State Education Agencies

FERPA|Sherpa For SEAs

SEAs–State Education Agencies–are more important than ever as more and more state laws pass requiring SEAs to create student privacy guidance and rules–not only for the SEA, but also for districts. SEAs across the country are leading the way on student privacy to support their districts and ensure the confidentiality and security of student information.

The Council of Chief State School Officers (CCSSO) is a leader in the SEA student privacy conversation, and much of the information below is taken from this resource. To learn more, visit https://ccsso.org.

Student Data Principles

The Student Data Principles are the values that guide the work of over 40 education organizations representing school officials and other stakeholders in every state.

Schools, school systems, and anyone who has access to students’ personal information must do everything in their power to ensure that student information is protected and used to support students. SEAs should use these principles to build upon, not just comply with, federal, state, and local laws. Some signatories include AASA: The School Superintendents Association; the National PTA; the Council of Chief State School Officers; and the National School Boards Association.

Read the Student Data Principles
Learn more about the Student Data Principles

SEA Discussion Framework

Beyond helping develop the Student Data Principles, CCSSO has also published the “Student Privacy & Data Security: A State Education Agency Discussion Framework.” This framework is a great guide for agency leaders and emphasizes the importance of communication within agencies to implement privacy-minded policies. Additionally, the framework provides state leaders with examples of effective practices implemented across the country. Here are some key questions CCSSO suggests state leadership ask within the agency as starting points for the student privacy conversation:

  • Can various stakeholders across our state find and understand the information they need?
  • What are we doing to help the public understand the need for data and data quality? Do we have a process for providing feedback or fielding questions from the public?
  • What policies, supports, outreach and/or training do we have in place to support local education agencies (LEAs), school systems, and schools in data governance?
  • Do we share data with other state agencies?  If yes, what policies are in place to govern this data sharing?
  • What are FERPA and COPPA and how do they apply to us? What other laws or regulations do we need to be concerned about?
  • Do we have clear data owners/stewards within our agency? Do those people understand their responsibilities? What policies governing ownership and sharing do we have in place? What training do we provide for data owners/stewards?
  • What are we doing to help school systems and schools submit accurate and timely data?
  • What types of data checks/routines are we performing at the SEA on school systems and schools data?
  • What is our strategy for ensuring data sets maintain the privacy and confidentiality of individual students?
  • What types of cross checks/validations are we performing on data business rules and calculations performed by our agency i.e. confirming that our priority school list is accurate?
  • What types of agreements do we have in place, related to data sharing? What is our agency doing to ensure all contracts, grants, and memoranda of understanding (MOUs) have the needed clauses to protect privacy and confidentiality?
  • Do we share PII with vendors? If so, what policies are in place to protect shared data? What about data reporting for grant purposes?
  • What are our procedures in responding to data requests? How do they differ if the request is for PII or not? Do we treat educator data differently from student data? If so, how? What policies and procedures are in place?
  • What policies, infrastructure and supports are in place to manage our data security?
  • What gaps do we have (if any) in terms of information security controls that may need immediate attention?
  • What is our retention and data destruction policy for student records? How do we verify destruction has occurred? How well is this policy communicated to the public?
  • What are we doing to ensure all school, district, and state staff that have access to our applications have correct roles and permissions?

Communicating with Districts and the General Public

Parents want to know how their child’s data is being collected, used, and protected, but may not have more than 10 minutes to search out answers. There are many resources SEAs can provide access to and help districts and schools communicate better with parents.

Websites

Highlight model websites for your districts, and provide useful links to resources on the SEA website for both districts and parents. The first place many parents will go to find answers is their school or district’s website. It is vital to have accessible information on your website. This doesn’t have to be complex. A great example is the Chesterfield County Public Schools (see screenshot), which is extremely simple. It has links to:

  • A list of what apps the district is using and the privacy policies for those apps (do your districts not know what apps they are using? Advise them to take a survey, or use a product like LearnTrials or Catch On);
  • The Privacy Policies & Guidelines for the district;
  • Privacy FAQs; and
  • A link to a Google form where parents can ask a quick question that gets automatically sent to the person in charge of privacy for that district.

There are many other great website examples:

Don’t be afraid to take content from other SEAs and LEAs and link to other great resources!

There are many other great ways to communicate. Some SEAs have open-to-the-public regional meetings, webinars, or an annual data conference for districts. Others put information about student privacy – like a monthly privacy tip – in their monthly newsletter. Check out our favorite communications resource, the Foundation for Excellence in Education Student Data Privacy Communications Toolkit, for ideas and resources you can copy and paste.

Communications Resources

Have other communications suggestions or materials that other districts could use? Email them to us at [email protected].

Federal Laws

Schools remain accountable for the security of their students’ information, even when it is managed by an outside vendor—thus, schools should be aware of the laws that guide the collection, use, and storage of data about students and children.

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

The Family Educational Rights and Privacy Act (FERPA) also requires that schools give parents and students the opportunity to access information in their education records. Students and parents are allowed to review and potentially amend incorrect information within their education record. Procedures should be put in place to simplify this process.

A school may not generally disclose personally identifiable information from an eligible student’s education records to a third party without written consent. There are a number of exceptions to this rule, which are laid out in the Department of Education’s FERPA Exceptions — Summary CHART.

FERPA Directory Information:

  • Student’s name
  • Address
  • Telephone listing
  • Email address
  • Photograph
  • Date & Place of Birth
  • Major/Field of Study
  • Dates of Attendance
  • Grade level
  • Participation in officially recognized activities & sports
  • Weight & height of athletes
  • Degrees, honors, & awards received
  • Most recent educational institution attended
  • Student ID, User ID, or other unique identifier (that cannot be used to access education records without a pin or password)

  • FERPA gives parents and students the right to opt out of having their “directory information” shared.
  • FERPA allows schools to share student information among designated “school officials” with “legitimate educational interests.” Schools must define these terms, and inform parents who they consider a “school official” and what is deemed a “legitimate educational interest.” This process allows schools to partner with outside persons or entities to provide educational tools and services.

