FERPA|Sherpa For Educators
Educators are the first line of defense in ensuring the privacy of student data. From ensuring sufficient passwords to selecting privacy-protective apps to teaching students about digital citizenship, educators have an essential role to play in securing student information.
Educator’s Guide To Student Privacy
Technology tools and apps are making it possible for educators and students to collaborate, create, and share ideas more easily than ever. When schools use technology, students’ data—including some personal information—is collected both by educators and often the companies that provide apps and online services. Educators use some of this data to inform their instructional practice and get to know their students better. It is just as essential for educators to protect their students as it is to help them learn.
This guide is meant to help teachers utilize technology in the classroom while protecting their students’ privacy.
The Educator’s Guide to Student Privacy, written by teachers for teachers, covers several topics, including:
Why should classroom teachers care about student data privacy?
There are legal and ethical restrictions that impact districts, school, and teachers. Traditionally, student data consisted of things like attendance, grades, discipline records, and health records. Access to that data used to be restricted to the administrator, guidance counselor, teacher, or other school official who needed it to serve the educational needs of the child. With the use of technology in schools, traditional data is now often shared with companies that provide Student Information Systems (SIS), Learning Management Systems (LMS), and many other technologies. Parents, students, and others have raised concerns about what information is being collected or shared, and what use those companies might make of that data.
Teachers should be aware of the Family Educational Rights and Privacy Act (FERPA) and applicable state laws, along with their district or school policies regarding the use of educational products and services from ed tech vendors. (More on FERPA and other laws below)
New technologies—including personal computers, mobile devices, apps, websites, programs, and online services—are used in classrooms in ways that cause new data to be generated about individual students that never existed before including drafts and edits as they are recorded and showing the pacing and record of their performance through a math or reading program.
Communications between students and teachers, or students and other students—along with everything from last night’s math homework to the metadata of their online behavior while immersed in an app—is now created, collected, and often held by third party educational technology vendors.
Teachers are ethically obliged to follow and model good digital citizenship practices and behaviors with their students. This includes thinking carefully about the digital products and processes that are incorporated in any project or lesson design.
What constitutes student data?
Information that is tied to individual students is referred to as personally identifiable information, or PII, and is subject to additional restrictions in laws and regulations.
Student personal information includes any information about a student’s identity, academics, medical conditions, or anything else that is collected, stored, and communicated by schools or technology vendors on behalf of schools that is particular to that individual student. This includes a student’s name, address, names of parents or guardians, date of birth, grades, attendance, disciplinary records, eligibility for lunch programs, special needs, and other information necessary for basic administration and instruction. It also includes the data created or generated by the student or teacher in the use of technology—email accounts, online bulletin boards, work performed with an educational program or app, anything that is by or about the individual student in the educational setting. Some student personal information such as social security number, is highly sensitive and collection may be barred by state law.
OTHER SECTIONS OF THE GUIDE COVER:
- What is an education record?
- What if I want to use an education app or tool and I don’t know if my school/district has vetted it?
- What should I do if my school has already vetted an app or tool?
- What about companies that provide online tools to schools?
- What should I do if a student suggests an unvetted education app to use for a project?
- What if my students and/or I want to use or recommend a technology tool that was not specifically designed for education?
- What are the federal and state laws that we need to follow?
- Some questions to help you quickly evaluate whether an app, website, product, or service will protect your students’ information.
Best Practices for Using Apps in the Classroom
Educators routinely use new education apps in the classroom to help students learn. However, some of these apps can make student data vulnerable to hacks, advertisers, or other privacy harms. When you sign students up for an app, you might actually be violating FERPA! Read below for best practices.
What if I want to use an education app or tool and I don’t know if my school/district has vetted it?
Be familiar with your school’s policy or process for selecting new educational tools, if one exists. If an app or service you want to use is not on the “approved” list, ask for it to be vetted and ask how long the vetting process takes. If the process is lengthy, you will want to redesign your lesson or project plan. Once the app is approved, you can certainly use it later. The list may also contain similar alternative apps you can use in the meantime.
If no such vetting process exists in your school, the checklist at the bottom of this section can help you quickly evaluate whether your students’ information will be protected.
You can also look to sources like Common Sense Media or iKeepSafe to see if they have “rated” or “badged” an ed tech product for privacy. You can also check the database of the Student Data Privacy Consortium to see which apps are being used by other districts. Note that none of these sites replace getting the app you want to use vetted by your school, they are just signals of which apps are more privacy friendly – make sure you check with them!
