About

Educators are the first line of defense in ensuring the privacy of student data. From ensuring sufficient passwords to selecting privacy-protective apps to teaching students about digital citizenship, educators have an essential role to play in securing student information.


Educator’s Guide to Student Privacy

folder-pencil-lockTechnology tools and apps are making it possible for educators and students to collaborate, create, and share ideas more easily than ever. When schools use technology, students’ data—including some personal information—is collected both by educators and often the companies that provide apps and online services. Educators use some of this data to inform their instructional practice and get to know their students better. It is just as essential for educators to protect their students as it is to help them learn.

This guide is meant to help teachers utilize technology in the classroom while protecting their students’ privacy.

DOWNLOAD THE GUIDE

Click to see more

The Educator’s Guide to Student Privacy, written by teachers for teachers, covers several topics, including:

Why should classroom teachers care about student data privacy?

There are legal and ethical restrictions that impact districts, school, and teachers.Traditionally, student data consisted of things like attendance, grades, discipline records, and health records. Access to that data used to be restricted to the administrator, guidance counselor, teacher, or other school official who needed it to serve the educational needs of the child. With the use of technology in schools, traditional data is now often shared with companies that provide Student Information Systems (SIS), Learning Management Systems (LMS), and many other technologies. Parents, students, and others have raised concerns about what information is being collected or shared, and what use those companies might make of that data.

Teachers should be aware of Family Educational Rights and Privacy Act (FERPA) and applicable state laws, along with their district or school policies regarding the use of educational products and services from ed tech vendors. (More on FERPA and other laws below)

New technologies—including personal computers, mobile devices, apps, websites, programs, and online services—are used in classrooms in ways that cause new data to be generated about individual students that never existed before including drafts and edits as they are recorded and showing the pacing and record of their performance through a math or reading program.

Communications between students and teachers, or students and other students—along with everything from last night’s math homework to the metadata of their online behavior while immersed in an app—is now created, collected, and often held by third party educational technology vendors.

Teachers are ethically obliged to follow and model good digital citizenship practices and behaviors with their students. This includes thinking carefully about the digital products and processes that are incorporated in any project or lesson design.

What constitutes student data?

Information that is tied to individual students is referred to as personally identifiable information, or PII, and is subject to additional restrictions in laws and regulations.

Student personal information includes any information about a student’s identity, academics, medical conditions, or anything else that is collected, stored, and communicated by schools or technology vendors on behalf of schools that is particular to that individual student. This includes a student’s name, address, names of parents or guardians, date of birth, grades, attendance, disciplinary records, eligibility for lunch programs, special needs, and other information necessary for basic administration and instruction. It also includes the data created or generated by the student or teacher in the use of technology—email accounts, online bulletin boards, work performed with an educational program or app, anything that is by or about the individual student in the educational setting. Some student personal information such as social security number, is highly sensitive and collection may be barred by state law.

OTHER SECTIONS OF THE GUIDE COVER:

  • What is an education record?
  • What if I want to use an education app or tool and I don’t know if my school/district has vetted it?
  • What should I do if my school has already vetted an app or tool?
  • What about companies that provide online tools to schools?
  • What should I do if a student suggests an unvetted education app to use for a project?
  • What if my students and/or I want to use or recommend a technology tool that was not specifically designed for education?
  • What are the federal and state laws that we need to follow?
  • Some questions to help you quickly evaluate whether an app, website, product, or service will protect your students’ information.

DOWNLOAD THE GUIDE

This project is brought to you by:

fpf-logo-small
connect-logo


Best Privacy Practices for Using Apps in the Classroom

Educators routinely use new education apps in the classroom to help students learn. However, some of these apps can make student data vulnerable to hacks, advertisers, or other privacy harms. When you sign students up for an app, you might actually be violating FERPA! Read below for best practices.

Click to see more

What if I want to use an education app or tool and I don’t know if my school/district has vetted it?

Be familiar with your school’s policy or process for selecting new educational tools, if one exists.If an app or service you want to use is not on the “approved” list, ask for it to be vetted and ask how long the vetting process takes. If the process is lengthy, you will want to redesign your lesson or project plan. Once the app is approved, you can certainly use it later. The list may also contain similar alternative apps you can use in the meantime.

