About

SEAs – State Education Agencies – are more important than ever as more and more state laws pass that require SEAs to create student privacy guidance and rules – not only in the SEA, but also for districts. SEAs across the country are leading the way on student privacy to support their districts and ensure the confidentiality and security of student information.


Student Data Principles

The Student Data Principles are the values that guide the work of over 40 education organizations representing school officials and other stakeholders in every state.

Signatories include AASA: The School Superintendents Association; the National PTA; the Council of Chief State School Officers; and the National School Boards Association. Schools, school systems, and anyone who has access to students’ personal information must do everything in their power to ensure that information is protected and used to support students. They should use these principles as a foundation to build on, going above and beyond compliance with federal, state, and local laws.

Read the Student Data Principles

Learn more about the Student Data Principles


Communicating with Districts and the General Public

School officials should also explore better ways to communicate with parents and students how student data is being used. While FERPA requires schools to provide an annual notification of parents’ and eligible students’ FERPA rights, this can occasionally be little more than a rote legal notice. Both parents and students are better served when they understand how data is used in schools, and school officials should consider ways to explain their technology, data, and privacy policies in a friendly manner.

Parents want to know how their child’s data is being collected, used, and protected, but may not have more than 10 minutes to search out answers. There are many resources that can help districts and schools communicate better with parents.

Be Able to Answer Parent Questions

Parents may come to you or their child’s teacher with questions. While some questions may require more investigation, you can prepare in advance for some of the most common parent questions, such as:

  • What kind of data is collected about students?
  • How is student data used?
  • Who has access to data about my child?
  • Who is in charge of privacy in our district?
  • What apps are our district using?
  • How does our district hold ed tech companies and other service providers accountable for maintaining the confidentiality of the student data they receive?
  • Can parents access their child’s education records?

Create an FAQ handout (you can always adapt the one on pages 16-18 of this Student Data Privacy Communications Guide) and provide it to parents at least once annually. You could also print out or link to our Parents’ Guide to Student Data Privacy.

Websites

The first place many parents will go to find answers is their school or district’s website. It is vital to have at least a little easily-found information on your website. This doesn’t have to be fancy! One of our favorite websites from Chesterfield County Public Schools (see screenshot) is extremely simple. It has links to:

  • A list of what apps the district is using and the privacy policies for those apps (don’t know what apps your district is using? Find out! Take a survey, or use a product like LearnTrials or Catch On);
  • The Privacy Policies & Guidelines for the district;
  • Privacy FAQs; and
  • A link to a Google form where parents can ask a quick question that gets automatically sent to the person in charge of privacy for that district.

There are many other great website examples!

Don’t be afraid to steal content from other SEAs and LEAs and link to other great resources!

Other Communications

There are many other great ways to communicate. Some districts have an annual meeting with students and their parents about privacy. Some devote annual time for students to learn about their privacy at school. Others put information about student privacy – like a monthly privacy tip – in their district’s monthly newsletter. Figure out how parents in your district can best be reached – by mobile phone, website, in person, etc. – and meet them where they are. Check out our favorite communications resource, the Foundation for Excellence in Education Student Data Privacy Communications Toolkit, for ideas and resources you can copy and paste.

Communications Resources

Have other communications suggestions or materials that other districts could use? Email them to us at [email protected].


Federal Laws

Schools remain accountable for the security of their students’ information, even when it is managed by an outside vendor—thus, schools should be aware of the laws that guide the collection, use, and storage of data about students and children.

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)

The Family Educational Rights and Privacy Act (FERPA) also requires that schools give parents and students the opportunity to access information in their education records. Students and parents are allowed to review and potentially amend incorrect information within their education record. Procedures should be put in place to simplify this process.

A school may not generally disclose personally identifiable information from an eligible student’s education records to a third party without written consent. There are a number of exceptions to this rule, which are laid out in the Department of Education’s FERPA Exceptions — Summary CHART.