Some tools have already been vetted
If your school or district has an approved list of ed tech products, services, websites, or apps, check that the service you use is included and ensure you are aware of any requirements or privacy options. When schools and districts decide to adopt certain technology tools, they should evaluate those tools to ensure they meet data privacy requirements. Some examples include:
- Workflow and collaboration tools where students and teachers draft work together, give feedback, and communicate throughout the learning process.
- Learning Management Systems (LMS) where teachers post instructions, assignments, and links to resources for students and parents to access.
- Online gradebooks where teachers post grades and students and parents can access them using a username and password.
- Communication tools for emails or newsletters.
What about companies that provide online tools to schools?
Schools are allowed to rely on technology companies to provide products and services, but have the responsibility to ensure that those vendors have appropriate protections in place for student data. The school must ensure that it retains direct control over the information the company collects, uses, and maintains. Schools are responsible for seeing that companies working with the school directly only use student information for authorized educational purposes. These companies have access to this data under the “school official” exception, for the limited purpose of using student information for educational purposes only.
What should I do if a student suggests an unvetted education app to use for a project?
As a teacher, you cannot officially endorse the use of an outside product, but you can explain to the student the considerations they should take into account, including recommending the student let their parents know too. It’s quite common for students to find education apps on their own to use for projects, and educators should encourage students to be creative and take their suggestions seriously. This is a teachable moment—a great opportunity to talk with the student about data privacy and review that digital citizenship curriculum.
Here are some examples of questions you could use to start the conversation with your student:
- Did you have to make an account in order to start using that app? If so, did you have to provide personal information (email, name, age, etc.)?
- Does the app require parental permission? Who has access to your email and other information now that you’ve created that account?
- Does the app collect additional information such as location or contacts?
In all likelihood, your student will not know the answers to some of these questions. That is OK, but it is important to explain to them that all of this information belongs to them. They should think about protecting it, and should be encouraged to discuss their choices at home with their parents as well.
What if my students and/or I want to use or recommend a technology tool that was not specifically designed for education?
If you, the teacher, want to recommend an app that was not specifically designed for education, checking with your administration, complying with applicable school policies, and using the checklist in this guide just as you would for an education-specific app is still a best practice. It’s a common issue because there are many “consumer apps,” not designed for education that students may wish to use for learning or to help them with their homework and projects. These may include research tools, note taking apps, collaboration tools or apps that allow users to make videos, record audio or create other media such as cartoons, images, and so on.
However, commercial products not designed and marketed for schools may not have the privacy policies and practices in place to ensure the protection of user data to the standards of laws that protect student information. Therefore, if not prohibited by school policy, these products should be carefully evaluated to see if their use will put student data at undesirable risk.
If a student approaches you and asks to use an app for your assignment that you’re not familiar with, it is a good idea to use the opportunity to talk to your student using the suggested questions above.
Again, harness that teachable moment.
Some questions to help you quickly evaluate whether an app, website, product, or service will protect your students’ information.
- Does the product collect Personally Identifiable Information? FERPA, the federal privacy law applies to “education records” only, but many state laws cover ALL student personal information.
- Does the vendor commit not to further share student information other than as needed to provide the educational product or service? (Such as third party cloud storage, or a subcontractor the vendor works with under contract.) The vendor should clearly promise never to sell data.
- Does the vendor create a profile of students, other than for the educational purposes specified? Vendors are not allowed to create a student profile for any reason outside of the authorized educational purpose.
- When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?
- Does the product show advertisements to student users? Ads are allowed, but many states ban ads targeted based on data about students or behavioral ads that are based on tracking a student across the web. TIP: Look for a triangle i symbol ( ) which is an industry label indicating that a site allows behaviorally targeted advertising. These are never acceptable for school use. This would be particularly important when evaluating non-education-specific sites or services.
- Does the vendor allow parents to access data it holds about students or enable schools to access data so the school can provide the data to parents in compliance with FERPA?
- Does the vendor promise that it provides appropriate security for the data it collects? TIP: A particularly secure product will specify that it uses encryption when it stores or transmits student information. Encrypting the data adds a critical layer of protection for student information and indicates a higher level of security.
- Does the vendor say that if the company is sold, all bets are off? The policy should state that any sale or merger will require the new company to adhere to the same protections.