If no such vetting process exists in your school, the checklist at the bottom of this section can help you quickly evaluate whether your students’ information will be protected.

You can also look to sources like Common Sense Media or iKeepSafe to see if they have “rated” or “badged” an ed tech product for privacy. You can also check the database of the Student Data Privacy Consortium to see which apps are being used by other districts. Note that none of these sites replace getting the app you want to use vetted by your school, they are just signals of which apps are more privacy friendly – make sure you check with them!

Some tools have already been vetted

If your school or district has an approved list of ed tech products, services, websites, or apps, check that the service you use is included and ensure you are aware of any requirements or privacy options.When schools and districts decide to adopt certain technology tools, they should evaluate those tools to ensure they meet data privacy requirements. Some examples include:

  • Workflow and collaboration tools where students and teachers draft work together, give feedback, and communicate throughout the learning process.
  • Learning Management Systems (LMS) where teachers post instructions, assignments, and links to resources for students and parents to access.
  • Online gradebooks where teachers post grades and students and parents can access them using a username and password.
  • Communication tools for emails or newsletters.
What about companies that provide online tools to schools?
Schools are allowed to rely on technology companies to provide products and services, but have the responsibility to ensure that those vendors have appropriate protections in place for student data. The school must ensure that it retains direct control over the information the company collects, uses, and maintains. Schools are responsible for seeing that companies working with the school directly only use student information for authorized educational purposes. These companies have access to this data under the “school official” exception, for the limited purpose of using student information for educational purposes only.
What should I do if a student suggests an unvetted education app to use for a project?

As a teacher, you cannot officially endorse use of an outside product, but you can explain to the student the considerations they should take into account, including recommending the student let their parents know too.It’s quite common for students to find education apps on their own to use for projects, and educators should encourage students to be creative and take their suggestions seriously. This is a teachable moment—a great opportunity to talk with the student about data privacy and review that digital citizenship curriculum.

Here are some examples of questions you could use to start the conversation with your student:

  1. Did you have to make an account in order to start using that app? If so, did you have to provide personal information (email, name, age, etc.)?
  2. Does the app require parental permission? Who has access to your email and other information now that you’ve created that account?
  3. Does the app developer share your information with others? (It’s in their privacy policy.)
  4. Does the app collect additional information such as location or contacts?

In all likelihood, your student will not know the answers to some of these questions. That is OK, but it is important to explain to them that all of this information belongs to them. They should think about protecting it, and should be encouraged to discuss their choices at home with their parents as well.

Again, you can also suggest to them that they see if that tool is rated or badged on Common Sense MediaiKeepSafe, or in the database of the Student Data Privacy Consortium.

What if my students and/or I want to use or recommend a technology tool that was not specifically designed for education?

If you, the teacher, want to recommend an app that was not specifically designed for education, checking with your administration, complying with applicable school policies, and using the checklist in this guide just as you would for an education-specific app is still a best practice.It’s a common issue because there are many “consumer apps,” not designed for education that students may wish to use for learning or to help them with their homework and projects. These may include research tools, note taking apps, collaboration tools or apps that allow users to make videos, record audio or create other media such as cartoons, images, and so on.

However, commercial products not designed and marketed for schools may not have the privacy policies and practices in place to ensure the protection of user data to the standards of laws that protect student information. Therefore, if not prohibited by school policy, these products should be carefully evaluated to see if their use will put student data at undesirable risk.

If a student approaches you and asks to use an app for your assignment that you’re not familiar with, it is a good idea to use the opportunity to talk to your student using the suggested questions above.

Again, harness that teachable moment.