FERPA Directory Information

  • Student’s Name
  • Address
  • Telephone listing
  • Email Address
  • Photograph
  • Date & Place of Birth
  • Major/Field of Study
  • Dates of Attendance
  • Grade Level
  • Participation in officially recognized activities & sports
  • Weight & Height of Athletes
  • Degrees, Honors, & Awards Received
  • Most recent educational institution attended
  • Student ID, User ID, or other unique identifier (that cannot be used to access education records without a PIN or password)

  • FERPA gives parents and students the right to opt out of having their “directory information” shared.
  • FERPA allows schools to share student information among designated “school officials” with “legitimate educational interests.” Schools must define these terms, and inform parents who they consider a “school official” and what is deemed a “legitimate educational interest.” This process allows schools to partner with outside persons or entities to provide educational tools and services.

Aside from the two most common FERPA exceptions listed above, there are a number of other circumstances when prior consent is not required to disclose information about a student. The following are categories of people/organizations that may not need express student consent to gain access to certain information about students.

Individual/Entity seeking information: Type of information available without consent…

  • Parents of Dependent Post-Secondary Students: Generally – any student information
  • Parents of Non-Dependent Post-Secondary Students: (1) Information in connection with the student’s health or safety; (2) Information related to the student’s violation of the law or the academic institution’s policy governing use or possession of alcohol or controlled substances
  • Schools: In which the student intends to enroll
  • Financial Aid Offices: Facts relevant to determining a student’s eligibility, amount, or conditions surrounding receiving financial aid
  • Authorized Representative of Federal, State, and local Governments and Educational Authorities: Auditing, evaluating, or enforcing education programs
  • Organizations: Data used to conduct studies, predictive tests, administering student aid program, or improving instruction
  • Judicial or law enforcement authority: In compliance with an order or subpoena
  • Victims: Results of a disciplinary hearing of a crime of violence
  • Third Parties: Final results of a disciplinary hearing concerning a student who is an alleged perpetrator of a crime of violence and who was found to have committed a violation of the institution’s rules or policies
  • Community Notification Program: Information concerning a student required to register as a sex offender in the State

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) guides the protection of data when companies collect “personally identifiable information” directly from students under the age of 13. The FTC updated its COPPA guidance in April 2014 to clarify that “the school’s ability to consent on behalf of the parent is limited to the educational context – where an operator collects personal information from students for the use and benefit of the school, and for no other commercial purpose…. because the scope of the school’s authority to act on behalf of the parent is limited to the school context.” School consent cannot substitute for a parent’s approval “in connection with online behavioral advertising, or building user profiles for commercial purposes not related to the provision of the online service.”

PROTECTION OF PUPIL RIGHTS AMENDMENT (PPRA)

PPRA Sensitive Information

  • Political Affiliations
  • Address
  • Mental & Psychological Problems
  • Email Address
  • Sex behavior & Attitudes
  • Date & Place of Birth
  • Illegal, anti-social, self-incriminating & demeaning behavior
  • Critical Appraisals of other individuals
  • Legally recognized privileged or analogous relationships
  • Participation in officially recognized activities & sports
  • Income

State Laws

Do you know if your state has a student privacy law? Just since 2013, 39 states have passed 106 new student privacy laws. Most of those laws impose new requirements on districts, states, and school service providers.

Prior to student data privacy taking off as an issue in 2014, many states had preexisting privacy laws. Some states have privacy laws that are not specific to education but still affect educational data. For example, 10 state constitutions have recognized a right to privacy,[1] and many more have general privacy protections in place for their citizens. These laws affect students, teachers, schools, and districts. Many states have specific laws regarding the disposal of records that contain personal information.[2] Some states also require government entities to have a written privacy policy in place.[3] And some, such as California, require government agencies to have a specific person responsible for compliance with privacy law.[4]

States can give students additional privacy protections, and many have: at least 35 states have passed laws supplementing FERPA;[5] 45 make their data privacy policies publicly available; 48 state education agencies have established governance bodies charged with managing the collection and use of data, including how that data will be kept secure and confidential; and 45 have established policies that determine what type of data is available to select stakeholders, such as teachers and principals, who will use it to improve instruction.