- Do reviews or articles about the product or vendor raise any red flags that cause you concern?
Communicating with Parents and Students
Parents want to know how their child’s data is being collected, used, and protected, and, as the school employee they come into contact with most often, you may be asked to answer these questions. Check out some tips to do this below.
Basic Parent Questions
Parents may come to you with questions. While more detailed questions may require that you refer them to a school administrator, you can prepare in advance for some of the most common parent questions, such as:
- What apps are you using in the classroom, and why are you using those apps?
- How can parents access their child’s education records?
- What kind of data is collected about students?
- How is student data used?
- Who has access to data about my child?
- Who is in charge of privacy in our district?
- How does our district hold ed tech companies and other service providers accountable for maintaining the confidentiality of the student data they receive?
You can see if your district has a student privacy FAQ handout, or create your own (you can always adapt the one on pages 16-18 of this Student Data Privacy Communications Guide) and provide it to parents.
Refer Parents to Other Resources
There are many great resources for parents on the internet! We think the parent page on FERPA|Sherpa and our Parents’ Guide to Student Data Privacy are particularly useful, but you can also refer parents to great state or district websites like:
- Wisconsin SEA Privacy Page
- Fairfax County Privacy Page
- Denver Public Schools Student Data Privacy Page
There are many other great ways to communicate. You could have an after-hours meeting with students and their parents about the apps you are using in your classroom and how you are ensuring student privacy. You could also teach students about their privacy at school.
Figure out how parents in your district can best be reached – by mobile phone, website, in person, etc – and meet them where they are. Push your district to be better about communicating on student privacy. Check out our favorite communications resource, the Foundation for Excellence in Education Student Data Privacy Communications Toolkit, for ideas and resources you can copy and paste.
Have other communications suggestions or materials that educators could use? Email them to us at [email protected].
Educators should be aware of the federal laws that guide the collection, use, and storage of data about students and children.
Family Educational Rights and Privacy Act (FERPA)
Information in a student’s education record is governed by FERPA, a federal law enacted in 1974 that guarantees that parents have access to their child’s education record and restricts who can access and use student information. FERPA protects the access to and sharing of a student’s education record, which is all information directly related to a particular student as part of his or her education. FERPA gives parents specific rights to their child’s education records and when a child turns 18, the rights belong directly to him or her.
FERPA also permits schools to share information with another school system regarding a student’s enrollment or transfer, specified officials for audit or evaluation purposes; appropriate parties in connection with financial aid to a student; organizations conducting certain studies for or on behalf of the school; and accrediting organizations. The “school official” exception allows schools to share information with parent volunteers, technology companies or other vendors, but only when used for educational purposes directed by the school. Directory Information, another FERPA exception, is student data that a school may make public, for example a sports team roster, yearbook information or even data that can be provided to third parties, but parents must be given the opportunity to opt-out.
The Protection of Pupil Rights Amendment (PPRA)
PPRA outlines restrictions for the process when students might be asked for information as part of federally funded surveys or evaluations.
For example, surveys might be used to better understand the effects on students of drug and alcohol use, or sexual conduct. They might also seek to understand the impact on students with family backgrounds that include violence, or variations in home life such as family makeup or income levels. In order to administer such surveys, schools must be able to show parents any of the survey materials used, and provide parents with choices for any surveys that deal with certain sensitive categories.
The Children’s Online Privacy Protection Act (COPPA)
COPPA controls what information is collected from young children by companies operating websites, games, and mobile applications directed toward children under 13.
This means the company can only collect personal information from students for the specified educational purpose, and for no other commercial purpose. Some schools have policies that require school administrator approval before teachers can allow use of certain apps or services. When information is collected with the consent of a school official, the company may keep the information only as long as necessary to achieve the educational purposes.
State Laws and Regulations
Do you know if the state you are working in has a student privacy law? Just since 2013, over 100 new student privacy laws have passed in almost all states. Most of those laws impose new requirements on districts, states, and school service providers.
All educators are just as responsible for security as school officials – in fact, the most likely way for student data to be accidentally released is through human error! Read below for how to protect the security of your students’ information.
There are many easy ways for teachers to protect the security of student data. Our favorite checklist on this topic was developed for Fordham University School of Law, Technology and Privacy Law by Elizabeth Walker. Check out the full checklist in PDF here, or our version of the checklist below.