Some questions to help you quickly evaluate whether an app, website, product, or service will protect your students’ information.
  1. Does the product collect Personally Identifiable Information? FERPA, the federal privacy law applies to “education records” only, but many state laws cover ALL student personal information.
  2. Does the vendor commit not to further share student information other than as needed to provide the educational product or service? (Such as third party cloud storage, or a subcontractor the vendor works with under contract.) The vendor should clearly promise never to sell data.
  3. Does the vendor create a profile of students, other than for the educational purposes specified? Vendors are not allowed to create a student profile for any reason outside of the authorized educational purpose.
  4. When you cancel the account or delete the app, will the vendor delete all the student data that has been provided or created?
  5. Does the product show advertisements to student users? Ads are allowed, but many states ban ads targeted based on data about students or behavioral ads that are based on tracking a student across the web. TIP: Look for a triangle i symbol ( ) which is an industry label indicating that a site allows behaviorally targeted advertising. These are never acceptable for school use. This would be particularly important when evaluating non-education-specific sites or services.
  6. Does the vendor allow parents to access data it holds about students or enable schools to access data so the school can provide the data to parents in compliance with FERPA?
  7. Does the vendor promise that it provides appropriate security for the data it collects? TIP: A particularly secure product will specify that it uses encryption when it stores or transmits student information. Encrypting the data adds a critical layer of protection for student information and indicates a higher level of security.
  8. Does the vendor claim that it can change its privacy policy without notice at any time? This is a red flag—current FTC rules require that companies provide notice to users when their privacy policies change in a significant or “material” way, and get new consent for collection and use of their data.
  9. Does the vendor say that if the company is sold, all bets are off? The policy should state that any sale or merger will require the new company to adhere to the same protections.
  10. Do reviews or articles about the product or vendor raise any red flags that cause you concern?

Communicating with Parents and Students

Parents want to know how their child's data is being collected, used, and protected, and, as the school employee they come into contact with the most often, you may be asked to answer these questions! Check out some tips to do this below.

Click to see more
Basic Parent Questions

Parents may come to you with questions. While more detailed questions may require that you refer them to a school administrator, you can prepare in advance for some of the most common parent questions, such as:

  • What apps are you using in the classroom, and why are you using those apps?
  • How can parents access their child’s education records?
  • What kind of data is collected about students?
  • How is student data used?
  • Who has access to data about my child?
  • Who is in charge of privacy in our district?
  • How does our district hold ed tech companies and other service providers accountable for maintaining the confidentiality of the student data they receive?

You can see if your district has a student privacy FAQ handout, or create your own (you can always adapt the one on pages 16-18 of this Student Data Privacy Communications Guide) and provide it to parents.

Refer Parents to Other Resources

There are many great resources for parents on the internet! We think the parent page on FERPA|Sherpa and our Parents’ Guide to Student Data Privacy are particularly useful, but you can also refer parents to great state or district websites like: 

Don’t be afraid to steal content from other SEAs and LEAs and link to other great resources!

Other Communications

There are many other great ways to communicate. You could have an after-hours meeting with students and their parents about the apps you are using in your classroom and how you are ensuring student privacy. You could also teach students about their privacy at school.

Figure out how parents in your district can best be reached – by mobile phone, website, in person, etc – and meet them where they are. Push your district to be better about communicating on student privacy. Check out our favorite communications resource, the Foundation for Excellence in Education Student Data Privacy Communications Toolkit, for ideas and resources you can copy and paste.

 

Have other communications suggestions or materials that educators could use? Email them to us at [email protected].


Federal Laws

Educators should be aware of the federal laws that guide the collection, use, and storage of data about students and children.

Click to see more
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

Information in a student’s education record is governed by FERPA, a federal law enacted in 1974 that guarantees that parents have access to their child’s education record and restricts who can access and use student information. FERPA protects the access to and sharing of a student’s education record, which is all information directly related to a particular student as part of his or her education. FERPA gives parents specific rights to their child’s education records and when a child turns 18, the rights belong directly to him or her.

FERPA also permits schools to share information with another school system regarding a student’s enrollment or transfer, specified officials for audit or evaluation purposes; appropriate parties in connection with financial aid to a student; organizations conducting certain studies for or on behalf of the school; and accrediting organizations. The “school official” exception allows schools to share information with parent volunteers, technology companies or other vendors, but only when used for educational purposes directed by the school. Directory Information, another FERPA exception, is student data that a school may make public, for example a sports team roster, yearbook information or even data that can be provided to third parties, but parents must be given the opportunity to opt-out.

THE PROTECTION OF PUPIL RIGHTS AMENDMENT (PPRA)

PPRA outlines restrictions for the process when students might be asked for information as part of federally funded surveys or evaluations.