The number of laws directly regulating student privacy has dramatically increased in the past three years. Since 2014, 49 states have introduced over 500 student privacy bills, with at least 100 bills introduced each year. Thirty-eight states have passed 91 laws since 2013. Generally, these laws either regulate educational agencies and institutions, such as schools, districts, and state education agencies, or regulate third parties.

Thirty-three states as of the end of 2016 have introduced either a version of California’s SOPIPA or a similar piece of legislation that regulates industry known as the SUPER (“student user privacy in education rights”) Act, and 12 states have passed those bills into law.

SOPIPA, SUPER, and other recent student privacy laws impose direct liability on ed tech operators. FERPA, which is enforced by the U.S. Department of Education, is only directly enforceable against “educational institutions receiving federal funds” – which equates to most public schools. Even if a third-party vendor’s practice causes the school to be in violation of FERPA, DOE may only hold the school liable. Any liability of the school service provider would simply be through its contract with the school. The entire purpose of states seeking to pass SOPIPA, SUPER, and other student privacy laws is to directly regulate private companies that are now so frequently working directly with students.

[1] “Constitutions in ten states—Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington—expressly recognize a right to privacy.” National Conference of State Legislatures, Privacy Protections in State Constitutions, December 11, 2013.

[2] “At least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” National Conference of State Legislatures, Data Disposal Laws, December 26, 2013.

[3] Cf. Alaska Stat. § 45.48.530; Ariz. Rev. Stat. Ann. § 41-4152; Colo. Rev. Stat. § 6-1.713; N.J. Stat. 56:8-162

[4] Cal. Civ. Code § 1798.22: “Each agency shall designate an agency employee to be responsible for ensuring that the agency complies with all of the provisions of this chapter.”

[5] Epic.org, Student Privacy


Data Governance

Data governance is the processes and systems governing data quality, collection, management, and protection; basically, data governance is formal policies that address the whole life cycle of data.

Good governance assures accuracy, timeliness, usability, and security in data. Governance plans should define roles and responsibilities when it comes to data access, disclosure, and use; ensure data management and monitoring; and describe and set up parameters on how data is collected, accessed, and used.*

There are many great resources that K-12 school officials can use to create or improve their state, district, or school data governance plan. We recommend:

Developing a Privacy Program for Your District (U.S. Department of Education PTAC)

*Definition from West Virginia Department of Education


Security

Securing data is a large part of ensuring student data protection. Student data should be stored following FERPA security principles. See more information below.

Without security, there can be no privacy. LEAs and SEAs have a responsibility to ensure that data is protected through adequate security. When contracting with educational technology vendors, school officials should make sure that these companies have privacy policies and practices that ensure data security.

Recommended Security Resources

See the video below for more information about protecting security in the context of ed tech.

Reviewing Edtech Products: Security (iKeepSafe)


Helping Districts with Governance

This section will be updated in summer 2017.



Helping Districts with Vendors

Most schools and districts partner with third parties to improve the ability of schools to use, analyze, store, and protect data. However, surveys have shown again and again that parents are very concerned about third parties having access to student data. Thankfully, many organizations have stepped up to provide districts resources that can help guide them as they share data with third parties.

Resources for SEAs

There are many great resources for SEA officials on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “K-12 officials” in the “Resources for…” drop-down menu.

Websites

Resources

Videos

How to Use Your District’s Website to Communicate with Parents About Data Use and Security (U.S. Department of Education PTAC)

The ABC’s of Student Directory Information (U.S. Department of Education PTAC)

Email and Student Privacy (U.S. Department of Education PTAC)

School Volunteers and FERPA (U.S. Department of Education PTAC)

Are we missing a resource you think should be included? Email us at [email protected]