The main goals of FERPA are to ensure that information about a student is used fairly by providing annual notice to parents about their rights toward student data, namely

  • the right to inspect and review records maintained by the school
  • the right to seek to amend records they believe are misleading, inaccurate, or otherwise in violation of a student’s privacy
  • the right to consent to the disclosure of records to other individuals
  • the right to file complaints with the Department of Education if they believe their rights under FERPA have been violated

Furthermore, FERPA ensures that information about a student is only used for its intended purpose by requiring that disclosures of student data only occur with written consent. FERPA includes several exceptions to this rule that allow the school to share information without consent in specific cases that benefit students, provided that certain guardrails are in place.

PPRA: The Protection of Pupil Rights Amendment (PPRA) is a law that ensures that students are not coerced into divulging certain personal information. This is done by giving annual notice to parents of surveys the school will be giving and giving parents the right to inspect and review the materials. Depending on the funding source of the survey, parents will be given the ability to either opt in to participation or opt out.

COPPA: The Children’s Online Privacy Protection Act (COPPA) is a law that regulates websites and online applications that collect information from children to ensure that they are not following deceptive practices. In general, these operators are required to provide notice and gather verifiable parental consent before collecting information from a child. Under the law, schools are allowed to provide consent in the place of a parent, provided that the website or online application only uses the information collected for educational purposes.

IDEA: The Individuals with Disabilities Education Act (IDEA) ensures that students with disabilities are given an appropriate education that is tailored for their needs. Since this requires collecting very sensitive personal information, the law specifies some additional privacy protections to ensure that this information is not used for other purposes.

CIPA: The Children’s Internet Protection Act (CIPA) is a law that provides federal funding to schools that monitor and filter internet content and requires that schools teach students about digital citizenship and staying safe online. Though it is not directly a privacy law, it hits on many aspects of privacy since schools will have to determine the appropriate amount of monitoring and filtering as well as cover protecting personal privacy as part of the digital citizenship curriculum.

NSLA: The National School Lunch Act (NSLA) is a law that governs school lunch programs, and it includes provisions related to protecting financial data submitted as part of free and reduced lunch applications. Aside from being able to share a student’s eligibility status for free or reduced lunch in limited cases and for auditing the management of the program, the information from these applications can only be shared with parental consent.

What do state student privacy laws cover?

Between 2013 and 2018, 40 states passed 125 laws that relate to student privacy. In general, these have coincided with states moving to online statewide testing (which has increased the quantity of data created and shared) and with states building integrated data systems that combine data from multiple state agencies. Some common goals of these laws are

  • building upon FERPA and PPRA by further restricting what student data a school can collect or share with others
  • providing further requirements and guardrails related to student data shared with websites, online services, and applications
  • designating a chief privacy officer and other individuals at the local level responsible for ensuring compliance with privacy laws
  • requiring more transparency about what data schools collect and what it is used for
  • requiring that schools and vendors meet certain data security standards
  • requiring notification to parents in the event of a data security breach

What privacy rights do parents and students have?

Under FERPA, parents and eligible students are given four rights, namely

  • the right to inspect and review records maintained by the school
  • the right to seek to amend records they believe are misleading, inaccurate, or otherwise in violation of a student’s privacy
  • the right to consent to the disclosure of records to other individuals
  • the right to file complaints with the Department of Education if they believe their rights under FERPA have been violated

State laws may provide parents with additional rights, such as the right to sue an educational website for damages after a data breach.

Do private schools have to follow these laws?

Schools that receive funding from a program administered by the US Department of Education generally have to comply with federal student privacy laws even if they receive most of their other funding from private sources. For example, many private colleges and universities still have to follow laws like FERPA since they receive funds via the Federal Student Aid program.

Privacy and the Internet

How can students protect themselves online?

