FERPA|Sherpa For EdTech
As schools increasingly implement new technologies, perception is among the greatest risks to edtech companies, specifically the possibility that parents or districts may believe that a company is behaving irresponsibly with student data. To comply with federal and state laws and create trust among schools, parents, and students, companies should recognize the sensitivity of student data and employ best privacy practices appropriate to the nature of any data use. Successful edtech companies have worked to build trust with the communities they serve, often by clearly outlining their data practices and privacy protections. Many of these companies have also committed to follow the Student Privacy Pledge. In doing so, these companies strengthen relationships with education stakeholders, and inform public perception.
Student Privacy Pledge
Over 300 companies have signed onto the Student Privacy Pledge, a voluntary but legally binding industry pledge to safeguard student privacy regarding the collection, maintenance, and use of student personal information. The commitments are intended to concisely detail existing federal law and regulatory guidance regarding the collection and handling of student data, and to encourage service providers to more clearly articulate these practices.
Parents need to trust both schools and the industry providing technology for schools. In an effort to ensure parents can be confident in how organizations use student data, the Future of Privacy Forum and the Software & Information Industry Association developed the Student Privacy Pledge in 2014. The Pledge is legally enforceable: by taking the Pledge, a company is making a public statement of their practices with respect to student data. Accountability comes from the Federal Trade Commission (FTC), which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices.
Companies can apply to join the Pledge here.
Almost half of US states currently use model contracts in the edtech space. Model contracts involve districts working together to create standard, education-contract language for use throughout the state. Model contracts are are a way for districts to minimize the time and money required to engage companies each year–some districts require more than 500 individual contracts.
Some service providers have found that district-written model contracts may contain provisions that are unworkable from a technical perspective, conflict with legal or other contractual requirements, or that hold service providers liable for data privacy issues, regardless of whether a service provider was the party that caused the liability. If a district insists on using a model contract as a starting point, service providers should work with district officials to negotiate or strike problematic provisions to ensure the privacy and security requirements are appropriate for the planned management and use of technology and student data.
Privacy and Security Tips
In the wake of widely publicized data breaches in major technology companies and numerous data security incidents in both K-12 and higher education, the public has become increasingly concerned about data privacy. In education, these concerns are heightened because stakeholders agree that children are more sensitive than adult consumers to data use. The Future of Privacy Forum has developed simple privacy and security tips for ed tech vendors. Check them out below.
There are a number of important laws of which vendors of education products or services should be aware. These laws either restrict how schools can provide access to student data, limit the uses that can be made of that information, or require parental consent which can restrict how vendors may use data.
Family Educational Rights and Privacy Act (FERPA)
Under the Family Educational Rights and Privacy Act (FERPA),
a school may not generally disclose personally identifiable information from an eligible student’s education records to a third party without written consent. However, there are a number of exceptions to this rule, which the Department of Education has laid out in a simple chart.
The most common exception applied to education service providers is the “school official” exception. Under this exception, a “school official” may obtain access to personally identifiable information contained in education records without prior consent, provided that the school had determined they have a “legitimate educational interest” in the information. The Department of Education interprets school official to generally include: professors, instructors, administrators, health staff, counselors, attorneys, clerical staff, trustees, member of committees, disciplinary boards, contractors, volunteers or other parties to whom the school has outsourced institutional services or functions.
The terms school official and legitimate educational interest are not defined by statute; rather, the school must define them and inform eligible students in its annual notification of FERPA rights. However, this exception requires that vendors act under the direction and control of the school.
Education service providers should also be aware of other student rights granted under FERPA, including that:
- Schools must provide parents (or certain eligible students) with an opportunity to inspect and review their student’seducation records within 45 days. If a service provider is maintaining or storing student records, they should be aware of the time limits for processing such requests.
- As a separate matter, parents (or certain eligible students) have the right to request that schools amend their student’s education records that include inaccurate or misleading information. Schools are not required to amend the record, but are required to consider the request.
The Department of Education has offered some guidance on Protecting Student Privacy While Using Online Educational Services, and requirements and best practices relating to sharing student information with Education Service Providers.
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) guides the protection of data, when companies collect “personally identifiable information” directly from students under the age of 13. The FTC updated its COPPA guidance in April 2014 to clarify that “the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose because the scope of the school’s authority to act on behalf of the parent is limited to the school context.” School consent cannot substitute a parent’s approval “in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service.”
Protection of Pupil Rights Amendment (PPRA)
|PPRA Sensitive Information|
|Mental & Psychological Problems|
|Sex behavior & Attitudes|
|Date & Place of Birth|
|Illegal, anti-social, self-incriminating &|
|Critical appraisals of other individuals|
|Legally recognized privileged or analogous|
|Participation in officially recognized activities|
As a result of the increased public conversation surrounding student privacy, 40 states have passed hundreds of new student privacy laws, many of which add contractual requirements, data use limits, and transparency requirements for edtech companies. The requirements in these laws go beyond the longstanding federal protections for student records and the collection of children’s data. Technology companies providing services to children have received significant fines for violating federal law, and potential consequences for breaching student privacy regulations include voided contracts, being blacklisted from contracting with districts, and, in one state, criminal penalties. Public fear of inappropriate data use or disclosure is now a serious risk for edtech companies both in terms of compliance and communications.