For example, surveys might be used to better understand the effects on students of drug and alcohol use, or sexual conduct. They might also seek to understand the impact on students with family backgrounds that include violence, or variations in home life such as family makeup or income levels. In order to administer such surveys, schools must be able to show parents any of the survey materials used, and provide parents with choices for any surveys that deal with certain sensitive categories.

THE CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)

COPPA controls what information is collected from young children by companies operating websites, games, and mobile applications directed toward children under 13.

COPPA requires companies to have a clear privacy policy, provide direct notice to parents, and obtain parental consent before collecting information from children under 13. Teachers and other school officials are authorized to provide this consent on behalf of parents for use of an educational program, but only for use in the educational context.

This means the company can only collect personal information from students for the specified educational purpose, and for no other commercial purpose. Some schools have policies that require school administrator approval before teachers can allow use of certain apps or services. When information is collected with the consent of a school official, the company may keep the information only as long as necessary to achieve the educational purposes.

 


State Laws

Do you know if your state has a student privacy law? Just since 2013, 38 states have passed 91 new student privacy laws. Most of those laws impose new requirements on districts, states, and school service providers.

Click to see more

Prior to student data privacy taking off as an issue in 2014, many states had preexisting privacy laws. Some states have privacy laws that are not specific to education but still affect educational data. For example, 10 state constitutions have recognized a right to privacy,[1] and many more have general privacy protections in place for their citizens. These laws affect students, teachers, schools, and districts. Many states have specific laws regarding the disposal of records that contain personal information.[2] Some states also require government entities to have a written privacy policy in place.[3] And some, such as California, require government agencies to have a specific person responsible for compliance with privacy law.[4]

States can give students additional privacy protections, and many have: at least 35 states have passed laws supplementing FERPA;[5] 45 make their data privacy policies publically available; 48 state education agencies have established governance bodies charged with managing the collection and use of data, including how that data will be kept secure and confidential; and 45 have established policies that determine what type of data is available to select stakeholders, such as teachers and principals, who will use it to improve instruction.

The number of laws directly regulating student privacy has dramatically increased in the past three years. Since 2014, 49 states have introduced over 500 student privacy bills, with at least 100 bills introduced each year. Thirty-eight states have passed 91 laws since 2013. Generally, these laws either regulate educational agencies and institutions, such as schools, districts, and state education agencies, or regulate third parties.

Thirty-three states as of the end of 2016 have introduced either a version of California’s SOPIPA or a similar piece of legislation that regulates industry known as the SUPER (“student user privacy in education rights”) Act, and 12 states have passed those bills into law.

SOPIPA, SUPER, and other recent student privacy laws impose direct liability on ed tech operators. FERPA, which is enforced by the U.S. Department of Education is only directly enforceable against “educational institutions receiving federal funds” – which equates to most public schools. Even if a third party vendor practice causes the school to be in violation of FERPA, DOE may only hold the school liable. Any liability by the school service provider would simply be through its contract with the school. The entire purpose of states seeking to pass SOPIPA, SUPER, and other student privacy laws is to directly regulate private companies that are now so frequently working directly with students.

 

 

[1] “Constitutions in ten states—Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington—expressly recognize a right to privacy.” National Conference of State Legislatures, Privacy Protections in State Constitutions, December 11, 2013.

[2] “At least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” National Conference of State Legislatures, Data Disposal Laws, December 26, 2013.

[3] Cf. Alaska Stat. § 45.48.530; Ariz. Rev. Stat. Ann. § 41-4152; Colo. Rev. Stat. § 6-1.713; N.J. Stat. 56:8-162

[4] Cal. Civ. Code § 1798.22: “Each agency shall designate an agency employee to be responsible for ensuring that the agency complies with all of the provisions of this chapter.”

[5] Epic.org, Student Privacy


Security

All educators are just as responsible for security as school officials - in fact, the most likely way for student data to be accidentally released is through human error! Read below for how to protect the security of your students' information.

Click to see more

There are many easy ways for teachers to protect the security of student data. Our favorite checklist on this topic was developed for Fordham University School of Law, Technology and Privacy Law by Elizabeth Walker. Check out the full checklist in PDF here, or our version of the checklist below.