Students may choose to share personal information online in ways that schools may not be able to protect. Students can take several steps to better protect their data online, beyond protections schools can provide. Students may choose to do any or all of the following:

  1. Know when you are public. When sharing information on forums or social media, check whether your post will be private or public. When you share information publicly, it is available for others to copy, share, or retain without your explicit permission. Make sure that when you are sharing information online, you understand that you may be sharing personal or sensitive information and that you have the choice of whether to post such information publicly or keep it private.
  2. Use privacy settings. When sharing information on certain sites or devices, such as a smart phone, you may have the option to choose how your data is collected or shared. For example, certain apps on your phone may track your location, which may be helpful in telling your parents where you are in an emergency, but may not be helpful when the app you are using is a video game that does not need your location to function. Remember that there are usually settings available to you to customize your privacy. If a website, social media site, or app does not give you privacy setting options, you may want to consider not using that site or app if you want to protect your information.
  3. Delete data. When you find yourself no longer using a site or app, you can choose to delete your account or data. Usually you are able to delete your account while logged in through settings or you can email the appropriate contact listed on the website or app and ask for deletion.
  4. Browse securely. When you browse the web, you may find that some websites are secure and others are not. One easy way of knowing whether you are on a secure site is making sure that the URL at the top of your browser includes the text “https://”, rather than “http://” at the beginning of the URL text. Seeing the text “https://” means that the website secures the exchange of information on the site so when you share information, it is safer.
  5. Update your passwords regularly. If you have accounts on websites or apps, make sure to use a password that is difficult to guess, such as including allowable numbers and symbols, and does not include any personal information. Additionally, try to change your password on your accounts on a regular basis, such as every three to six months or every year. This makes it more difficult for hackers to get into your account and know your personal information.
  6. Only communicate online with people you know offline. You may find that you will receive emails, messages, or follows from people you are not sure you know or from people who promise you something you want if you give them some information about yourself. Be careful with these types of communications. Often, these messages could be what is called “phishing,” where someone you don’t know is trying to trick you into giving them personal information in order to use it in a way you would not consent to. The easiest way to avoid this is to only communicate online with people you have already met offline and to report or delete any emails or messages from people you do not know.
  7. Clear your browser history and cookies. While terms like “browser history” and “cookies” might seem technically complicated, it is fairly easy to understand why it is important to clear them and how. When you browse the internet, websites may collect information about you by tracking what other websites you visit or what information you input into text boxes. While this could be useful to you by having your browser remember your passwords for quick and easy log-ins, websites may be tracking more than what you think by using cookies. If you want to protect your information, you may want to use your browser settings to clear your history and your cookies every so often. This may result in you having to type out your log-in information when signing back into websites you have an account with.
  8. Go incognito. Most browsers allow you to use a “private window,” which means that your browser will not keep data about your browser history or cookies. This makes it more difficult for websites to track you and your information.
  9. Ask a trusted adult. Especially if you are 13 years old or younger, it may be very helpful to speak to an adult you trust about your online use. Usually you can speak to your parents, a teacher, or a relative who may understand how to protect your privacy online or will have access to resources that can help both of you understand.
  10. Install antivirus software on your devices. Antivirus software helps protect your computer or other devices against attacks from hackers who may use computer viruses or other malware to gather your personal information and track your online behavior. You may want to discuss antivirus software options with a trusted adult before installing the software. There are various types of antivirus software, including ones that require payment and ones that are free. One thing to be careful about is to make sure that you are downloading validated and well-known antivirus software, because some antivirus programs you may find for free online are actually viruses themselves.

How do I keep my child safe online when they're not in school?

Children use various educational programs and e-games for both learning and fun. There are other rules that apply to children who access educational or non-educational web programs through personal computers, and through mobile apps on tablets and smartphones. Parents should be aware that data that is collected about their student but is not a part of their educational record at school does not fall under the protection of FERPA.

GreatSchools has this video about keeping children safe online. The Federal Trade Commission, the government agency that enforces the Children’s Online Privacy Protection Act (COPPA), offers tips to parents about how to protect their children’s privacy online. Additionally, kidSAFE provides a quick one-pager on COPPA. More detailed information is available through the Center for Digital Democracy’s COPPA parent guide, “The New Children’s Online Privacy Rules: What Parents Need to Know.” Moms with Apps has also provided a nice breakdown of 5 Things Moms Need to Know about Apps.