- Do not share passwords for school accounts with anyone, including other staff, family members, or significant others. Check out some of the suggestions in this article for how to create a secure password. You can also use password managers like LastPass or 1Password to help you remember your passwords and keep them secure.
- Use different passwords for your school accounts than you do for personal accounts.
- Avoid connecting to the Internet through wireless networks (WiFi) that are not password protected.
- Immediately report to the administration any suspicious activity involving or affecting technology related to school work, school accounts, or student data.
- Back up your data regularly. If your account is hacked, subject to ransomware, or there is just a technical bug, you will be very glad that you kept a backup of your data.
Accessing or Sharing Student Data
- Ask the administration whether your district or school has a policy about using or sharing student data.
- Only access the student data that you have permission to access.
- Only access student data for legitimate school or educational purposes.
- When accessing student data, only use computers or devices that have either been approved by the school or that contain security software and are password protected.
- Lock up hardcopy files and devices with access to student data.
- Do not share or disclose student data without authorization from an administrator, parent, or guardian.
- Do not share student data during public meetings or presentations; use fictitious records instead.
- Avoid sending student data via email unless specifically authorized.
- Immediately report any incidents to the administration where you believe student data may have been inappropriately accessed or shared.
Using Computers, Tablets, and Other Devices
- Do not use public wireless internet if you have student data on your device (read this article to learn why).
When you are using school-owned equipment:
- Ask the administration whether your district or school has a policy about using school-owned computers, tablets, or other devices.
- Log out of accounts and close browsers and programs whenever you finish using a program.
- Password-protect, lock, or otherwise secure all computers and devices when not in use.
- Immediately report lost or stolen devices to the administration.
When you are using your own equipment:
- Ask the administration whether your district or school has a policy about bringing your own computer, tablet, or other device to school or using your own device for school purposes.
- Ask the administration if approval is necessary prior to using your own computer or other device in the classroom or to access student data.
- Install anti-virus software on the device before using it on the school network or to access school accounts
- If the device or a program notifies you that critical security updates or patches are available, promptly follow the instructions on the screen to download and install the updates.
- Set up password protection to log in to the device, wake the device, or unlock the screen.
- Log out of accounts and close browsers and programs whenever you are finished.
- Password-protect, lock, or otherwise secure all computers and devices when not in use.
- Immediately report lost or stolen devices to the administration.
- Ask the administration whether your district or school has a policy about using email.
- Do not click on any links or download any attachments you receive from a suspicious source.
- Be cautious of emails containing the following:
- Links in suspicious-looking messages
- Threats that your account will be closed if you do not respond
- Web addresses where names of well-known companies have been slightly altered
- Requests for personal information
- Unexpected attachments, especially those purporting to come from banks or financial
- Deals that sound too good to be true
- Urgent emails demanding that you act immediately
- Messages that list your email as the sender or from address
Do you have any security tips to add? Email them to [email protected].
Training is absolutely essential to protect student privacy, especially in K-12 schools where educators often have access to very sensitive information about a student, such as their disciplinary record or medical history.
Student Privacy For K-12 Educators and Administrators Playlist (iKeepSafe)
There are many great resources for Educators on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “Educators” in the Resources sidebar.
ConnectSafely Educator’s Guide to Social Media explains how educators can use social media in the classroom without risking their professional reputation.
Student Privacy Pledge is a list of twelve commitments K-12 school service providers agree to in order to safeguard student data privacy regarding the collection, maintenance, and use of student personal information.
ConnectSafely, FPF, and National PTA’s Parent’s Guide to Student Data Privacy assists parents in understanding the laws that protect student data and helps parents understand their student’s rights under the law.
Department of Education PTAC is a resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data.
CoSN Privacy Toolkit for School Leaders provides school officials with 10 essential skills areas, outlining the responsibilities and knowledge needed to be an educational technology leader.
Data Quality Campaign provides information on state laws annually, as well as other useful privacy review tools and resources.
- Common Sense
The following training guide is presented for educators in several short video presentations to provide training on the Common Sense privacy evaluations, use o…
- Data Quality Campaign
For all students to be college and career ready, they need a learning experience that is tailored to their unique needs, skills, and interests. Data is a criti…
- U.S. Department of Education
Email is an easy way to communicate with students and parents. Prior to sending an email, it’s important to evaluate the risk associated with sending student i…
- U.S. Department of Education
FERPA allows schools and districts to designate certain basic student information as directory information, and share that information without consent if certa…