General Guidelines
  • Do not share passwords for school accounts with anyone, including other staff, family members, or significant others. Check out some of the suggestions in this article for how to create a secure password. You can also use password managers like LastPass or 1Password to help you remember your passwords and keep them secure.
  • Use different passwords for your school accounts than you do for personal accounts.
  • Avoid connecting to the Internet through wireless networks (WiFi) that are not password protected.
  • Immediately report to the administration any suspicious activity involving or affecting technology related to school work, school accounts, or student data.
  • Back up your data regularly. If your account is hacked, subject to ransomware, or there is just a technical bug, you will be very glad that you kept a backup of your data.
Accessing or Sharing Student Data
  • Ask the administration whether your district or school has a policy about using or sharing student
    data.
  • Only access the student data that you have permission to access.
  • Only access student data for legitimate school or educational purposes.
  • When accessing student data, only use computers or devices that have either been approved by the
    school or that contain security software and are password protected.
  • Lock up hardcopy files and devices with access to student data.
  • Do not share or disclose student data without authorization from an administrator, parent, or
    guardian.
  • Do not share student data during public meetings or presentations; use fictitious records instead.
  • Avoid sending student data via email unless specifically authorized.
  • Immediately report any incidents to the administration where you believe student data may have
    been inappropriately accessed or shared.
Using Computers, Tablets, and Other Devices

When you are using school-owned equipment:

  • Ask the administration whether your district or school has a policy about using school-owned computers, tablets, or other devices.
  • Log out of accounts and close browsers and programs whenever you finish using a program.
  • Password-protect, lock, or otherwise secure all computers and devices when not in use.
  • Immediately report lost or stolen devices to the administration.

When you are using your own equipment:

  • Ask the administration whether your district or school has a policy about bringing your own computer, tablet, or other device to school or using your own device for school purposes.
  • Ask the administration if approval is necessary prior to using your own computer or other device in the classroom or to access student data.
  • Install anti-virus software on the device before using it on the school network or to access school accounts
  • If the device or a program notifies you that critical security updates or patches are available, promptly follow the instructions on the screen to download and install the updates.
  • Set up password protection to log in to the device, wake the device, or unlock the screen.
  • Log out of accounts and close browsers and programs whenever you are finished.
  • Password-protect, lock, or otherwise secure all computers and devices when not in use.
  • Immediately report lost or stolen devices to the administration.
Using Email
  • Ask the administration whether your district or school has a policy about using email.
  • Do not click on any links or download any attachments you receive from a suspicious source.
  • Be cautious of emails containing the following:
    • Links in suspicious-looking messages
    • Threats that your account will be closed if you do not respond
    • Web addresses where names of well-known companies have been slightly altered
    • Requests for personal information
    • Unexpected attachments, especially those purporting to come from banks or financial
      institutions
    • Deals that sound too good to be true
    • Urgent emails demanding that you act immediately
    • Messages that list your email as the sender or from address

Do you have any security tips to add? Email them to [email protected]


K-12 Training

Training is absolutely essential to protect student privacy, especially in K-12 schools where educators often have access to very sensitive information about a student, such as their disciplinary record or medical history.

Click to see more

TBA

Student Privacy For K-12 Educators and Administrators Playlist (iKeepSafe)


Other Resources

There are many great resources for Educators on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “Educators” in the “Resources for…” drop-down menu.

Click to see more

ConnectSafely Educator’s Guide to Social Media explains how educators can use social media in the classroom without risking their professional reputation.

Student Privacy Pledge is a list of twelve commitments K-12 school service providers agree to in order to safeguard student data privacy regarding the collection, maintenance, and use of student personal information.

ConnectSafely, FPF, and National PTA’s Parent’s Guide to Student Data Privacy assists parents in understanding the laws that protect student data and helps parents understand their student’s rights under the law.

Department of Education PTAC is a resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data.

CoSN Privacy Toolkit for School Leaders provides school officials with 10 essential skills areas, outlining the responsibilities and knowledge needed to be an educational technology leader.

Data Quality Campaign provides information on state laws annually, as well as other useful privacy review tools and resources.