Some other resources for parents include the following:

What best practices should schools follow in choosing an educational app or website?

Educators routinely use new education apps in the classroom to help students learn. However, some of these apps can make student data vulnerable to hacks, advertisers, or other privacy harms. When you sign students up for an app, you might actually be violating FERPA! Read below for best practices.

What if I want to use an education app or tool and I don’t know if my school/district has vetted it?

Be familiar with your school’s policy or process for selecting new educational tools, if one exists. If an app or service you want to use is not on the “approved” list, ask for it to be vetted and ask how long the vetting process takes. If the process is lengthy, you will want to redesign your lesson or project plan. Once the app is approved, you can certainly use it later. The list may also contain similar alternative apps you can use in the meantime.

If no such vetting process exists in your school, the checklist at the bottom of this section can help you quickly evaluate whether your students’ information will be protected.

You can also look to sources like Common Sense Media or iKeepSafe to see if they have “rated” or “badged” an edtech product for privacy. You can also check the database of the Student Data Privacy Consortium to see which apps are being used by other districts. Note that none of these sites replaces getting the app you want to use vetted by your school; they are just signals of which apps are more privacy friendly – make sure you check with them!

Some tools have already been vetted

If your school or district has an approved list of ed tech products, services, websites, or apps, check that the service you use is included and ensure you are aware of any requirements or privacy options. When schools and districts decide to adopt certain technology tools, they should evaluate those tools to ensure they meet data privacy requirements. Some examples include:

  • Workflow and collaboration tools where students and teachers draft work together, give feedback, and communicate throughout the learning process.
  • Learning Management Systems (LMS) where teachers post instructions, assignments, and links to resources for students and parents to access.
  • Online gradebooks where teachers post grades and students and parents can access them using a username and password.
  • Communication tools for emails or newsletters.

What about companies that provide online tools to schools?

Schools are allowed to rely on technology companies to provide products and services, but have the responsibility to ensure that those vendors have appropriate protections in place for student data. The school must ensure that it retains direct control over the information the company collects, uses, and maintains. Schools are responsible for seeing that companies working with the school directly only use student information for authorized educational purposes. These companies have access to this data under the “school official” exception, for the limited purpose of using student information for educational purposes only.

What should I do if a student suggests an unvetted education app to use for a project?

As a teacher, you cannot officially endorse use of an outside product, but you can explain to the student the considerations they should take into account, including recommending the student let their parents know too. It’s quite common for students to find education apps on their own to use for projects, and educators should encourage students to be creative and take their suggestions seriously. This is a teachable moment—a great opportunity to talk with the student about data privacy and review that digital citizenship curriculum.

Here are some examples of questions you could use to start the conversation with your student:

  1. Did you have to make an account in order to start using that app? If so, did you have to provide personal information (email, name, age, etc.)?
  2. Does the app require parental permission? Who has access to your email and other information now that you’ve created that account?
  3. Does the app developer share your information with others? (It’s in their privacy policy.)
  4. Does the app collect additional information such as location or contacts?

In all likelihood, your student will not know the answers to some of these questions. That is OK, but it is important to explain to them that all of this information belongs to them. They should think about protecting it, and should be encouraged to discuss their choices at home with their parents as well.

Again, you can also suggest to them that they see if that tool is rated or badged on Common Sense Media, iKeepSafe, or in the database of the Student Data Privacy Consortium.

What if my students and/or I want to use or recommend a technology tool that was not specifically designed for education?

If you, the teacher, want to recommend an app that was not specifically designed for education, checking with your administration, complying with applicable school policies, and using the checklist in this guide just as you would for an education-specific app is still a best practice. It’s a common issue because there are many “consumer apps,” which are not designed for education, that students may wish to use for learning or to help them with their homework and projects. These may include research tools, note taking apps, collaboration tools or apps that allow users to make videos, record audio or create other media such as cartoons, images, and so on.

