The U.S. Department of Education recently established the Privacy Technical Assistance Center (“PTAC”) as a resource for data privacy, confidentiality and security practices related to student-level longitudinal data systems and other uses. Claims of school district violations of student privacy laws due to use of cloud-based educational programs continue to grow.
PTAC recently published non-binding guidelines, “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices” (“Guidelines”), which address privacy and security considerations related to computer software, mobile applications and web-based tools provided by third parties to a school that students and/or parents access as part of a school activity.
The Guidelines do not contain new regulations but provide an explanation of school districts’ responsibilities under the Family Educational Rights and Privacy Act (“FERPA”) and provide best practices for districts to implement in order to effectively protect student privacy.
The Guidelines explain that FERPA protects against the unauthorized disclosure of personally identifiable information (“PII”) from students’ education records. Some online educational services use FERPA-protected information.
For instance, it is common for an online system to require that students’ names and contact information be provided in order to allow students and parents to log in and access class materials. If a third-party provider is given such PII from student records to create student accounts, then FERPA is implicated, with the exception of “metadata” that is stripped of all identifiers.
Metadata consists of vast amounts of contextual or transactional data that give context to other collected data. For instance, information about how long a student took to perform an online assignment has greater meaning if the user knows the date and time the student completed that activity, how many attempts the student made, and how long a student’s mouse hovered over an item.
The PTAC suggests that school districts evaluate the use of online educational services on a case-by-case basis to determine whether FERPA-protected information is implicated and to ensure that FERPA requirements are met.
If PII is disclosed to a third-party provider, FERPA requires school districts to either obtain consent or guarantee that the arrangement with the provider meets one of FERPA’s exceptions to the written consent requirement. There are two FERPA exceptions that allow third-party providers to access PII.
First, disclosures of PII to create user accounts may be accomplished under the directory information exception, provided the information would not be considered harmful or an invasion of privacy if disclosed. However, to disclose information under this exception, school districts must establish a list of the specific elements or categories of what constitutes directory information and provide notice to the students and parents. Additionally, parents may opt out from permitting disclosure.
Alternatively, disclosures of PII to create user accounts may be accomplished under the school official exception. Under this exception, the school district may disclose PII as long as the provider: (1) performs an institutional service or function for which the district would use its own employees; (2) has been determined to meet criteria in the district’s annual FERPA notice; (3) is under the direct control of the district with regard to use and maintenance of education records; and (4) uses education records for authorized purposes only.
An authorized purpose does not include marketing new products or targeting individual students with directed advertisements. On the other hand, information properly identified and shared under the directory exception is not protected by FERPA and can be used for these purposes.
Additionally, the Guidelines set forth seven recommended “best practices” for protecting student privacy when using online educational services: (1) maintain awareness of other relevant federal, state, tribal or local laws; (2) be aware of which online educational services are currently being used in your district; (3) have policies and procedures to evaluate and approve proposed online educational services; (4) when possible, use a written contract or legal agreement and include the provisions recommended by PTAC; (5) take the necessary extra steps when accepting Click-Wrap licenses for consumer applications, which occurs in situations where districts cannot negotiate agreements with providers of consumer applications and are faced with a choice to accept the Terms of Service or to not use the application; (6) be transparent with parents and students; and (7) consider whether parental consent may be appropriate, even in instances where FERPA does not require parental consent.
Ultimately, the Guidelines remind school districts of their role in setting policies to protect student privacy, which is increasingly gaining importance in light of continuous technological advancements.
The advent of online and cloud computing educational programs creates challenges for school district compliance with FERPA and ISSRA. Contact Heather Brickman or Lori Martin with your student records inquiries.