Aside from the two most common FERPA exceptions listed above, there are a number of other circumstances when prior consent is not required to disclose information about a student. The following are categories of people/organizations that may not need express student consent to gain access to certain information about students.

Individual/Entity Seeking Information: Type of information available without consent

  • Parents (of dependent post-secondary students): Generally – any student information
  • Parents (of non-dependent post-secondary students):
      • Information in connection with the student’s health or safety
      • Information related to the student’s violation of the law or the academic institution’s policy governing the use or possession of alcohol or controlled substances
  • Schools: In which the student intends to enroll
  • Financial Aid Offices: Facts relevant to determining a student’s eligibility, amount, or conditions surrounding receiving financial aid
  • Authorized Representative of Federal, State, and local Governments and Educational Authorities: Auditing, evaluating, or enforcing education programs
  • Organizations: Data used to conduct studies, predictive tests, administering student aid program, or improving instruction
  • Judicial or law enforcement authority: In compliance with an order or subpoena
  • Victims: Results of a disciplinary hearing of a crime of violence
  • Third Parties: Final results of a disciplinary hearing concerning a student who is an alleged perpetrator of a crime of violence and who was found to have committed a violation of the institution’s rules or policies
  • Community Notification Program: Information concerning a student required to register as a sex offender in the State

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) guides the protection of data when companies collect “personally identifiable information” directly from students under the age of 13. The FTC updated its COPPA guidance in April 2014 to clarify that “the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose….because the scope of the school’s authority to act on behalf of the parent is limited to the school context.” School consent cannot substitute for a parent’s approval “in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service.”

PROTECTION OF PUPIL RIGHTS AMENDMENT (PPRA)

PPRA Sensitive Information:

  • Political Affiliations
  • Address
  • Mental & Psychological Problems
  • Email Address
  • Sex behavior & Attitudes
  • Date & Place of Birth
  • Illegal, anti-social, self-incriminating & demeaning behavior
  • Critical appraisals of other individuals
  • Legally recognized privileged or analogous relationships
  • Participation in officially recognized activities & sports
  • Income

State Laws

Do you know if the state you are working in has a student privacy law? Just since 2013, over 100 new student privacy laws have passed in almost all states. Most of those laws impose new requirements on districts, states, and school service providers.

Data Governance

According to the National Center for Education Statistics, “data governance refers to the overall management of the availability, usability, integrity, quality, and security of data.” It is important for SEAs to know what data is collected, where it is collected, how it is stored, and more. Implementing a strong data governance plan “help[s] [SEAs] ensure that appropriate policies and procedures are in place to facilitate access to and use of student data while protecting student privacy.”

Good governance assures accuracy, timeliness, usability, and security in data. Governance plans should define roles and responsibilities when it comes to data access, disclosure, and use; ensure data management and monitoring; and describe and set up parameters on how data is collected, accessed, and used.*

There are many great resources that K-12 school officials can use to create or improve their state, district, or school data governance plan. We recommend:

Developing a Privacy Program for Your District (U.S. Department of Education PTAC)

*Definition from West Virginia Department of Education

Security

Without ensuring the security of data collected, there can be no assurances regarding the privacy of that data. SEAs have a responsibility to ensure that data is protected through adequate security measures. When contracting with educational technology vendors, school officials should make sure that these companies have privacy policies and practices that ensure data security. Even more so, SEAs should ensure that proper policies are in place within school districts. Security threats come in many forms, and it is important for SEAs to craft policies to help schools address them. NCES has identified several areas of the current student privacy threat landscape, which can reach schools in several forms:

  • Physical security;
  • Network security;
  • Security configurations;
  • Patch management;
  • Authentication methods;
  • Data encryption;
  • Staff security training; and more.

SEAs should keep in mind that there are legal requirements for storing student data as well, and ensure that any policies implemented keep in mind FERPA requirements and FERPA security principles. See more information below.

Recommended Security Resources

See the video below for more information about protecting security in the context of ed tech.

Reviewing Edtech Products: Security (iKeepSafe)

Helping Districts with Vendors

Most schools and districts partner with third parties to improve the ability of schools to use, analyze, store, and protect data. However, surveys have shown again and again that parents are very concerned about third parties having access to student data. Thankfully, many organizations have provided districts resources that can help guide them as they share data with third parties.

Additionally, almost half of US states currently use model contracts when contracting with edtech vendors. Model contracts involve districts working together to create standard, education-contract language for use throughout the state. Model contracts are a way for districts to minimize the time and money required to engage companies each year–some districts require more than 500 individual contracts. Education agencies should ensure that model contracts used effectively promote privacy and security requirements and are appropriate for the planned management and use of technology and student data.

Resources for Dealing with Service Providers

Videos

Protecting Student Privacy While Using Online Educational Services (U.S. Department of Education PTAC)

Reviewing Edtech Products: Privacy, Safety, Security, and Contracts (iKeepSafe)

Is there a resource or model document for dealing with vendors that we should add? Email us at [email protected].

Resources for SEAs

There are many great resources for SEA officials on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “K-12 officials” in the Resources sidebar.

Websites

Resources

Videos

How to Use Your District’s Website to Communicate with Parents About Data Use and Security (U.S. Department of Education PTAC)

The ABC’s of Student Directory Information (U.S. Department of Education PTAC)

Email and Student Privacy (U.S. Department of Education PTAC)

School Volunteers and FERPA (U.S. Department of Education PTAC)

Are we missing a resource you think should be included? Email us at [email protected].