However, commercial products not designed and marketed for schools may not have the privacy policies and practices in place to ensure the protection of user data to the standards of laws that protect student information. Therefore, if not prohibited by school policy, these products should be carefully evaluated to see if their use will put student data at undesirable risk.

If a student approaches you and asks to use an app for your assignment that you’re not familiar with, it is a good idea to use the opportunity to talk to your student using the suggested questions above. Again, harness that teachable moment.

What are some questions to help you quickly evaluate whether an app, website, product, or service will protect your students’ information?

  1. Does the product collect Personally Identifiable Information? FERPA, the federal privacy law, applies to “education records” only, but many state laws cover ALL student personal information.
  2. Does the vendor commit not to further share student information other than as needed to provide the educational product or service? (such as third party cloud storage, or a subcontractor the vendor works with under contract.) The vendor should clearly promise never to sell data.
  3. Does the vendor create a profile of students, other than for the educational purposes specified? Vendors are not allowed to create a student profile for any reason outside of the authorized educational purpose.
  4. When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?
  5. Does the product show advertisements to student users? Ads are allowed, but many states ban ads targeted based on data about students or behavioral ads that are based on tracking a student across the web. TIP: Look for a triangle i symbol, which is an industry label indicating that a site allows behaviorally targeted advertising. These are never acceptable for school use. This would be particularly important when evaluating non-education-specific sites or services.
  6. Does the vendor allow parents to access data it holds about students or enable schools to access data so the school can provide the data to parents in compliance with FERPA?
  7. Does the vendor promise that it provides appropriate security for the data it collects? TIP: A particularly secure product will specify that it uses encryption when it stores or transmits student information. Encrypting the data adds a critical layer of protection for student information and indicates a higher level of security.
  8. Does the vendor claim that it can change its privacy policy without notice at any time? This is a red flag—current FTC rules require that companies provide notice to users when their privacy policies change in a significant or “material” way, and get new consent for collection and use of their data.
  9. Does the vendor say that if the company is sold, all bets are off? The policy should state that any sale or merger will require the new company to adhere to the same protections.
  10. Do reviews or articles about the product or vendor raise any red flags that cause you concern?

How can websites/apps show their commitment to privacy?

Parents need to trust both schools and the service providers that work with schools. In an effort to ensure parents can be confident in how organizations use student data, the Future of Privacy Forum and the Software & Information Industry Association developed the Student Privacy Pledge in 2014. The Pledge is legally enforceable: by taking the Pledge, a company is making a public statement of their practices with respect to student data. Accountability comes from the Federal Trade Commission (FTC), which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices.

Companies can apply to join the Pledge here.

Communication and Transparency

What are parents’ main concerns when it comes to student privacy?

The Future of Privacy Forum surveyed parents in 2016 to better understand their views of technology use and student privacy. Overall, this survey showed the increasing prevalence of technology use by both parents and students, increasing levels of support by parents of the appropriate collection and use of data by schools, and continued strong belief in the possibilities of technology to improve their child’s educational opportunities. The goals for educators, advocates, and policymakers remain to communicate policies clearly; establish transparent practices; and work with parents as key partners in the educational system to achieve the best learning outcomes for our children. For more details, see this blog post.

What should parents ask schools about privacy?

Here are the seven most important questions that parents should ask about student privacy during the school year.

  1. Which websites, services, and apps will my child’s classroom use this year?
  2. How does my school handle directory information?
  3. What is my school’s approach to school safety, and what does it mean for my child’s privacy?
  4. Does my child’s school administer surveys?
  5. What are the rules for recording devices in my child’s school?
  6. How is my child’s information secured?
  7. How does the school train teachers and staff to protect student information?

For more detail about these questions, please see this blog post.

How should schools communicate about privacy to parents?