It is absolutely essential to be transparent about your privacy practices, not just because it builds trust with parents, districts, and states, but because of a lack of transparency can raise privacy concerns.
There are many great ways to be transparent about your student privacy practices.
While some technical questions from districts, educators, or parents may require you to dig out specific answers, there are some common questions that you can post answers to on your website, including:
- What data does your product collect?
- Is any of that data Personally Identifiable Information (PII) (or information that could become identifiable if it were combined)?
- Who do you share PII with?
- How does your business make money? Do you sell student data?
- Does your service create a profile of students for purposes other than an educational purpose?
- Does your service have advertising? (Ads are allowed, but many states ban ads targeted based on data about students or behavioral ads that are based on tracking a student across the web.)
- When users (whether a student, educator, school, or district) request deletion of data, will you delete it?
- Do you allow parents to directly access data about their child held by your service, or do they need to go through their local school or district to access the data?
- Do you have appropriate security for the data you collect?
- Have you signed on to the Student Privacy Pledge, signed the Massachusetts or California Student Privacy Alliance contracts, or been reviewed for privacy by Common Sense Media? Have you had an independent privacy audit done, or shown in some other impartial way that you are committed to protecting privacy?
Do you have other transparency solutions for companies or resources we should share? Email us at [email protected]
Resources for Service Providers
There are many great resources for service providers on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “K-12 Service Providers” in the Resource sidebar.
Protecting Student Privacy While Using Online Educational Services (U.S. Department of Education PTAC)
Student Data and De-Identification: Understanding De-Identification of Education Records and Related Requirements of FERPA: Guidance document prepared by the Future of Privacy Forum and Foresight Law + Policy provides an overview of the different tools used to de-identify data to various degrees, based on the type of information involved, and the determined risk of unintended disclosure of individual identity. Proper data de-identification requires technical knowledge and expertise as well as knowledge of and adherence to industry best practice.
Data de-identification represents one privacy protection strategy that should be in every student data holder’s playbook. Integrated with other robust privacy and security protections, appropriate de-identification – choosing the best de-identification technique based on a given data disclosure purpose and risk level – provides a pathway for protecting student privacy without compromising data’s value. This paper provides a high level introduction to: (1) education records de-identification techniques; and (2) explores the Family Educational Rights and Privacy Act’s (FERPA) application to de-identified education records. The paper also explores how advances in mathematical and statistical techniques, computational power, and Internet connectivity may be making de-identification of student data more challenging and thus raising potential questions about FERPA’s long-standing permissive structure for sharing non-personally identifiable information.
ADDITIONAL GUIDANCE FOR EDUCATION SERVICE PROVIDERS
The Software and Information Industry Association has developed “best practice” principles for educational service providers and third party vendors.
Some states, cities, and large school districts have produced guidance for vendors. New York City Public Schools has fashioned a vendor’s guide to providing professional services for their schools.
The National Center for Education Statistics has put out a best practices brief focusing on Vendor Engagement Tips from the States, specifically related to the Statewide Longitudinal Data Systems Grant Program.
GENERAL PRIVACY GUIDANCE
In addition to student privacy specific guidance, education service providers should be familiar with general privacy rules that are relevant when personal information is collected. When other sensitive information such as health data or financial data is collected or used, additional regulatory requirements apply. If you collect, store, or use health or financial information please seek further advice from a legal professional.
If an education service provider submits an app to a major app store or includes social media plug-ins, they need to comply with the developer requirements of those platforms. The Future of Privacy Forum and the Center for Democracy and Technology have issued “Best Practices for Mobile App Developers.” The Federal Trade Commission and the California Attorney General’s Office have also offered guidance for mobile app developers. Additionally, specific guidance for app developers is available through each major app store, including Apple, Google Android, and Facebook.
Other general privacy guidance is available from the International Association of Privacy Professionals Resource Center. Also, the Future of Privacy Forum and other organizations such as the Center for Democracy and Technology, Electronic Privacy Information Center,World Privacy Forum, and the Electronic Frontier Foundation work on a variety of privacy issues and have available resources on their websites.
- Future of Privacy Forum and Playwell, LLC
This three-pager describes New York State Education Law §2-d's third party contractor requirements at a glance, including: who must comply what data is prote…
- EDUCAUSE Review
This infographic explains some of the trends and recommendations for how to upkeep your security and privacy programs.
- Common Sense
The Common Sense Privacy Risks and Harms report identifies risks to children and students as they engage online and identifies ways for parents and educators t…
- Common Sense
The release of our 2018 State of EdTech Privacy Report represents the culmination of our research over the past three years in evaluating hundreds of education…