As schools collect more data on students, it is critical for them to be transparent about their data practices to foster trust with parents. Schools benefit when they are able to most clearly and effectively communicate the following to parents and guardians, beginning with broader descriptions and over time moving toward the sharing of more granular information:

  • Legal requirements and restrictions
  • Governance and accountability
  • Types and uses of data
  • Privacy and security practices
  • Third-party data sharing
  • Parent access and rights

A multi-layered approach is most effective, matching the content format with the message scale, complexity and timeliness. Schools should utilize the following channels to communicate:

  • School websites and mobile applications
  • Notifications
  • Parent involvement
  • Technology dashboard
  • Tiered staff response

For more information, see this blog post.

Schools and Student Data

How does data help schools?

Schools hold a variety of information on students, including name, address, names of parents or guardians, date of birth, grades, attendance, disciplinary records, eligibility for lunch programs, and special needs. Schools, including teachers and school officials, use this data not just for basic administrative needs such as knowing whether a student may have a peanut allergy, but they also use this data to assess how well students are progressing, how effective teachers are, and how well schools are doing in relation to each other. Student data, in aggregated (averaged out) form, can help states make better policy decisions and plan budgets according to how to more effectively educate students. This video from Data Quality Campaign explains more.

Who can schools share student data with?

In general, schools may only share student data with written parental consent. There are a limited number of exceptions to this that can be found in FERPA. Some of the most common exceptions are

  • Directory information: this exception allows the sharing of information the school has deemed harmless and may make public. Yearbooks, playbills, and honor code rolls are all examples of ways schools use the directory information exception.
  • School official: this exception allows educators to share with other school employees who have a legitimate educational need for the information. It also allows the school to share with contractors and other parties, like volunteers, who are doing a job the school would otherwise use its own employees for.
  • Studies: this exception allows the school to share information with a researcher for the purpose of evaluating educational programs.
  • Audit/Evaluation: this exception allows student data to be shared to audit or evaluate a federal- or state-funded education program.

Other examples include sharing student data with another school after the student transfers or with relevant individuals in the case of a health or safety emergency.

What can schools share with law enforcement?

Schools are generally restricted from sharing student information with outside parties without first obtaining written parental consent. There are a limited number of exceptions wherein a school may share student data with other individuals without prior consent. A few of the exceptions could be used to share with law enforcement in very limited cases. For example, a school may share with law enforcement if there is a legally issued court order or subpoena, but generally only if they first notify the parents of the subpoena so that they may attempt to seek protective action. They may also share with law enforcement in the case of a health or safety emergency.

School resource officers (SROs) are law enforcement officers assigned to work in the school for various purposes. As such, many are classified as school officials and may be given access to records for which they have a legitimate educational reason; however, just the same as teachers should not share information about students with others outside the school, SROs acting as school officials may not share information they obtain with other law enforcement officers outside the school.

More information about legal restrictions and best practices when disclosing to law enforcement can be found here.

What kind of training do educators typically receive on privacy?

For most of FERPA’s existence, the majority of data shared by a school occurred at the administrative level, so teachers generally received little to no training on data privacy laws or policies. In recent years, with more and more educational technology entering the classroom, teachers have become one of the primary sharers of student data. Consequently, it is more important than ever for teachers to be trained on what their legal obligations are and what best practices they should follow when sharing and securing student data.

What best practices should schools and states follow in developing privacy policies?

Data governance addresses the processes and systems governing data quality, collection, management, and protection; basically, data governance includes formal policies that address the whole life cycle of data.

Good governance assures accuracy, timeliness, usability, and security in data. Governance plans should define roles and responsibilities when it comes to data access, disclosure, and use; ensure data management and monitoring; and describe and set up parameters on how data is collected, accessed, and used.

There are many great resources that K-12 school officials can use to create or improve their state, district, or school data governance plan. We recommend:

Also, see this video from the US Department of Education, which goes over starting a district privacy program.

Security

What does a strong password look like?

If your password consists of a dictionary word and a number (or worse still, appears on the list of most common passwords), then a hacker could easily crack your password in under a few seconds. The most recent guidelines from the National Institute of Standards and Technology (NIST) focus on length of passwords over complexity. To increase the length of your passwords, consider using passphrases instead, which consist of a short sentence or several random words put together. This blog post provides more detail on choosing a strong passphrase.

Furthermore, you could stop creating and remembering passwords altogether and use a password manager to do both.

How should schools keep student data secure?

Securing data is a large part of ensuring student data protection. When storing student data, data should be stored following FERPA security principles. See more information below.

Without security, there can be no privacy. LEAs and SEAs have a responsibility to ensure that data is protected through adequate security. When contracting with educational technology vendors, school officials should make sure that these companies have privacy policies and practices that ensure data security.

Recommended Security Resources

See this video for more information about protecting security in the context of ed tech.

Privacy and New Technology

Is it safe to use voice assistants in the classroom?

It is unclear how a lot of new technology fits within the existing privacy legal framework. Voice assistants, such as Google Home and Alexa, are no exception. In general, these tools are intended for home use and not for the classroom. With that said, we recommend that you do the following if you choose to use them in the classroom.

  • Check with your school or district first since they may have policies regarding their use
  • Educate yourself about your state and federal privacy laws using The Educator’s Guide to Student Data Privacy
  • Get parent permission first before using the assistant in the classroom
  • Once in the classroom, treat the voice assistant as if it were an outside classroom visitor
  • Learn how to use the device’s privacy settings and proactively manage them
  • Consider how and whether this device will enhance teaching and learning

See this blog post for more detail.

Our Audiences

FERPA|Sherpa aims to provide a one-stop shop for education privacy-related resources to all stakeholders in the student privacy conversation: students, parents, educators and education agencies, the edtech industry, and policymakers struggling to grapple with the ever-changing student privacy legal landscape.

Students

It is important to understand that your student data is one thing that you have some control over. Here, you can take the initiative and explore these resources to better understand how your student data may be used by others and what choices you have to protect your personal information.

Parents

As schools increasingly rely on technology as a core educational resource, it is important to understand how your child’s data is collected and maintained. Parents and students have rights to information, and here, we help you understand how they work.

Educators

Educators are the first line of defense in ensuring the privacy of student data. From ensuring sufficient passwords to selecting privacy-protective apps to teaching students about digital citizenship, educators have an essential role to play in securing student information.

Local Education Agencies

Local Education Agencies (LEAs) have the responsibility of ensuring school districts have sound data privacy practices in place. This means creating systems that ensure the safety of student data while allowing for effective instruction in schools.

State Education Agencies

According to the Council of Chief State School Officers, every state has created policies for how State Education Agencies (SEAs) should make decisions with privacy in mind. Creating a culture of privacy, particularly student privacy, requires state leaders to know what the privacy landscape looks like, how to navigate it, and how to best communicate that information downstream.

Ed Tech

Education technology (edtech) companies provide services and tools to help students learn, and can increase the quality of students’ learning experiences significantly. However, most of these services and tools require access to student data, and edtech service providers must comply with a myriad of federal and state student privacy laws as well as local and state contracting requirements.

Policymakers

Effective policies enacted at the local, state, and federal levels can curtail the risks accompanying student data collection and ensure that data is used ethically to support learning. Since 2014, state policymakers have built new legal frameworks, passing over 130 laws to protect student privacy.

Higher Education Institutions

Higher education institutions are like miniature cities, storing not only student transcripts, but health and financial data, employment information, and campus safety and access technologies that can create new types of data. These data and new technologies can be used to help more students graduate and succeed than ever before, but they also make higher education institutions uniquely vulnerable to privacy and security risks.

LEA Lawyers

Lawyers representing schools, parents, edtech companies, or other education stakeholders must advise clients about how to navigate an increasingly complex web of legal requirements. Moreover, state and federal policymakers are continually regulating what information schools can collect and share online and what website and online application operators can do with it.

Our Team Members

Amelia Vance
Director of Education Privacy and Senior Counsel

David Sallay
Contractor

Monica Bulger
Senior Fellow